ZooKeeper listens on port 2181 by default, and when no access control is configured an attacker can obtain a large amount of sensitive information about the host, including the system name and the Java environment, simply by issuing the envi command.
Environment Setup
The default client port for ZooKeeper is 2181.
wget https://archive.apache.org/dist/zookeeper/zookeeper-3.4.10/zookeeper-3.4.10.tar.gz
tar -zxvf zookeeper-3.4.10.tar.gz
cd zookeeper-3.4.10/
cd conf/
vi zoo.cfg
### Configure standalone mode
tickTime=2000
dataDir=/tmp/zookeeper/data
dataLogDir=/tmp/zookeeper/logs
clientPort=2181
cd ..    # back to the installation root before starting the server
bin/zkServer.sh start    # start the server
### Start the client and connect to the server
bin/zkCli.sh -server localhost:2181
Vulnerability Exploitation
The envi command retrieves the server's environment (system name, Java version, paths) remotely, using the same four-letter-word pattern as the other commands below: echo envi | ncat 127.0.0.1 2181
stat: lists statistics about performance and the connected clients. echo stat | ncat 127.0.0.1 2181
ruok: tests whether the server is running in a non-error state. echo ruok | ncat 127.0.0.1 2181
Vulnerability Mitigation
Do not expose ZooKeeper directly to the public network.
Add access control, choosing the method that fits the situation (an authenticated user with username and password, or an IP restriction).
Bind access to specified IPs (recommended):
Log in to ZooKeeper:
View the current permissions:
Add the IP that is allowed to access:
Check that it was added correctly:
Unauthorized clients can still connect, but viewing the node returns the error KeeperErrorCode = NoAuth for /; connecting via localhost no longer works either, and only the IP that was added can access the node.
Rollback method: connect from the IP that was set earlier and
set the node to be accessible by everyone:
Set up authentication
Configure appropriate access permissions for ZooKeeper.
Add an authentication user (the password is given in plain text): addauth digest username:password
Set permissions:
setAcl /path auth:username:password:permission (password in clear text)
setAcl /path digest:username:digest:permission (password in its digest form, i.e. base64 of the SHA-1 of username:password)
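As an added example (not part of the original post and not ZooKeeper's own code), the Python helper below produces the digest form needed for the setAcl digest scheme, so the plaintext password never appears in an ACL, and audits a list of ACL strings for the two mistakes this section warns about: leaving the default world:anyone:cdrwa in place, and writing a plaintext password where the digest scheme expects a hash. The ACL strings and the user alice/s3cret are constructed sample values.

```python
import base64
import hashlib
import re

PERM_LETTERS = set("cdrwa")   # create, delete, read, write, admin

def zk_digest_id(username: str, password: str) -> str:
    """Return 'username:base64(sha1(username:password))', the id the digest ACL
    scheme expects (same construction as ZooKeeper's DigestAuthenticationProvider)."""
    raw = f"{username}:{password}".encode("utf-8")
    digest = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return f"{username}:{digest}"

def setacl_digest_command(path: str, username: str, password: str,
                          perms: str = "cdrwa") -> str:
    """Build the zkCli 'setAcl' line with the password already hashed."""
    if set(perms) - PERM_LETTERS:
        raise ValueError(f"unknown permission letters in {perms!r}")
    return f"setAcl {path} digest:{zk_digest_id(username, password)}:{perms}"

def parse_acl(acl: str) -> tuple:
    """Split 'scheme:id:perms'; the id may itself contain ':' (digest ids do)."""
    scheme, _, rest = acl.partition(":")
    ident, _, perms = rest.rpartition(":")
    if not (scheme and ident and perms) or set(perms) - PERM_LETTERS:
        raise ValueError(f"malformed ACL: {acl!r}")
    return scheme, ident, perms

def risky_acls(acls) -> list:
    """Flag entries that leave a node writable by anyone, and digest ids that
    carry a plaintext password instead of base64(sha1) (such an ACL never
    matches an authenticated session, so it locks everyone out)."""
    findings = []
    for acl in acls:
        scheme, ident, perms = parse_acl(acl)
        if scheme == "world" and set(perms) - {"r"}:
            findings.append((acl, "world:anyone has more than read"))
        elif scheme == "digest":
            _, _, secret = ident.rpartition(":")
            if not re.fullmatch(r"[A-Za-z0-9+/]{27}=", secret):
                findings.append((acl, "digest id is not base64(sha1)"))
    return findings

if __name__ == "__main__":
    # Constructed sample: the default ACL, an IP entry, a mistaken plaintext
    # digest entry, and one correctly hashed entry.
    sample = ["world:anyone:cdrwa", "ip:10.0.0.5:cdrwa", "digest:alice:s3cret:rw",
              setacl_digest_command("/app", "alice", "s3cret").split()[-1]]
    for acl, why in risky_acls(sample):
        print(f"{acl}  <- {why}")
```

Paste the output of getAcl (one entry per line) into risky_acls to check a node after hardening it.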