
Vulnerability summary

Defect ID: wooyun-2013-037774

Title: A failed attempt at roaming Tencent's internal network #1

Affected vendor: Tencent

Author: 猪猪侠

Submitted: 2013-09-22 15:43

Fixed: 2013-11-06 15:43

Published: 2013-11-06 15:43

Vulnerability type: application misconfiguration

Severity: high

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2013-09-22: Details sent to the vendor, awaiting the vendor's response
2013-09-24: Vendor has confirmed; details disclosed to the vendor only
2013-10-04: Details disclosed to core white hats and experts in the relevant fields
2013-10-14: Details disclosed to regular white hats
2013-10-24: Details disclosed to intern white hats
2013-11-06: Details disclosed to the public

Brief description:

Security is a whole: what guarantees it is not how strong the strong points are, but where the genuinely weak points lie.
Applying that principle, I collected information about Tencent's peripheral systems from the public internet and carried out a successful test case. Because the test method I used midway did not take Tencent's intrusion detection system and related factors into account, the activity was eventually matched by the system's rules, which exposed the whole test.
The main factor behind the test's success: Tencent business staff had quietly set up a team website on a server inside their own core network (as I learned afterwards from Tencent staff). The site was never registered with the security center, so the server was never hardened by security professionals, and that is the gap a white hat used to get into Tencent's internal network.
This report describes Tencent's defensive mechanisms for other internet companies and white hats to study and challenge; rules only grow stronger through long rounds of collision and refinement!
Tencent is welcome to mark this vulnerability as ignored so that white hats get to see the details early.

Detailed description:

#1 Gathering information on peripheral systems
I wrote an automated Python script that uses Google to search for the company's tencent.com domains (site:tencent.com and the like); see "Google hacking" for the principle.
#2 Refining the raw information
Collect the links that appear in the page contents and decide, by regex matching or by hand, whether they also belong to Tencent. Among the pile of links under the Tencent design team page at http://isux.tencent.com/about I found the target of this test:

tecent_边缘业务.jpg


#3 Picking the target, fingerprinting
From the list of business systems collected, I took the old lady's approach to eating persimmons: pick the soft ones!

http://isd.tencent.com/
http://impd.tencent.com/
http://isux.tencent.com/
http://flashteam.tencent.com/
http://cdc.tencent.com/
http://www.alloyteam.com/

Fingerprinting results:

Nginx web server
WordPress


#4 Automated fuzzing against the collected information
It turned out that only the www.alloyteam.com server was unhardened: both wp-login.php and the wp-admin back end were reachable.

--------------------------------
* Checking:
* http://www.alloyteam.com/
--------------------------------
TAT.iAzrael
pan
元彦
melody
Pel
TAT.Johnny
yussica
TAT.Kinvix
TAT.Chappell
TAT.林挺
TAT.sheran
yukin
TAT.dmyang
TAT.svenzeng
zhanglei
TAT.岑安
vienna
dingollw
TAT.Rehorn
czpae86
TAT.Cson
duwei


The above is the user list output by an automated WordPress tool. A dictionary attack eventually matched the password of the user Pel: 112***

tencent_wp-admin.jpg


Right, someone will say: with no plugin or theme editing you can't get a shell, and it isn't even under the qq.com or tencent.com main domains (so XSS-style tricks are useless). Stuck now, huh?
#5 Don't stop at the surface; bring every bit of knowledge and every test method you know to bear
I tried every method I could think of. In the end, as it happened, the server ran Nginx; as it happened, it was a server the business staff had set up themselves; and as it happened, Tencent's security team had no record of it!
Thank God! That is luck (and luck sometimes belongs only to those who keep at it!).
As it happened, this Nginx was misconfigured and had a parsing vulnerability: after uploading an attachment, requesting /a.php directly gave me a shell.
Directory traversal was also possible. Here is a picture of my shell.

tencent_happy.gif.jpg


#6 A personal slip that made the test fail
Out of habit, I like to embed a caidao.exe one-liner backdoor into an image, upload it to the target server, and use it to confirm that the test succeeded.
Tencent runs full HTTP log monitoring on the server side plus some other pretty extreme measures (monitoring calls to /bin/sh and /bin/bash made by system programs). The parameter names caidao sends from client to server have long been blacklisted, and so have the cookie names used by the various shells.
Through habit and carelessness I underestimated this kind of WAF rule, and underestimated Tencent's capacity to process its data; the intrusion detection rules matched, and the test was declared a failure.
Other internet companies can learn from Tencent's defensive mechanisms, and white hats can think about how to deal with an environment like this.
#7 The contest will go on
I later tested one of Tencent's Java-based peripheral systems and was not picked up by the detection system (this series will have a sequel). For now Tencent seems formidable only in the dimensions it already excels at, but given its financial means, getting caught is only a matter of time, so the contest will never stop.
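The two server-side signals the report describes in #5 and #6 can be turned into detection logic: the request shape of the Nginx/PHP parsing weakness (a static-file path followed by a .php segment, or any PHP under the upload directory) in the HTTP log, and shells spawned by web-server worker processes. This is an added example, not the author's code or Tencent's monitoring; the access-log lines and process events are constructed, and the worker-process names and the login threshold are assumptions.

```python
import os
import re
from collections import Counter
# Constructed nginx access-log lines (combined format), not taken from the page.
ACCESS_LOG = """\
1.2.3.4 - - [02/Aug/2013:09:10:01 +0800] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
1.2.3.4 - - [02/Aug/2013:09:10:02 +0800] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
1.2.3.4 - - [02/Aug/2013:09:10:02 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
5.6.7.8 - - [02/Aug/2013:09:12:40 +0800] "GET /wp-content/uploads/2013/08/happy.gif/a.php HTTP/1.1" 200 512 "-" "-"
5.6.7.8 - - [02/Aug/2013:09:12:41 +0800] "POST /wp-content/uploads/2013/08/a.php HTTP/1.1" 200 88 "-" "-"
9.9.9.9 - - [02/Aug/2013:09:13:00 +0800] "GET /wp-content/uploads/2013/08/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Static-file extension followed by /name.php: the shape of the Nginx/PHP PATH_INFO parsing abuse.
PATHINFO_PHP_RE = re.compile(r'\.(?:jpe?g|gif|png|bmp|txt)/[^/?]+\.php', re.I)
# PHP under the WordPress upload directory should never be requested, let alone executed.
UPLOAD_PHP_RE = re.compile(r'^/wp-content/uploads/.*\.php(?:$|\?)', re.I)

def suspicious_requests(log_text, login_threshold=3):
    """Scan access-log text and return the hits per rule (the threshold is an assumption)."""
    hits = {"pathinfo_php": [], "upload_php_exec": [], "login_bruteforce": {}}
    login_posts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        if PATHINFO_PHP_RE.search(path):
            hits["pathinfo_php"].append((ip, path))
        if UPLOAD_PHP_RE.match(path):  # a PATH_INFO hit under uploads is recorded here too
            hits["upload_php_exec"].append((ip, path))
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            login_posts[ip] += 1
    hits["login_bruteforce"] = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return hits

# Constructed execve events as a host agent might record them; the php-fpm path is the one in this page's history log.
EXEC_EVENTS = [
    {"pid": 4101, "exe": "/usr/local/services/php-fpm-5.3.6/sbin/php-fpm", "pexe": "/sbin/init"},
    {"pid": 4190, "exe": "/bin/sh", "pexe": "/usr/local/services/php-fpm-5.3.6/sbin/php-fpm"},
    {"pid": 4300, "exe": "/bin/bash", "pexe": "/usr/sbin/sshd"},
]
WEB_WORKERS = ("php-fpm", "nginx", "httpd", "apache2")  # assumed web-worker binaries
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}

def shells_spawned_by_web(events):
    """Return pids of shells whose parent is a web-server or PHP worker, a classic webshell tell."""
    return [ev["pid"] for ev in events
            if ev["exe"] in SHELLS and os.path.basename(ev["pexe"]).startswith(WEB_WORKERS)]
```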

Proof of vulnerability:

#1 Shell obtained

tencent_shell.jpg


tencent_shell2.jpg


#2 Tencent's system monitoring

tencent_monitor.jpg


tencent_monitor2.jpg


#3 bash monitoring
/data/.my_history

[ Fri Aug 2 09:06:05 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:05 exit ]
[ Fri Aug 2 09:06:06 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:06 cd /tmp/tools/qqsa/ntpupdate/ && ./ntpupdate.sh --install ]
[ Fri Aug 2 09:06:07 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:06 sleep 1 ]
[ Fri Aug 2 09:06:08 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:07 exit ]
[ Fri Aug 2 09:06:09 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:09 cd /tmp/tools/qqsa/proc_monitor && ./setup.sh ]
[ Fri Aug 2 09:06:10 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:09 sleep 1 ]
[ Fri Aug 2 09:06:10 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:10 exit ]
[ Fri Aug 2 09:06:11 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:11 cd /tmp/tools/qqsa/health_check && ./setup.sh ]
[ Fri Aug 2 09:06:12 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:11 sleep 1 ]
[ Fri Aug 2 09:06:12 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:12 exit ]
[ Fri Aug 2 09:06:13 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:13 cd /tmp/tools/webbak_dir && ./add_bak.sh /data ]
[ Fri Aug 2 09:06:14 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:13 sleep 1 ]
[ Fri Aug 2 09:06:15 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:14 exit ]
[ Fri Aug 2 09:06:16 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:16 cd /tmp/tools/server_monitor && ./install.sh ]
[ Fri Aug 2 09:06:17 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:16 sleep 1 ]
[ Fri Aug 2 09:06:17 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:17 exit ]
[ Fri Aug 2 09:06:18 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:18 chmod 777 /data/.my_history ]
[ Fri Aug 2 09:06:19 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:18 sleep 1 ]
[ Fri Aug 2 09:06:19 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:19 exit ]
[ Fri Aug 2 09:06:21 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:20 cd /tmp/tools/yagent ; pgrep -f yagent || ( ./install.sh ; cd /usr/local/services/yagent-1.0/admin/ ; ./restart.sh ) ]
[ Fri Aug 2 09:06:22 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:21 sleep 1 ]
[ Fri Aug 2 10:13:03 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 09:06:22 exit ]
[ Fri Aug 2 10:13:05 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:05 cd /usr/local/services/ ]
[ Fri Aug 2 10:13:07 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:07 cd .. ]
[ Fri Aug 2 10:13:08 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:08 cd src ]
[ Fri Aug 2 10:13:08 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:08 ls ]
[ Fri Aug 2 10:13:15 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:13 tar zxf php-fpm-5.3.6.4-install.tar.gz ]
[ Fri Aug 2 10:13:16 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:16 ls ]
[ Fri Aug 2 10:13:17 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:17 cd php-fpm-5.3.6.4-install ]
[ Fri Aug 2 10:13:18 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:18 ls ]
[ Fri Aug 2 10:13:22 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:20 ./install.sh ]
[ Fri Aug 2 10:13:28 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:25 rz -be ]
[ Fri Aug 2 10:13:34 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:34 cd /usr/local/services/php-fpm-5.3.6/admin/ ]
[ Fri Aug 2 10:13:35 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:35 ./restart.sh ]
[ Fri Aug 2 10:13:41 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:40 yum search libtool ]
[ Fri Aug 2 10:14:12 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:13:58 yum install -y libtool-ltdl-devel libtool ]
[ Fri Aug 2 10:14:59 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:14:59 cd /lib64/ ]
[ Fri Aug 2 10:15:25 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:15:25 ls libltdl.so.3 ]
[ Fri Aug 2 10:15:40 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:15:40 ls /usr/lib/libltdl.so.7 -l ]
[ Fri Aug 2 10:19:17 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:19:17 ln /usr/lib/libltdl.so.7.2.1 /usr/lib/libltdl.so.3 ]
[ Fri Aug 2 10:19:23 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:19:23 cd /usr/local/services/php-fpm-5.3.6/admin/ ]
[ Fri Aug 2 10:19:28 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:19:25 ./restart.sh ]
[ Fri Aug 2 10:19:41 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:19:25 ./restart.sh ]
[ Fri Aug 2 10:19:43 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:19:43 ldconfig ]
[ Fri Aug 2 10:19:48 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:19:44 ./restart.sh ]
[ Fri Aug 2 10:20:17 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:20:17 ln /usr/lib/libltdl.so.7.2.1 /lib64/libltdl.so.3 ]
[ Fri Aug 2 10:20:22 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:20:19 ./restart.sh ]
[ Fri Aug 2 10:20:25 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:20:25 ldconfig ]
[ Fri Aug 2 10:20:34 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:20:34 rm usr/lib/libltdl.so.3 ]
[ Fri Aug 2 10:20:37 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:20:37 rm /usr/lib/libltdl.so.3 ]
[ Fri Aug 2 10:20:39 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:20:39 ldconfig ]
[ Fri Aug 2 10:20:44 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:20:40 ./restart.sh ]
[ Fri Aug 2 10:21:34 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:20:40 ./restart.sh ]
[ Fri Aug 2 10:21:40 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:21:40 cd .. ]
[ Fri Aug 2 10:21:42 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:21:42 cd sbin/ ]
[ Fri Aug 2 10:21:45 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:21:45 ldd php-fpm ]
[ Fri Aug 2 10:22:04 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:21:58 rz -be ]
[ Fri Aug 2 10:22:49 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:22:48 yum search liblt ]
[ Fri Aug 2 10:22:57 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:22:56 yum search libt ]
[ Fri Aug 2 10:23:06 2013 ][ root pts/4 Aug 2 10:13 (10.134.133.94) ][ 2013-08-02 10:23:05 yum install libtool ]
[ Fri Aug 2 11:34:38 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 09:06:22 exit ]
[ Fri Aug 2 11:34:41 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:34:41 cd tmp/ ]
[ Fri Aug 2 11:35:49 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:34:44 wget http://nodejs.org/dist/v0.8.25/node-v0.8.25.tar.gz ]
[ Fri Aug 2 11:36:22 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:36:21 tar -xzvf node-v0.8.25.tar.gz ]
[ Fri Aug 2 11:36:24 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:36:24 cd node-v0.8.25 ]
[ Fri Aug 2 11:36:28 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:36:27 ./configure ]
[ Fri Aug 2 11:44:14 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:36:30 make ]
[ Fri Aug 2 11:44:14 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:36:30 make ]
[ Fri Aug 2 11:44:14 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:36:30 make ]
[ Fri Aug 2 11:46:06 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:46:06 ll /usr/local/nginx/sbin/nginx ]
[ Fri Aug 2 11:46:34 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:46:34 source /etc/profile ]
[ Fri Aug 2 11:46:38 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:46:38 whereis nginx ]
[ Fri Aug 2 11:46:42 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:46:42 nginx -v ]
[ Fri Aug 2 11:46:48 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:46:48 nginx -s reload ]
[ Fri Aug 2 11:47:18 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:47:18 ps aux | grep nginx ]
[ Fri Aug 2 11:48:27 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:27 killall -9 nginx ]
[ Fri Aug 2 11:48:29 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:29 ps aux | grep nginx ]
[ Fri Aug 2 11:48:30 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:29 ps aux | grep nginx ]
[ Fri Aug 2 11:48:31 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:29 ps aux | grep nginx ]
[ Fri Aug 2 11:48:32 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:29 ps aux | grep nginx ]
[ Fri Aug 2 11:48:34 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:34 killall -9 nginx ]
[ Fri Aug 2 11:48:35 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:35 ps aux | grep nginx ]
[ Fri Aug 2 11:48:36 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:35 ps aux | grep nginx ]
[ Fri Aug 2 11:48:38 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:38 /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf ]
[ Fri Aug 2 11:49:06 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:48:52 vim /etc/nginx/nginx.conf ]
[ Fri Aug 2 11:49:07 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:49:07 /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf ]
[ Fri Aug 2 11:49:11 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:49:11 ps aux | grep nginx ]
[ Fri Aug 2 11:49:14 2013 ][ root pts/0 Aug 1 16:22 (172.16.11.162) ][ 2013-08-02 11:49:11 ps aux | grep nginx ]
[ Fri Aug 2 11:53:55 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:53:53 make install ]
[ Fri Aug 2 11:54:30 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:54:10 vim /etc/profile ]
[ Fri Aug 2 11:54:37 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:54:35 make install ]
[ Fri Aug 2 11:54:54 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:54:45 vim /etc/profile ]
[ Fri Aug 2 11:54:59 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:54:59 source /etc/profile ]
[ Fri Aug 2 11:55:03 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:55:03 node -v ]
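A parser for the history format shown above, with a few review rules a defender would run over such a log (note that the log itself is made world-writable at 09:06:18, which weakens its value as evidence). This is an added example, not the author's code or the monitoring agent's; three sample lines are taken from the excerpt above, the fourth line and the trusted-source list are constructed, and the rules are assumptions.

```python
import re

# Lines of the /data/.my_history format shown above: three bracketed fields,
# [ time written ][ user tty login-time (source IP) ][ command timestamp command ].
# The first three lines are from the excerpt on this page; the last one is constructed.
SAMPLE = """\
[ Fri Aug 2 09:06:06 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:06 cd /tmp/tools/qqsa/ntpupdate/ && ./ntpupdate.sh --install ]
[ Fri Aug 2 09:06:18 2013 ][ root pts/4 Aug 2 09:06 (10.134.133.94) ][ 2013-08-02 09:06:18 chmod 777 /data/.my_history ]
[ Fri Aug 2 11:35:49 2013 ][ root pts/5 Aug 2 11:34 (172.16.11.162) ][ 2013-08-02 11:34:44 wget http://nodejs.org/dist/v0.8.25/node-v0.8.25.tar.gz ]
[ Fri Aug 2 12:00:00 2013 ][ root pts/6 Aug 2 12:00 (203.0.113.7) ][ 2013-08-02 12:00:00 ls /data ]
"""

LINE_RE = re.compile(
    r"^\[ (?P<written>.+?) \]"
    r"\[ (?P<user>\S+) (?P<tty>\S+) (?P<login>.+?) \((?P<src>[^)]+)\) \]"
    r"\[ (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<cmd>.*?) \]$"
)

# Review rules (assumed, not from the page): a chmod whose last octal digit grants world write,
# any command touching the audit log itself, and downloads from the internet onto the server.
RULES = {
    "world_writable_chmod": re.compile(r"\bchmod\s+(?:-\S+\s+)*[0-7]*[2367]\s"),
    "audit_log_tamper": re.compile(r"\.my_history\b"),
    "internet_download": re.compile(r"\b(?:wget|curl)\s+\S*https?://"),
}

def parse_history(text):
    """Parse history lines into dicts keyed by field name; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def review_history(text, trusted_sources):
    """Return (source IP, rule, command) findings for untrusted login sources and risky commands."""
    findings = []
    for row in parse_history(text):
        if row["src"] not in trusted_sources:
            findings.append((row["src"], "untrusted_source", row["cmd"]))
        for name, rule in RULES.items():
            if rule.search(row["cmd"]):
                findings.append((row["src"], name, row["cmd"]))
    return findings
```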


#4 PHPINFO

tencent_phpinfo.png


#5 Roaming the intranet
Referring to the intranet information that appeared in 结界师's report:
WooYun: How I roamed Tencent's internal network
海象 (Walrus) platform
http://10.130.74.19

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://10.130.74.19");
curl_setopt($ch, CURLOPT_HEADER, 0);
echo curl_exec($ch);
curl_close($ch);
?>




#6 And finally, the QB (Q-coin) top-up interface~

QB.jpg

Suggested fix:

#1 A defect in security management (and probably only a company as capable as Tencent can solve it)
#2 Lecturing Tencent about baseline configuration? Better not embarrass myself~
#3 I can't go on writing this; I'd only get sneered at

Copyright: when reposting, credit the source: 猪猪侠@乌云 (WooYun)


Vendor response

Vendor reply:

Severity: high

Vulnerability rank: 15

Confirmed: 2013-09-24 11:25

Vendor comment:

Thanks to 猪猪侠 for the friendly testing. We will keep improving our capabilities, and we also ask all white hats to observe the relevant national laws when carrying out security tests.

Latest status:

None