当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-011853

漏洞标题:搜狐邮箱Struts2任意命令执行

相关厂商:搜狐

漏洞作者: 路人甲

提交时间:2012-09-07 01:15

修复时间:2012-10-22 01:15

公开时间:2012-10-22 01:15

漏洞类型:命令执行

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-09-07: 细节已通知厂商并且等待厂商处理中
2012-09-07: 厂商已经确认,细节仅向厂商公开
2012-09-17: 细节向核心白帽子及相关领域专家公开
2012-09-27: 细节向普通白帽子公开
2012-10-07: 细节向实习白帽子公开
2012-10-22: 细节向公众公开

简要描述:

http://mail.sohu.com/部分目录下测试页面存在任意命令执行漏洞。

详细说明:

http://mail.sohu.com/mapp/vote/addComment.action

漏洞证明:


jdbc:mysql://192.168.95.xx:3306/mail_app?user=mail&password=mail_@pp!?&useUnicode=true&characterEncoding=GBK
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
/usr/local/resin3/conf/resin.conf
/usr/local/src/activity/web/manage.jsp
/usr/local/src/mail_help/web/manage.jsp
/usr/local/src/mail_help.201105201733/web/manage.jsp
/usr/local/src/mail_help_0108/web/manage.jsp
/usr/local/src/my_mail_help/web/manage.jsp
/usr/local/resin3/doc/activity/manage.jsp
/usr/local/resin3/doc/mail_help/manage.jsp
/usr/local/resin3/doc/mail_help_12/manage.jsp
/usr/local/resin3/doc/mail_help_11/manage.jsp
/usr/local/resin3/doc/activity_20090916/manage.jsp
/usr/local/resin3/doc/mail_help-1/manage.jsp
/usr/local/resin3/doc/mail_help-1/mail_help_bak/manage.jsp
/usr/local/resin3/doc/mail_help_0108/manage.jsp
/opt/jy/rsync_log/mail_csm/web/vote/login.jsp
/opt/jy/rsync_log/mail_csm/web/login.jsp
/opt/zyh/file/resin-pro-4.0.0/doc/resin-doc/examples/security-basic/login.jsp
/usr/local/src/test_mail_csm/web/vote/login.jsp
/usr/local/src/test_mail_csm/web/login.jsp
/usr/local/src/score_web/web/login.jsp
/usr/local/src/score_web.200912141638/web/login.jsp
/usr/local/src/passport/web/partner/login.jsp
/usr/local/src/passport/web/sso/login.jsp
/usr/local/src/passport/web/login.jsp
/usr/local/src/mailRecommend/web/login.jsp
/usr/local/src/mail_help/web/activity/newyear/login.jsp
/usr/local/src/mail_help.201105201733/web/activity/newyear/login.jsp
/usr/local/src/score_admin/web/login.jsp
/usr/local/src/mail_csm/web/vote/login.jsp
/usr/local/src/mail_csm/web/login.jsp
/usr/local/src/mail_csm.201204101604/web/vote/login.jsp
/usr/local/src/mail_csm.201204101604/web/login.jsp
/usr/local/src/my_mail_help/web/activity/newyear/login.jsp
/usr/local/resin3/webapps/resin-doc/examples/security-basic/login.jsp
/usr/local/resin3/doc/score/login.jsp
/usr/local/resin3/doc/score_web/login.jsp
/usr/local/resin3/doc/mailRecommend/login.jsp
/usr/local/resin3/doc/mail_help/activity/newyear/login.jsp
/usr/local/resin3/doc/mail_csm/vote/login.jsp
/usr/local/resin3/doc/mail_csm/login.jsp
/usr/local/src/activity/web/help/mail/help1.jsp
/usr/local/src/activity/help/mail/help1.jsp
/usr/local/src/passport/web/help/help1.jsp
/usr/local/src/mail_help/web/help/mail/help1.jsp
/usr/local/src/mail_help.201105201733/web/help/mail/help1.jsp
/usr/local/src/mail_help_0108/web/help/mail/help1.jsp
/usr/local/src/my_mail_help/web/help/mail/help1.jsp
/usr/local/resin3/doc/activity/help/mail/sogou/help1.jsp
/usr/local/resin3/doc/activity/help/mail/chinaren/help1.jsp
/usr/local/resin3/doc/activity/help/mail/help1.jsp
/usr/local/resin3/doc/mail_help/help/mail/help1.jsp
/usr/local/resin3/doc/mail_help_12/help/mail/help1.jsp
/usr/local/resin3/doc/mail_help_11/help/mail/help1.jsp
/usr/local/resin3/doc/activity_20090916/help/mail/help1.jsp
/usr/local/resin3/doc/mail_help-1/help/mail/help1.jsp
/usr/local/resin3/doc/mail_help-1/mail_help_bak/help/mail/help1.jsp
/usr/local/resin3/doc/mail_help_0108/help/mail/help1.jsp
/usr/local/src/mail_help/web/help/mail/dream/help_udiskkehu.jsp
/usr/local/src/mail_help.201105201733/web/help/mail/dream/help_udiskkehu.jsp
/usr/local/resin3/doc/mail_help/help/mail/dream/help_udiskkehu.jsp
/opt/log/score/score.log
/opt/log/resinlog/log4j/activity.log
/opt/log/resinlog/vipmail_log4j.log
/opt/work/address_new_vip/log/6940.log
/opt/work/address_new_vip/log/6942.log
/opt/work/address_new_vip/log/6941.log
/opt/work/address_new_vip/log/6943.log
/opt/work/address_new_enterprise/log/6952.log
/opt/work/address_new_enterprise/log/6953.log
/opt/work/address_new_enterprise/log/6950.log
/opt/work/address_new_enterprise/log/6951.log
/usr/local/resin3/log1/log4j/activity.log
-rw-r--r--  1 root root 12216 2011-09-15  app-default.xml
-rw-r--r--  1 root root 12216 2009-05-14  app-default.xml.orig
-rw-r--r--  1 root root 10413 2010-04-28  recommendreg_resin.conf
-rw-r--r--  1 root root 11253  4 19 12:08 resin.conf
-rw-r--r--  1 root root 11252 2010-01-30  resin.conf.bak
-rw-r--r--  1 root root 10119 2009-05-14  resin.conf.ori
-rw-r--r--  1 root root  9970 2009-05-14  resin.conf.orig
-rw-r--r--  1 root root 11277  4 19 12:08 resin_csm.conf
-rw-r--r--  1 root root 11275  4 10 14:32 resin_csm.conf.bak
-rw-r--r--  1 root root 11307 2010-04-20  test_csm_resin.conf
drwxr-xr-x   2 root root 4096 2009-05-14  admin
drwxr-xr-x   3 root root 4096  5 10 14:22 bin
drwxr-xr-x   2 root root 4096  8 20 10:51 conf
drwxr-xr-x  15 root root 4096  4 19 12:38 doc
drwxr-xr-x   4 root root 4096 2009-05-14  ext-webapp-lib
drwxr-xr-x   2 root root 4096 2009-12-11  lib
drwxr-xr-x   2 root root 4096 2009-12-11  lib_backup
drwxr-xr-x   2 root root 4096 2009-05-14  libexec64
lrwxrwxrwx   1 root root   18 2010-01-26  log -> /opt/log/resinlog/
drwxr-xr-x   3 root root 4096 2010-01-26  log1
drwxr-xr-x   2 root root 4096 2009-10-27  logs
drwxr-xr-x   4 root root 4096 2010-01-07  mailRecommend
drwxr-xr-x   4 root root 4096 2009-05-14  php
drwxr-xr-x   4 root root 4096 2009-05-14  plugins
drwxr-xr-x   4 root root 4096 2009-05-14  webapps
eth0      Link encap:Ethernet  HWaddr 00:23:7D:35:C4:96  
          inet addr:192.168.95.26  Bcast:192.168.95.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20730868738 errors:0 dropped:129089 overruns:0 frame:0
          TX packets:24810410341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5684562052843 (5.1 TiB)  TX bytes:5237783993708 (4.7 TiB)
          Interrupt:185 Memory:f8000000-f8012100 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1019797259 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1019797259 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1096004216925 (1020.7 GiB)  TX bytes:1096004216925 (1020.7 GiB)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
htt:x:100:101:IIIMF Htt:/usr/lib64/im:/sbin/nologin
postfix:x:500:501::/home/postfix:/bin/bash
git:x:501:503::/home/git:/bin/bash
mysql:x:502:504::/home/mysql:/bin/bash
memcached:x:503:505::/home/memcached:/bin/bash
hpsmh:x:504:506::/opt/hp/hpsmh:/sbin/nologin
<!--
   - Resin 3.1 configuration file.
  -->
<resin xmlns="http://caucho.com/ns/resin"
       xmlns:resin="http://caucho.com/ns/resin/core">
  <!-- adds all .jar files under the resin/lib directory -->
  <class-loader>
    <tree-loader path="${resin.home}/ext-lib"/>
    <tree-loader path="${resin.root}/ext-lib"/>
    <tree-loader path="${resin.home}/lib"/>
    <tree-loader path="${resin.root}/lib"/>
  </class-loader>
  <!--
     - Management configuration
     -
     - Remote management requires at least one enabled admin user.
    -->
  <management path="${resin.root}/admin">
    <user name="admin" password="password" disable="true"/>
    <resin:if test="${resin.professional}">
      <deploy-service/>
      <jmx-service/>
      <log-service/>
      <xa-log-service/>
    </resin:if>
  </management>
  <!--
     - Logging configuration for the JDK logging API.
    -->
  <log name="" level="info" path="stdout:"
       timestamp="[%H:%M:%S.%s] {%{thread}} "/>
  <!--
     - 'info' for production
     - 'fine' or 'finer' for development and troubleshooting
    -->
  <logger name="com.caucho" level="info"/>
  <logger name="com.caucho.java" level="config"/>
  <logger name="com.caucho.loader" level="config"/>
  <!--
     - For production sites, change dependency-check-interval to something
     - like 600s, so it only checks for updates every 10 minutes.
    -->
  <dependency-check-interval>2s</dependency-check-interval>
  <!--
     - SMTP server for sending mail notifications
    -->
  <system-property mail.smtp.host="127.0.0.1"/>
  <system-property mail.smtp.port="25"/>
  <!--
     - Sets the default character encoding to utf-8
     -
     - <character-encoding>utf-8</character-encoding>
    -->
  <!--
     - You can change the compiler to "javac", "eclipse" or "internal".
    -->
  <!--javac compiler="internal" args="-source 1.5"/-->
  <javac compiler="javac" />
  <!-- Security providers.
     - <security-provider>
     -    com.sun.net.ssl.internal.ssl.Provider
     - </security-provider>
    -->
  <!-- Uncomment to use Resin's XML implementations
     -
     - <system-property javax.xml.parsers.DocumentBuilderFactory
     -                 ="com.caucho.xml.parsers.XmlDocumentBuilderFactory"/>
     - <system-property javax.xml.parsers.SAXParserFactory
     -                 ="com.caucho.xml.parsers.XmlSAXParserFactory"/>
    -->
  <cluster id="app-tier">
    <!-- sets the content root for the cluster, relative to server.root -->
    <root-directory>.</root-directory>
    <server-default>
      <!-- The http port -->
      <http address="*" port="8080"/>
      <!--
         - SSL port configuration:
         -
         - <http address="*" port="8443">
         -   <openssl>
         -     <certificate-file>keys/gryffindor.crt</certificate-file>
         -     <certificate-key-file>keys/gryffindor.key</certificate-key-file>
         -     <password>test123</password>
         -   </openssl>
         - </http>
        -->
      <!--
         - The JVM arguments
        -->
      <jvm-arg>-Xmx1024m</jvm-arg>
      <jvm-arg>-Xss1m</jvm-arg>
      <jvm-arg>-Xdebug</jvm-arg>
      <jvm-arg>-Dcom.sun.management.jmxremote</jvm-arg>
      <!--
         - Uncomment to enable admin heap dumps
         - <jvm-arg>-agentlib:resin</jvm-arg>
        -->
      <!--
         - arguments for the watchdog process
        -->
      <watchdog-jvm-arg>-Dcom.sun.management.jmxremote</watchdog-jvm-arg>
      <watchdog-port>6600</watchdog-port>
      <!--
         - Configures the minimum free memory allowed before Resin
         - will force a restart.
        -->
      <memory-free-min>1M</memory-free-min>
      <!-- Maximum number of threads. -->
      <thread-max>256</thread-max>
      <!-- Configures the socket timeout -->
      <socket-timeout>65s</socket-timeout>
      <!-- Configures the keepalive -->
      <keepalive-max>128</keepalive-max>
      <keepalive-timeout>15s</keepalive-timeout>
      <!--
         - If starting bin/resin as root on Unix, specify the user name
         - and group name for the web server user.
         -
         - <user-name>resin</user-name>
         - <group-name>resin</group-name>
        -->
    </server-default>
    <!-- define the servers in the cluster -->
    <server id="" address="127.0.0.1" port="6800"/>
    <!--
       - Configures the persistent store for single-server or clustered
       - in Resin professional.
      -->
    <resin:if test="${resin.professional}">
      <persistent-store type="cluster">
        <init path="session"/>
      </persistent-store>
    </resin:if>
    <!--
       - For security, use a different cookie for SSL sessions.
       - <ssl-session-cookie>SSL_JSESSIONID</ssl-session-cookie>
      -->
    <!--
       - Enables the cache (available in Resin Professional) 
      -->
    <resin:if test="${resin.professional}">
      <cache path="cache" memory-size="64M">
        <!-- Vary header rewriting for IE -->
        <rewrite-vary-as-private/>
      </cache>
    </resin:if>
    <!--
       - Enables periodic checking of the server status and
       - check for deadlocks..
       -
       - All servers can add <url>s to be checked.
      -->
    <resin:if test="${resin.professional}">
      <ping>
        <!-- <url>http://localhost:8080/test-ping.jsp</url> -->
      </ping>
    </resin:if>
    <!--
       - Defaults applied to each web-app.
      -->
    <web-app-default>
      <prologue>
        <!--
           - Extension library for common jar files.  The ext is safe
           - even for non-classloader aware jars.  The loaded classes
           - will be loaded separately for each web-app, i.e. the class
           - itself will be distinct.
          -->
        <class-loader>
          <tree-loader path="${resin.root}/ext-webapp-lib"/>
        </class-loader>
        <!--
           - Enable EL expressions in Servlet and Filter init-param
          -->
        <allow-servlet-el/>
      </prologue>
      
      <!--
         - Sets timeout values for cacheable pages, e.g. static pages.
        -->
      <cache-mapping url-pattern="/" expires="5s"/>
      <cache-mapping url-pattern="*.gif" expires="60s"/>
      <cache-mapping url-pattern="*.jpg" expires="60s"/>
      <cache-mapping url-pattern="*.png" expires="60s"/>
      <!--
         - for security, disable session URLs by default.
        -->
      <session-config>
        <enable-url-rewriting>false</enable-url-rewriting>
      </session-config>
      <!--
         - For security, set the HttpOnly flag in cookies.
         - <cookie-http-only/>
        -->
      <!--
         - Some JSP packages have incorrect .tld files.  It's possible to
         - set validate-taglib-schema to false to work around these packages.
        -->
        <jsp>
          <validate-taglib-schema>true</validate-taglib-schema>
          <fast-jstl>true</fast-jstl>
          <fast-jsf>false</fast-jsf>
        </jsp>
    </web-app-default>
    <!-- includes the app-default for default web-app behavior -->
    <resin:import path="${resin.home}/conf/app-default.xml"/>
    <!--
       - Sample database pool configuration
       -
       - The JDBC name is java:comp/env/jdbc/test
         <database>
           <jndi-name>jdbc/mysql</jndi-name>
           <driver type="org.gjt.mm.mysql.Driver">
             <url>jdbc:mysql://localhost:3306/test</url>
             <user></user>
             <password></password>
            </driver>
            <prepared-statement-cache-size>8</prepared-statement-cache-size>
            <max-connections>20</max-connections>
            <max-idle-time>30s</max-idle-time>
          </database>
      -->
    <database>
        <jndi-name>jdbc/mail_app</jndi-name>
        <driver type="com.mysql.jdbc.Driver">
            <url>jdbc:mysql://192.168.95.xxx:3306/mail_app?useServerPrepStmts=true&amp;useUnicode=true&amp;characterEncoding=utf8</url>
            <user>mail</user>
            <password>mail_@pp!?</password>
        </driver>
        <prepared-statement-cache-size>8</prepared-statement-cache-size>
        <max-connections>20</max-connections>
        <max-idle-time>30s</max-idle-time>
    </database>
    <database>
           <jndi-name>jdbc/mail_app_58</jndi-name>
           <driver type="com.mysql.jdbc.Driver">
             <url>jdbc:mysql://192.168.95.xx:3307/mail_app?useServerPrepStmts=true&amp;useUnicod
e=true&amp;characterEncoding=gbk</url>
             <user>mailapp</user>
             <password>maiL@))?</password>
            </driver>
            <prepared-statement-cache-size>8</prepared-statement-cache-size>
            <max-connections>20</max-connections>
            <max-idle-time>30s</max-idle-time>
    </database>
    <!--
       - Default host configuration applied to all virtual hosts.
      -->
    <host-default>
      <!--
         - With another web server, like Apache, this can be commented out
         - because the web server will log this information.
        -->
      <!-- access-log path="logs/access.log" 
            format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"'
            rollover-period="1W"/ -->
      <!-- creates the webapps directory for .war expansion -->
      <web-app-deploy path="webapps"/>
      <!-- creates the deploy directory for .ear expansion -->
      <ear-deploy path="deploy">
        <ear-default>
          <ejb-server>
            <config-directory>WEB-INF</config-directory>
          </ejb-server>
        </ear-default>
      </ear-deploy>
      <!-- creates the deploy directory for .rar expansion -->
      <resource-deploy path="deploy"/>
    </host-default>
    <!-- configures a deployment directory for virtual hosts -->
    <host-deploy path="hosts">
      <host-default>
        <resin:import path="host.xml" optional="true"/>
      </host-default>
    </host-deploy>
    <!-- configures the default host, matching any host name -->
    
    <host id="" root-directory=".">
      <!--
         - configures an explicit root web-app matching the
         - webapp's ROOT
        -->
      <stdout-log path='log/activity/stdout.log' rollover-period='1W' />
      <stderr-log path='log/activity/stderr.log' rollover-period='1W' />
      <web-app id="/" root-directory="doc/mail_help"/>
      <web-app id="/resin-admin" root-directory="${resin.home}/php/admin">
        <!--
           - Administration application /resin-admin
          -->
        <prologue>
          <resin:set var="resin_admin_external" value="false"/>
          <resin:set var="resin_admin_insecure" value="true"/>
        </prologue>
      </web-app>
    </host>
  </cluster>
  <!--
     - Configuration for the web-tier/load-balancer
    -->
  <resin:if test="${resin.professional}">
    <cluster id="web-tier">
      <server-default>
        <!-- The http port -->
        <http address="*" port="9080"/>
      </server-default>
      <server id="web-a" address="127.0.0.1" port="6700"/>
      <cache path="cache" memory-size="64M"/>
      <host id="">
        <web-app id="/">
           <rewrite-dispatch>
             <load-balance regexp="" cluster="app-tier"/>
           </rewrite-dispatch>
        </web-app>
      </host>
    </cluster>
  </resin:if>
</resin>

修复方案:

已修复。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2012-09-07 10:46

厂商回复:

thanks

最新状态:

暂无

漏洞评价:

评论

  1. 2012-09-07 02:34 | Henry:bobo ( 普通白帽子 | Rank:104 漏洞数:22 | 本胖吊!~又高又肥2个奶奶像地雷)

    搜狐还有这个?

  2. 2012-09-07 11:06 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    这。。。。。。。。。。。

  3. 2012-09-07 12:43 | tmp ( 路人 | Rank:15 漏洞数:1 | 此人很懒)

    这.........................

  4. 2012-09-07 14:18 | iiiiiiiii ( 普通白帽子 | Rank:680 漏洞数:89 | )

    ....

  5. 2012-09-07 14:22 | tenzy ( 普通白帽子 | Rank:176 漏洞数:21 | Need not to know)

    这。。。。。。。。。15分不足以表示事情的严重性啊

  6. 2012-10-22 01:27 | popok ( 普通白帽子 | Rank:117 漏洞数:24 | nothing)

    幸亏是sohu,要是360buy的话就。。。

  7. 2012-10-24 15:51 | wokao ( 路人 | Rank:8 漏洞数:1 | 郁闷)

    神一样的“路人甲”

  8. 2012-11-20 18:00 | hack2012 ( 实习白帽子 | Rank:31 漏洞数:3 | 关注信息安全 http://www.waitalone.cn/)

    完蛋了,还好我的邮箱不有太重要的在搜狐。