
Vulnerability Summary

Vulnerability ID: wooyun-2015-0164397

Title: Payment security: a Putian Yintong Payment system has a Java deserialization vulnerability (root privileges)

Vendor: Putian Yintong Payment Co., Ltd. (普天银通支付有限公司)

Author: Martial

Submitted: 2015-12-25 10:00

Fixed: 2016-02-09 23:29

Published: 2016-02-09 23:29

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-25: Details sent to the vendor; awaiting vendor action
2015-12-29: Vendor confirmed; details disclosed to the vendor only
2016-01-08: Details disclosed to core white hats and domain experts
2016-01-18: Details disclosed to regular white hats
2016-01-28: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public

Brief description:

A money-related issue.

Detailed description:

Putian Yintong Payment Co., Ltd. (普天银通支付有限公司)
**.**.**.**/index/index.action
Java deserialization vulnerability.
Checked: the process runs with root privileges.

[Screenshot: 1.jpg]


Looking at the configuration file:

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://**.**.**.**/weblogic/domain" xmlns:sec="http://**.**.**.**/weblogic/security" xmlns:wls="http://**.**.**.**/weblogic/security/wls" xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance" xsi:schemaLocation="http://**.**.**.**/weblogic/security/xacml http://**.**.**.**/weblogic/security/xacml/1.0/xacml.xsd http://**.**.**.**/weblogic/security/providers/passwordvalidator http://**.**.**.**/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://**.**.**.**/weblogic/domain http://**.**.**.**/weblogic/1.0/domain.xsd http://**.**.**.**/weblogic/security http://**.**.**.**/weblogic/1.0/security.xsd http://**.**.**.**/weblogic/security/wls http://**.**.**.**/weblogic/security/wls/1.0/wls.xsd">
  <name>polypay</name>
  <domain-version>**.**.**.**</domain-version>
  <security-configuration>
    <name>polypay</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://**.**.**.**/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://**.**.**.**/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://**.**.**.**/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}/7Ik7oTKxi65RwkFuZBEsbosju+lwSGpUXlb0hdnVvyDcHfXAAkFS3tZwkRAOqNDHVvYyzdnxnGyl9C/rg2rHN2W0d4gzIG+5nREvkNEnxZWAU8MFfHPaWq/0D3vLA4k</credential-encrypted>
    <node-manager-username>8hLwWVJXEL</node-manager-username>
    <node-manager-password-encrypted>{AES}84nf+IHhuCTZyHTH9+eqMiHyZYZ2xOtvvoc7mJmjQmA=</node-manager-password-encrypted>
  </security-configuration>
  <log>
    <number-of-files-limited>true</number-of-files-limited>
    <file-min-size>500</file-min-size>
    <rotate-log-on-startup>true</rotate-log-on-startup>
  </log>
  <server>
    <name>AdminServer</name>
    <listen-port>80</listen-port>
    <listen-address></listen-address>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
  <embedded-ldap>
    <name>polypay</name>
    <credential-encrypted>{AES}flystwnqS/j46LjhFpkiyquPwKvmeWE7QYS/aUDucixuFqOCfXaY+F9wohBOGhUm</credential-encrypted>
  </embedded-ldap>
  <administration-port-enabled>true</administration-port-enabled>
  <administration-port>9080</administration-port>
  <configuration-version>**.**.**.**</configuration-version>
  <app-deployment>
    <name>ptyt</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>/web/webapps/ptyt/web</source-path>
    <plan-dir xsi:nil="true"></plan-dir>
    <plan-path>/web/webapps/ptyt/web/Plan.xml</plan-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>**.**.**.**</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>/web/webapps/polypay/web</source-path>
    <plan-dir xsi:nil="true"></plan-dir>
    <plan-path>/web/webapps/polypay/web/Plan.xml</plan-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>gateway</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>/web/webapps/gatewayrtn/web</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <admin-server-name>AdminServer</admin-server-name>
  <internal-apps-deploy-on-demand-enabled>true</internal-apps-deploy-on-demand-enabled>
</domain>


[Screenshot: 2.jpg]

[Screenshot: 3.jpg]

Proof of vulnerability:

[Screenshot: 2.jpg]

[Screenshot: 3.jpg]

Remediation:

Upgrade.

Copyright notice: please credit the source when reposting: Martial@WooYun


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-29 18:27

Vendor reply:

CNVD confirms the described vulnerability; it has been forwarded via CNCERT to its Shanghai branch center, which will coordinate handling with the website's operating organization.

Latest status:

None yet

