乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-03-05: 细节已通知厂商并且等待厂商处理中 2015-03-05: 厂商已经确认,细节仅向厂商公开 2015-03-15: 细节向核心白帽子及相关领域专家公开 2015-03-25: 细节向普通白帽子公开 2015-04-04: 细节向实习白帽子公开 2015-04-20: 细节向公众公开
小米某服务器Elasticsearch Groovy命令执行
随手发现,这漏洞扫描和利用的成本都很低。
101.251.102.17:9200/_search?pretty
有小米采彡PIAOcp.mi.com的Ngix access log,可能是小米的机器。例如:
"message":"10.144.7.2 - - [22/Jan/2015:11:24:19 +0800] \"GET /v11/css/pay.css HTTP/1.0\" cp.mi.com 200 9315 \"http://cp.mi.com/pay/xiaomicashpay/xiaomi-cash-pay!xiaomireturndata.action?{%22result%22:%22errorCode=200&isSuccess=T¬ifyType=RETURN&orderDesc=%E5%B0%8F%E7%B1%B3%E5%BD%A9%E7%A5%A8-%E5%8F%8C%E8%89%B2%E7%90%83&outOrderId=20150122112119009284103&partnerId=10000077&payBank=NOT_APPLICABLE&payTime=1421897034&totalFee=1&tradeId=20150122112135132001060332001501&tradeStatus=TRADE_SUCCESS&sign=wmQF0NiZiH-cCzwnthoe1clyvez4nFDPXVC6HPk57CadEaAh5I_OBEunpsnYBa2IaNzY29jIYT9Yh6FUPm0iYI1sflVMiaVlnQ_tDxR6OJJylbmcDGVhQoMHiA1xeUNknKiYXCfmrPuwaQG3DEeqpAkOtuUU3fqNjrASg2MXjgE.%22,%22code%22:0}\" \"Mozilla/5.0 (Linux; U; Android 4.1.1; zh-cn; MI 2S Build/JRO03L) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 MiuiYellowPage\" \"112.65.230.236\" - - - \"-\" - > 0.000","@version":"1","@timestamp":"2015-01-22T03:24:20.095Z","type":"nginx-access","host":"vm10-140-26-24.ksc.com","path":"/micai_data/nginx_log/access.log","client_ip":"10.144.7.2","ident":"-","auth":"-","timestamp":"22/Jan/2015:11:24:19 +0800","verb":"GET","request":"/v11/css/pay.css","http_version":"1.0","domain":"cp.mi.com","response":"200","bytes":"9315","referrer":"\"http://cp.mi.com/pay/xiaomicashpay/xiaomi-cash-pay!xiaomireturndata.action?{%22result%22:%22errorCode=200&isSuccess=T¬ifyType=RETURN&orderDesc=%E5%B0%8F%E7%B1%B3%E5%BD%A9%E7%A5%A8-%E5%8F%8C%E8%89%B2%E7%90%83&outOrderId=20150122112119009284103&partnerId=10000077&payBank=NOT_APPLICABLE&payTime=1421897034&totalFee=1&tradeId=20150122112135132001060332001501&tradeStatus=TRADE_SUCCESS&sign=wmQF0NiZiH-cCzwnthoe1clyvez4nFDPXVC6HPk57CadEaAh5I_OBEunpsnYBa2IaNzY29jIYT9Yh6FUPm0iYI1sflVMiaVlnQ_tDxR6OJJylbmcDGVhQoMHiA1xeUNknKiYXCfmrPuwaQG3DEeqpAkOtuUU3fqNjrASg2MXjgE.%22,%22code%22:0}\"","agent":"\"Mozilla/5.0 (Linux; U; Android 4.1.1; zh-cn; MI 2S Build/JRO03L) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 MiuiYellowPage\"","x_forword":"112.65.230.236","upstream_content_type":"\"-\"","request_time":"0.000"
读取passwd:
"root:x:0:0:root:/root:/bin/bash", "bin:x:1:1:bin:/bin:/sbin/nologin", "daemon:x:2:2:daemon:/sbin:/sbin/nologin", "adm:x:3:4:adm:/var/adm:/sbin/nologin", "lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin", "sync:x:5:0:sync:/sbin:/bin/sync", "shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown", "halt:x:7:0:halt:/sbin:/sbin/halt", "mail:x:8:12:mail:/var/spool/mail:/sbin/nologin", "uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin", "operator:x:11:0:operator:/root:/sbin/nologin", "games:x:12:100:games:/usr/games:/sbin/nologin", "gopher:x:13:30:gopher:/var/gopher:/sbin/nologin", "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin", "nobody:x:99:99:Nobody:/:/sbin/nologin", "vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin", "saslauth:x:499:76:\"Saslauthd user\":/var/empty/saslauth:/sbin/nologin", "postfix:x:89:89::/var/spool/postfix:/sbin/nologin", "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin", "ntp:x:38:38::/etc/ntp:/sbin/nologin", "apache:x:48:48:Apache:/var/www:/sbin/nologin", "tcpdump:x:72:72::/:/sbin/nologin", "elasticsearch:x:498:498:elasticsearch user:/usr/share/elasticsearch:/sbin/nologin", "logstash:x:497:497:logstash:/opt/logstash:/sbin/nologin"
升级或配置script.groovy.sandbox.enabled: false不绑定外网IP
危害等级:高
漏洞Rank:15
确认时间:2015-03-05 17:55
该ip为合作厂商彩米公司所属,已积极联系合作厂商修复,感谢提交。
2015-03-06:彩米公司回复:1.该服务器上已经没有数据了,且已经被金山云收回;2.金山云收回服务器后没有初始化,所以我们之前没有关闭的服务还在运行(现在已经确认关闭)
