
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-091383

Title: RSYNC on a 21CN mail server is anonymously accessible (DEBUG logs contain user passwords)

Vendor: 世纪龙信息网络有限责任公司

Author: 猪猪侠

Submitted: 2015-01-12 15:24

Fixed: 2015-02-26 15:26

Published: 2015-02-26 15:26

Type: unauthorized access / privilege bypass

Severity: high

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-12: Details reported to the vendor, awaiting vendor handling
2015-01-12: Vendor confirmed; details disclosed to the vendor only
2015-01-22: Details disclosed to core white hats and domain experts
2015-02-01: Details disclosed to regular white hats
2015-02-11: Details disclosed to intern white hats
2015-02-26: Details disclosed to the public

Summary:

RSYNC on a 21CN mail server is anonymously accessible. The content is entirely logs produced by the mail server side. Never mind the mailbox database information; there are some scripts, some logs and so on. It would be serious if there were cookies in there, right? Sure enough, the DEBUG logs in there record user passwords.

Details:

Some of the logs may contain cookies; for testing reasons I did not look at them.

rsync 121.14.129.31:: -av
kbaslog kbaslog
kbaslogfjbnet kbaslog
kbaslogfree kbaslogfree
hermeslogent hermeslogent
aimclog aimclog
kbaslogent kbaslogent
kbaslogpay kbaslogpay
hermeslogfjbnet hermeslog
hermeslogfree hermeslogfree
hermeslogpay hermeslog for mta
medusalog kbas log
medusalogsmtp kbas log
medusalogweb kbas log
medusalogmta kbas log
enthermeslogguid hermeslogent
enthermesloglmtp hermeslogent
enthermeslogimap hermeslogent
enthermeslogmta hermeslogent
enthermeslogms hermeslogent
enthermeslogpop3 hermeslogent
enthermeslogud hermeslogent
enthermeslogwebmail hermeslogent
enthermeslogwebadmin hermeslogent
sync_as_log realtime antispam log
maillog1
maillog2
maillog3
maillog4
maillog5
zhenghe data zhenghe


Webmail logs

[2014-08-27 13:00:23,020] [INFO ] resin-tcp-connection-*:8081-79 MailListService - mail list: getLabelList end acc=yamamoto@108628,labelId=1,orderfield=0,orderway=68,page=1,lableList=[{summaryInfo,0,0,null}, {,1,0,{summaryInfo,0,0,null}}, {,2,0,{summaryInfo,0,0,null}}, {,3,0,{summaryInfo,0,0,null}}, {,4,0,{summaryInfo,0,0,null}}, {,5,0,{summaryInfo,0,0,null}}, {,6,0,{summaryInfo,0,0,null}}, {,7,0,{summaryInfo,0,0,null}}, {,8,0,{summaryInfo,0,0,null}}]
[2014-08-27 13:00:23,144] [INFO ] resin-tcp-connection-*:8081-45 ContactService - [cn21-contact-service : ContactService] -> account[spray@iktoy.com], password[spray2005], isWithoutAuth[false] ip[10.28.10.84], type[0] get contact.
[2014-08-27 13:07:17,695] [INFO ] resin-tcp-connection-*:8081-37 ContactService - [cn21-contact-service : ContactService] ->
mask region
*****1], isWithoutAuth[false] ip*****


[screenshot: 21cnmail.jpg]


DEBUG logs contain user passwords

[2015-01-12 13:04:00,145] [DEBUG] tcpConnection-8080-5 HMMUdServer - execute UD command:emailAccount=chenjf32@1269,udId=46,commandId=1,param=AUTO_FORWARD=&OPERATION_FLAG=&LANGUAGE_ID=&IP=10.28.10.84&MAILBOX_MAX_SIZE=&WHITELIST=&MAIL_PER_PAGE=&TEMPLATE_ID=8&POP_SETTING=&CONTACT=&BLACKLIST=&FONT_ID=&AUTO_REPLY_MSG=&SIGNATURE=&SECRET_ANSWER=&COLOR_ID=&WARNING_QUOTA=&SEND_MAIL_NAME=&PASSWORD=&SECRET_QUESTION=,managerAccount=null,ret=AUTO_FORWARD=&SEND_MAIL_NAME=&CONTACT=&IP=&FONT_ID=0&SIGNATURE=&LANGUAGE_ID=0&SECRET_ANSWER=&TEMPLATE_ID=39&WARNING_QUOTA=0&BLACKLIST=&OPERATION_FLAG=8&POP_SETTING=&AUTO_REPLY_MSG=&WHITELIST=&MAIL_PER_PAGE=20&SECRET_QUESTION=&PASSWORD=%7BMD5%7D607d3b7eb6f521f22c7856df720a8462&MAILBOX_MAX_SIZE=1073741824&COLOR_ID=0
[2015-01-12 13:28:40,606] [DEBUG] tcpConnection-8080-6 UdAccoutManager - add usr sb=DEPARTMENT_ID=10040966&CITY_ID=0&CUSTOMER_NAME=tang.yanling%40jstars.cn&OPERATION_FLAG=216&ACCOUNT_STATUS=0&LANGUAGE_ID=0&MAILBOX_MAX_SIZE=1024&REMARK=&MAIL_PER_PAGE=20&TEMPLATE_ID=39&CONTACT_ADDRESS=&COMPANY_PHONE_NUMBER=&OU_ID=10040966&WARNING_QUOTA=0&PASSWORD=tangabc&BIRTHDAY=&OCCUPATION_NAME=&IP=10.28.10.84&PROVINCE_ID=0&ORG_ID=10111306&INVISIBLE=0&AGE_SESSION_ID=0&GENDER=0&CUSTOMER_SN=ÌÆÑÞÁá&GSM_NUMBER=&SEND_MAIL_NAME=ÌÆÑÞÁá&DOMAIN_ID=113083
[2015-01-12 13:27:30,347] [DEBUG] tcpConnection-8080-4 HMMUdServer - execute UD command:emailAccount=frank.han@15164,udId=38,commandId=1,param=AUTO_FORWARD=&OPERATION_FLAG=&LANGUAGE_ID=&IP=10.28.10.88&MAILBOX_MAX_SIZE=&WHITELIST=&MAIL_PER_PAGE=&TEMPLATE_ID=8&POP_SETTING=&CONTACT=&BLACKLIST=&FONT_ID=&A&IP=&FONT_ID=0&SIGNATURE=&LANGUAGE_ID=0&SECRET_ANSWER=&TEMPLATE_ID=39&WARNING_QUOTA=0&BLACKLIST=&OPERATION_FLAG=216&POP_SETTING=&AUTO_REPLY_MSG=&WHITELIST=&MAIL_PER_PAGE=20&SECRET_QUESTION=&PASSWORD=%7BMD5%7Dfa1105eab2c3cfefc46f478d083070b7&MAILBOX_MAX_SIZE=1073741824&COLOR_ID=0
LogonWebmailService - templateId ==== >39
[2015-01-12 13:27:30,363] [DEBUG] tcpConnection-8080-4 LogonWebmailService - Integer.toString(acc.getTemplateId())39
[2015-01-12 13:27:30,364] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,364] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,COLOR_ID,0) ret:1
[2015-01-12 13:27:30,365] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,366] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,FONT_ID,0) ret:1
[2015-01-12 13:27:30,367] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,368] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,WARNING_QUOTA,0) ret:1
[2015-01-12 13:27:30,428] [DEBUG] tcpConnection-8080-4 HMMSessionServer - HMMSessionServer.setObjectValue(CONTACT) use time: 51 ms
[2015-01-12 13:27:30,428] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,437] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,CONTACT,com.cn21.util.Contact@5d7f9a29) ret:1
[2015-01-12 13:27:30,438] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,439] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,OPERATION_FLAG,216) ret:1
[2015-01-12 13:27:30,440] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,440] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,MAILBOX_MAX_SIZE,1073741824) ret:1
[2015-01-12 13:27:30,441] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,442] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,DEF_CHARSET,gb2312) ret:1
[2015-01-12 13:27:30,443] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,443] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,PASSWORD,{MD5}fa1105eab2c3cfefc46f478d083070b7) ret:1


Database connection information of the mail server side

[2015-01-12 11:00:01,683] [INFO ] 3086404160 ApplicationContext - name:ms-index-
mask region
*****r:=hermes;password:=quy*****


[2015-01-12 11:02:02,079] [INFO ] 3086559808 ApplicationContext - name:hermes,server:=HERMES-DG-FP;
mask region
*****pmail_0958;driver:=oracle;ch*****


[2015-01-12 11:02:02,080] [INFO ] 3086559808 ApplicationContext - name:,server:=;database:=;user:=;password:=;driver:=;charset:=
[2015-01-12 11:02:02,081] [INFO ] 3086559808 ApplicationContext -

mask region
*****rd:=pwd_liyang_1234;driver:=oracle;c*****
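The leak above is easy to miss in bulk logs because the secret appears in three different syntaxes: a URL-encoded PASSWORD= field inside a UD command, a password[...] bracket in the contact-service line, and a password:= assignment in the database connection dump. The following Python script is an added example and not part of the original report: it scans log text for all three forms, separates {MD5}-style hashed values from plaintext, and produces a redacted copy suitable for sharing. The sample lines are constructed to mimic the formats shown above; the accounts, hosts, hashes and passwords in them are invented.

```python
import re
from urllib.parse import unquote

# Constructed sample log text modelled on the three formats in the report.
# Accounts, hosts, hashes and passwords here are invented, not leaked values.
SAMPLE_LOG = """\
[2015-01-12 13:04:00,145] [DEBUG] tcpConnection-8080-5 HMMUdServer - execute UD command:emailAccount=user1@1000,udId=1,param=PASSWORD=&SECRET_QUESTION=,ret=TEMPLATE_ID=39&PASSWORD=%7BMD5%7D0123456789abcdef0123456789abcdef&COLOR_ID=0
[2015-01-12 13:28:40,606] [DEBUG] tcpConnection-8080-6 UdAccoutManager - add usr sb=CUSTOMER_NAME=user2%40example.test&PASSWORD=hunter2&DOMAIN_ID=1
[2014-08-27 13:00:23,144] [INFO ] resin-tcp-connection-*:8081-45 ContactService - account[user3@example.test], password[s3cret], isWithoutAuth[false] ip[10.0.0.1]
[2015-01-12 11:00:01,683] [INFO ] 3086404160 ApplicationContext - name:hermes,server:=DB1;database:=mail;user:=hermes;password:=dbpass;driver:=oracle;charset:=gb2312
[2015-01-12 13:27:30,364] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
"""

# One regex per syntax; group 1 captures the secret value.
PATTERNS = {
    "form": re.compile(r"password=([^&\s,]*)", re.IGNORECASE),     # PASSWORD=value&...
    "bracket": re.compile(r"password\[([^\]]*)\]", re.IGNORECASE),  # password[value]
    "assign": re.compile(r"password:=([^;\s]*)", re.IGNORECASE),    # password:=value;
}


def classify(value):
    """'{MD5}...' style values are stored hashes; anything else is plaintext."""
    return "hashed" if value.startswith("{") and "}" in value else "plaintext"


def find_credentials(log_text):
    """Return (line_no, syntax, kind, value) for every non-empty password field."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for style, pat in PATTERNS.items():
            for raw in pat.findall(line):
                if not raw:
                    continue  # "PASSWORD=&" is an empty field, not a leak
                value = unquote(raw)  # undo %7B...%7D URL encoding
                findings.append((lineno, style, classify(value), value))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'plaintext': 3, 'hashed': 1}."""
    counts = {}
    for _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def _mask(m):
    # Replace only the captured value, keeping the key and delimiters intact.
    if not m.group(1):
        return m.group(0)
    head = m.group(0)[: m.start(1) - m.start(0)]
    tail = m.group(0)[m.end(1) - m.start(0):]
    return head + "***" + tail


def redact(log_text):
    """Return a copy of the log with every password value replaced by ***."""
    out = []
    for line in log_text.splitlines():
        for pat in PATTERNS.values():
            line = pat.sub(_mask, line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = find_credentials(SAMPLE_LOG)
    for lineno, style, kind, value in hits:
        print(f"line {lineno}: {style:8s} {kind:9s} {value[:12]}...")
    print(summarize(hits))
    print(redact(SAMPLE_LOG))
```

Running the scanner over the real rsync-exposed logs would be the quickest way for the vendor to size the leak (how many plaintext versus hashed values, and in which loggers) before deciding which accounts need a forced password reset; the redacted output is what should be handed to anyone who does not need the raw values.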


-rw-r----- 225598 2015/01/02 11:32:10 pop3.2015010210.ent-ssl3.log
-rw-r----- 26487483 2015/01/02 11:08:03 pop3.2015010210.ent13.log
-rw-r----- 26864900 2015/01/02 11:07:11 pop3.2015010210.ent14.log
-rw-r----- 1137000 2015/01/02 11:23:29 pop3.2015010210.ent15.log
-rw-r----- 1150282 2015/01/02 11:24:29 pop3.2015010210.ent16.log
-rw-r----- 8295510 2015/01/02 11:23:30 pop3.2015010210.ent3.log
-rw-r----- 8287110 2015/01/02 11:15:20 pop3.2015010210.ent7.log
-rw-r----- 2529009 2015/01/02 11:14:03 pop3.2015010210.zment-mta1.log
-rw-r----- 1333687 2015/01/02 11:14:09 pop3.2015010210.zment-mta2.log
-rw-r----- 1813795 2015/01/02 11:14:03 pop3.2015010210.zment-mta3.log
-rw-r----- 1398126 2015/01/02 11:14:02 pop3.2015010210.zment-mua1.log
-rw-r----- 3335943 2015/01/02 11:14:04 pop3.2015010210.zment-mua2.log
-rw-r----- 1506940 2015/01/02 11:14:05 pop3.2015010210.zment-mua3.log
-rw-r----- 26560591 2015/01/02 12:29:04 pop3.2015010211.ent-pop1.log
-rw-r----- 26761625 2015/01/02 12:33:04 pop3.2015010211.ent-pop2.log
-rw-r----- 26613621 2015/01/02 12:36:05 pop3.2015010211.ent-pop3.log
-rw-r----- 26745745 2015/01/02 12:20:04 pop3.2015010211.ent-pop4.log
-rw-r----- 26528333 2015/01/02 12:23:03 pop3.2015010211.ent-pop5.log
-rw-r----- 27186101 2015/01/02 12:27:26 pop3.2015010211.ent-pop6.log
-rw-r----- 26893325 2015/01/02 12:27:25 pop3.2015010211.ent-pop7.log
-rw-r----- 27015790 2015/01/02 12:27:28 pop3.2015010211.ent-pop8.log
-rw-r----- 372101 2015/01/02 12:32:10 pop3.2015010211.ent-ssl1.log
-rw-r----- 78252 2015/01/02 12:32:10 pop3.2015010211.ent-ssl2.log
-rw-r----- 225263 2015/01/02 12:32:11 pop3.2015010211.ent-ssl3.log


-rwxr-xr-x 49966 2014/08/21 05:18:01 webmail.2014082104.ent-web2.log.gz
-rwxr-xr-x 58232 2014/08/21 05:21:01 webmail.2014082104.ent-web3.log.gz
-rwxr-xr-x 44895 2014/08/21 05:20:01 webmail.2014082104.ent-web4.log.gz
-rwxr-xr-x 60459 2014/08/21 05:17:01 webmail.2014082104.ent-web5.log.gz
-rwxr-xr-x 36185 2014/08/21 05:19:01 webmail.2014082104.ent-web6.log.gz
-rwxr-xr-x 49 2014/08/21 05:15:11 webmail.2014082104.ent13.log.gz
-rwxr-xr-x 3643 2014/08/21 05:18:20 webmail.2014082104.ent14.log.gz
-rwxr-xr-x 78131 2014/08/21 06:19:01 webmail.2014082105.ent-web1.log.gz
-rwxr-xr-x 42267 2014/08/21 06:18:01 webmail.2014082105.ent-web2.log.gz
-rwxr-xr-x 66315 2014/08/21 06:21:01 webmail.2014082105.ent-web3.log.gz
-rwxr-xr-x 60599 2014/08/21 06:20:01 webmail.2014082105.ent-web4.log.gz
-rwxr-xr-x 28964 2014/08/21 06:17:01 webmail.2014082105.ent-web5.log.gz
-rwxr-xr-x 67922 2014/08/21 06:19:01 webmail.2014082105.ent-web6.log.gz
-rwxr-xr-x 49 2014/08/21 06:15:11 webmail.2014082105.ent13.log.gz
-rwxr-xr-x 3611 2014/08/21 06:15:11 webmail.2014082105.ent14.log.gz
-rwxr-xr-x 166159 2014/08/21 07:19:01 webmail.2014082106.ent-web1.log.gz
-rwxr-xr-x 80258 2014/08/21 07:18:01 webmail.2014082106.ent-web2.log.gz
-rwxr-xr-x 94664 2014/08/21 07:21:01 webmail.2014082106.ent-web3.log.gz
-rwxr-xr-x 86146 2014/08/21 07:20:02 webmail.2014082106.ent-web4.log.gz
-rwxr-xr-x 51431 2014/08/21 07:17:01 webmail.2014082106.ent-web5.log.gz
-rwxr-xr-x 79683 2014/08/21 07:19:01 webmail.2014082106.ent-web6.log.gz
-rwxr-xr-x 49 2014/08/21 07:15:11 webmail.2014082106.ent13.log.gz
-rwxr-xr-x 3639 2014/08/21 07:15:11 webmail.2014082106.ent14.log.gz
-rwxr-xr-x 306795 2014/08/21 08:19:02 webmail.2014082107.ent-web1.log.gz
-rwxr-xr-x 255794 2014/08/21 08:18:02 webmail.2014082107.ent-web2.log.gz
-rwxr-xr-x 244959 2014/08/21 08:21:02 webmail.2014082107.ent-web3.log.gz
-rwxr-xr-x 286663 2014/08/21 08:20:01 webmail.2014082107.ent-web4.log.gz
-rwxr-xr-x 207918 2014/08/21 08:17:02 webmail.2014082107.ent-web5.log.gz
-rwxr-xr-x 235922 2014/08/21 08:19:01 webmail.2014082107.ent-web6.log.gz


[2014-08-21 07:59:27,456] [INFO ] resin-tcp-connection-*:8081-104 MtaServerConfig - func[getMTAConnection] heloMta[60.21.200.227] MtaServerConfig[{smtpent-web.inner-hermes.com,2027,smtp,1}] desc[reconect using helo ip success]
[2014-08-21 07:59:34,868] [INFO ] resin-tcp-connection-*:8081-42 LoginActionAjax - func[singinajax] account[weihong5@cnweihong.com] jsoncallback[jQuery171027891063959938317_1408579316062] action[start login]
[2014-08-21 07:59:34,904] [INFO ] resin-tcp-connection-*:8081-42 LoginActionAjax - func[singinajax] account[weihong5@cnweihong.com] jsoncallback[jQuery171027891063959938317_1408579316062] action[start end]
[2014-08-21 07:59:34,910] [INFO ] resin-tcp-connection-*:8081-104 HMMMtaServer - func[sendJavaMail] heloMta[60.21.200.227] MtaServerConfig[{smtpent-web.inner-hermes.com,2027,smtp,1}] mailInfo[{subject:Re: LN014·¿×â²î¼þ, fromList:jason.yang@vmartcn.com, toList:"wen.zhang" <wen.zhang@vmartcn.com>, size:1202555, attachmentList:[ÉÌÒµ×âÁÞÊý¾Ý±í_LN014.pdf, Liao_Ning_LN014_ÃÉÏéºì_B_to_A.pdf, ·¿ÎÝ×âÁÞºÏͬ¶þ.pdf, ·¿ÎÝ×âÁÞºÏͬһ.pdf], hashCode:11065350}] transPort[smtp://hermes@smtpent-web.inner-hermes.com] desc[send mail success]
[2014-08-21 07:59:34,914] [WARN ] resin-tcp-connection-*:8081-104 SendMailService - func[deleteAutoSaveDraft] oldMessageId[] oldMsId[] emailAccount[jason.yang@119040] udId[38] transId[10.28.10.87:147f5dc8201:7715]
[2014-08-21 07:59:35,023] [INFO ] resin-tcp-connection-*:8081-104 SendMailService - save sended mail size=1652629
[2014-08-21 07:59:35,031] [INFO ] resin-tcp-connection-*:8081-104 HMMUdServer - nativeUdCreateMail mail:Re: LN014·¿×â²î¼þreturn:<0>
[2014-08-21 07:59:35,031] [INFO ] resin-tcp-connection-*:8081-104 SendMailService - save sended mail:ACC=<jason.yang@119040>,MID=<200.10.28.10.87.14085791749140.jason.yang@119040>,MSID=<37>,TID=<10.28.10.87:147f5dc8201:7715>,RDN=<0>
[2014-08-21 07:59:35,439] [INFO ] resin-tcp-connection-*:8081-104 SendMailFlashAction - jason.yang@119040 action end.
[2014-08-21 07:59:35,820] [ERROR] resin-tcp-connection-*:8081-108 GetMailListAction - com.cn21.hermes.exception.SessionException: <SESSION>:8153(error code=8153)
[2014-08-21 07:59:36,363] [INFO ] resin-tcp-connection-*:8081-80 MailReadStatusService - func[getMailStatusById] messageId=<<434954191.6641408577882022.JavaMail.hermes@ent-web3>>,mailAuthor=<xiangliping@leaderchina.cn>,chgTime=<2014-08-21 07:38:05.0>,clientIp=<10.28.10.88>
[2014-08-21 07:59:36,364] [INFO ] resin-tcp-connection-*:8081-80 TrackMailDBPool - -----------TrackMailDBPool.getConnection getTotalCreatedConnections:8 getTotalFree:8 getTotalLeased:0
[2014-08-21 07:59:38,830] [ERROR] resin-tcp-connection-*:8081-80 GetMailListAction - com.cn21.hermes.exception.SessionException: <SESSION>:8153(error code=8153)
[2014-08-21 07:59:39,875] [INFO ] resin-tcp-connection-*:8081-108 SignOnAction - Could not get sid from Cookies
[2014-08-21 07:59:39,875] [INFO ] resin-tcp-connection-*:8081-108 cn21 - 10.28.10.87 session timeout!
[2014-08-21 07:59:41,291] [INFO ] resin-tcp-connection-*:8081-42 chk - check service begin ...
[2014-08-21 07:59:41,360] [INFO ] resin-tcp-connection-*:8081-42 chk - echeck service ok.
[2014-08-21 07:59:41,375] [INFO ] resin-tcp-connection-*:8081-36 LoginServlet - func<parserUrlGetDomain> cookieDomain<.21cn.com>
[2014-08-21 07:59:41,375] [INFO ] resin-tcp-connection-*:8081-36 LoginServlet - customer_url_domain<>
[2014-08-21 07:59:41,390] [INFO ] resin-tcp-connection-*:8081-36 MailMigrationManager - yyhfm.com not need to pop or imap verify
[2014-08-21 07:59:41,391] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - logon: acc=hfmould@yyhfm.com
[2014-08-21 07:59:41,391] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - get GUID.acc=<hfmould@yyhfm.com>,ip=<101.71.150.246>
[2014-08-21 07:59:41,394] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - accWithDomainId<hfmould@126861> webFlag<1>
[2014-08-21 07:59:41,394] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - acc=<hfmould@126861>,domainStatus=<1>
[2014-08-21 07:59:41,394] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - auth UD.acc=<hfmould@126861>,udId=<37>, ip=<101.71.150.246>
[2014-08-21 07:59:41,443] [WARN ] resin-tcp-connection-*:8081-36 MobileSecurityDAO - func[getMobileSecurityInfo] not find record! msg : <UD>DataNotFound.
[2014-08-21 07:59:41,457] [INFO ] resin-tcp-connection-*:8081-36 SSOLoginner - SSOLogon corp.webmail.21cn.com], referer:[http://corp.webmail.21cn.com/webmail/signOn.do], sslLogin:[null]
[2014-08-21 07:59:41,458] [INFO ] resin-tcp-connection-*:8081-36 CookieUtils - userDatauid =< 111111> userDatauid oldUserName =<hfmould@yyhfm.com>,result=<1>
[2014-08-21 07:59:41,458] [INFO ] resin-tcp-connection-*:8081-36 SSOLoginner - logon: sid=<000002050480448-20140820235941440958-020> EmailAccountName : hfmould DomainName : yyhfm.com DomainId : 126861 UdId : 37 cookies : .21cn.com
[2014-08-21 07:59:41,463] [INFO ] resin-tcp-connection-*:8081-36 SSOLoginner - domain:===============ent-web1_mailhost
[2014-08-21 07:59:41,463] [INFO ] resin-tcp-connection-*:8081-36 SSOLoginner - iAddr =<ent-web1/127.0.0.1>,host=< ent-web1>, URL=< http://corp.webmail.21cn.com/webmail/forwardlogin.jsp>, account =<hfmould@yyhfm.com> redirectUrl : http://corp.webmail.21cn.com/webmail/forwardlogin.jsp
[2014-08-21 07:59:41,779] [INFO ] resin-tcp-connection-*:8081-128 LogonAction - logging on from ip=<10.28.10.87>,accountName=null
[2014-08-21 07:59:41,779] [INFO ] resin-tcp-connection-*:8081-128 LogonAction - uudSessionId ====================== 000002050480448-20140820235941440958-020
[2014-08-21 07:59:41,782] [INFO ] resin-tcp-connection-*:8081-128 LogonService - alanstart==1408579181782
[2014-08-21 07:59:41,782] [INFO ] resin-tcp-connection-*:8081-128 LogonService - logon: acc=hfmould@yyhfm.com
[2014-08-21 07:59:41,785] [INFO ] resin-tcp-connection-*:8081-128 LogonService - getDefaultTemplateId == 39
[2014-08-21 07:59:41,785] [INFO ] resin-tcp-connection-*:8081-128 LogonService - set UD TemplateId =>> 39


[2015-01-12 11:00:01,300] [INFO ] 3086404160 config - parse /opt/hermes/bin/../conf/corpmail_edf.xml
[2015-01-12 11:00:01,315] [INFO ] 3086404160 config - parse end
[2015-01-12 11:00:01,315] [INFO ] 3086404160 ApplicationContext - init,args[/opt/hermes/bin/../libexec/hmm_pop3_app -t server -a pop3 -s pop3-svr7 -c /opt/hermes/bin/../conf/corpmail_edf.xml -l /opt/hermes/bin/../conf/pop3_log.xml ] begin

Proof of vulnerability:

10.27.10.232
10.27.10.226


Server passwords are leaked as well
cat scp_block.sh

#!/bin/sh
# Copy a file from every host in a list using an expect wrapper around scp.
list_file=/opt/chenlh/tuixintongzhi/host.txt   # one host per line
username=root
password="!@*****()"                            # masked in the report
#src_file=/opt/idns/local.dat
dest_file=/opt/chenlh/
line=result
# For each host, fetch the remote file "$line" into "$dest_file$line"
while read -r host
do
    ./expect_scp "$host" "$username" "$password" "$line" "$dest_file$line"
done < "$list_file"


cat 1.sh

#!/bin/sh
# Aggregate yesterday's MTA logs from a set of ent* hosts and extract the
# deferred and bounced deliveries for the bounce-notification report.
WORKPATH=/maillog1/hermeslog/ent/mta
time1=$(date -d "+1 days ago" +%Y%m%d)
cat /dev/null > tuixin.log
cat /dev/null > deferred.tmp
cat /dev/null > bounce.total
# Concatenate the day's mta logs of each listed host into tuixin.log
for i in 7 8 9 10 11 12 17 18 19 20
do
    cat "$WORKPATH"/mta."$time1"*ent"$i".log* >> tuixin.log
done
grep "status=deferred" tuixin.log > deferred.log
# Queue ids of deferrals caused by network errors (localhost excluded)
grep "deferred" tuixin.log | grep -E "lost connection|time out|timed out" | grep -v "127.0.0.1" | awk -F: '{print $4}' | sed 's/^ //' | sort -u >> deferred.tmp
# Queue ids of generated bounce mails
grep "bounce mail" tuixin.log | grep -oP '(?<=queue_id\[)[^]]+' | sort -u >> bounce.total
# Queue ids present in both sets
grep -xFf deferred.tmp bounce.total >> total.net
# Full deferred lines for those queue ids, one per destination host
while read -r queue_id
do
    grep "$queue_id" deferred.log | grep -E "lost connect|time out|timed out" | grep -vE "21cn.com|127.0.0.1" | sort -u -k 6,6 >> net.log
done < total.net
# Bounces caused by RBL / blacklist rejections at the remote side
grep "status=bounced" tuixin.log | grep -E "not allowed to connect|blocked using|refused to talk to|rejected due to the sending|is listed in|blacklist|Client host rejected" | grep -vE "127.0.0.1|trace_id" >> rbl.log

Remediation:

IP-based authorization
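For an rsync daemon, IP-based authorization means setting hosts allow on every module in rsyncd.conf; in practice it should be paired with auth users and a secrets file, and with list = no so that module names are not enumerable. The following Python audit script is an added example and not the vendor's configuration or tooling: it parses a minimal rsyncd.conf and reports modules that any client address can reach, that require no authentication, or that are writable. Both sample configurations, and the paths, module names, account name and addresses in them, are constructed for illustration (the module names mirror the listing earlier in this report, the rest is invented).

```python
import re

# Constructed rsyncd.conf of the kind that yields an anonymous module listing.
WEAK_CONF = """\
# global settings apply to every module unless overridden
uid = nobody
gid = nobody
use chroot = yes

[kbaslog]
    path = /maillog1/kbaslog
    comment = kbaslog
    read only = yes

[zhenghe]
    path = /data/zhenghe
    comment = data zhenghe
    read only = no
"""

# Constructed hardened version: client whitelist, authentication, no listing.
HARDENED_CONF = """\
uid = nobody
gid = nobody
use chroot = yes
list = no

[kbaslog]
    path = /maillog1/kbaslog
    read only = yes
    hosts allow = 10.0.0.5 10.0.0.6
    hosts deny = *
    auth users = logsync
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd(text):
    """Return (global settings, {module name: settings}) from rsyncd.conf text."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment line
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        target = globals_ if current is None else modules[current]
        target[key.strip().lower()] = value.strip()
    return globals_, modules


def _is_false(value):
    return value.strip().lower() in ("no", "false", "0")


def audit_rsyncd(text):
    """Return (module, issue) pairs for modules lacking IP or user restrictions."""
    globals_, modules = parse_rsyncd(text)
    findings = []
    for name, settings in modules.items():
        eff = {**globals_, **settings}  # module settings override globals
        allow = eff.get("hosts allow", "").strip()
        if not allow or allow == "*":
            findings.append((name, "no hosts allow restriction: any client address may connect"))
        if not eff.get("auth users"):
            findings.append((name, "no auth users: module is readable without authentication"))
        elif not eff.get("secrets file"):
            findings.append((name, "auth users set but no secrets file: authentication cannot work"))
        # rsync defaults: read only = yes, list = yes
        if _is_false(eff.get("read only", "yes")):
            findings.append((name, "read only = no: module path is writable by permitted clients"))
        if not _is_false(eff.get("list", "yes")):
            findings.append((name, "list = yes: module name appears in the unauthenticated listing"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        issues = audit_rsyncd(conf)
        print(f"{label}: {len(issues)} issue(s)")
        for module, issue in issues:
            print(f"  [{module}] {issue}")
```

The check treats a missing hosts allow as equivalent to "*", which is rsync's default, so a configuration that was never restricted shows up the same way as one that was explicitly opened; after applying the fix, the expected result for every module is zero findings.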

Copyright notice: please credit 猪猪侠@乌云 when reposting


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 15

Confirmed: 2015-01-12 23:22

Vendor reply:

Confirmed

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-01-12 15:28 | 黑暗游侠 ( regular white hat | Rank:1780 vulns:268 | 123)

    Go Brother Zhu!!! Break 3000 and crush them. Rooting for you!!

  2. 2015-01-12 15:32 | _Thorns ( regular white hat | Rank:882 vulns:157 | buying WB 1:5, unlimited [platform escrow]))

    Go Brother Zhu!!! Break 3000 and crush them. Rooting for you!!

  3. 2015-01-12 15:46 | 白非白 ( regular white hat | Rank:447 vulns:60 | ♫ Freedom - Anthony Hamilton ♫)

    It already says "mailbox", and then "some server"; I bet this title was edited. Yiping, what do you think?

  4. 2015-01-12 16:11 | 浩天 certified white hat ( regular white hat | Rank:915 vulns:79 | On vacation...)

    @白非白 First you need to know that 21cn has a mail product

  5. 2015-01-12 16:11 | 泳少 ( regular white hat | Rank:231 vulns:79 | ★ Once on the road of dreams, even on your knees...)

    Go Brother Zhu!!! Break 3000 and crush them. Rooting for you!!

  6. 2015-01-12 16:13 | 白非白 ( regular white hat | Rank:447 vulns:60 | ♫ Freedom - Anthony Hamilton ♫)

    @浩天 Pretend I didn't say that...

  7. 2015-01-12 16:35 | 子非海绵宝宝 certified white hat ( core white hat | Rank:1044 vulns:106 | Carry on the spirit of SpongeBob! You're not SpongeBob, how...)

    Speaking of which, a while ago I got hold of a 21CN zibbx, forgot where I put it.....

  8. 2015-01-12 16:37 | 杀器王子 certified white hat ( regular white hat | Rank:1532 vulns:121 | Sharpening the knife for the pigs and sheep)

    Not nice

  9. 2015-01-12 16:39 | 猪猪侠 certified white hat ( core white hat | Rank:3224 vulns:254 | You already have so many super lollipops, what do you need freedom for?)

    @杀器王子 Where have you been these past few days?

  10. 2015-01-12 16:41 | 杀器王子 certified white hat ( regular white hat | Rank:1532 vulns:121 | Sharpening the knife for the pigs and sheep)

    @猪猪侠 Moving house

  11. 2015-01-12 16:56 | 炯炯虾 ( passer-by | Rank:2 vulns:1 | I'm from Earth)

    @猪猪侠 Brother Zhu, why do the vulnerabilities you submit all seem so simple?

  12. 2015-01-12 16:59 | 猪猪侠 certified white hat ( core white hat | Rank:3224 vulns:254 | You already have so many super lollipops, what do you need freedom for?)

    @炯炯虾 Simple, but the amount of data affected is huge. If a 7-11 convenience store leaves its door open at night, at most some snacks go missing; what if a bank vault leaves its door open at night? Both are doors left open, but the difference is enormous!

  13. 2015-01-12 17:09 | 炯炯虾 ( passer-by | Rank:2 vulns:1 | I'm from Earth)

    @猪猪侠 You're running your own scanner 24 hours a day, right? Do you research vulnerabilities in your spare time?

  14. 2015-01-12 17:14 | 猪猪侠 certified white hat ( core white hat | Rank:3224 vulns:254 | You already have so many super lollipops, what do you need freedom for?)

    @炯炯虾 The scanner isn't running; each run costs a lot. Normally I read the knowledge base and WooYun vulnerability cases to learn. Does learning count as research? If not, then I don't do research.

  15. 2015-01-12 17:19 | 黑暗游侠 ( regular white hat | Rank:1780 vulns:268 | 123)

    @猪猪侠 Brother Zhu, if I go to Beijing some day, can I ask you for a photo and an autograph?

  16. 2015-01-12 17:22 | 猪猪侠 certified white hat ( core white hat | Rank:3224 vulns:254 | You already have so many super lollipops, what do you need freedom for?)

    @黑暗游侠 I still want to go to Beijing to take a photo with @杀器王子! If 杀器王子 won't take a photo with me, then there's no way I can take one with you.

  17. 2015-01-12 17:30 | 胡小树 ( intern white hat | Rank:60 vulns:11 | I am a little tree)

    @猪猪侠 @炯炯虾 Masters often finish off the big vendors with the most basic moves

  18. 2015-01-12 17:32 | 黑暗游侠 ( regular white hat | Rank:1780 vulns:268 | 123)

    @猪猪侠 But aren't you in Beijing?

  19. 2015-01-12 18:49 | 小潘达 ( passer-by | Rank:8 vulns:1 | A little panda hunting for bugs)

    @猪猪侠 Hangzhou on the 15th, asking for a photo and an autograph

  20. 2015-01-12 23:09 | 从容 ( regular white hat | Rank:221 vulns:75 | Enjoy Hacking Just Because It's Fun :) ...)

    Brother Zhu, focused on user data for thirty years

  21. 2015-01-12 23:42 | 猪猪侠 certified white hat ( core white hat | Rank:3224 vulns:254 | You already have so many super lollipops, what do you need freedom for?)

    @小潘达 I'm too ugly; I don't dare take a photo with you, big brother.

  22. 2015-01-13 17:55 | c0nt ( passer-by | Rank:1 vulns:7 )

    No chance to go to Hangzhou on the 15th, can't get a glimpse of Brother Zhu - -

  23. 2015-01-15 16:30 | 小潘达 ( passer-by | Rank:8 vulns:1 | A little panda hunting for bugs)

    @猪猪侠 Brother Zhu, that's blatant mockery, you're so handsome!! The girl next to me was drooling

  24. 2015-01-15 19:53 | 猪猪侠 certified white hat ( core white hat | Rank:3224 vulns:254 | You already have so many super lollipops, what do you need freedom for?)

    @小潘达 I'm a grown man and have read a basketful of books; how can you try to fool me?

  25. 2015-02-27 23:37 | BeenQuiver ( regular white hat | Rank:101 vulns:26 | Focused and efficient; never give up good habits)

    @猪猪侠 Hahaha

  26. 2015-09-13 17:13 | Mark0smith ( passer-by | Rank:12 vulns:6 | I'm more like a little squirrel)

    All legends here