当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-024389

漏洞标题:某省科学技术厅存在多项严重漏洞(远程破解连接VNC),可沦陷!

相关厂商:山西省科学技术厅

漏洞作者: xsleaf

提交时间:2013-05-24 10:38

修复时间:2013-07-08 10:39

公开时间:2013-07-08 10:39

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-05-24: 细节已通知厂商并且等待厂商处理中
2013-05-25: 厂商已经确认,细节仅向厂商公开
2013-06-04: 细节向核心白帽子及相关领域专家公开
2013-06-14: 细节向普通白帽子公开
2013-06-24: 细节向实习白帽子公开
2013-07-08: 细节向公众公开

简要描述:

山西省科学技术厅网站存在jeecms、FCKeditor、Struts2执行等诸多漏洞,已拿到管理权,可沦陷~~

详细说明:

ping www.sxinfo.gov.cn 得到IP地址 218.26.227.165
扫端口 得到
218.26.227.165: 80
218.26.227.165: 5357
218.26.227.165: 8009
218.26.227.165: 8021 FTP
218.26.227.165: 8090 VNC
观察网站特征 发现是jeecms
搜索 .do?
得到http://218.26.227.165/book/topic/vote/Com_content.do?label=2012news&id=8a8a899b3d803908013d80a578e10016
测试 存在Struts2执行漏洞

QQ截图sxinfo00.jpg


执行命令 whoami 得到是nt authority\system
执行 命令导出 VNC4注册表

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\]
"UpdateMethod"=dword:00000002
"HTTPPortNumber"="7990"
"PortNumber"="8090"
"AllowHTTP"="0"
"UserPasswdVerifier"="VncAuth"
"Password"="f2c4e23faa4fbb480125ac29043183b7"


解密VNC4密码得到 sxinfo165VNC
接着寻找有价值的信息,得到FileZilla Server.xml内容

<FileZillaServer>
    <Settings>
        <Item name="Serverports" type="string">8021</Item>
        <Item name="Number of Threads" type="numeric">2</Item>
        <Item name="Maximum user count" type="numeric">0</Item>
        <Item name="Timeout" type="numeric">120</Item>
        <Item name="No Transfer Timeout" type="numeric">600</Item>
        <Item name="Allow Incoming FXP" type="numeric">0</Item>
        <Item name="Allow outgoing FXP" type="numeric">0</Item>
        <Item name="No Strict In FXP" type="numeric">0</Item>
        <Item name="No Strict Out FXP" type="numeric">0</Item>
        <Item name="Login Timeout" type="numeric">60</Item>
        <Item name="Show Pass in Log" type="numeric">0</Item>
        <Item name="Custom PASV IP type" type="numeric">0</Item>
        <Item name="Custom PASV IP" type="string" />
        <Item name="Custom PASV min port" type="numeric">0</Item>
        <Item name="Custom PASV max port" type="numeric">0</Item>
        <Item name="Initial Welcome Message" type="string">%v&#x0D;&#x0A;written by Tim Kosse (Tim.Kosse@gmx.de)&#x0D;&#x0A;Please visit http://sourceforge.net/projects/filezilla/</Item>
        <Item name="Admin port" type="numeric">14147</Item>
        <Item name="Admin Password" type="string" />
        <Item name="Admin IP Bindings" type="string" />
        <Item name="Admin IP Addresses" type="string" />
        <Item name="Enable logging" type="numeric">1</Item>
        <Item name="Logsize limit" type="numeric">100</Item>
        <Item name="Logfile type" type="numeric">0</Item>
        <Item name="Logfile delete time" type="numeric">0</Item>
        <Item name="Use GSS Support" type="numeric">0</Item>
        <Item name="GSS Prompt for Password" type="numeric">0</Item>
        <Item name="Download Speedlimit Type" type="numeric">0</Item>
        <Item name="Upload Speedlimit Type" type="numeric">0</Item>
        <Item name="Download Speedlimit" type="numeric">10</Item>
        <Item name="Upload Speedlimit" type="numeric">10</Item>
        <Item name="Buffer Size" type="numeric">32768</Item>
        <Item name="Custom PASV IP server" type="string">http://ip.filezilla-project.org/ip.php</Item>
        <Item name="Use custom PASV ports" type="numeric">0</Item>
        <Item name="Mode Z Use" type="numeric">0</Item>
        <Item name="Mode Z min level" type="numeric">1</Item>
        <Item name="Mode Z max level" type="numeric">9</Item>
        <Item name="Mode Z allow local" type="numeric">0</Item>
        <Item name="Mode Z disallowed IPs" type="string" />
        <Item name="IP Bindings" type="string">*</Item>
        <Item name="IP Filter Allowed" type="string" />
        <Item name="IP Filter Disallowed" type="string" />
        <Item name="Hide Welcome Message" type="numeric">0</Item>
        <Item name="Enable SSL" type="numeric">0</Item>
        <Item name="Allow explicit SSL" type="numeric">1</Item>
        <Item name="SSL Key file" type="string" />
        <Item name="SSL Certificate file" type="string" />
        <Item name="Implicit SSL ports" type="string">990</Item>
        <Item name="Force explicit SSL" type="numeric">0</Item>
        <Item name="Network Buffer Size" type="numeric">65536</Item>
        <Item name="Force PROT P" type="numeric">0</Item>
        <Item name="SSL Key Password" type="string" />
        <Item name="Allow shared write" type="numeric">0</Item>
        <Item name="No External IP On Local" type="numeric">1</Item>
        <Item name="Active ignore local" type="numeric">1</Item>
        <Item name="Autoban enable" type="numeric">1</Item>
        <Item name="Autoban attempts" type="numeric">20</Item>
        <Item name="Autoban type" type="numeric">0</Item>
        <Item name="Autoban time" type="numeric">1</Item>
        <Item name="Service name" type="string" />
        <Item name="Service display name" type="string" />
        <Item name="Enable HASH" type="numeric">0</Item>
        <Item name="Disable IPv6" type="numeric">0</Item>
        <SpeedLimits>
            <Download />
            <Upload />
        </SpeedLimits>
    </Settings>
    <Groups>
        <Group Name="admin">
            <Option Name="Bypass server userlimit">0</Option>
            <Option Name="User Limit">0</Option>
            <Option Name="IP Limit">0</Option>
            <Option Name="Enabled">1</Option>
            <Option Name="Comments"></Option>
            <Option Name="ForceSsl">0</Option>
            <IpFilter>
                <Disallowed />
                <Allowed />
            </IpFilter>
            <Permissions>
                <Permission Dir="D:">
                    <Option Name="FileRead">1</Option>
                    <Option Name="FileWrite">1</Option>
                    <Option Name="FileDelete">1</Option>
                    <Option Name="FileAppend">1</Option>
                    <Option Name="DirCreate">1</Option>
                    <Option Name="DirDelete">1</Option>
                    <Option Name="DirList">1</Option>
                    <Option Name="DirSubdirs">1</Option>
                    <Option Name="IsHome">1</Option>
                    <Option Name="AutoCreate">0</Option>
                </Permission>
            </Permissions>
            <SpeedLimits DlType="1" DlLimit="10" ServerDlLimitBypass="0" UlType="1" UlLimit="10" ServerUlLimitBypass="0">
                <Download />
                <Upload />
            </SpeedLimits>
        </Group>
    </Groups>
    <Users>
        <User Name="zgy">
            <Option Name="Pass">7b3c2b91f989a63886b58738c9a1eb69</Option>
            <Option Name="Group">admin</Option>
            <Option Name="Bypass server userlimit">2</Option>
            <Option Name="User Limit">0</Option>
            <Option Name="IP Limit">0</Option>
            <Option Name="Enabled">2</Option>
            <Option Name="Comments"></Option>
            <Option Name="ForceSsl">2</Option>
            <IpFilter>
                <Disallowed />
                <Allowed />
            </IpFilter>
            <Permissions />
            <SpeedLimits DlType="0" DlLimit="10" ServerDlLimitBypass="2" UlType="0" UlLimit="10" ServerUlLimitBypass="2">
                <Download />
                <Upload />
            </SpeedLimits>
        </User>
        <User Name="jiay">
            <Option Name="Pass">8f14519f5b3a5205512b0457a9348a0c</Option>
            <Option Name="Group"></Option>
            <Option Name="Bypass server userlimit">0</Option>
            <Option Name="User Limit">0</Option>
            <Option Name="IP Limit">0</Option>
            <Option Name="Enabled">1</Option>
            <Option Name="Comments"></Option>
            <Option Name="ForceSsl">0</Option>
            <IpFilter>
                <Disallowed />
                <Allowed />
            </IpFilter>
            <Permissions>
                <Permission Dir="D:\tomcat7\webapps">
                    <Option Name="FileRead">1</Option>
                    <Option Name="FileWrite">1</Option>
                    <Option Name="FileDelete">1</Option>
                    <Option Name="FileAppend">1</Option>
                    <Option Name="DirCreate">1</Option>
                    <Option Name="DirDelete">1</Option>
                    <Option Name="DirList">1</Option>
                    <Option Name="DirSubdirs">1</Option>
                    <Option Name="IsHome">1</Option>
                    <Option Name="AutoCreate">0</Option>
                </Permission>
                <Permission Dir="E:">
                    <Option Name="FileRead">1</Option>
                    <Option Name="FileWrite">0</Option>
                    <Option Name="FileDelete">0</Option>
                    <Option Name="FileAppend">0</Option>
                    <Option Name="DirCreate">0</Option>
                    <Option Name="DirDelete">0</Option>
                    <Option Name="DirList">1</Option>
                    <Option Name="DirSubdirs">1</Option>
                    <Option Name="IsHome">0</Option>
                    <Option Name="AutoCreate">0</Option>
                </Permission>
            </Permissions>
            <SpeedLimits DlType="0" DlLimit="10" ServerDlLimitBypass="0" UlType="0" UlLimit="10" ServerUlLimitBypass="0">
                <Download />
                <Upload />
            </SpeedLimits>
        </User>
        <User Name="kjtweback">
            <Option Name="Pass">59b90f920e73ad5fd73835c3e34b5125</Option>
            <Option Name="Group"></Option>
            <Option Name="Bypass server userlimit">0</Option>
            <Option Name="User Limit">0</Option>
            <Option Name="IP Limit">0</Option>
            <Option Name="Enabled">1</Option>
            <Option Name="Comments"></Option>
            <Option Name="ForceSsl">0</Option>
            <IpFilter>
                <Disallowed />
                <Allowed />
            </IpFilter>
            <Permissions>
                <Permission Dir="D:">
                    <Option Name="FileRead">1</Option>
                    <Option Name="FileWrite">0</Option>
                    <Option Name="FileDelete">0</Option>
                    <Option Name="FileAppend">0</Option>
                    <Option Name="DirCreate">1</Option>
                    <Option Name="DirDelete">0</Option>
                    <Option Name="DirList">1</Option>
                    <Option Name="DirSubdirs">1</Option>
                    <Option Name="IsHome">1</Option>
                    <Option Name="AutoCreate">0</Option>
                </Permission>
            </Permissions>
            <SpeedLimits DlType="0" DlLimit="10" ServerDlLimitBypass="0" UlType="0" UlLimit="10" ServerUlLimitBypass="0">
                <Download />
                <Upload />
            </SpeedLimits>
        </User>
        <User Name="wangzz">
            <Option Name="Pass">0566a3e064b7bbd689e6c94e74bdf248</Option>
            <Option Name="Group"></Option>
            <Option Name="Bypass server userlimit">0</Option>
            <Option Name="User Limit">0</Option>
            <Option Name="IP Limit">0</Option>
            <Option Name="Enabled">1</Option>
            <Option Name="Comments"></Option>
            <Option Name="ForceSsl">0</Option>
            <IpFilter>
                <Disallowed />
                <Allowed />
            </IpFilter>
            <Permissions>
                <Permission Dir="D:">
                    <Option Name="FileRead">1</Option>
                    <Option Name="FileWrite">1</Option>
                    <Option Name="FileDelete">1</Option>
                    <Option Name="FileAppend">1</Option>
                    <Option Name="DirCreate">0</Option>
                    <Option Name="DirDelete">0</Option>
                    <Option Name="DirList">1</Option>
                    <Option Name="DirSubdirs">1</Option>
                    <Option Name="IsHome">1</Option>
                    <Option Name="AutoCreate">0</Option>
                </Permission>
            </Permissions>
            <SpeedLimits DlType="0" DlLimit="10" ServerDlLimitBypass="0" UlType="0" UlLimit="10" ServerUlLimitBypass="0">
                <Download />
                <Upload />
            </SpeedLimits>
        </User>
    </Users>
</FileZillaServer>


破解MD5得到
zgy
7b3c2b91f989a63886b58738c9a1eb69
1984922
wangzz
0566a3e064b7bbd689e6c94e74bdf248
791215
等等~
继续导出sam等,破解windows登陆密码
最终拿下服务器~~~

漏洞证明:

QQ截图sxinfo1.jpg


QQ截图sxinfo2.jpg


QQ截图sxinfo3.jpg


QQ截图sxinfo4.jpg


QQ截图sxinfo5.jpg


QQ截图sxinfo6.jpg


QQ截图sxinfo7.jpg

修复方案:

亲,我真的不会修复~~~
所有操作都没有进行任何破坏行为,拒收顺丰~拒绝查水表~~
送礼物 发圆通~~~嘿嘿

版权声明:转载请注明来源 xsleaf@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2013-05-25 21:11

厂商回复:

CNVD确认并复现所述远程代码执行漏洞情况(后续情况未直接复现),已在24日转由CNCERT下发山西分中心,由其后续协调网站管理方处置。
按通用软件漏洞进行评分,rank 6

最新状态:

暂无

漏洞评价:

评论

  1. 2013-05-24 14:22 | ╰╃清風 ( 实习白帽子 | Rank:89 漏洞数:9 | 这家伙很懒,什么都没有留下)

    补不完

  2. 2013-05-26 12:53 | xsleaf ( 实习白帽子 | Rank:52 漏洞数:5 | 探索无尽的网海~)

    坑啊~ 才rank 6 早知这样,就不报啦,养肉鸡玩了

  3. 2013-07-08 11:17 | Ivan ( 实习白帽子 | Rank:81 漏洞数:9 | 小菜逼一个)

    这才6分啊……