当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144762

漏洞标题:内蒙铁通骨干路由配置信息泄露可导致批量扫描与登录(SNMP获取密码与路由配置过程)

相关厂商:铁通公司

漏洞作者: 烤土豆

提交时间:2015-10-04 16:05

修复时间:2015-11-26 09:32

公开时间:2015-11-26 09:32

漏洞类型:网络未授权访问

危害等级:中

自评Rank:9

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-04: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经确认,细节仅向厂商公开
2015-10-22: 细节向核心白帽子及相关领域专家公开
2015-11-01: 细节向普通白帽子公开
2015-11-11: 细节向实习白帽子公开
2015-11-26: 细节向公众公开

简要描述:

很简单啊,把我市铁通的路由器+交换机扫了一个遍,能成功的登陆上了,好像还有一个是bgp的路由器。

详细说明:

放假时候在家无聊,想想测一下我家的铁通怎么样。于是百度了一下pppoe接口的ip,没想到竟然百度到了这个
http://**.**.**.**/view/8b0f0d718e9951e79b892786.html?from=search。。

1.png


这个就是我市铁通某一个骨干路由器的配置文档。。。真是猪一样的队友。虽然这份配置文件上,什么用户名密码啥的变了,但是给了好多接口IP的网段。可以方便NMAP去扫描IP网段。而且最重要的是,他的SNMP密码没有改变,好像是全内蒙的铁通都是这个SNMP密码。。。但是通辽那边的SNMP好像做ACL限制了,外人不能随便访问。可是赤峰铁通的这个就没有做限制,可以随便访问。下载一个SNMPWALK的小工具,就可以读取路由器的各种信息了。
首先,把他所有的接口的IP读出来,用NMAP扫描一下。
只要是开放telnet 23端口的,八成都是路由器。看型号,基本上都是华为的路由器。而华为路由器之前有一个漏洞,可以通过SNMP来获取到用户名密码。根据提示,获取到了几个路由器的密码,成功登陆上去。
路由器这种基础网络设备一般没人敢随便升级去,好好的不出问题升级他干嘛啊。所以呢,当有了安全漏洞,也没有及时去修复。现在的互联网安全这么重要,你还敢吧BGP的路由器也这么干。虽然这个BGP是IBGP,但是那也挺重要的呀。而且你们做好了工程呢,不要随便吧配置文件传网上,虽然你说什么密码是都加密了。可是你知道吗,华为,华三,HP的路由器,有了那种加密的密码,是可以还原密码的。不信你去GITHUB上去搜一下就有。就算你都改了,但是你SNMP密码没改啊,间接的把内蒙铁通的路由器SNMP密码暴露了。我也就看了一下赤峰的,估计其他地方的,这个问题更加严重。。。。
不过呢,也应该感谢你们,毕竟让我学到了好多运营商架构的网络

漏洞证明:

这个是四道湾镇的路由器配置

<SiDaoWan_3300>dis current-configuration
#
 sysname SiDaoWan_3300
#
 router id **.**.**.**
#
 vlan batch 1 10 to 12 20 30 to 31 35 50 to 61 99 257 321 411
 vlan batch 1000 to 1015 2000 to 2105 3004 3500 to 3501 3556 to 3558 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813
 vlan batch 3900 to 3902 3910 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981 4000
#
 cluster enable
 ntdp enable
 ntdp hop 16
 ndp enable
#
 voice-vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Simens phone
 voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000 description Cisco phone
 voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
 voice-vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips/NEC phone
 voice-vlan mac-address 00d0-1e00-0000 mask ffff-ff00-0000 description Pingtel phone
 voice-vlan mac-address 00e0-7500-0000 mask ffff-ff00-0000 description Polycom phone
 voice-vlan mac-address 00e0-bb00-0000 mask ffff-ff00-0000 description 3com phone
#
 undo http server enable
 
interface Vlanif1
#
interface Vlanif10
 description To ZhongXinJu9306_B
 ip address **.**.**.** **.**.**.**
#
interface Vlanif11
 description dianyuanjiankong
 ip address **.**.**.** **.**.**.**
#
interface Vlanif30
 mtu 1560
 description To XinHuiS3300
 ip address **.**.**.** **.**.**.**
#
interface Vlanif3556
 description me60-1-1-guanli
  ip address **.**.**.** **.**.**.**
#
interface Vlanif3558
#
interface Ethernet0/0/1
 description dongwanzi-xinmin-damuchang5615
 port trunk allow-pass vlan 3004 3901 3965 3971 3980
 port hybrid untagged vlan 50
 bpdu enable
 qinq vlan-translation enable
 port vlan-stacking vlan 1 to 400 push vlan 50 priority-inherit
 port vlan-stacking vlan 500 to 600 push vlan 50 priority-inherit
 port vlan-mapping external-vlan 3965 map-external-vlan 3965 priority-inherit
 port vlan-mapping external-vlan 3971 map-external-vlan 3971 priority-inherit
 port vlan-mapping external-vlan 3980 map-external-vlan 3980 priority-inherit
 port vlan-mapping external-vlan 3901 map-external-vlan 3901 priority-inherit
 port vlan-mapping external-vlan 3004 map-external-vlan 3004 priority-inherit
 ntdp enable
 ndp enable
#
interface Ethernet0/0/2
 description bajia_baijiadian_qujiawan_shanzui
 port trunk allow-pass vlan 3501 3900 3967 to 3968 3970 3974 3981
 port hybrid untagged vlan 51
 bpdu enable
 qinq vlan-translation enable
 port vlan-stacking vlan 1 to 500 push vlan 51 priority-inherit
 port vlan-stacking vlan 501 to 600 push vlan 51 priority-inherit
 port vlan-stacking vlan 601 to 1000 push vlan 51 priority-inherit
 port vlan-mapping external-vlan 3900 map-external-vlan 3900 priority-inherit
 port vlan-mapping external-vlan 3968 map-external-vlan 3968 priority-inherit
 port vlan-mapping external-vlan 3970 map-external-vlan 3970 priority-inherit
 port vlan-mapping external-vlan 3974 map-external-vlan 3974 priority-inherit
 port vlan-mapping external-vlan 3501 map-external-vlan 3501 priority-inherit
 port vlan-mapping external-vlan 3981 map-external-vlan 3981 priority-inherit
 port vlan-mapping external-vlan 3967 map-external-vlan 3967 priority-inherit
 ntdp enable
 ndp enable
#
interface Ethernet0/0/3
 description xiaoheyan-dongwanzi5615
 port trunk allow-pass vlan 3004 3901 to 3902 3950 3971 3980
 port hybrid untagged vlan 52
 bpdu enable
 qinq vlan-translation enable
 port vlan-stacking vlan 1 to 300 push vlan 52 priority-inherit
 port vlan-stacking vlan 301 to 1000 push vlan 52 priority-inherit
 port vlan-mapping external-vlan 3901 map-external-vlan 3901 priority-inherit
 port vlan-mapping external-vlan 3950 map-external-vlan 3950 priority-inherit
 port vlan-mapping external-vlan 3971 map-external-vlan 3971 priority-inherit
 port vlan-mapping external-vlan 3980 map-external-vlan 3980 priority-inherit
 port vlan-mapping external-vlan 3004 map-external-vlan 3004 priority-inherit
 ntdp enable
 ndp enable
#
interface Ethernet0/0/4
 description sidanwanjiliansidaowan
 port trunk allow-pass vlan 2000 3965
 port hybrid untagged vlan 59
 undo negotiation auto
 bpdu enable
 qinq vlan-translation enable
 port vlan-stacking vlan 100 to 500 push vlan 59 priority-inherit
 port vlan-mapping external-vlan 2000 map-external-vlan 2000 priority-inherit
 port vlan-mapping external-vlan 3965 map-external-vlan 3965 priority-inherit
 ntdp enable
 ndp enable
#
interface Ethernet0/0/5
 port default vlan 11
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/6
 description bajia3300
 port trunk allow-pass vlan 51 3501 3900 3955 3967 to 3968 3970 3974 3981
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/7
 description shipinjiankong
 port link-type access
 port default vlan 3801
 undo negotiation auto
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/8
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/9
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/10
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/11
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/12
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/13
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/14
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/15
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/16
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/17
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/18
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/19
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/20
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/21
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/22
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/23
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface Ethernet0/0/24
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface GigabitEthernet0/0/1
 description to BAS1-1 GE2/0/8
 port trunk allow-pass vlan 10 to 12 20 30 to 31 35 50 to 61 99 257 321 411 1000 to 1015
 port trunk allow-pass vlan 2000 to 2015 3004 3500 to 3501 3556 to 3557 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813
 port trunk allow-pass vlan 3910 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981 4000
 jumboframe enable 13296
 bpdu enable
 ntdp enable
 ndp enable
#
interface GigabitEthernet0/0/2
 port default vlan 1
 bpdu enable
 ntdp enable
 ndp enable
#
interface GigabitEthernet0/0/3
 description beiyong to xinhui3300 ge0/0/3
 port trunk allow-pass vlan 11 30 50 to 52 59 99 257 1000 to 1015 2000 to 2015 3004 3501
 port trunk allow-pass vlan 3801 3900 to 3902 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981
 combo-port copper
   undo negotiation auto
   speed 1000
 combo-port media type
   combo-port auto
 jumboframe enable 13296
 bpdu enable
 ntdp enable
 ndp enable
#
interface GigabitEthernet0/0/4
 description To XinHuiS3300
 port trunk allow-pass vlan 12 20 30 to 31 35 53 to 61 257 411 1000 to 1015 2001 to 2015 3500
 port trunk allow-pass vlan 3557 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813 3902 3910 3955 3967
 port trunk allow-pass vlan 3981 4000
 combo-port media type
   combo-port auto
 jumboframe enable 13296
 bpdu enable
 ntdp enable
 ndp enable
#
interface NULL0
#
interface LoopBack0
 ip address **.**.**.** **.**.**.**
#


林东火车站的

<lindonghuochezhan3300>dis current-configuration
#
 sysname lindonghuochezhan3300
#
 vlan batch 1 3 31 to 32 100 to 101 200 300 to 301 1000 to 1020 3008 to 3050 3563 3902 to 3903
 vlan batch 4002 to 4003 4010
#
 observing-port 4 interface Ethernet0/0/9
#
 cluster enable
 ntdp enable
 ntdp hop 16
 ndp enable
#
 voice-vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Simens phone
 voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000 description Cisco phone
 voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
 voice-vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips/NEC phone
 voice-vlan mac-address 00d0-1e00-0000 mask ffff-ff00-0000 description Pingtel phone
 voice-vlan mac-address 00e0-7500-0000 mask ffff-ff00-0000 description Polycom phone
 voice-vlan mac-address 00e0-bb00-0000 mask ffff-ff00-0000 description 3com phone
#
 undo http server enable
#
vlan 3
 description TO DaBan-MA5200G
#
acl number 3001
 rule 5 permit icmp source **.**.**.** 0 destination **.**.**.** 0
 rule 10 permit icmp source **.**.**.** 0 destination **.**.**.** 0
 rule 15 permit icmp source **.**.**.** 0 destination **.**.**.** 0
 rule 20 permit icmp source **.**.**.** 0 destination **.**.**.** 0
#
traffic classifier test
traffic classifier tongji
 if-match acl 3001
#
traffic behavior test
traffic behavior tongji
 count
#
traffic policy test
 classifier test behavior test
traffic policy tongji
 classifier tongji behavior tongji
#
interface Vlanif200
 ip address **.**.**.** **.**.**.**
#
interface Vlanif3563
 description daban5200g-guanli
 ip address **.**.**.** **.**.**.**
#
interface Vlanif4002
 ip address **.**.**.** **.**.**.**
#
interface Vlanif4003
 ip address **.**.**.** **.**.**.**
#
interface Vlanif4010
 ip address **.**.**.** **.**.**.**
#
interface Ethernet0/0/1
 description lindong8220
 port link-type dot1q-tunnel
 port default vlan 300
 undo negotiation auto
#


大阪的路由器,注意,这个可是个BGP

interface NULL0
#
interface LoopBack1
 ip address **.**.**.** **.**.**.**
 isis enable 1
 isis circuit-level level-2
#
bgp 64611
 group IBGP-Group internal
 peer IBGP-Group description To-CF-RR1-Server-IBGP-Group
 peer IBGP-Group connect-interface LoopBack1
 peer **.**.**.** as-number 64611
 peer **.**.**.** group IBGP-Group
 peer **.**.**.** as-number 64611
 peer **.**.**.** group IBGP-Group
 #
 ipv4-family unicast
  undo synchronization
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
  network **.**.**.**
  network **.**.**.**
  network **.**.**.**
  network **.**.**.**
  peer IBGP-Group enable
  peer IBGP-Group next-hop-local
  peer **.**.**.** enable
  peer **.**.**.** group IBGP-Group
  peer **.**.**.** enable
  peer **.**.**.** group IBGP-Group
 #
 ipv4-family vpnv4
  reflector cluster-id **.**.**.**
  policy vpn-target
  peer **.**.**.** enable
  peer **.**.**.** enable
 #
 ipv4-family vpn-instance VPN_IP_MGMT
  network **.**.**.** **.**.**.**
  network **.**.**.** **.**.**.**
 #


对了,还有一个通辽华为放火墙,哈哈哈,你们这帮猪一样的队友,吧人家通辽那边的都连累了

sysname TL-FIREWALL-EUDEMON1000E
#
 ftp server enable
#
 web-manager enable
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
#
 firewall statistic system enable 
 firewall log stream enable 
#


还有一部分拓扑,就不给你们啦,画得太差,自己上学慢慢研究去啦

修复方案:

你们肯定比我专业,我才是一个学生

版权声明:转载请注明来源 烤土豆@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-10-12 09:31

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无

漏洞评价:

评论

  1. 2015-10-04 16:06 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    洞主,私信联系你了,希望能补充点有趣的细节给白帽子分享:)

  2. 2015-10-04 16:42 | 烤土豆 ( 路人 | Rank:15 漏洞数:2 | 烤土豆很好吃的)

    @疯狗 嗯嗯好的,我再好好完善一下,头一次发这个

  3. 2015-10-04 17:42 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    @烤土豆 赞

  4. 2015-10-05 07:47 | 1c3z ( 普通白帽子 | Rank:246 漏洞数:50 | #)

    洞主教我配vpn