苏宁某边界网络设备存在弱口令（可覆盖配置文件，带SSLVPN功能）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-090533

漏洞标题：苏宁某边界网络设备存在弱口令（可覆盖配置文件，带SSLVPN功能）

漏洞作者：猪猪侠

提交时间：2015-01-07 18:01

修复时间：2015-02-21 18:02

公开时间：2015-02-21 18:02

漏洞类型：基础设施弱口令

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-01-07：细节已通知厂商并且等待厂商处理中
2015-01-07：厂商已经确认，细节仅向厂商公开
2015-01-17：细节向核心白帽子及相关领域专家公开
2015-01-27：细节向普通白帽子公开
2015-02-06：细节向实习白帽子公开
2015-02-21：细节向公众公开

简要描述：

苏宁某边界网络设备存在弱口令（带SSLVPN配置文件），深一步利用可能可以绕过边界防火墙

详细说明：

网络设备ftp服务弱口令: admin:admin

172-13-1-117:~ root$ ftp 58.213.19.168
Connected to 58.213.19.168.
220 FTP service ready.
Name (58.213.19.168:root): admin
331 Password required for admin.
Password: 
230 User logged in.
Remote system type is H3C.
ftp> ls
227 Entering Passive Mode (58,213,19,168,19,23).
125 ASCII mode data connection already open, transfer starting for /*.
drwxrwxrwx   1 noone    nogroup         0 Oct 19  2010 logfile
-rwxrwxrwx   1 noone    nogroup     16256 Oct 19  2010 p2p_default.mtd
-rwxrwxrwx   1 noone    nogroup      3751 Aug 18  2014 system.xml
-rwxrwxrwx   1 noone    nogroup      6187 Aug 18  2014 startup.cfg
-rwxrwxrwx   1 noone    nogroup  27450368 Jul 08  2014 msr30-cmw520-r2513p01-si.bin
-rwxrwxrwx   1 noone    nogroup  24621440 Jul 08  2014 msr30-cmw520-r2207-si.bin
-rwxrwxrwx   1 noone    nogroup  17449340 Jul 08  2014 msr30-cmw520-r2207p38-bi.bin
-rwxrwxrwx   1 noone    nogroup     20147 Aug 18  2014 config.cwmp
-rwxrwxrwx   1 noone    nogroup      5324 Jul 25  2014 _startup_bak.cfg
-rwxrwxrwx   1 noone    nogroup    476922 Aug 01  2014 vpn3040.diag
-rwxrwxrwx   1 noone    nogroup    188545 Aug 17  2014 default.diag
-rwxrwxrwx   1 noone    nogroup  18324480 Aug 18  2014 msr30-cmw520-r2311-bi.bin
226 Transfer complete.

基础设施的鉴权信息，确认是suning的设备

local-user suning
 password cipher $c$3$AfZxBqelXWlJXRiJ83Av2ivB+WWEmBPDTEACLinFGc3+
 authorization-attribute level 3
 service-type ssh

对外开放了telnet和http管理端口，你懂得

suning: 内部网络架构透明

#
 dar p2p signature-file cfa0:/p2p_default.mtd
#
 port-security enable
#
 password-recovery enable
#
acl number 2000
 rule 0 permit source 10.22.9.5 0
 rule 5 permit source 10.22.9.215 0
 rule 10 permit source 10.21.160.99 0
#
acl number 3000
 rule 0 permit ip source 58.213.19.168 0 destination 221.226.125.148 0
 rule 5 permit ip source 1.1.1.1 0
 rule 10 permit ip source 221.226.125.148 0
 rule 15 permit ip source 2.2.2.2 0
acl number 3002 match-order auto
 description 2xuzhuangÏÞËÙ
 rule 0 permit ip destination 192.168.40.149 0
acl number 3303 match-order auto
 description vpn2xuzhuang
 rule 10 deny ip source 10.21.160.99 0
 rule 0 deny ip destination 10.21.160.99 0
 rule 5 permit ip
acl number 3304 match-order auto
 rule 5 permit ip source 192.168.0.0 0.0.255.255
 rule 10 permit ip source 10.19.0.0 0.0.255.255
 rule 15 permit ip source 10.24.0.0 0.0.255.255
 rule 20 permit ip source 10.22.0.0 0.0.255.255
 rule 0 deny ip destination 192.168.13.49 0
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike peer access
 exchange-mode aggressive
 proposal 1
 pre-shared-key cipher $c$3$t6cH9TYK0j2lvziyz+VkcwnYSezftt1ugw==
 id-type name
 remote-name access
 nat traversal
#
ike peer xinjiekou
 exchange-mode aggressive
 proposal 1
 pre-shared-key cipher $c$3$fOTu6fpwl5bY1oMj/cT2stF3Ue5ED707rVdZUw==
 id-type name
 remote-name xinjiekou
 nat traversal
#
ike peer yinhe
 exchange-mode aggressive
 proposal 1
 pre-shared-key cipher $c$3$qjZO04rPk/ZAh0UJXOOG37rn958LzcHx3CZ/cuw=
 id-type name
 remote-name yinhe
 nat traversal
#
ipsec transform-set default
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
#
ipsec policy-template xinjiekou 1
 ike-peer xinjiekou
 transform-set default
#
ipsec policy-template xuzhuang 1
 ike-peer access
 transform-set default
#
ipsec policy-template yinhe 1
 ike-peer yinhe
 transform-set default
#
ipsec policy ipsecdx 1 isakmp template xuzhuang
#
ipsec policy ipsecdx 2 isakmp template yinhe
#
ipsec policy ipsecdx 3 isakmp template xinjiekou
#
policy-based-route vpn2xuzhuang permit node 10
 if-match acl 3303
 apply ip-address next-hop 192.168.13.50
#
policy-based-route vpnup permit node 20
 if-match acl 3304
 apply ip-address next-hop 192.168.13.205
 apply ip-address next-hop 192.168.13.209
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$kczijeyDQHGhKbH67mwOnmOlFMY1ZeHd
 authorization-attribute level 3
 service-type telnet
 service-type ftp
local-user suning
 password cipher $c$3$AfZxBqelXWlJXRiJ83Av2ivB+WWEmBPDTEACLinFGc3+
 authorization-attribute level 3
 service-type ssh
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Serial4/0
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
#
interface LoopBack1000
#
interface GigabitEthernet0/0
 port link-mode route
#
interface GigabitEthernet0/0.104
 description To_JS5060-1»¥Áª.025
 vlan-type dot1q vid 104
#
interface GigabitEthernet0/0.1101
 description To_C7609-1»¥Áª
 vlan-type dot1q vid 1101
 ip policy-based-route vpn2xuzhuang
#
interface GigabitEthernet0/0.1102
 description To_C7609-2»¥Áª
 vlan-type dot1q vid 1102
 ip policy-based-route vpn2xuzhuang
#
interface GigabitEthernet0/1
 port link-mode route
 description To_»¥ÁªÍø
#
interface GigabitEthernet0/1.2
 description To_CTC01
 vlan-type dot1q vid 2
 ipsec policy ipsecdx
 qos gts acl 3002 cir 50000 cbs 3125000 ebs 0 queue-length 50
#
interface Tunnel0
 description To_Ðì×¯×Ü²¿
 mtu 1524
 source LoopBack0
 destination 2.2.2.2
 ip policy-based-route vpnup
#
nqa entry 1 1
 type icmp-echo
  data-size 20
  destination ip 192.168.13.50
  frequency 1000
  probe count 2
  probe timeout 50
  reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
  source ip 192.168.13.49
  ttl 1
#
 ip route-static 0.0.0.0 0.0.0.0 58.213.19.129 preference 5
 ip route-static 10.19.250.6 255.255.255.255 192.168.13.50
 ip route-static 10.21.160.99 255.255.255.255 192.168.13.205
 ip route-static 10.21.160.99 255.255.255.255 192.168.13.209 preference 120
 ip route-static 10.21.160.245 255.255.255.255 192.168.13.205
 ip route-static 10.22.9.5 255.255.255.255 192.168.13.205
 ip route-static 10.22.9.5 255.255.255.255 192.168.13.209 preference 120
 ip route-static 10.22.9.215 255.255.255.255 192.168.13.50
 ip route-static 172.33.0.1 255.255.255.255 172.16.0.1
 ip route-static 172.33.0.2 255.255.255.255 172.16.0.2
 ip route-static 192.168.0.0 255.255.0.0 192.168.13.209 preference 120
 ip route-static 192.168.0.0 255.255.0.0 192.168.13.205
#

漏洞证明：

system.xml

<!-- XML CONFIGURATION FILE -->
<sslvpn>
<diyview>
<title-diy-table>
<row><index-title>SSL&#32;VPN</index-title><welcome-title>Welcome&#32;to&#32;SSL&#32;VPN</welcome-title><service-title>SSL&#32;VPN</service-title></row>
</title-diy-table>
<pic-save-table>
<row><service-logo>/svpn/images/h3c.gif</service-logo><service-bg>/svpn/images/top_right_01.jpg</service-bg><index-logo>/svpn/images/h3c.gif</index-logo></row>
</pic-save-table>
<all-diy-table>
<row><enable>0</enable></row>
</all-diy-table>
</diyview>
<resview>
<res-ipac-global-table>
<row><keepalive>10</keepalive><clireach>0</clireach><onlyvpn>0</onlyvpn><sevdis>0</sevdis></row>
</res-ipac-global-table>
<res-group-table>
<row><id>33890</id><name>autohome</name></row>
<row><id>17507</id><name>autostart</name></row>
</res-group-table>
</resview>
<userview>
<user-group-table>
<row><id>17408</id><name>Guests</name></row>
</user-group-table>
<user-table>
<row><id>2162688</id><name>guest</name><description>Default&#32;guest&#32;user</description><password-md5>3C943016CF71D795F741F76EED5B63AF</password-md5><public>0</public><public-limit>0</public-limit><status>0</status><period>0-0-0</period><studymac>0</studymac></row>
</user-table>
</userview>
<domainview>
<domain-policy-table>
<row><enable-sec-policy>0</enable-sec-policy><enable-verify>0</enable-verify><enable-only-client>0</enable-only-client><enable-bind-mac>0</enable-bind-mac><enable-auto-login>0</enable-auto-login><user-out-time>30</user-out-time><dft-auth-method>1</dft-auth-method><cert-sect>0</cert-sect><verify-out-time>120</verify-out-time></row>
</domain-policy-table>
<cache-policy-table>
<row><clear-cache>1</clear-cache><clear-cookie>1</clear-cookie><clear-client>0</clear-client><clear-config>1</clear-config></row>
</cache-policy-table>
<dom-loc-auth-table>
<row><cerpol>0</cerpol></row>
</dom-loc-auth-table>
<dom-radius-auth-table>
<row><ifstartauth>0</ifstartauth><cerpol>0</cerpol><ifstartcharge>0</ifstartcharge><ifupvirtualaddr>0</ifupvirtualaddr></row>
</dom-radius-auth-table>
<dom-ldap-auth-table>
<row><servport>389</servport><version>3</version><cerpol>0</cerpol><ifstartauth>0</ifstartauth><checkmethod>TEMPLATE</checkmethod></row>
</dom-ldap-auth-table>
<dom-ad-auth-table>
<row><cerpol>0</cerpol><ifstartauth>0</ifstartauth><serverectime>5</serverectime><usrnamestyle>0</usrnamestyle></row>
</dom-ad-auth-table>
<dom-comb-auth-table>
<row><ifstartcombauth>0</ifstartcombauth><cerpol>0</cerpol><ifinputpaswrdagain>0</ifinputpaswrdagain><cerpol_a>0</cerpol_a></row>
</dom-comb-auth-table>
</domainview>
<servermng>
<server-mng-table>
<row><enable>0</enable><port>443</port></row>
</server-mng-table>
</servermng>
</sslvpn>
<nat>
<nat>
<respond-table>
<row><respond-get>0</respond-get></row>
</respond-table>
</nat>
</nat>
<waninter>
<macaddress>
<macclone-table>
<row><ifindex>1048576</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
<row><ifindex>1048577</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eee</devmac><configure>1</configure></row>
<row><ifindex>1049396</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eee</devmac><configure>1</configure></row>
<row><ifindex>1049394</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
<row><ifindex>1049395</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
<row><ifindex>1049393</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
</macclone-table>
</macaddress>
</waninter>
<seclanserver>
<rdserver>
<rds-auth-table>
<row><auth-enable>0</auth-enable></row>
</rds-auth-table>
</rdserver>
</seclanserver>

修复方案：

关闭外网接口

版权声明：转载请注明来源猪猪侠@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-01-07 20:03

厂商回复：

感谢提交，低级错误，把猪猪侠大材小用了。

漏洞评价：

2015-01-07 18:04 | T0ne5 ( 路人 | Rank:2 漏洞数:1 | 搬砖真的很累。)

专业术语，小菜表示不懂。
2015-01-07 18:08 | 第四维度 ( 实习白帽子 | Rank:58 漏洞数:34 | 谦谦君子，温润如玉)

求神器
2015-01-07 18:17 | 泳少 ( 普通白帽子 | Rank:231 漏洞数:79 | ★ 梦想这条路踏上了，跪着也要...)

求神器
2015-01-07 19:55 | im503 ( 路人 | Rank:16 漏洞数:8 | 失踪的路人甲| Rank:-503 漏洞数:0 |爱pyth...)

求神器.
2015-01-07 20:01 | 0x70 ( 普通白帽子 | Rank:228 漏洞数:33 | 正在输入中....)

都在用大杀器...
2015-01-07 22:42 | 流星warden ( 实习白帽子 | Rank:54 漏洞数:8 | The quieter you become,the more you are ...)

球字典。。。
2015-02-09 20:38 | 流星warden ( 实习白帽子 | Rank:54 漏洞数:8 | The quieter you become,the more you are ...)

求神器.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-090533

漏洞标题：苏宁某边界网络设备存在弱口令（可覆盖配置文件，带SSLVPN功能）

相关厂商：江苏苏宁易购电子商务有限公司

漏洞作者：猪猪侠

提交时间：2015-01-07 18:01

修复时间：2015-02-21 18:02

公开时间：2015-02-21 18:02

漏洞类型：基础设施弱口令

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源猪猪侠@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-090533

漏洞标题：苏宁某边界网络设备存在弱口令（可覆盖配置文件，带SSLVPN功能）

相关厂商：江苏苏宁易购电子商务有限公司

漏洞作者： 猪猪侠

提交时间：2015-01-07 18:01

修复时间：2015-02-21 18:02

公开时间：2015-02-21 18:02

漏洞类型：基础设施弱口令

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-090533"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：猪猪侠

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源猪猪侠@乌云