I. Vulnerability details
ZooKeeper is a distributed, open-source coordination service for distributed applications. It is an open-source implementation of Google's Chubby and an important component of Hadoop and HBase. It provides consistency services for distributed applications, including configuration maintenance, naming service, distributed synchronization and group service.
ZooKeeper listens on port 2181 by default. After installation it requires no authentication by default, so an attacker can remotely use ZooKeeper to collect sensitive information from the server or disrupt the ZooKeeper cluster (for example with the kill command). An attacker can execute every command that should only be run by an administrator.
II. Exploitation (no authorization configured)
1. envi: prints details about the server environment.
[root@centos7 bin]# echo envi |nc 192.168.43.101 2181
Environment:
zookeeper.version=3.4.6-1569965, built on 02/20/2014 09:09 GMT
host.name=localhost
java.version=1.8.0_181
java.vendor=Oracle Corporation
java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre
java.class.path=/usr/local/src/zookeeper-3.4.6/bin/../build/classes:/usr/local/src/zookeeper-3.4.6/bin/../build/lib/*.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/slf4j-log4j12-1.6.1.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/slf4j-api-1.6.1.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/netty-3.7.0.Final.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/log4j-1.2.16.jar:/usr/local/src/zookeeper-3.4.6/bin/../lib/jline-0.9.94.jar:/usr/local/src/zookeeper-3.4.6/bin/../zookeeper-3.4.6.jar:/usr/local/src/zookeeper-3.4.6/bin/../src/java/lib/*.jar:/usr/local/src/zookeeper-3.4.6/bin/../conf:
java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.io.tmpdir=/tmp
java.compiler=<NA>
os.name=Linux
os.arch=amd64
os.version=3.10.0-957.el7.x86_64
user.name=root
user.home=/root
user.dir=/usr/local/src/zookeeper-3.4.6/bin
2. ruok: tests whether the server is running in a non-error state.
[root@centos7 bin]# echo ruok |nc 192.168.43.101 2181
imok
3. reqs: lists outstanding requests. (There are none on my side.)
[root@centos7 bin]# echo reqs |nc 192.168.43.101 2181
4. dump: lists outstanding sessions and ephemeral nodes.
[root@centos7 bin]# echo dump |nc 192.168.43.101 2181
SessionTracker dump:
Session Sets (3):
0 expire at Mon Jun 26 17:08:38 CST 2023:
0 expire at Mon Jun 26 17:08:48 CST 2023:
1 expire at Mon Jun 26 17:08:58 CST 2023:
0x188f02e23b10008
ephemeral nodes dump:
Sessions with Ephemerals (0):
5. stat: lists statistics about performance and connected clients.
[root@centos7 bin]# echo stat |nc 192.168.43.101 2181
Zookeeper version: 3.4.6-1569965, built on 02/20/2014 09:09 GMT
Clients:
/192.168.43.102:50186[0](queued=0,recved=1,sent=0)
/127.0.0.1:43916[1](queued=0,recved=114,sent=114)
Latency min/avg/max: 0/0/160
Received: 887
Sent: 886
Connections: 2
Outstanding: 0
Zxid: 0x19
Mode: standalone
Node count: 4
III. Remediation
Many remediation methods can be found online, for example restricting access by IP with ZooKeeper ACLs.
1. Restrict by IP
Two machines are used for verification, with IPs 192.168.43.101 and 192.168.43.102, both running the same ZooKeeper version.
(1) Log in to the ZooKeeper client on machine 101
[root@centos7 bin]# ./zkCli.sh
[zk: localhost:2181(CONNECTED) 0] ls /
[zookeeper]
[zk: localhost:2181(CONNECTED) 1] getAcl /
'world,'anyone
: cdrwa
Remote access from machine 102
[root@centos7 bin]# ./zkCli.sh
[zk: localhost:2181(CONNECTED) 1] connect 192.168.43.101:2181
2023-06-26 17:16:27,504 [myid:] - INFO [main:ZooKeeper@684] - Session: 0x188f6acabb40000 closed
2023-06-26 17:16:27,505 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=192.168.43.101:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@15615099
2023-06-26 17:16:27,505 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@512] - EventThread shut down
[zk: 192.168.43.101:2181(CONNECTING) 2] 2023-06-26 17:16:27,508 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@975] - Opening socket connection to server 192.168.43.101/192.168.43.101:2181. Will not attempt to authenticate using SASL (unknown error)
2023-06-26 17:16:27,510 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@852] - Socket connection established to 192.168.43.101/192.168.43.101:2181, initiating session
2023-06-26 17:16:27,513 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server 192.168.43.101/192.168.43.101:2181, sessionid = 0x188f02e23b1000b, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
ls /
[zookeeper]
[zk: 192.168.43.101:2181(CONNECTED) 3]
(2) Set ACL permissions
Set permissions on machine 101
[zk: localhost:2181(CONNECTED) 1] getAcl /
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 2] setAcl / ip:127.0.0.1:cdrwa
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x0
cversion = -1
dataVersion = 0
aclVersion = 6
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1
[zk: localhost:2181(CONNECTED) 3] getAcl /
'ip,'127.0.0.1
: cdrwa
Machine 102 connects to ZooKeeper on 101, and access fails
[zk: localhost:2181(CONNECTED) 1] connect 192.168.43.101:2181
2023-06-26 17:18:46,902 [myid:] - INFO [main:ZooKeeper@684] - Session: 0x188f6acabb40001 closed
2023-06-26 17:18:46,902 [myid:] - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=192.168.43.101:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@11028347
[zk: 192.168.43.101:2181(CONNECTING) 2] 2023-06-26 17:18:46,903 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@512] - EventThread shut down
2023-06-26 17:18:46,905 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@975] - Opening socket connection to server 192.168.43.101/192.168.43.101:2181. Will not attempt to authenticate using SASL (unknown error)
2023-06-26 17:18:46,907 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@852] - Socket connection established to 192.168.43.101/192.168.43.101:2181, initiating session
2023-06-26 17:18:46,911 [myid:] - INFO [main-SendThread(192.168.43.101:2181):ClientCnxn$SendThread@1235] - Session establishment complete on server 192.168.43.101/192.168.43.101:2181, sessionid = 0x188f02e23b1000c, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: 192.168.43.101:2181(CONNECTED) 3] ls /
Authentication is not valid : /
After setting the ACL, the vulnerability scan still returns system information: the four-letter-word commands (envi, stat, dump and so on) are answered by the server directly on the raw TCP connection, before any session exists, so znode ACLs do not apply to them.
2. Configure a firewall on the ZooKeeper server
# Allow the specified IP to access port 2181; remember to add the local machine's IP as well, otherwise the local machine cannot reach ZooKeeper either
[root@centos7 ~]# iptables -A INPUT -s 192.168.43.101 -p tcp --dport 2181 -j ACCEPT
# Drop all other requests to port 2181
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 2181 -j DROP
The vulnerability scan now times out
[root@centos7 conf]# echo envi |nc 192.168.43.101 2181
Ncat: Connection timed out.
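As an added example (not part of the original post), the following Python script automates the checks in sections II and III from the defender's side: four_letter_word() performs the same raw-TCP exchange as echo stat | nc, parse_stat() parses the stat reply shown in section II, and check_exposure() reports whether port 2181 still answers without authentication or is filtered, as it is after the iptables DROP rule. The function names and the abridged sample reply are constructed for this example.

```python
import socket

# Abridged copy of the 'stat' reply shown in section II, used as test input
SAMPLE_STAT = """Zookeeper version: 3.4.6-1569965, built on 02/20/2014 09:09 GMT
Clients:
 /192.168.43.102:50186[0](queued=0,recved=1,sent=0)
 /127.0.0.1:43916[1](queued=0,recved=114,sent=114)
Latency min/avg/max: 0/0/160
Connections: 2
Mode: standalone
Node count: 4
"""

def four_letter_word(host, port, cmd, timeout=3.0):
    # Same exchange as 'echo stat | nc host 2181': raw TCP, no session, no authentication.
    # Raises OSError (timeout/refused) when the port is filtered, as after the iptables DROP rule.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cmd.encode("ascii"))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_stat(text):
    # Client lines -> (address, recved, sent); other 'Key: value' lines are keyed by
    # lower-case name with '_' for spaces, numeric values converted to int.
    info = {"clients": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Zookeeper version:"):
            info["version"] = line.split(":", 1)[1].split(",")[0].strip()
        elif line.startswith("/"):
            addr, rest = line.split("[", 1)
            counters = dict(kv.split("=") for kv in rest.split("(", 1)[1].rstrip(")").split(","))
            info["clients"].append((addr, int(counters["recved"]), int(counters["sent"])))
        elif line != "Clients:":
            key, _, val = (part.strip() for part in line.partition(":"))
            info[key.lower().replace(" ", "_")] = int(val) if val.isdigit() else val
    return info

def check_exposure(host, port=2181):
    # 'filtered': no answer (firewall); 'exposed': stat answered without auth; 'closed': anything else
    try:
        reply = four_letter_word(host, port, "stat")
    except OSError:
        return "filtered"
    return "exposed" if "Zookeeper version:" in reply else "closed"
```

Run check_exposure("192.168.43.101") from a host that should not have access: "exposed" means the unauthenticated commands from section II still work, "filtered" is the expected result once the firewall rules are in place.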