当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169973

漏洞标题:利安人寿某处命令执行root权限直入内网

相关厂商:利安人寿

漏洞作者: sqlfeng

提交时间:2016-01-15 02:34

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:命令执行

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-15: 细节已通知厂商并且等待厂商处理中
2016-01-19: 厂商已经确认,细节仅向厂商公开
2016-01-29: 细节向核心白帽子及相关领域专家公开
2016-02-08: 细节向普通白帽子公开
2016-02-18: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

利安人寿某处命令执行,root权限,直入内网

详细说明:

**.**.**.**/
weblogic java反序列化命令执行

漏洞证明:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 **.**.**.**:13782               **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:22                  **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:631               **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:49143               **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:25           **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:13724               **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:111                 **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:35952             **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:1556                **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:1557              **.**.**.**:*                   LISTEN      
tcp        0      0 **.**.**.**:54242             **.**.**.**:35952             ESTABLISHED 
tcp        0      0 **.**.**.**:54244             **.**.**.**:35952             ESTABLISHED 
tcp        0      0 **.**.**.**:22           **.**.**.**:59681          ESTABLISHED 
tcp        0      0 **.**.**.**:58735        **.**.**.**:445           ESTABLISHED 
tcp        0      0 **.**.**.**:35952             **.**.**.**:54244             ESTABLISHED 
tcp        0      0 **.**.**.**:35952             **.**.**.**:54242             ESTABLISHED 
tcp        0      0 :::22                       :::*                        LISTEN      
tcp        0      0 ::1:631                     :::*                        LISTEN      
tcp        0      0 ::1:25                      :::*                        LISTEN      
tcp        0      0 :::36218                    :::*                        LISTEN      
tcp        0      0 :::40001                    :::*                        LISTEN      
tcp        0      0 ::1:9002                    :::*                        LISTEN      
tcp        0      0 ::ffff:**.**.**.**:9002       :::*                        LISTEN      
tcp        0      0 fe80::9e8e:99ff:fe31:3:9002 :::*                        LISTEN      
tcp        0      0 fe80::9e8e:99ff:fe31:3:9002 :::*                        LISTEN      
tcp        0      0 ::ffff:**.**.**.**:9002  :::*                        LISTEN      
tcp        0      0 :::111                      :::*                        LISTEN      
tcp        0      0 fe80::9e8e:99ff:fe31:3bc:80 :::*                        LISTEN      
tcp        0      0 ::ffff:**.**.**.**:80    :::*                        LISTEN      
tcp        0      0 ::1:80                      :::*                        LISTEN      
tcp        0      0 fe80::9e8e:99ff:fe31:3bc:80 :::*                        LISTEN      
tcp        0      0 ::ffff:**.**.**.**:80         :::*                        LISTEN      
tcp        0      0 :::1556                     :::*                        LISTEN      
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46666 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41039 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46685 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46704 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46723 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46799 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41153 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:57433 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41096 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**00:44989 ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:57426 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:57430 ::ffff:**.**.**.**:1521    TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46761 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:53184   ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:57423 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41115 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41001 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:37466 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:37458 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41020 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:33858 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:57434 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41077 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**00:3403  ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46837 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:57428 ::ffff:**.**.**.**:1521    TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41134 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:37454 ::ffff:**.**.**.**:1521    TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41191 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46818 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**00:37038 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46856 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41172 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:58465 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46742 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:58464 ::ffff:**.**.**.**:1521    ESTABLISHED 
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:46780 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**:41058 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:57432 ::ffff:**.**.**.**:1521    TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:80    ::ffff:**.**.**.**00:56166 TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:58456 ::ffff:**.**.**.**:1521    TIME_WAIT   
tcp        0      0 ::ffff:**.**.**.**:37457 ::ffff:**.**.**.**:1521    ESTABLISHED


QQ截图20160114004518.png


QQ截图20160114035520.png

修复方案:

版权声明:转载请注明来源 sqlfeng@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-19 11:49

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给江苏分中心,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评价