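Vulnerability Summary

Vulnerability ID: wooyun-2015-0109129

Vulnerability title: Misconfiguration of an external detection system at the National Internet Emergency Center (CNCERT) allows command execution

Vendor: National Internet Emergency Center (CNCERT)

Reported by: fuckadmin

Submitted: 2015-04-20 08:30

Fixed: 2015-06-08 09:18

Published: 2015-06-08 09:18

Vulnerability type: System/service operations misconfiguration

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; if you have questions or need help, contact [email protected]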


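Vulnerability Details

Disclosure status:

2015-04-20: Details reported to the vendor; awaiting vendor handling
2015-04-24: Vendor confirmed; details disclosed to the vendor only
2015-05-04: Details disclosed to core white hats and experts in related fields
2015-05-14: Details disclosed to regular white hats
2015-05-24: Details disclosed to intern white hats
2015-06-08: Details disclosed to the public

Brief description:

Found this by accident; after digging deeper, it turned out to be fairly serious.

Detailed description:

I. Basic information
System name: Cloud-computing-based network security risk detection system
IP: 111.205.121.12 (it also has an IPv6 address)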

tcp        0      0 111.205.121.12:49170        193.0.202.245:443           ESTABLISHED 
tcp 0 0 111.205.121.12:34465 193.0.202.24:443 ESTABLISHED
tcp 0 0 111.205.121.12:54542 193.0.202.24:443 ESTABLISHED
tcp 0 0 111.205.121.12:59601 193.0.202.24:443 ESTABLISHED
tcp 0 0 111.205.121.12:48729 193.0.202.24:443 ESTABLISHED
tcp 0 0 ::ffff:111.205.121.12:80 ::ffff:219.128.219.1:2069 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:53306 ::ffff:127.0.0.1:42664 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:42718 ::ffff:127.0.0.1:15006 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:53306 ::ffff:127.0.0.1:42612 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:53306 ::ffff:127.0.0.1:42665 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:38577 ::ffff:127.0.0.1:15005 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:53306 ::ffff:127.0.0.1:42636 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:15006 ::ffff:127.0.0.1:42718 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:42612 ::ffff:127.0.0.1:53306 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:42637 ::ffff:127.0.0.1:53306 ESTABLISHED
tcp 0 0 2001:da8:a0:102::f125:55379 2001:da8:a0:102::f002:30000 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:42665 ::ffff:127.0.0.1:53306 ESTABLISHED
tcp 0 0 2001:da8:a0:102::f125:60806 2001:da8:a0:102::f128:61616 ESTABLISHED
tcp 0 0 2001:da8:a0:102::f125:58106 2001:da8:a0:102::f128:61616 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:15005 ::ffff:127.0.0.1:38577 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:42636 ::ffff:127.0.0.1:53306 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:53306 ::ffff:127.0.0.1:42637 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:42664 ::ffff:127.0.0.1:53306 ESTABLISHED
tcp 0 0 2001:da8:a0:102::f125:60807 2001:da8:a0:102::f128:61616 ESTABLISHED


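Developer: Topsec (analysis follows)
II. The problem
After deeper analysis, this system appears to have been developed by Topsec specifically for CNCERT (no description of the system can be found online).
The system uses JBoss as its communication middleware, and invoker/JMXInvokerServlet is exposed externally with no access restrictions.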

1.jpg


2.jpg


III. Going deeper after getshell

3.jpg


The deployment staff's reference manual

4.jpg


This confirmed my guess
Topsec's template file

<?xml version="1.0" encoding="utf-8"?>
<configs xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.topsec.com.cn"
xsi:schemaLocation="http://www.topsec.com.cn config.xsd">
<global>
<injects>
<!-- inject key="sysmailserver" springbean="testinject"/ -->
<inject key="sysmailserver" class="com.topsec.tsm.tal.response.respimp.mail.MailCfgCatcher"/>
<inject key="sysbackuppath" class="com.topsec.tsm.tal.response.respimp.archive.BackupCfgCatcher"/>
</injects>
<blocks>
<block key="connectport" name="璇烽??╅?璁???? desc="杩???扮‖浠剁???>
<item key="smscomport" value="COM3" name="杩???朵娇??N)" itemtype="SelectItem" showArgs="COM1=:COM1;;COM2=:COM2;;COM3=:COM3;;COM4=:COM4"/>
<item key="smsbaudrate" value="9600" name="姣??浣??(B)" itemtype="SelectItem" showArgs="9600=:9600;;57600=:57600;;115200=:115200"/>
</block>
<block key="msgnotify" name="???娑??" desc="???娑??">
<item key="title" value="" name="???" valuetype="string" itemtype="InputItem" notnull="true" size="100"/>
<item key="content" value="" name="???" valuetype="special_str" itemtype="EditItem" notnull="true" size="100"/>
</block>
<block key="mailserver" name="??欢????? type="hide" inject_class="sysmailserver"/>
<block key="backuppath" name="澶?唤璺??" type="hide" inject_class="sysbackuppath"/>
</blocks>
</global>

<!-- 绯荤???疆锛??浠舵??″? -->
<config key="sys_cfg_mailserver" name="??欢????? desc="??欢???浠ュ?璁″??ヨ〃涓???????欢??娇?ㄧ???欢????ㄤ俊?? type="action.type.system" subType="system">
<defaultblock>
<item key="serverip" value="" name="??欢?????P" valuetype="ip" itemtype="InputItem"/>
<item key="serverport" value="" name="??欢????ㄧ??? valuetype="num" itemtype="InputItem" size="65535"/>
<item key="mailsender" value="" name="??欢???浜? valuetype="mail" itemtype="InputItem" size="100"/>
<item key="loginaccount" value="" name="?ㄦ??? itemtype="InputItem" size="100"/>
<item key="loginpwd" value="" name="?d护" itemtype="PasswordItem" size="100"/>
</defaultblock>
</config>

</configs>


IV. Some important configuration files
1. MySQL database configuration file

<?xml version="1.0" encoding="UTF-8"?>
<datasources>
<local-tx-datasource>
<jndi-name>SIM_DS</jndi-name>
<connection-url><![CDATA[jdbc:mysql://127.0.0.1:53306/sim?useUnicode=true&characterEncoding=utf8]]></connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<user-name>root</user-name>
<password>talent123</password>
<min-pool-size>5</min-pool-size>
<max-pool-size>50</max-pool-size>
</local-tx-datasource>
</datasources>


2. Node configuration file

topsec.tsm.node.id=Linux-Service
topsec.tsm.node.name=service
topsec.tsm.node.type=Service
topsec.tsm.node.autonomy=false
topsec.tsm.node.ip=[2001:da8:a0:102::f125]
topsec.tsm.node.commandTimeout=5000
topsec.tsm.node.superip=[2001:da8:1:fffe::f128]
topsec.tsm.node.superport=61616
topsec.tsm.node.localip=[2001:da8:1:fffe::f128]
topsec.tsm.node.basepath=../conf/node
topsec.tsm.node.local.jms.type=ACTIVEMQ_CONNECTOR
topsec.tsm.node.local.jms.url=failover:(tcp://%s:61616?wireFormat.maxInactivityDuration=300000)
topsec.tsm.node.local.jms.ip=[2001:da8:1:fffe::f128]
topsec.tsm.node.local.jms.keystore.file=./node/myclient.ks
topsec.tsm.node.local.jms.keystore.pass=password
topsec.tsm.node.local.jms.truststore.file=./node/myclient.ts
topsec.tsm.node.local.jms.truststore.pass=password
topsec.tsm.node.superior.jms.type=ACTIVEMQ_CONNECTOR
topsec.tsm.node.superior.jms.url=failover:(tcp://%s:61616?wireFormat.maxInactivityDuration=300000)
topsec.tsm.node.superior.jms.ip=[2001:da8:1:fffe::f128]
topsec.tsm.node.superior.jms.keystore.file=./node/myclient.ks
topsec.tsm.node.superior.jms.keystore.pass=password
topsec.tsm.node.superior.jms.truststore.file=./node/myclient.ts
topsec.tsm.node.superior.jms.truststore.pass=password


messageconfiguration.xml

<?xml version="1.0" encoding="utf-8" ?> 
<messageconfiguration>
<placeholderlocations>
<placeholderlocation location="../conf/node/node.properties"/>
</placeholderlocations>
<sessions>
<session name="Local">
<destination type="TOPIC" name="LOCAL_COMMAND" realname="com.topsec.tsm.topic.smpcommand" isrecv="true" selector="MDNd='.' OR MDNd='SMP'"/>
<destination type="TOPIC" name="LOCAL_KEEPALIVE" realname="com.topsec.tsm.topic.smpkeepalive" isrecv="true" selector="MDNd='.' OR MDNd='SMP'"/>
<destination type="TOPIC" name="LOCAL_RAWEVENT" realname="com.topsec.tsm.topic.smpsecurityevent" isrecv="true" />
<destination type="TOPIC" name="LOCAL_COMPRESSRAWEVENT" realname="com.topsec.tsm.topic.smpcompresssecurityevent" isrecv="true"/>
<destination type="TOPIC" name="LOCAL_AUDIT" realname="com.topsec.tsm.topic.audit" isrecv="false" selector="MDNd='.' OR MDNd='SMP'"/>
<destination type="TOPIC" name="LOCAL_LOG" realname="com.topsec.tsm.topic.smplog" isrecv="true" selector="MDNd='.' OR MDNd='SMP'"/>
<destination type="TOPIC" name="LOCAL_ALARM" realname="com.topsec.tsm.topic.smpalarm" isrecv="true" selector="MDNd='.' OR MDNd='SMP'" />
<destination type="TOPIC" name="LOCAL_MONITOR" realname="com.topsec.tsm.topic.smpmonitor" isrecv="true" selector="MDNd='.' OR MDNd='SMP'" />
<destination type="TOPIC" name="LOCAL_DEVMONITOR" realname="com.topsec.tsm.topic.smpdevmonitor" isrecv="true" selector="MDNd='.' OR MDNd='SMP'" />
<destination type="TOPIC" name="LOCAL_LICENSE" realname="com.topsec.tsm.topic.smplicense" isrecv="true"/>
<!--destination type="TOPIC" name="LU_LOCAL_KEEPALIVE" realname="com.topsec.tsm.topic.smplukeepalive" isrecv="true" selector="MDNd='.' OR MDNd='SMP'"/-->
</session>
</sessions>
<connectors>
<connector type="ACTIVEMQ_CONNECTOR" name="Local" ip="localhost" urlpattern="tcp://${topsec.tsm.node.local.jms.ip}:61616?wireFormat.maxInactivityDuration=300000" testtimes="3" testinterval="5" user="admin" pass="secretjms">
<session name="Local"/>
</connector>
<!--
<connector type="ACTIVEMQ_CONNECTOR" name="Local" ip="localhost" urlpattern="vm://localhost" testtimes="3" testinterval="5" user="admin" pass="secretjms">
<session name="Local"/>
</connector>
<connector type="ACTIVEMQ_SSL_CONNECTOR" name="AQ_72.112" ip="192.168.72.229" urlpattern="ssl://%s:61617" testtimes="3" testinterval="5">
<context>
keystore.file=../server/default/conf/myclient.ks
keystore.password=password
truststore.file=../server/default/conf/myclient.ts
truststore.password=password
</context>
<session name="AQ_72.112"/>
</connector>
-->
</connectors>
<channelgroup>
<cluster type="SEQUENCE_EQUALIZER_BACKUP">
<connector name="Local"/>
</cluster>
<channel name="LOCAL_COMMAND" messagetype="OBJECT_MESSAGE"/>
<channel name="LOCAL_KEEPALIVE" messagetype="OBJECT_MESSAGE"/>
<channel name="LOCAL_RAWEVENT" messagetype="OBJECT_MESSAGE"/>
<channel name="LOCAL_MONITOR" messagetype="OBJECT_MESSAGE"/>
<channel name="LOCAL_COMPRESSRAWEVENT" messagetype="OBJECT_MESSAGE"/>
<channel name="LOCAL_AUDIT" messagetype="OBJECT_MESSAGE"/>
<channel name="LOCAL_ALARM" messagetype="OBJECT_MESSAGE"/>
<!--channel name="LU_LOCAL_COMMAND" messagetype="OBJECT_MESSAGE"/>
<channel name="LU_LOCAL_KEEPALIVE" messagetype="OBJECT_MESSAGE"/-->
</channelgroup>
</messageconfiguration>


There are many more configuration files, but it's late at night, so I'll stop digging here.

Remediation:

1. Remove the interface
2. Restrict access
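
One way to verify fix item 2 (restrict access) from the deployment's own files, as an added example that is not part of the original report or the vendor's code: it reads the web.xml of the JBoss HTTP invoker web application and reports invoker servlet paths that no authenticated security-constraint covers. The servlet path list, the function names and the three sample descriptors are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Servlet paths inside the /invoker web app. Assumed from the usual JBoss
# invoker.war layout; the page itself only names invoker/JMXInvokerServlet.
INVOKER_PATHS = ["/JMXInvokerServlet", "/EJBInvokerServlet"]

def _named(elem, name):
    """Children called `name`, ignoring any XML namespace on the tag."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in _named(elem, name)]

def _matches(pattern, path):
    """Servlet url-pattern rules: '/prefix/*', '*.ext', otherwise exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def audit_invoker_web_xml(web_xml, paths=INVOKER_PATHS):
    """Return {path: reason} for paths reachable without a role; {} means all covered."""
    root = ET.fromstring(web_xml)
    findings = {}
    for path in paths:
        reason, protected = "no security-constraint covers this path", False
        for sc in _named(root, "security-constraint"):
            has_auth = bool(_named(sc, "auth-constraint"))
            for wrc in _named(sc, "web-resource-collection"):
                if not any(_matches(p, path) for p in _texts(wrc, "url-pattern")):
                    continue
                methods = _texts(wrc, "http-method")
                if has_auth and not methods:
                    protected = True
                elif has_auth:
                    # Listing methods leaves every unlisted method unconstrained.
                    reason = "auth only for " + ",".join(methods)
                else:
                    reason = "matching constraint has no auth-constraint"
        if not protected:
            findings[path] = reason
    return findings

def _descriptor(url_pattern, methods=""):
    return ("<web-app><security-constraint><web-resource-collection>"
            "<web-resource-name>HttpInvokers</web-resource-name>"
            "<url-pattern>%s</url-pattern>%s</web-resource-collection>"
            "<auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>"
            "</security-constraint></web-app>" % (url_pattern, methods))

# Constructed samples: constraint misses the servlets / covers two methods only / covers all.
EXPOSED = _descriptor("/restricted/*", "<http-method>GET</http-method>")
PARTIAL = _descriptor("/*", "<http-method>GET</http-method><http-method>POST</http-method>")
HARDENED = _descriptor("/*")

if __name__ == "__main__":
    for label, xml_text in (("exposed", EXPOSED), ("partial", PARTIAL), ("hardened", HARDENED)):
        print(label, audit_invoker_web_xml(xml_text))
```

An empty result only shows that the descriptor demands a role for every method; network-level filtering of the /invoker context still has to be checked separately.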

Copyright notice: please credit the source fuckadmin@WooYun when reposting


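Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-04-24 09:17

Vendor reply:

CNVD confirmed and reproduced the reported issue, and has passed it to CNCERT to coordinate handling by its internal departments.

Latest status:

None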


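Vulnerability Comments:

Comments

  1. 2015-04-20 08:34 | 孤独行者 ( Regular white hat | Rank:110 Vulnerabilities:44 | Time is like water, always silent. If you are well, it is a sunny day)

    Front row.. first comment

  2. 2015-04-20 08:47 | 一只猿 ( Regular white hat | Rank:463 Vulnerabilities:89 | Research focus: hardware and wireless communications)

    Command execution.... well~

  3. 2015-04-20 09:18 | 圣路西法 ( Passerby | Rank:4 Vulnerabilities:3 | Watching the experts...)

    Watching

  4. 2015-04-20 09:55 | 茜茜公主 ( Regular white hat | Rank:2360 Vulnerabilities:406 | Our second baby was just born; these past months have been all diapers...)

    This IP range is worth a scan

  5. 2015-04-20 10:33 | JotPot ( Intern white hat | Rank:61 Vulnerabilities:10 | Newbie)

    Big brother got hacked

  6. 2015-04-24 11:35 | f4ck ( Intern white hat | Rank:42 Vulnerabilities:7 | Some people are really something; they can farm one vulnerability into N.)

  7. 2015-06-01 15:08 | 大漠長河 ( Intern white hat | Rank:43 Vulnerabilities:7 | Welcome to the Tianlongyuan scenic area...)

    Clearly I got here too late..... impressive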