当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-044506

漏洞标题:联想内部员工的信息可泄漏(邮箱、名字、内部社交网络帐号密码等信息)

相关厂商:联想

漏洞作者: xlz0iza1

提交时间:2013-11-30 13:08

修复时间:2014-01-14 13:09

公开时间:2014-01-14 13:09

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-11-30: 细节已通知厂商并且等待厂商处理中
2013-12-02: 厂商已经确认,细节仅向厂商公开
2013-12-12: 细节向核心白帽子及相关领域专家公开
2013-12-22: 细节向普通白帽子公开
2014-01-01: 细节向实习白帽子公开
2014-01-14: 细节向公众公开

简要描述:

由于没有一个通用标准的防御规则保护好中间件配置信息、DNS信息、系统错误信息和敏感地址信息(后台或测试地址)的泄露,攻击者可能会通过收集这些保护不足的数据,利用这些信息对系统实施进一步的攻击。(献文参考猪猪侠)
本报告通过一系列逻辑关联,通过一个外部JS文件到注入获取内部员工信息.

详细说明:

#1:无意的一个外部JS文件引发的一系列猥琐事情的开始。
信息收集
http://lxj.ecare365.com/script/common.js
通过common.js
截取前面一部分吧,这应该是管理员的疏忽把,在里面备注了很多能看到很多相关的信息,内部网段,验证方式,判断语句。

var post_url = "userLogin.do";
var url = "action/CommonAction.php";
//http://10.123.51.83/lxjweb/service/userLogon?wsdl
//http://123.103.23.10/lxjweb/service/userLogon?wsdl
//
//测试了,不可以,需要开通 10.96.144.73 / 74 到 以下地址的权限
//123.103.23.10:80
//10.123.51.81:80
//10.123.51.82:80
//10.123.51.83:80
//10.123.51.84:80
// 
//10.99.238.35 :8080
//124.127.40.157 : 1026
var isLoginUsername = "";
$(function(){
    // 判断是否登录
	$.ajax({
		type: "post",
		//contentType: "application/json;charset=utf-8",
		url: url,
		data: {ptype:"getusercookie"},
		dataType: "json",
		cache:false,
		success: function (result) {
		    if (result != null)
			{
				if (result.result == 0)
				{
					isLoginUsername = result.info.truename;
					var val_ = "欢迎您,<a href=\"ChangeUserInfo.php\">"
					+  isLoginUsername
					+ "</a>"
					+ " / <a href=\"logout.php\">退出</a>";
					$("#logindiv").html(val_);
				}
				else
				{
				    // 判断是否存在登录cookie,没有就去登录页面
//					var loc = location + "";
//					if (
//						isLoginUsername == ""
//						&& loc != "http://lxj.ecare365.com/"
//						&& loc != "http://lxj.ecare365.com" 
//						&& loc != "lxj.ecare365.com/"
//						&& loc != "lxj.ecare365.com"
//						&& loc.indexOf("index.php") == -1 
//						&& loc.indexOf("login.php") == -1 
//						&& loc.indexOf("reg.php") == -1
//						&& loc.indexOf("Features.php") == -1
//						&& loc.indexOf("ExpertServices.php") == -1
//						&& loc.indexOf("Help_Center.php") == -1
//						&& loc.indexOf("reg_Success.php") == -1
//						&& loc.indexOf("License.php") == -1
//						)
//					{
//						location.href = "login.php";
//					}
				}
			}
			else
			{
			    // 判断是否存在登录cookie,没有就去登录页面
//				var loc = location + "";
//				if (
//						isLoginUsername == ""
//						&& loc != "http://lxj.ecare365.com/"
//						&& loc != "http://lxj.ecare365.com" 
//						&& loc != "lxj.ecare365.com/"
//						&& loc != "lxj.ecare365.com"
//						&& loc.indexOf("index.php") == -1 
//						&& loc.indexOf("login.php") == -1 
//						&& loc.indexOf("reg.php") == -1
//						&& loc.indexOf("Features.php") == -1
//						&& loc.indexOf("ExpertServices.php") == -1
//						&& loc.indexOf("Help_Center.php") == -1
//						&& loc.indexOf("reg_Success.php") == -1
//						&& loc.indexOf("License.php") == -1
//						)
//				{
//					location.href = "login.php";
//				}
			}


QQ图片20131130103326.jpg


通过上面的信息收集到其他的数据
svn源码泄露
http://street.atlenovo.com/.svn/all-wcprops
http://street.atlenovo.com/.svn/entries
http://t.atlenovo.com/.svn/all-wcprops
http://street.atlenovo.com/.svn/entries
http://ce.atlenovo.com/.svn/all-wcprops
http://ce.atlenovo.com/.svn/entries
注入漏洞:
http://ce.atlenovo.com/notice_info.php?id=1
http://ce.atlenovo.com/kb_info.php?id=1
http://ce.atlenovo.com/feedback_info.php?id=1

| `dt20130225-20130310`                         |
| `tp20130114-20130115`                         |
| `tp20130128-20130201`                         |
| `web20130107-20130203`                        |
| `web20130225-20130310`                        |
| `web20130311-20130324`                        |
| `web20130325-20130407`                        |
| `web20130408-20130421`                        |
| `web20130422-20130505`                        |
| `web20130506-20130519`                        |
| `web20130520-20130526`                        |
| `web20130527-20130602`                        |
| `web20130617-20130630`                        |
| `web20130701-20130714`                        |
| `web20130715-20130728`                        |
| asm_actions                                   |
| asm_ar                                        |
| asm_ar_security                               |
| asm_arfile                                    |
| asm_article                                   |
| asm_assets                                    |
| asm_assets_borrowhis                          |
| asm_assets_dl_security                        |
| asm_assets_security                           |
| asm_purchase_flow                             |
| asm_purchase_flow_process                     |
| asm_purchase_flow_sub1                        |
| asm_purchase_flow_sub2                        |
| asm_role_actions                              |
| asm_role_users                                |
| asm_roles                                     |
| cc_article                                    |
| cc_comments                                   |
| cc_course                                     |
| cc_feedback                                   |
| cc_teacher                                    |
| cc_type                                       |
| cc_user                                       |
| cc_video                                      |
| chat_customgroup                              |
| chat_pals                                     |
| chat_session                                  |
| chat_transfer_fileinfo                        |
| chat_txt                                      |
| chat_users                                    |
| chatroom_channel                              |
| chatroom_group                                |
| chatroom_links                                |
| chatroom_message                              |
| chatroom_robot                                |
| chatroom_users                                |
| dtindex                                       |
| dtrules                                       |
| ec_cmsarticle                                 |
| ec_cmsarticle2                                |
| ec_cmstype                                    |
| ec_cmstype2                                   |
| ec_comment                                    |
| ec_core                                       |
| ec_experience                                 |
| ec_feedback                                   |
| ec_feedlog                                    |
| ec_feedtype                                   |
| ec_function                                   |
| ec_log                                        |
| ec_products                                   |
| ec_producttype                                |
| ec_rolefunction                               |
| ec_roles                                      |
| ec_roleuser                                   |
| im_admin                                      |
| im_c2s                                        |
| im_department                                 |
| im_department_member                          |
| im_domain                                     |
| im_group                                      |
| im_group_fileshare                            |
| im_group_leaveword                            |
| im_group_leaveword_20120222                   |
| im_group_leaveword_20130307                   |
| im_group_member                               |
| im_group_member_20130307                      |
| im_group_member_bak                           |
| im_group_offlinefile                          |
| im_group_type                                 |
| im_ims_bulletin                               |
| im_ims_friend                                 |
| im_ims_friend_20120626                        |
| im_ims_friend_20120628                        |
| im_ims_friend_20120703                        |
| im_ims_friend_20121101                        |
| im_ims_group                                  |
| im_ims_info                                   |
| im_ims_leaveword                              |
| im_ims_memo                                   |
| im_ims_offlinefile                            |
| im_live                                       |
| im_mc                                         |
| im_mcu                                        |
| im_meetinggrp                                 |
| im_meetingmember                              |
| im_msg                                        |
| im_orgfile                                    |
| im_orgfile_user                               |
| im_p2pfile                                    |
| im_privilege                                  |
| im_user_fileshare                             |
| im_users                                      |
| im_users_20120530                             |
| im_vod                                        |
| im_worklog                                    |
| lxjportal_help                                |
| lxjportal_help_type                           |
| sns_ad                                        |
| sns_app                                       |
| sns_app_user                                  |
| sns_attach                                    |
| sns_blog                                      |
| sns_blog_category                             |
| sns_blog_config                               |
| sns_blog_item                                 |
| sns_blog_mention                              |
| sns_blog_outline                              |
| sns_blog_source                               |
| sns_blog_subscribe                            |
| sns_bug                                       |
| sns_bug_category                              |
| sns_bug_coopt                                 |
| sns_bug_edition                               |
| sns_bug_log                                   |
| sns_chat                                      |
| sns_chatroom                                  |
| sns_chatroom_rooms                            |
| sns_chatroom_sort                             |
| sns_comment                                   |
| sns_credit_setting                            |
| sns_credit_type                               |
| sns_edu_search                                |
| sns_event                                     |
| sns_event_config                              |
| sns_event_opts                                |
| sns_event_photo                               |
| sns_event_type                                |
| sns_event_user                                |
| sns_feed                                      |
| sns_feed_del                                  |
| sns_feed_template                             |
| sns_feedback                                  |
| sns_fg                                        |
| sns_field_name                                |
| sns_friend                                    |
| sns_friend_black                              |
| sns_friend_group                              |
| sns_friend_hide                               |
| sns_friend_ping                               |
| sns_friend_tip                                |
| sns_gift                                      |
| sns_gift_category                             |
| sns_group                                     |
| sns_group_album                               |
| sns_group_attachement                         |
| sns_group_category                            |
| sns_group_log                                 |
| sns_group_member                              |
| sns_group_photo                               |
| sns_group_post                                |
| sns_group_setting                             |
| sns_group_topic                               |
| sns_group_topic_collect                       |
| sns_info_category                             |
| sns_info_content                              |
| sns_invite                                    |
| sns_links                                     |
| sns_login_record                              |
| sns_mini                                      |
| sns_mini_config                               |
| sns_msg                                       |
| sns_network                                   |
| sns_notify                                    |
| sns_notify_relationship                       |
| sns_notify_template                           |
| sns_option                                    |
| sns_photo                                     |
| sns_photo_album                               |
| sns_photo_index                               |
| sns_photo_love                                |
| sns_photo_mark                                |
| sns_poster                                    |
| sns_poster_small_type                         |
| sns_poster_type                               |
| sns_poster_widget                             |
| sns_privacy                                   |
| sns_privacy_index                             |
| sns_report                                    |
| sns_saveemail                                 |
| sns_share                                     |
| sns_share_set                                 |
| sns_site                                      |
| sns_smile                                     |
| sns_space                                     |
| sns_system_group                              |
| sns_system_node                               |
| sns_system_popedom                            |
| sns_system_user_rank                          |
| sns_tag                                       |
| sns_tag_index                                 |
| sns_user                                      |
| sns_user_app                                  |
| sns_user_attach                               |
| sns_user_gift                                 |
| sns_user_info                                 |
| sns_user_online                               |
| sns_user_score                                |
| sns_user_search                               |
| sns_visitor                                   |
| sns_vote                                      |
| sns_vote_comment                              |
| sns_vote_config                               |
| sns_vote_opt                                  |
| sns_vote_user                                 |
| sns_wall                                      |
| sns_work_search                               |
| t_blacklist                                   |
| t_buddys                                      |
| t_credits_log                                 |
| t_credits_rule                                |
| t_credits_rule_log                            |
| t_cron                                        |
| t_failedlogins                                |
| t_group                                       |
| t_groupfields                                 |
| t_imjiqiren_client_user                       |
| t_invite                                      |
| t_ip_banned                                   |
| t_log                                         |
| t_medal                                       |
| t_media                                       |
| t_member_validate                             |
| t_memberfields                                |
| t_members                                     |
| t_my_tag                                      |
| t_my_topic_tag                                |
| t_notice                                      |
| t_onlinetime                                  |
| t_pms                                         |
| t_report                                      |
| t_robot                                       |
| t_robot_ip                                    |
| t_robot_log                                   |
| t_role                                        |
| t_role_action                                 |
| t_role_module                                 |
| t_sessions                                    |
| t_tag                                         |
| t_tag_favorite                                |
| t_task                                        |
| t_task_log                                    |
| t_topic                                       |
| t_topic_favorite                              |
| t_topic_image                                 |
| t_topic_mention                               |
| t_topic_more                                  |
| t_topic_music                                 |
| t_topic_reply                                 |
| t_topic_show                                  |
| t_topic_tag                                   |
| t_topic_video                                 |
| t_topicforwarview                             |
| t_topicview                                   |
| t_url                                         |
| t_user_tag                                    |
| t_user_tag_fields                             |
| t_validate                                    |
| t_wall                                        |
| t_wall_draft                                  |
| t_wall_material                               |
| t_wall_playlist                               |
| t_weather                                     |
| t_xwb_bind_info                               |
| t_xwb_bind_topic                              |
| tpindex                                       |
| userinfo                                      |
| webindex                                      |
| webrules                                      |
+-----------------------------------------------+


注入其中的一个table,数据庞大,因为我比较懒,所以没有进行进一步的注入测试。

Table: cc_user
[9 columns]
+-------------+---------------------+
| Column      | Type                |
+-------------+---------------------+
| create_time | int(10) unsigned    |
| dept        | varchar(300)        |
| email       | varchar(255)        |
| snsid       | varchar(100)        |
| uid         | int(11) unsigned    |
| user_name   | varchar(50)         |
| user_pass   | varchar(255)        |
| user_type   | tinyint(4) unsigned |
| weibo       | varchar(255)        |
+-------------+---------------------+


cc_user表里面发现了1500多管理员包括在内员工的帐号、密码、邮箱

QQ图片20131130125813.jpg


sns_user表里面发现了2920多管理员包括在内员工的帐号、密码、邮箱

1.jpg

漏洞证明:

#1:漏洞证明

QQ图片20131129233303.jpg


2.jpg


3.jpg


4.jpg


相关的其他信息

5.jpg


6.jpg


svn漏洞证明

QQ图片20131130130411.jpg

修复方案:

#1 安全是一个整体,保证安全不在于强大的地方有多强大,而在于真正薄弱的地方在哪里。
#2 杜绝系统配置错误
#3 妥善的对边界网络进行设置

版权声明:转载请注明来源 xlz0iza1@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-12-02 11:25

厂商回复:

感谢您对联想安全做出的贡献!我们将立即评估与修复相关漏洞

最新状态:

暂无