
Vulnerability summary

Defect ID: wooyun-2013-047371

Title: Notes on a failed penetration test: from a four-year-old article to a surveillance DVR and straight into a sensitive department's intranet

Related vendor: a certain department

Author: safe121

Submitted: 2013-12-30 11:29

Fix time: 2014-02-13 11:30

Public disclosure: 2014-02-13 11:30

Vulnerability type: weak service password

Severity: low

Self-assessed Rank: 1

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-12-30: details sent to the vendor, awaiting vendor handling
2014-01-04: vendor confirmed; details visible to the vendor only
2014-01-14: details disclosed to core white hats and experts in the relevant field
2014-01-24: details disclosed to regular white hats
2014-02-03: details disclosed to intern white hats
2014-02-13: details disclosed to the public

Summary:

A sensitive department's internal surveillance system is exposed on the public internet with weak passwords, and TELNET is reachable.

Details:

Bored out of my skull today, I read an old article on ChinaGFW.Org and found a few remarkable IP addresses:
219.142.121.211 —— Ministry-Of-Public-Security-Information-Communication-Agency
222.66.235.172 —— BAOSHAN-POLICE
121.10.215.35 and 218.66.36.226
What is special about these IP addresses?

The User-Agent is always Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Accept is always text/*,*/*
Accept-Language is always en-us
But when I saw that the WHOIS record for the first IP address actually read Ministry-Of-Public-Security-Information-Communication-Agency, I was stunned.
Once I'd recovered, I dug X-Scan out of the antique box and scanned 219.142.121.208 - 219.142.121.223, which turned up a remarkable IP address: 219.142.121.212
It had ports 80 and 23 open, so I tried admin / admin on the web interface and it worked (I changed the password to admin / admins, because I asked someone to help with the pentest and he went around handing the password out~)
So I set about gathering as much information as possible.

[Screenshot: Screenshot from 2013-12-29 04:39:03.png]


(This looks like the IP address of a collection-centre server, but since I don't know this protocol well I couldn't take the penetration any further)

[Screenshot: Screenshot from 2013-12-29 04:41:06.png]


(gateway address)
Then I tried to get in on the telnet port: admin/admin, admin/12345, admin/123456 and
admin/[null] were all wrong. What now? If they hadn't even changed the default web password, they surely hadn't changed the telnet one either, so let's find out who the manufacturer is~
I opened the web page and viewed the source: not even a copyright notice, and none in the JS file comments either. What a fearless vendor~
Then I remembered that loading this surveillance system needs an ActiveX plugin, so let's look at the plugin name~

[Screenshot: Screenshot from 2013-12-29 15:37:10.png]


Googling DHSurveillanceCtrl turned up nothing, so I googled webrec.cab instead.
From Google's excellent results I found that this surveillance system is a Dahua DVR (hard-disk video recorder),
and also found the password: username root, password vizxv
What a password, eh? Good thing I didn't try brute force at the start, or I'd never have cracked it in this lifetime.
So I went straight for ssh forwarding, and it told me the ssh command doesn't exist. Not too surprising, since busybox-based systems rarely have an ssh command, so I moved on:
netstat -l showed no ftp port open; after that I tried
telnet x.x.x.x >> /tmp/1.sh, wget, ftp, curl, scp, ………… and finally got a response when I tried tftp. Eh? Why is it printing system info?
Only later did I realise that busybox lets you see which functions it has defined.

Currently defined functions:
[, [[, arping, ash, awk, cat, chmod, cp, date, du, echo,
egrep, fdisk, fgrep, find, free, fsck, ftpget, ftpput,
getty, grep, hwclock, ifconfig, inetd, init, insmod, kill,
killall, linuxrc, ln, login, ls, lsmod, makedevs, mdev,
mkdir, mkfs.minix, mknod, modprobe, mount, mv, netstat,
ping, printenv, ps, pwd, readlink, rm, rmdir, rmmod, route,
sed, sh, sync, telnetd, test, top, touch, traceroute,
umount, xargs


[Screenshot: Screenshot from 2013-12-29 15:44:55.png]


Whatever, first set up a tftp server somewhere.
Once it was set up, I used tftp to fetch ssh and ssh_config. Eh? System info again; looks like this tftp has been stripped down.
What now? Nothing to be done, really~
Then I did another round of information gathering.
# cat Account1
// Default account configuration. A default group contains the required fields group name and group description;
// a default user contains the required fields user name, user description, group name, password and whether it is sharable. The default user does not need to be listed in the table below.
{

"Groups" : [
{
"AuthorityList" : [
"ShutDown",
"Monitor_01",
"Replay_01",
"Record",
"Backup",
"MHardisk",
"MPTZ",
"Account",
"Alarm",
"QueryLog",
"DelLog",
"SysUpdate",
"AutoMaintain",
"GeneralConf",
"EncodeConf",
"RecordConf",
"ComConf",
"NetConf",
"AlarmConf",
"VideoConfig",
"PtzConfig",
"DefaultConfig",
"VideoInputConfig"
],
"Id" : 1,
"Memo" : "administrator group",
"Name" : "admin"
},
{
"AuthorityList" : [ "Monitor_01", "Replay_01" ],
"Id" : 2,
"Memo" : "user group",
"Name" : "user"
}
],
"Users" : [
{
"AuthorityList" : [
"ShutDown",
"Monitor_01",
"Replay_01",
"Record",
"Backup",
"MHardisk",
"MPTZ",
"Account",
"Alarm",
"QueryLog",
"DelLog",
"SysUpdate",
"AutoMaintain",
"GeneralConf",
"EncodeConf",
"RecordConf",
"ComConf",
"NetConf",
"AlarmConf",
"VideoConfig",
"PtzConfig",
"DefaultConfig",
"VideoInputConfig"
],
"Group" : "admin",
"Id" : 1,
"Memo" : "admin 's account",
"Name" : "admin",
"Password" : "XDc1JPnF",
"Reserved" : true,
"Sharable" : true
},
{
"AuthorityList" : [
"ShutDown",
"Monitor_01",
"Replay_01",
"Record",
"Backup",
"MHardisk",
"MPTZ",
"Account",
"Alarm",
"QueryLog",
"DelLog",
"SysUpdate",
"AutoMaintain",
"GeneralConf",
"EncodeConf",
"RecordConf",
"ComConf",
"NetConf",
"AlarmConf",
"VideoConfig",
"PtzConfig",
"DefaultConfig",
"VideoInputConfig"
],
"Group" : "admin",
"Id" : 2,
"Memo" : "888888 's account",
"Name" : "888888",
"Password" : "4WzwxXxM",
"Reserved" : true,
"Sharable" : true
},
{
"AuthorityList" : [ "Monitor_01", "Replay_01" ],
"Group" : "user",
"Id" : 3,
"Memo" : "666666 's account",
"Name" : "666666",
"Password" : "sh15yfFM",
"Reserved" : true,
"Sharable" : true
},
{
"AuthorityList" : [ "Monitor_01", "Replay_01" ],
"Group" : "user",
"Id" : 4,
"Memo" : "default account",
"Name" : "default",
"Password" : "OxhlwSG8",
"Reserved" : true,
"Sharable" : false
}
]
}


Not sure what encryption the passwords use.

#
ARP table
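An added audit helper, not part of the original report or of any vendor tooling: it parses a file in the layout of the Account1 dump above (leading // comment lines, then a JSON body with Groups and Users) and lists accounts a defender should review, namely those holding privileges that can change credentials, firmware or network settings, and privileged accounts that permit shared concurrent logins. The sample config, the placeholder password values and the SENSITIVE privilege set are constructed assumptions.

```python
import json

# Constructed sample in the layout of the Account1 file above; hash values are placeholders.
SAMPLE_ACCOUNT1 = """\
// default account configuration (comment lines precede the JSON body)
{
  "Groups": [
    {"AuthorityList": ["ShutDown", "Monitor_01", "Account", "SysUpdate", "NetConf"],
     "Id": 1, "Memo": "administrator group", "Name": "admin"},
    {"AuthorityList": ["Monitor_01", "Replay_01"], "Id": 2, "Memo": "user group", "Name": "user"}
  ],
  "Users": [
    {"AuthorityList": ["ShutDown", "Monitor_01", "Account", "SysUpdate", "NetConf"],
     "Group": "admin", "Id": 1, "Memo": "admin 's account", "Name": "admin",
     "Password": "PLACEHOLDER_HASH_1", "Reserved": true, "Sharable": true},
    {"AuthorityList": ["ShutDown", "Monitor_01", "Account", "SysUpdate", "NetConf"],
     "Group": "admin", "Id": 2, "Memo": "888888 's account", "Name": "888888",
     "Password": "PLACEHOLDER_HASH_2", "Reserved": true, "Sharable": true},
    {"AuthorityList": ["Monitor_01", "Replay_01"], "Group": "user", "Id": 4,
     "Memo": "default account", "Name": "default",
     "Password": "PLACEHOLDER_HASH_4", "Reserved": true, "Sharable": false}
  ]
}
"""

# Assumed set of privileges that let a holder alter credentials, firmware or network settings.
SENSITIVE = {"Account", "SysUpdate", "NetConf", "ComConf", "DefaultConfig"}

def parse_account1(text):
    """Drop the leading // comment lines and parse the remaining JSON body."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    return json.loads(body)

def audit_accounts(cfg):
    """Return (account name, finding) tuples for a defender to review."""
    findings, privileged = [], []
    for u in cfg.get("Users", []):
        name, hit = u["Name"], set(u["AuthorityList"]) & SENSITIVE
        if hit:
            privileged.append(name)
            findings.append((name, "holds sensitive privileges: " + ", ".join(sorted(hit))))
            if u.get("Sharable"):  # one credential usable from several sessions at once
                findings.append((name, "privileged account permits concurrent shared logins"))
    if len(privileged) > 1:  # every extra privileged account is another credential to guard
        findings.append(("*", "multiple privileged accounts: " + ", ".join(privileged)))
    return findings

if __name__ == "__main__":
    for name, finding in audit_accounts(parse_account1(SAMPLE_ACCOUNT1)):
        print(f"{name}: {finding}")
```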
# arping -f 219.142.121.209
ARPING to 219.142.121.209 from 219.142.121.212 via eth0
Unicast reply from 219.142.121.209 [28:6e:d4:95:fd:57] 4.770ms
Sent 1 probe(s) (1 broadcast(s))
Received 1 replies (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.210
ARPING to 219.142.121.210 from 219.142.121.212 via eth0
Unicast reply from 219.142.121.210 [0:65:11:0:42:bb] 0.539ms
Sent 1 probe(s) (1 broadcast(s))
Received 1 replies (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.211
ARPING to 219.142.121.211 from 219.142.121.212 via eth0
Sent 3 probe(s) (3 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.212
ARPING to 219.142.121.212 from 219.142.121.212 via eth0
^[[ASent 4 probe(s) (4 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.213
ARPING to 219.142.121.213 from 219.142.121.212 via eth0
Unicast reply from 219.142.121.213 [0:10:db:57:94:41] 2.050ms
Sent 1 probe(s) (1 broadcast(s))
Received 1 replies (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.214
ARPING to 219.142.121.214 from 219.142.121.212 via eth0
Unicast reply from 219.142.121.214 [0:95:10:91:13:fb] 1.374ms
Sent 1 probe(s) (1 broadcast(s))
Received 1 replies (0 request(s), 0 broadcast(s))
# arping -f 219.142.121.215
ARPING to 219.142.121.215 from 219.142.121.212 via eth0
Sent 15 probe(s) (15 broadcast(s))
Received 0 reply (0 request(s), 0 broadcast(s))
#
# traceroute 202.102.110.2
traceroute to 202.102.110.2 (202.102.110.2), 30 hops max, 40 byte packets
1 219.142.121.209 (219.142.121.209) 3.689 ms 3.602 ms 5.440 ms
2 219.141.131.157 (219.141.131.157) 2.705 ms * 2.755 ms
3 202.97.53.89 (202.97.53.89) 7.431 ms 5.628 ms 3.694 ms
4 202.97.37.70 (202.97.37.70) 5.646 ms 3.470 ms 3.970 ms
5 202.97.65.202 (202.97.65.202) 29.059 ms 102345.869 ms 27.525 ms
6 221.231.146.249 (221.231.146.249) 25.425 ms 25.928 ms 25.388 ms
7 202.102.110.78 (202.102.110.78) 26.846 ms 27.270 ms 26.786 ms
8 202.102.110.68 (202.102.110.68) 103030.110 ms 27.307 ms 26.972 ms
9 * * *
# traceroute 121.189.57.81
traceroute to 121.189.57.81 (121.189.57.81), 30 hops max, 40 byte packets
1 219.142.121.209 (219.142.121.209) 4.131 ms 3.186 ms 3.604 ms
2 219.141.142.81 (219.141.142.81) 5.481 ms 3.923 ms 3.156 ms
3 118.84.3.21 (118.84.3.21) 6.906 ms 202.97.57.209 (202.97.57.209) 6.462 ms
13600.153 ms
4 202.97.53.166 (202.97.53.166) 3.596 ms 202.97.53.86 (202.97.53.86) 4.916 m
s 202.97.53.166 (202.97.53.166) 3.458 ms
5 202.97.53.238 (202.97.53.238) 18.263 ms 202.97.58.94 (202.97.58.94) 3.897
ms 202.97.53.238 (202.97.53.238) 4.007 ms
6 202.97.58.81 (202.97.58.81) 3.808 ms 256304.746 ms 3.697 ms
7 202.97.5.98 (202.97.5.98) 55.685 ms 55.249 ms 55.465 ms
8 112.174.84.233 (112.174.84.233) 43.193 ms 43.191 ms 43.055 ms


It looks like this uplink goes straight into the China Telecom backbone.
Ministry of Public Security, how are you this badass?

Proof of vulnerability:

[Screenshot: Screenshot from 2013-12-29 04:39:03.png]


[Screenshot: Screenshot from 2013-12-29 04:41:06.png]

Fix recommendation:

Change the passwords and revoke external network access~ BTW: if anyone has one, I'd love a domestic VPN with no GFW (grin~)

Copyright notice: when reposting, please credit the source safe121@乌云


Vulnerability response

Vendor response:

Severity: high

Vulnerability Rank: 11

Confirmed: 2014-01-04 10:51

Vendor reply:

CNVD has not yet been able to determine directly who owns the server, but the case has been forwarded through CNCERT to a national information security coordination body, which will follow up and try to notify the likely operator of the site.

Latest status:

None