当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0190343

漏洞标题:中兴某企业业务网关系统设备任意文件删除&任意命令执行(无需登录)

相关厂商:中兴通讯股份有限公司

漏洞作者: YY-2012

提交时间:2016-03-29 12:22

修复时间:2016-06-27 15:10

公开时间:2016-06-27 15:10

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-29: 细节已通知厂商并且等待厂商处理中
2016-03-29: 厂商已经确认,细节仅向厂商公开
2016-04-01: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-05-23: 细节向核心白帽子及相关领域专家公开
2016-06-02: 细节向普通白帽子公开
2016-06-12: 细节向实习白帽子公开
2016-06-27: 细节向公众公开

简要描述:

rt

详细说明:

任意文件删除/modules/system/sys_restore_local.be.php:

<?php
//require_once('../../validate.php');//add by quentin at 2009-03-19 - modify quentin 2009-05-13
require_once("../../mainfile.php");
$res=new res_ajax();
$action=isset($_POST['action'])?$_POST['action']:(isset($_GET['action'])?$_GET['action']:null);
if(is_null($action)) {
	$res->set_resultcode('-1');
	$res->set_resultstr($lang['hackat']);
	$res->output();
	exit;
}
switch($action) {
	case 'backup':
		sys_backup($_POST);
		break;
	case 'restore':
		sys_restore($_POST);
	    break;
	case 'delete':
		cfg_delete($_POST);
	    break;
	case 'initconfig':
	    sys_initconfig($_POST);
	    break;
	case 'getUSB':
	    sys_getusb($_POST);
	    break;
}
$res->output();
exit;
function sys_backup($post) {
	global $db;
	global $res;
	global $lang;
    $filename=$post['filename'];
    if($post['rad_dir']=='fs') {
		$backup_dir=$post['dir_fs'];
	} else {
		$backup_dir=$post['dir_u'];
	}
    $filename_len = strlen($filename);
    if($filename_len == 0 || $filename_len > 20 || !preg_match("/^[0-9a-zA-Z_]*$/" , $filename)) {
		$res->set_resultcode('-2');
		$res->set_resultstr($lang['err_filepath']);
		return;
	}
	/*$count=$db->countof('fms_task_info', "execute_status<>'3' and task_name_id='4'");
	if($count>0) {
		$res->set_resultcode('-1');
	    $res->set_resultstr($lang['tasking']);
		return;
	}*/
	$cc=$db->countof('fms_local_backup_process', "backup_dir='".$backup_dir."' and filename='".$filename.".cfg'");
    if($cc>0) {
		$res->set_resultcode('-1');
	    $res->set_resultstr($lang['dupfiles']);
		return;
	}
	/*$sqlb="insert into fms_task_info set task_name_id='4', task_type_id='1', priority_id='1', start_time='".mktime()."', execute_status='1', operator='".$_SESSION['user']."'";
    if(!$db->execute($sqlb)) {
		$db->execute('rollback');
		$res->set_resultcode('-4');
		$res->set_resultstr($lang['dberr']);
		return;
	}*/
    //$id=mysql_insert_id();
    $id = 0;
	$sql="insert into fms_local_backup_process set task_serial='".$id."', backup_dir='".$backup_dir."', filename='".$filename.".cfg', system_data='1', log_data='1', process='0', task_status='0'";
	$db->execute('start transaction');
	if(!$db->execute($sql)) {
		$db->execute('rollback');
		$res->set_resultcode('-4');
		$res->set_resultstr($lang['dberr']);
		return;
	}
	$id=mysql_insert_id();
	$db->execute("commit");
	$res->set_resultcode('0');
	$res->set_resultstr($id);
	$resa = service_action('Backup_Config');
}
function sys_restore($post) {
	global $db;
	global $res;
	global $lang;
	$count=$db->countof('fms_task_info', "execute_status<>'3' and task_name_id='5'");
	if($count>0) {
		$res->set_resultcode('-1');
	    $res->set_resultstr($lang['tasking']);
		return;
	}
    /*$sqlb="insert into fms_task_info set task_name_id='5', task_type_id='1', priority_id='1', start_time='".mktime()."', execute_status='1', operator='".$_SESSION['user']."'";
	if(!$db->execute($sqlb)) {
		$db->execute('rollback');
		$res->set_resultcode('-4');
		$res->set_resultstr($lang['dberr']);
		return;
	}
	$id=mysql_insert_id();*/
	$id = 0;
    $sqla=array();
	$sqla[]="insert into fms_backup_special_file_process set task_serial='".$id."', filename='".$post['hidd_file']."', process='0', task_status='0', operate_mode='0'";
	//$sqla[]="update wms_restore_filelist set resume_id='".$id."' where id='".$post['hidd_id']."'";
	$db->execute('start transaction');
	foreach($sqla as $sqlstr) {
		if(!$db->execute($sqlstr)) {
			$db->execute('rollback');
			$res->set_resultcode('-4');
			$res->set_resultstr($lang['dberr']);
			return;
		}	
	}
	$id=mysql_insert_id();
	$db->execute("commit");
	$res->set_resultcode('0');
	$res->set_resultstr($id);
	$resa = service_action('Restore_Config');
}
function cfg_delete($post) {
	global $res;
	global $lang;
	global $db;
	$filepath=str_replace('//', '/', $post['hid_name']);
	if(!@unlink($filepath)) {
		$res->set_resultcode('-4');
		$res->set_resultstr($lang['err_delfile']);
		return;
	}
	$sql="delete from wms_restore_filelist where id='".$post['hid_id']."'";
	$db->execute('start transaction');
	if(!$db->execute($sql)) {
		$db->execute('rollback');
		$res->set_resultcode('-4');
		$res->set_resultstr($lang['dberr']);
		return;
	}
	$db->execute("commit");
	$res->set_resultcode('0');
	$res->set_resultstr($lang['success']);
}
function sys_initconfig($post) {
	global $res;
	$resa=service_action('Restore_FactoryConfig');
	$res->set_result($resa[0], $resa[1]);
}
function sys_getusb($post) {
	global $res;
	$resa=service_action('reload_usb_mount');
	$res->set_result($resa[0], $resa[1]);
}
?>


aaaaaaaaaaaaaaaaa111111111111111111111.jpg


任意命令/modules/system/local_rollback.php

<?php
require_once('../../validate.php');
require_once("../../mainfile.php");
$sel_dir = $_GET['sel_dir'];
$sql = "select * from lcm_globals where  variable='MODULE_VER' and category='system'";
$rs = $db->query($sql);
while ($data = $db->fetchNextObject($rs)){
    $up[$data->variable] = $data->value;
}
$smarty->assign('ver_system', $up['MODULE_VER']);
$command = '/usr/upgrade/'.$sel_dir.'/rollback.sh '. $sel_dir .' &';
$actions=array();
$actions[]="Action: action_rollback";
$actions[]="Command: ".$command;//Add/Mod/Del
$result = action_array_cms($actions);
echo $command;exit;
?>


aaaaaaaaaaaaaaaaaaaaa222222222222222222222.jpg

漏洞证明:

aaaaaaaaaaaaaaaaa3333333333333333333333.jpg


aaaaaaaaaaaaaaaa4444444444444444444.jpg


aaaaaaaaaaaaaaaaa555555555555555555555.jpg


案例参考http://**.**.**.**/bugs/wooyun-2016-0189550:

**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/
**.**.**.**/

修复方案:

你们懂的。

版权声明:转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2016-03-29 15:09

厂商回复:

感谢关注~

最新状态:

暂无