联通某平台shell导致联通106短信随意发送/或可伪造任意号码发送

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-079668

漏洞标题：联通某平台shell导致联通106短信随意发送/或可伪造任意号码发送

漏洞作者： s0mun5

提交时间：2014-10-16 21:52

修复时间：2014-11-30 21:54

公开时间：2014-11-30 21:54

漏洞类型：设计缺陷/逻辑错误

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-10-16：细节已通知厂商并且等待厂商处理中
2014-10-20：厂商已经确认，细节仅向厂商公开
2014-10-30：细节向核心白帽子及相关领域专家公开
2014-11-09：细节向普通白帽子公开
2014-11-19：细节向实习白帽子公开
2014-11-30：细节向公众公开

简要描述：

联通某平台shell导致联通106短信随意发送
目测连接联通核心短信接口，或可伪造任意号码发送

详细说明：

http://www.ums86.com/
联通的一信通企业信息服务平台

http://wenku.baidu.com/link?url=UAxsPIr3meNd8QOFLQ-UaoBPrdGbA0X5_7X-oq5QJqq9cyNFdKZGEed4T-fjmp_AABgHGBDfXj1srqkatqCCUzPRA4zjUkhNgfQRW31Mmxu

这里是对企业短信发送接口的详细介绍
访问主站后有一个账号规则变更的提示

记下演示账号 101234
在豆丁上找到内部资料
得知企业账号开通后对应的企业编号下有一个admin用户

然后密码找回存在漏洞

http://www.ums86.com/pages/retrieveMotifyPass.jsp?spCode=101234

spCode是企业id 直接访问这个页面可以绕过验证改密码

101234用admin登陆提示用户名错误，验证码不过期，遍历id 100000-110000 匹配admin
出现大量提示密码错误的，说明id正确，admin正确。随便选一个重置密码。进入管理界面。

漏洞证明：

导入通讯录功能可上传任意文件拿shell。

有数台服务器在轮询
但是数据相同
海量配置信息备份文件共享磁盘泄露
只贴出部分以证明。

<?xml version="1.0" encoding="utf-8"?>
<!-- the proxool configuration can be embedded within your own application's.
	Anything outside the "proxool" tag is ignored. -->
<something-else-entirely>
	<proxool>
		<alias>db_common</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>         
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
		<driver-properties>
			<property name="user" value="**_common" />
			<property name="password" value="**_common" />
		</driver-properties>
		<house-keeping-sleep-time>300000</house-keeping-sleep-time>
		<simultaneous-build-throttle>20</simultaneous-build-throttle>
		<prototype-count>2</prototype-count>
		<maximum-connection-count>50</maximum-connection-count>
		<maximum-active-time>3600000</maximum-active-time>
		<minimum-connection-count>2</minimum-connection-count>
		<trace>true</trace>
		<test-before-use>false</test-before-use>
		<test-after-use>false</test-after-use>
		<house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
	</proxool>
	<proxool>
		<alias>db_nx</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>        
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
		<driver-properties>
			<property name="user" value="**_nx" />
			<property name="password" value="**_nx" />
		</driver-properties>
		<house-keeping-sleep-time>300000</house-keeping-sleep-time>
		<simultaneous-build-throttle>2</simultaneous-build-throttle>
		<prototype-count>2</prototype-count>
		<maximum-connection-count>15</maximum-connection-count>
		<maximum-active-time>3600000</maximum-active-time>
		<minimum-connection-count>2</minimum-connection-count>
		<trace>true</trace>
		<test-before-use>false</test-before-use>
		<test-after-use>false</test-after-use>
		<house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
	</proxool>
	<proxool>
		<alias>db_cq</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>                
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
		<driver-properties>
			<property name="user" value="**_cq" />
			<property name="password" value="**_cq" />
		</driver-properties>
		<house-keeping-sleep-time>300000</house-keeping-sleep-time>
		<simultaneous-build-throttle>2</simultaneous-build-throttle>
		<prototype-count>2</prototype-count>
		<maximum-connection-count>15</maximum-connection-count>
		<maximum-active-time>3600000</maximum-active-time>
		<minimum-connection-count>2</minimum-connection-count>
		<trace>true</trace>
		<test-before-use>false</test-before-use>
		<test-after-use>false</test-after-use>
		<house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
	</proxool>
	<proxool>
                <alias>db_zx</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>                
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="**_zx" />
                        <property name="password" value="**_zx" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>20</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>100</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
	<proxool>
                <alias>db_sh</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>                
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="**_sh" />
                        <property name="password" value="**_sh" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>2</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>25</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
		<proxool>
                <alias>db_bh</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>                
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="**_bh" />
                        <property name="password" value="**_bh" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>2</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>25</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
		<proxool>
                <alias>db_gd</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>              
<!--<driver-url>jdbc:oracle:thin:@*.*.*.5:1521:orcl</driver-url>-->
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="**_gd" />
                        <property name="password" value="**_gd" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>10</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>50</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
		<proxool>
                <alias>db_sd</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>               
<!--<driver-url>jdbc:oracle:thin:@*.*.*.5:1521:orcl</driver-url>-->
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="**_sd" />
                        <property name="password" value="**_sd" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>5</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>25</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
		<proxool>
                <alias>db_fj</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>                
<!--<driver-url>jdbc:oracle:thin:@*.*.*.5:1521:orcl</driver-url>-->
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="**_fj" />
                        <property name="password" value="**_fj" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>5</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>25</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
		<proxool>
                <alias>db_ss</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>                
<!--<driver-url>jdbc:oracle:thin:@*.*.*.5:1521:orcl</driver-url>-->
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="**_ss" />
                        <property name="password" value="**_ss" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>2</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>25</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
		<proxool>
        <alias>db_imessage</alias>
		<driver-url>jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.223)(PORT = 1521))
			(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = orcl)))</driver-url> 
                <!--<driver-url>jdbc:oracle:thin:@*.*.*.5:1521:orcl</driver-url>-->
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="imessage" />
                        <property name="password" value="yxt1m" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>10</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>100</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
	 <proxool>
	<alias>db_imessage1</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.235)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.234)(PORT = 1521))(LOAD_BALANCE = yes)(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ltdb) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC)(RETRIES = 180) (DELAY = 5))))</driver-url>                
<!--<driver-url>jdbc:oracle:thin:@*.*.*.5:1521:orcl</driver-url>-->
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="imessage" />
                        <property name="password" value="yxt1m" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>2</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>25</maximum-connection-count>
                <maximum-active-time>3600000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
	<proxool>
        <alias>db_union_prov</alias>
                <driver-url>jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = *.*.*.223)(PORT = 1521))
                        (CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = orcl)))</driver-url>
                <!--<driver-url>jdbc:oracle:thin:@*.*.*.223:1521:orcl</driver-url>-->
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver-properties>
                        <property name="user" value="**_union_prov" />
                        <property name="password" value="ton9y1pl" />
                </driver-properties>
                <house-keeping-sleep-time>300000</house-keeping-sleep-time>
                <simultaneous-build-throttle>100</simultaneous-build-throttle>
                <prototype-count>2</prototype-count>
                <maximum-connection-count>200</maximum-connection-count>
                <maximum-active-time>240000</maximum-active-time>
                <minimum-connection-count>2</minimum-connection-count>
                <trace>true</trace>
                <test-before-use>false</test-before-use>
                <test-after-use>false</test-after-use>
                <house-keeping-test-sql>SELECT SYSDATE FROM DUAL</house-keeping-test-sql>
        </proxool>
</something-else-entirely>

至于内部短信接口，数不胜数。
这是联通官方业务，所以猜测最终接口可以伪造任意号码发送。
顾忌影响业务，不深入测试。
还有一个http://ibss.ums86.com/
业务支撑系统用户名存在注入。

库名CSP。

修复方案：

内部信息不对外。优化逻辑。

版权声明：转载请注明来源 s0mun5@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：13

确认时间：2014-10-20 13:33

厂商回复：

漏洞评价：

2014-10-16 22:58 | zzR ( 核心白帽子 | Rank:1382 漏洞数:122 | 收wb 1：5 无限量收 [平台担保])

发短信给10086 ，成天发骚扰短信
2014-10-17 09:23 | 机器猫 ( 普通白帽子 | Rank:1141 漏洞数:253 | 爱生活、爱腾讯、爱网络！)

好像很厉害的样子！
2014-10-17 09:53 | 大漠長河 ( 实习白帽子 | Rank:43 漏洞数:7 | ̷̸̨̀͒̏̃ͦ̈́̾( 天龙源景区欢迎您...)

应该是个代理服务器吧等公开
2014-10-17 13:11 | by灰客 ( 路人 | Rank:20 漏洞数:12 )

扥公开

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-079668

漏洞标题：联通某平台shell导致联通106短信随意发送/或可伪造任意号码发送

相关厂商：中国联通

漏洞作者： s0mun5

提交时间：2014-10-16 21:52

修复时间：2014-11-30 21:54

公开时间：2014-11-30 21:54

漏洞类型：设计缺陷/逻辑错误

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 s0mun5@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-079668

漏洞标题：联通某平台shell导致联通106短信随意发送/或可伪造任意号码发送

相关厂商：中国联通

漏洞作者： s0mun5

提交时间：2014-10-16 21:52

修复时间：2014-11-30 21:54

公开时间：2014-11-30 21:54

漏洞类型：设计缺陷/逻辑错误

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-079668"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 s0mun5@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：