当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103151

漏洞标题:中国联通某省份WLAN认证计费系统存在命令执行(疑似被境外人员利用)

相关厂商:中国联通

漏洞作者: MyKings

提交时间:2015-03-23 12:32

修复时间:2015-05-11 13:56

公开时间:2015-05-11 13:56

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-23: 细节已通知厂商并且等待厂商处理中
2015-03-27: 厂商已经确认,细节仅向厂商公开
2015-04-06: 细节向核心白帽子及相关领域专家公开
2015-04-16: 细节向普通白帽子公开
2015-04-26: 细节向实习白帽子公开
2015-05-11: 细节向公众公开

简要描述:

RT~

详细说明:

http://202.96.74.3:8081/loginAction.action


uid=502(dhcp) gid=501(pin) ?=501(pin) ??=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:51789               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 202.96.74.3:22              103.41.124.121:55181        ESTABLISHED -                   
tcp        0      0 202.96.74.3:22              103.41.124.115:52093        ESTABLISHED -                   
tcp        0      0 202.96.74.3:22              182.100.67.113:54314        ESTABLISHED -                   
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:127.0.0.1:8006       :::*                        LISTEN      -                   
tcp        0      0 :::8009                     :::*                        LISTEN      18373/java          
tcp        0      0 :::8010                     :::*                        LISTEN      -                   
tcp        0      0 :::8011                     :::*                        LISTEN      -                   
tcp        0      0 ::ffff:202.96.74.3:8012     :::*                        LISTEN      4166/java           
tcp        0      0 ::ffff:127.0.0.1:8015       :::*                        LISTEN      -                   
tcp        0      0 :::111                      :::*                        LISTEN      -                   
tcp        0      0 :::8080                     :::*                        LISTEN      -                   
tcp        0      0 :::8081                     :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:202.96.74.3:9011     :::*                        LISTEN      4166/java           
tcp        0      0 :::56597                    :::*                        LISTEN      -                   
tcp        0      0 :::22                       :::*                        LISTEN      -                   
tcp        0      0 ::1:631                     :::*                        LISTEN      -                   
tcp        0      0 ::1:25                      :::*                        LISTEN      -                   
tcp        0      0 :::8090                     :::*                        LISTEN      -


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:51789               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -                   
tcp        0      1 202.96.74.3:60286           107.160.159.92:46463        SYN_SENT    -                   
tcp        0      0 202.96.74.3:22              182.100.67.113:44473        ESTABLISHED -                   
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:127.0.0.1:8006       :::*                        LISTEN      -                   
tcp        0      0 :::8009                     :::*                        LISTEN      18373/java          
tcp        0      0 :::8010                     :::*                        LISTEN      -                   
tcp        0      0 :::8011                     :::*                        LISTEN      -                   
tcp        0      0 ::ffff:202.96.74.3:8012     :::*                        LISTEN      4166/java           
tcp        0      0 ::ffff:127.0.0.1:8015       :::*                        LISTEN      -                   
tcp        0      0 :::111                      :::*                        LISTEN      -                   
tcp        0      0 :::8080                     :::*                        LISTEN      -                   
tcp        0      0 :::8081                     :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:202.96.74.3:9011     :::*                        LISTEN      4166/java           
tcp        0      0 :::56597                    :::*                        LISTEN      -                   
tcp        0      0 :::22                       :::*                        LISTEN      -                   
tcp        0      0 ::1:631                     :::*                        LISTEN      -                   
tcp        0      0 ::1:25                      :::*                        LISTEN      -                   
tcp        0      0 :::8090                     :::*                        LISTEN      -


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:51789               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 202.96.74.3:22              42.121.111.24:15282         ESTABLISHED -                   
tcp        0      1 202.96.74.3:44491           107.160.159.92:46463        SYN_SENT    -                   
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:127.0.0.1:8006       :::*                        LISTEN      -                   
tcp        0      0 :::8009                     :::*                        LISTEN      18373/java          
tcp        0      0 :::8010                     :::*                        LISTEN      -                   
tcp        0      0 :::8011                     :::*                        LISTEN      -                   
tcp        0      0 ::ffff:202.96.74.3:8012     :::*                        LISTEN      4166/java           
tcp        0      0 ::ffff:127.0.0.1:8015       :::*                        LISTEN      -                   
tcp        0      0 :::111                      :::*                        LISTEN      -                   
tcp        0      0 :::8080                     :::*                        LISTEN      -                   
tcp        0      0 :::8081                     :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:202.96.74.3:9011     :::*                        LISTEN      4166/java           
tcp        0      0 :::56597                    :::*                        LISTEN      -                   
tcp        0      0 :::22                       :::*                        LISTEN      -                   
tcp        0      0 ::1:631                     :::*                        LISTEN      -                   
tcp        0      0 ::1:25                      :::*                        LISTEN      -                   
tcp        0      0 :::8090                     :::*                        LISTEN      -


发现如下可以ip,都是链接的ssh的22端口,美国的这最可疑,所有链接都是晚上22-23点的时间段:
107.160.159.92:46463  -->  本站主数据:美国, 参考数据一:ARIN
182.100.67.113:44473  -->  本站主数据:江西省新余市 电信, 参考数据一:江西省 电信
42.121.111.24:15282   -->  本站主数据:浙江省杭州市 阿里云计算有限公司 阿里巴巴, 参考数据一:浙江省杭州市 阿里软件有限公司
107.160.159.92:46463  -->  本站主数据:美国, 参考数据一:ARIN
103.41.124.121:55181  -->  本站主数据:香港特别行政区, 参考数据一:APNIC
103.41.124.115:52093  -->   本站主数据:香港特别行政区,参考数据一:APNIC


硬盘空间还是蛮大的,
????	      ??  ??  ?? ??%% ???
/dev/mapper/VolGroup-lv_root
                       50G   21G   26G  45% /
tmpfs                 127G  804K  127G   1% /dev/shm
/dev/sda1             485M   40M  420M   9% /boot
/dev/mapper/VolGroup-lv_home
                      3.8T  3.2G  3.6T   1% /home


四块HBA卡,使用了NFS
-+-[0000:70]-+-00.0-[71-75]--+-00.0-[72-74]--
 |           |               \-00.1-[75]--
 |           +-01.0-[79-7b]--
 |           +-02.0-[87]--
 |           +-03.0-[84-86]--+-00.0  QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA
 |           |               \-00.1  QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA
 |           +-04.0-[88]--
 |           +-05.0-[89]--
 |           +-06.0-[8a]--
 |           +-07.0-[76-78]--+-00.0  QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA
 |           |               \-00.1  QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA
 |           +-08.0-[8b]--
 |           +-09.0-[8c]--
 |           +-0a.0-[8d]--
 |           \-14.0  Intel Corporation 5520/5500/X58 I/O Hub System Management Registers
 \-[0000:00]-+-00.0  Intel Corporation 5520/5500/X58 I/O Hub to ESI Port
             +-01.0-[0e-10]--
             +-02.0-[14]--
             +-03.0-[04]--+-00.0  NetXen Incorporated NX3031 Multifunction 1/10-Gigabit Server Adapter
             |            +-00.1  NetXen Incorporated NX3031 Multifunction 1/10-Gigabit Server Adapter
             |            +-00.2  NetXen Incorporated NX3031 Multifunction 1/10-Gigabit Server Adapter
             |            \-00.3  NetXen Incorporated NX3031 Multifunction 1/10-Gigabit Server Adapter
             +-04.0-[15]--
             +-05.0-[11-13]--
             +-06.0-[16]--
             +-07.0-[0b-0d]--
             +-08.0-[17]--
             +-09.0-[08-0a]--
             +-0a.0-[05-07]--
             +-14.0  Intel Corporation 5520/5500/X58 I/O Hub System Management Registers
             +-1c.0-[03]----00.0  Hewlett-Packard Company Smart Array G6 controllers
             +-1c.4-[02]--+-00.0  Hewlett-Packard Company Integrated Lights-Out Standard Slave Instrumentation & System Support
             |            +-00.2  Hewlett-Packard Company Integrated Lights-Out Standard Management Processor Support and Messaging
             |            \-00.4  Hewlett-Packard Company Integrated Lights-Out Standard Virtual USB Controller
             +-1d.0  Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #1
             +-1d.1  Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #2
             +-1d.2  Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #3
             +-1d.3  Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #6
             +-1d.7  Intel Corporation 82801JI (ICH10 Family) USB2 EHCI Controller #1
             +-1e.0-[01]----03.0  Advanced Micro Devices [AMD] nee ATI ES1000
             +-1f.0  Intel Corporation 82801JIB (ICH10) LPC Interface Controller
             \-1f.2  Intel Corporation 82801JI (ICH10 Family) 4 port SATA IDE Controller #1

漏洞证明:

====================================================================================================================================
eth0      Link encap:Ethernet  HWaddr D8:9D:67:77:79:C4  
          inet addr:202.96.74.3  Bcast:202.96.74.31  Mask:255.255.255.224
          inet6 addr: fe80::da9d:67ff:fe77:79c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39175926 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30504733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:7603077388 (7.0 GiB)  TX bytes:5867632669 (5.4 GiB)
          Interrupt:88 
eth1      Link encap:Ethernet  HWaddr D8:9D:67:77:79:C5  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:92 
eth2      Link encap:Ethernet  HWaddr D8:9D:67:77:79:C6  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:96 
eth3      Link encap:Ethernet  HWaddr D8:9D:67:77:79:C7  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:100 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:191051048 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191051048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:9978430086 (9.2 GiB)  TX bytes:9978430086 (9.2 GiB)


还有一台数据库机器,Oracle对外开放了1521端口
202.96.74.2:1521

修复方案:

1.升级
2.查查内网是不是被渗透了吧~

版权声明:转载请注明来源 MyKings@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-03-27 13:54

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给辽宁分中心,由辽宁分中心后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-03-23 21:08 | 李宇航的小柠檬 ( 路人 | Rank:5 漏洞数:1 | 小柠檬甜不甜)

    diao吊

  2. 2015-03-27 14:19 | 明月影 ( 路人 | Rank:12 漏洞数:8 | 学姿势,学思路。)

    厉害。

  3. 2015-05-11 15:04 | 晏子 ( 路人 | Rank:6 漏洞数:4 | 无)

    疑似被境外人员利用

  4. 2015-05-14 10:58 | 小卖部部长 ( 路人 | Rank:24 漏洞数:3 | 别拿部长不当干部!)

    哗~~~境外。。。好害怕