当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0190343

漏洞标题:中兴某企业业务网关系统设备任意文件删除&任意命令执行(无需登录)

相关厂商:中兴通讯股份有限公司

漏洞作者: YY-2012

提交时间:2016-03-29 12:22

修复时间:2016-06-27 15:10

公开时间:2016-06-27 15:10

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-29: 细节已通知厂商并且等待厂商处理中
2016-03-29: 厂商已经确认,细节仅向厂商公开
2016-04-01: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-05-23: 细节向核心白帽子及相关领域专家公开
2016-06-02: 细节向普通白帽子公开
2016-06-12: 细节向实习白帽子公开
2016-06-27: 细节向公众公开

简要描述:

rt

详细说明:

任意文件删除/modules/system/sys_restore_local.be.php:

<?php
//require_once('../../validate.php');//add by quentin at 2009-03-19 - modify quentin 2009-05-13
require_once("../../mainfile.php");
$res=new res_ajax();
$action=isset($_POST['action'])?$_POST['action']:(isset($_GET['action'])?$_GET['action']:null);
if(is_null($action)) {
$res->set_resultcode('-1');
$res->set_resultstr($lang['hackat']);
$res->output();
exit;
}
switch($action) {
case 'backup':
sys_backup($_POST);
break;
case 'restore':
sys_restore($_POST);
break;
case 'delete':
cfg_delete($_POST);
break;
case 'initconfig':
sys_initconfig($_POST);
break;
case 'getUSB':
sys_getusb($_POST);
break;
}
$res->output();
exit;
function sys_backup($post) {
global $db;
global $res;
global $lang;
$filename=$post['filename'];
if($post['rad_dir']=='fs') {
$backup_dir=$post['dir_fs'];
} else {
$backup_dir=$post['dir_u'];
}
$filename_len = strlen($filename);
if($filename_len == 0 || $filename_len > 20 || !preg_match("/^[0-9a-zA-Z_]*$/" , $filename)) {
$res->set_resultcode('-2');
$res->set_resultstr($lang['err_filepath']);
return;
}
/*$count=$db->countof('fms_task_info', "execute_status<>'3' and task_name_id='4'");
if($count>0) {
$res->set_resultcode('-1');
$res->set_resultstr($lang['tasking']);
return;
}*/
$cc=$db->countof('fms_local_backup_process', "backup_dir='".$backup_dir."' and filename='".$filename.".cfg'");
if($cc>0) {
$res->set_resultcode('-1');
$res->set_resultstr($lang['dupfiles']);
return;
}
/*$sqlb="insert into fms_task_info set task_name_id='4', task_type_id='1', priority_id='1', start_time='".mktime()."', execute_status='1', operator='".$_SESSION['user']."'";
if(!$db->execute($sqlb)) {
$db->execute('rollback');
$res->set_resultcode('-4');
$res->set_resultstr($lang['dberr']);
return;
}*/
//$id=mysql_insert_id();
$id = 0;
$sql="insert into fms_local_backup_process set task_serial='".$id."', backup_dir='".$backup_dir."', filename='".$filename.".cfg', system_data='1', log_data='1', process='0', task_status='0'";
$db->execute('start transaction');
if(!$db->execute($sql)) {
$db->execute('rollback');
$res->set_resultcode('-4');
$res->set_resultstr($lang['dberr']);
return;
}
$id=mysql_insert_id();
$db->execute("commit");
$res->set_resultcode('0');
$res->set_resultstr($id);
$resa = service_action('Backup_Config');
}
function sys_restore($post) {
global $db;
global $res;
global $lang;
$count=$db->countof('fms_task_info', "execute_status<>'3' and task_name_id='5'");
if($count>0) {
$res->set_resultcode('-1');
$res->set_resultstr($lang['tasking']);
return;
}
/*$sqlb="insert into fms_task_info set task_name_id='5', task_type_id='1', priority_id='1', start_time='".mktime()."', execute_status='1', operator='".$_SESSION['user']."'";
if(!$db->execute($sqlb)) {
$db->execute('rollback');
$res->set_resultcode('-4');
$res->set_resultstr($lang['dberr']);
return;
}
$id=mysql_insert_id();*/
$id = 0;
$sqla=array();
$sqla[]="insert into fms_backup_special_file_process set task_serial='".$id."', filename='".$post['hidd_file']."', process='0', task_status='0', operate_mode='0'";
//$sqla[]="update wms_restore_filelist set resume_id='".$id."' where id='".$post['hidd_id']."'";
$db->execute('start transaction');
foreach($sqla as $sqlstr) {
if(!$db->execute($sqlstr)) {
$db->execute('rollback');
$res->set_resultcode('-4');
$res->set_resultstr($lang['dberr']);
return;
}
}
$id=mysql_insert_id();
$db->execute("commit");
$res->set_resultcode('0');
$res->set_resultstr($id);
$resa = service_action('Restore_Config');
}
function cfg_delete($post) {
global $res;
global $lang;
global $db;
$filepath=str_replace('//', '/', $post['hid_name']);
if([email protected]($filepath)) {
$res->set_resultcode('-4');
$res->set_resultstr($lang['err_delfile']);
return;
}
$sql="delete from wms_restore_filelist where id='".$post['hid_id']."'";
$db->execute('start transaction');
if(!$db->execute($sql)) {
$db->execute('rollback');
$res->set_resultcode('-4');
$res->set_resultstr($lang['dberr']);
return;
}
$db->execute("commit");
$res->set_resultcode('0');
$res->set_resultstr($lang['success']);
}
function sys_initconfig($post) {
global $res;
$resa=service_action('Restore_FactoryConfig');
$res->set_result($resa[0], $resa[1]);
}
function sys_getusb($post) {
global $res;
$resa=service_action('reload_usb_mount');
$res->set_result($resa[0], $resa[1]);
}
?>


aaaaaaaaaaaaaaaaa111111111111111111111.jpg


任意命令/modules/system/local_rollback.php

<?php
require_once('../../validate.php');
require_once("../../mainfile.php");
$sel_dir = $_GET['sel_dir'];
$sql = "select * from lcm_globals where variable='MODULE_VER' and category='system'";
$rs = $db->query($sql);
while ($data = $db->fetchNextObject($rs)){
$up[$data->variable] = $data->value;
}
$smarty->assign('ver_system', $up['MODULE_VER']);
$command = '/usr/upgrade/'.$sel_dir.'/rollback.sh '. $sel_dir .' &';
$actions=array();
$actions[]="Action: action_rollback";
$actions[]="Command: ".$command;//Add/Mod/Del
$result = action_array_cms($actions);
echo $command;exit;
?>


aaaaaaaaaaaaaaaaaaaaa222222222222222222222.jpg

漏洞证明:

aaaaaaaaaaaaaaaaa3333333333333333333333.jpg


aaaaaaaaaaaaaaaa4444444444444444444.jpg


aaaaaaaaaaaaaaaaa555555555555555555555.jpg


案例参考http://**.**.**.**/bugs/wooyun-2016-0189550:

**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/

修复方案:

你们懂的。

版权声明:转载请注明来源 YY-2012@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2016-03-29 15:09

厂商回复:

感谢关注~

最新状态:

暂无