
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-044506

Title: Lenovo internal employee information can be leaked (email addresses, names, internal social-network account passwords and other data)

Vendor: 联想 (Lenovo)

Author: xlz0iza1

Submitted: 2013-11-30 13:08

Fixed: 2014-01-14 13:09

Published: 2014-01-14 13:09

Vulnerability type: sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-11-30: Details sent to the vendor; awaiting vendor handling
2013-12-02: Vendor has confirmed; details disclosed to the vendor only
2013-12-12: Details disclosed to core white hats and relevant domain experts
2013-12-22: Details disclosed to regular white hats
2014-01-01: Details disclosed to intern white hats
2014-01-14: Details disclosed to the public

Brief description:

Because there is no universal, standard set of defensive rules that keeps middleware configuration, DNS records, system error messages and sensitive addresses (admin or test URLs) from being disclosed, an attacker can collect this poorly protected data and use it to mount further attacks on the system. (Wording adapted from 猪猪侠.)
This report follows a chain of related findings: from one externally exposed JS file, through SQL injection, to the retrieval of internal employee information.

Detailed description:

#1: One carelessly exposed external JS file is where the whole unpleasant chain begins.
Information gathering
http://lxj.ecare365.com/script/common.js
Via common.js
Only the first part is excerpted here. This must be an administrator's oversight: the comments inside reveal a lot of related information, including internal network segments, the authentication method and the conditional logic.

var post_url = "userLogin.do";
var url = "action/CommonAction.php";
//http://10.123.51.83/lxjweb/service/userLogon?wsdl
//http://123.103.23.10/lxjweb/service/userLogon?wsdl
//
//Tested, does not work; access from 10.96.144.73 / 74 to the following addresses needs to be opened
//123.103.23.10:80
//10.123.51.81:80
//10.123.51.82:80
//10.123.51.83:80
//10.123.51.84:80
//
//10.99.238.35 :8080
//124.127.40.157 : 1026
var isLoginUsername = "";
$(function(){
    // Check whether the user is logged in
    $.ajax({
        type: "post",
        //contentType: "application/json;charset=utf-8",
        url: url,
        data: {ptype:"getusercookie"},
        dataType: "json",
        cache:false,
        success: function (result) {
            if (result != null)
            {
                if (result.result == 0)
                {
                    isLoginUsername = result.info.truename;
                    var val_ = "欢迎您,<a href=\"ChangeUserInfo.php\">"
                        + isLoginUsername
                        + "</a>"
                        + " / <a href=\"logout.php\">退出</a>";
                    $("#logindiv").html(val_);
                }
                else
                {
                    // Check whether a login cookie exists; if not, go to the login page
                    // var loc = location + "";
                    // if (
                    //     isLoginUsername == ""
                    //     && loc != "http://lxj.ecare365.com/"
                    //     && loc != "http://lxj.ecare365.com"
                    //     && loc != "lxj.ecare365.com/"
                    //     && loc != "lxj.ecare365.com"
                    //     && loc.indexOf("index.php") == -1
                    //     && loc.indexOf("login.php") == -1
                    //     && loc.indexOf("reg.php") == -1
                    //     && loc.indexOf("Features.php") == -1
                    //     && loc.indexOf("ExpertServices.php") == -1
                    //     && loc.indexOf("Help_Center.php") == -1
                    //     && loc.indexOf("reg_Success.php") == -1
                    //     && loc.indexOf("License.php") == -1
                    // )
                    // {
                    //     location.href = "login.php";
                    // }
                }
            }
            else
            {
                // Check whether a login cookie exists; if not, go to the login page
                // var loc = location + "";
                // if (
                //     isLoginUsername == ""
                //     && loc != "http://lxj.ecare365.com/"
                //     && loc != "http://lxj.ecare365.com"
                //     && loc != "lxj.ecare365.com/"
                //     && loc != "lxj.ecare365.com"
                //     && loc.indexOf("index.php") == -1
                //     && loc.indexOf("login.php") == -1
                //     && loc.indexOf("reg.php") == -1
                //     && loc.indexOf("Features.php") == -1
                //     && loc.indexOf("ExpertServices.php") == -1
                //     && loc.indexOf("Help_Center.php") == -1
                //     && loc.indexOf("reg_Success.php") == -1
                //     && loc.indexOf("License.php") == -1
                // )
                // {
                //     location.href = "login.php";
                // }
            }
        }
    });
});
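The comments above are the kind of leak a pre-deployment check catches before a file reaches the public web root. The following Python script is an added example for this write-up; it is not part of the report or of the leaked site code. It scans a JavaScript file's line comments for RFC 1918 addresses, embedded URLs and infrastructure keywords and reports each with its line number. The sample input is constructed in the style of common.js with made-up addresses; the keyword list is an assumption a team would tune to its own environment.

```python
import ipaddress
import re

# Constructed sample in the style of the exposed common.js. The addresses are
# RFC 1918 and RFC 5737 documentation ranges chosen for this example; they are
# not the addresses from the report.
SAMPLE_JS = """\
var post_url = "userLogin.do";
var url = "action/CommonAction.php";
//http://10.0.0.5/app/service/userLogon?wsdl
//http://203.0.113.10/app/service/userLogon?wsdl
//
//Tested, does not work; access from 10.1.2.3 / 4 to the addresses below must be opened
//10.0.0.6:80
//10.0.0.7:80
var isLoginUsername = "";
$(function(){
    // Check whether the user is logged in
    $.ajax({ url: url, data: {ptype: "getusercookie"} });
});
"""

# A "//" that is not part of a "scheme://" starts a line comment. Strings that
# contain "//" without a preceding colon would be flagged too, which is acceptable
# for an audit that prefers false positives over missed leaks.
COMMENT_RE = re.compile(r"(?<!:)//(.*)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed keyword list: words that usually mean a comment describes infrastructure or secrets.
HINT_WORDS = ("wsdl", "password", "passwd", "secret", "token", "intranet", "internal")


def audit_js(source):
    """Return (line_no, kind, value) findings for comments that leak infrastructure detail.

    kind is one of "private-ip", "other-ip", "url" or "keyword".
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = COMMENT_RE.search(line)
        if not match:
            continue
        comment = match.group(1)
        for url in URL_RE.findall(comment):
            findings.append((line_no, "url", url))
        for ip_text in IPV4_RE.findall(comment):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:  # e.g. 999.1.1.1 looks like an address but is not one
                continue
            kind = "private-ip" if any(ip in net for net in RFC1918) else "other-ip"
            findings.append((line_no, kind, ip_text))
        lowered = comment.lower()
        for word in HINT_WORDS:
            if word in lowered:
                findings.append((line_no, "keyword", word))
    return findings


def summarize(findings):
    """Count findings by kind; any private-ip or url finding should fail the deployment gate."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_js(SAMPLE_JS)
    for line_no, kind, value in results:
        print(f"line {line_no}: {kind}: {value}")
    print(summarize(results))
```

Run it against every static asset in the build output; a single private address or internal endpoint in a file served to browsers should block the release, since minification does not remove comments that a developer left in for their own reference.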


[Image: QQ图片20131130103326.jpg]


Further data collected from the information above
SVN source leakage
http://street.atlenovo.com/.svn/all-wcprops
http://street.atlenovo.com/.svn/entries
http://t.atlenovo.com/.svn/all-wcprops
http://street.atlenovo.com/.svn/entries
http://ce.atlenovo.com/.svn/all-wcprops
http://ce.atlenovo.com/.svn/entries
Injection vulnerabilities:
http://ce.atlenovo.com/notice_info.php?id=1
http://ce.atlenovo.com/kb_info.php?id=1
http://ce.atlenovo.com/feedback_info.php?id=1
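The three URLs above share one shape: a numeric `id` parameter that the page concatenates into its SQL. The following Python module is an added illustration, not the site's PHP code, and uses an in-memory SQLite table constructed for the example in place of the real notice table. It places the vulnerable pattern next to the hardened form, which validates the parameter's type first and then binds it, so the request value can never become part of the SQL text. The table and column names are assumptions.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for the table behind a notice_info.php?id= page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notice (id INTEGER PRIMARY KEY, title TEXT, visibility TEXT)")
    conn.executemany(
        "INSERT INTO notice VALUES (?, ?, ?)",
        [
            (1, "Maintenance window", "public"),
            (2, "Internal memo", "restricted"),
            (3, "Draft announcement", "restricted"),
        ],
    )
    return conn


def notice_info_vulnerable(conn, id_param):
    """The pattern behind the report's injectable pages: the request parameter is
    pasted straight into the SQL string, so its content is interpreted as SQL."""
    sql = "SELECT id, title FROM notice WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def notice_info_hardened(conn, id_param):
    """Hardened form: enforce the expected type, then pass the value as a bound
    parameter. Anything that is not a positive integer is rejected before any
    query runs, and a bound value is data to the database, never SQL."""
    try:
        notice_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    if notice_id <= 0:
        raise ValueError("id must be positive")
    return conn.execute("SELECT id, title FROM notice WHERE id = ?", (notice_id,)).fetchall()


def rejects(conn, id_param):
    """True if the hardened handler refuses the parameter; used to show the contrast."""
    try:
        notice_info_hardened(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, id=1         ->", notice_info_vulnerable(db, "1"))
    print("vulnerable, id=1 OR 1=1  ->", notice_info_vulnerable(db, "1 OR 1=1"))
    print("hardened,   id=1         ->", notice_info_hardened(db, "1"))
    print("hardened,   id=1 OR 1=1  -> rejected:", rejects(db, "1 OR 1=1"))
```

The same two-step rule (validate the type, bind the value) applies to the PHP pages in the report via PDO or mysqli prepared statements; the point of the contrast is that the vulnerable function returns every row, including restricted ones, for a parameter that was never a valid id, while the hardened one never reaches the database with it.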

+-----------------------------------------------+
| dt20130225-20130310                           |
| tp20130114-20130115                           |
| tp20130128-20130201                           |
| web20130107-20130203                          |
| web20130225-20130310                          |
| web20130311-20130324                          |
| web20130325-20130407                          |
| web20130408-20130421                          |
| web20130422-20130505                          |
| web20130506-20130519                          |
| web20130520-20130526                          |
| web20130527-20130602                          |
| web20130617-20130630                          |
| web20130701-20130714                          |
| web20130715-20130728                          |
| asm_actions |
| asm_ar |
| asm_ar_security |
| asm_arfile |
| asm_article |
| asm_assets |
| asm_assets_borrowhis |
| asm_assets_dl_security |
| asm_assets_security |
| asm_purchase_flow |
| asm_purchase_flow_process |
| asm_purchase_flow_sub1 |
| asm_purchase_flow_sub2 |
| asm_role_actions |
| asm_role_users |
| asm_roles |
| cc_article |
| cc_comments |
| cc_course |
| cc_feedback |
| cc_teacher |
| cc_type |
| cc_user |
| cc_video |
| chat_customgroup |
| chat_pals |
| chat_session |
| chat_transfer_fileinfo |
| chat_txt |
| chat_users |
| chatroom_channel |
| chatroom_group |
| chatroom_links |
| chatroom_message |
| chatroom_robot |
| chatroom_users |
| dtindex |
| dtrules |
| ec_cmsarticle |
| ec_cmsarticle2 |
| ec_cmstype |
| ec_cmstype2 |
| ec_comment |
| ec_core |
| ec_experience |
| ec_feedback |
| ec_feedlog |
| ec_feedtype |
| ec_function |
| ec_log |
| ec_products |
| ec_producttype |
| ec_rolefunction |
| ec_roles |
| ec_roleuser |
| im_admin |
| im_c2s |
| im_department |
| im_department_member |
| im_domain |
| im_group |
| im_group_fileshare |
| im_group_leaveword |
| im_group_leaveword_20120222 |
| im_group_leaveword_20130307 |
| im_group_member |
| im_group_member_20130307 |
| im_group_member_bak |
| im_group_offlinefile |
| im_group_type |
| im_ims_bulletin |
| im_ims_friend |
| im_ims_friend_20120626 |
| im_ims_friend_20120628 |
| im_ims_friend_20120703 |
| im_ims_friend_20121101 |
| im_ims_group |
| im_ims_info |
| im_ims_leaveword |
| im_ims_memo |
| im_ims_offlinefile |
| im_live |
| im_mc |
| im_mcu |
| im_meetinggrp |
| im_meetingmember |
| im_msg |
| im_orgfile |
| im_orgfile_user |
| im_p2pfile |
| im_privilege |
| im_user_fileshare |
| im_users |
| im_users_20120530 |
| im_vod |
| im_worklog |
| lxjportal_help |
| lxjportal_help_type |
| sns_ad |
| sns_app |
| sns_app_user |
| sns_attach |
| sns_blog |
| sns_blog_category |
| sns_blog_config |
| sns_blog_item |
| sns_blog_mention |
| sns_blog_outline |
| sns_blog_source |
| sns_blog_subscribe |
| sns_bug |
| sns_bug_category |
| sns_bug_coopt |
| sns_bug_edition |
| sns_bug_log |
| sns_chat |
| sns_chatroom |
| sns_chatroom_rooms |
| sns_chatroom_sort |
| sns_comment |
| sns_credit_setting |
| sns_credit_type |
| sns_edu_search |
| sns_event |
| sns_event_config |
| sns_event_opts |
| sns_event_photo |
| sns_event_type |
| sns_event_user |
| sns_feed |
| sns_feed_del |
| sns_feed_template |
| sns_feedback |
| sns_fg |
| sns_field_name |
| sns_friend |
| sns_friend_black |
| sns_friend_group |
| sns_friend_hide |
| sns_friend_ping |
| sns_friend_tip |
| sns_gift |
| sns_gift_category |
| sns_group |
| sns_group_album |
| sns_group_attachement |
| sns_group_category |
| sns_group_log |
| sns_group_member |
| sns_group_photo |
| sns_group_post |
| sns_group_setting |
| sns_group_topic |
| sns_group_topic_collect |
| sns_info_category |
| sns_info_content |
| sns_invite |
| sns_links |
| sns_login_record |
| sns_mini |
| sns_mini_config |
| sns_msg |
| sns_network |
| sns_notify |
| sns_notify_relationship |
| sns_notify_template |
| sns_option |
| sns_photo |
| sns_photo_album |
| sns_photo_index |
| sns_photo_love |
| sns_photo_mark |
| sns_poster |
| sns_poster_small_type |
| sns_poster_type |
| sns_poster_widget |
| sns_privacy |
| sns_privacy_index |
| sns_report |
| sns_saveemail |
| sns_share |
| sns_share_set |
| sns_site |
| sns_smile |
| sns_space |
| sns_system_group |
| sns_system_node |
| sns_system_popedom |
| sns_system_user_rank |
| sns_tag |
| sns_tag_index |
| sns_user |
| sns_user_app |
| sns_user_attach |
| sns_user_gift |
| sns_user_info |
| sns_user_online |
| sns_user_score |
| sns_user_search |
| sns_visitor |
| sns_vote |
| sns_vote_comment |
| sns_vote_config |
| sns_vote_opt |
| sns_vote_user |
| sns_wall |
| sns_work_search |
| t_blacklist |
| t_buddys |
| t_credits_log |
| t_credits_rule |
| t_credits_rule_log |
| t_cron |
| t_failedlogins |
| t_group |
| t_groupfields |
| t_imjiqiren_client_user |
| t_invite |
| t_ip_banned |
| t_log |
| t_medal |
| t_media |
| t_member_validate |
| t_memberfields |
| t_members |
| t_my_tag |
| t_my_topic_tag |
| t_notice |
| t_onlinetime |
| t_pms |
| t_report |
| t_robot |
| t_robot_ip |
| t_robot_log |
| t_role |
| t_role_action |
| t_role_module |
| t_sessions |
| t_tag |
| t_tag_favorite |
| t_task |
| t_task_log |
| t_topic |
| t_topic_favorite |
| t_topic_image |
| t_topic_mention |
| t_topic_more |
| t_topic_music |
| t_topic_reply |
| t_topic_show |
| t_topic_tag |
| t_topic_video |
| t_topicforwarview |
| t_topicview |
| t_url |
| t_user_tag |
| t_user_tag_fields |
| t_validate |
| t_wall |
| t_wall_draft |
| t_wall_material |
| t_wall_playlist |
| t_weather |
| t_xwb_bind_info |
| t_xwb_bind_topic |
| tpindex |
| userinfo |
| webindex |
| webrules |
+-----------------------------------------------+


I dumped one of the tables through the injection. The volume of data is huge, and since I am rather lazy I did not carry out any further injection testing.

Table: cc_user
[9 columns]
+-------------+---------------------+
| Column | Type |
+-------------+---------------------+
| create_time | int(10) unsigned |
| dept | varchar(300) |
| email | varchar(255) |
| snsid | varchar(100) |
| uid | int(11) unsigned |
| user_name | varchar(50) |
| user_pass | varchar(255) |
| user_type | tinyint(4) unsigned |
| weibo | varchar(255) |
+-------------+---------------------+


The cc_user table contains the accounts, passwords and email addresses of more than 1,500 employees, administrators included.

[Image: QQ图片20131130125813.jpg]


The sns_user table contains the accounts, passwords and email addresses of more than 2,920 employees, administrators included.

[Image: 1.jpg]

Proof of vulnerability:

#1: Proof

[Image: QQ图片20131129233303.jpg]


[Image: 2.jpg]


[Image: 3.jpg]


[Image: 4.jpg]


Other related information

[Image: 5.jpg]


[Image: 6.jpg]


SVN proof

[Image: QQ图片20131130130411.jpg]

Fix recommendations:

#1 Security is a whole: what secures a system is not how strong its strong points are, but where its genuinely weak points lie.
#2 Eliminate system configuration errors
#3 Configure the network perimeter properly

Copyright notice: when reposting, please credit the source: xlz0iza1@乌云
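Recommendation #2 covers the SVN exposure directly: the checkout was deployed as the web root with its `.svn` directory in place, and the web server served `entries` and `all-wcprops` like any other file. A cheap control is an audit that runs on the deployed document root and fails if any version-control metadata is present. The script below is an added example, not part of the report; it builds a small constructed web root in a temporary directory (paths and contents made up for the example) and walks it for `.svn`, `.git` and similar directories, noting which of the high-value files are present.

```python
import os
import tempfile

# Directory names that version-control tools leave in a checkout. Deploying a
# checkout as a web root publishes them unless the server blocks the path.
VCS_DIRS = {".svn", ".git", ".hg", ".bzr"}

# Files inside those directories that disclose the most. The report shows the
# first two .svn entries being fetched; wc.db is the equivalent in newer SVN
# working copies. The .git list is an assumption for the example.
HIGH_VALUE_FILES = {
    ".svn": ["entries", "all-wcprops", "wc.db"],
    ".git": ["HEAD", "config", "index"],
}


def find_vcs_metadata(webroot):
    """Return sorted (relative_dir, present_high_value_files) for every VCS
    metadata directory found under webroot."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in list(dirnames):
            if name not in VCS_DIRS:
                continue
            full = os.path.join(dirpath, name)
            present = [
                f for f in HIGH_VALUE_FILES.get(name, [])
                if os.path.exists(os.path.join(full, f))
            ]
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            hits.append((rel, present))
            dirnames.remove(name)  # no need to descend into the metadata itself
    return sorted(hits)


def build_demo_webroot(base):
    """Constructed web root: one clean app plus two checkouts deployed with
    their metadata directories still inside."""
    layout = {
        "clean/index.php": "<?php echo 'ok';",
        "street/.svn/entries": "12\n",
        "street/.svn/all-wcprops": "K 25\n",
        "ce/.git/HEAD": "ref: refs/heads/master\n",
        "ce/.git/config": "[core]\n",
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return base


def audit_demo():
    """Build the constructed tree and audit it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_vcs_metadata(build_demo_webroot(tmp))


if __name__ == "__main__":
    for rel, present in audit_demo():
        print(f"exposed metadata: {rel}  high-value files present: {present}")
```

Any non-empty result should fail the deployment. The audit complements, rather than replaces, a server rule that refuses dot-directories outright (for example an nginx `location ~ /\.(svn|git)` block returning 404), because the export step that strips metadata is exactly the step people forget.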


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-12-02 11:25

Vendor reply:

Thank you for your contribution to Lenovo's security! We will evaluate and fix the related vulnerabilities immediately.

Latest status:

None yet


Vulnerability ratings:

Comments

  1. 2014-01-14 16:23 | Ivan ( intern white hat | Rank:81 vulnerabilities:9 | just a noob)

    Some of the names on the leaked list... I actually know them.