
Vulnerability summary

Defect ID: wooyun-2014-058014

Title: Eyou mail system, multiple security vulnerabilities bundled

Related vendor: cncert (National Internet Emergency Center)

Author: fate0

Submitted: 2014-04-22 09:16

Fixed: 2014-07-23 18:34

Published: 2014-07-23 18:34

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Handed over to the third-party partner organisation (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-04-22: Details sent to the vendor, awaiting vendor handling
2014-04-27: Vendor has confirmed; details disclosed to the vendor only
2014-04-30: Details opened to third-party security partners
2014-06-21: Details disclosed to core white hats and experts in related fields
2014-07-01: Details disclosed to regular white hats
2014-07-11: Details disclosed to intern white hats
2014-07-23: Details disclosed to the public

Brief description:

Mail systems are an important scenario in targeted APT attacks, so their security has always been watched closely by all sides.
We therefore picked the well-known "Eyou" (亿邮) mail system, which is very widely used by universities, government bodies and enterprises in China, for a simple audit, and also ran a probe of web services on port 80 across the whole country. We found that the organisations affected by the vulnerabilities listed above number over a thousand; the figure is impressive, but the situation is not encouraging.
The vulnerabilities allow obtaining system privileges and all mail data. Affected versions: v5.0.0 - v5.0.4, and all of v4.
Please have cncert (National Internet Emergency Center) handle this.

Detailed description:

Please download the PDF directly and ignore what follows, thanks.
Download: http://www.fatezero.org/download/eyou_mail_system_analysis.zip
Password: 9crimes
Eyou Mail System multiple vulnerabilities
===========================
About the vendor:
Eyou Mail System is the biggest mail system in China, providing solutions for more than 3500 industries.
===========================
Detail:
-------------------------------------------------------------
0x1 Eyou Mail System V5 SQL injection vulnerability (fixed in v5.0.6)
file: /web/php/user/em_controller_action_help.class.php

77      public function action_default()
78      {
79
83          $type = $request_obj->get_query('type', 'hot');
84          $key_words = $request_obj->get_query('kw', '');
85          $current_lang = $request_obj->get_query('lang', '');
            // ... ...
217         if (!empty($key_words)) {
218             //$columns_arr[] = 'doc_text';
219             $doc_condition->set_is_count(true);
220             $doc_condition->set_where('doc_title LIKE "%' . $key_words . '%" OR doc_text LIKE "%' . $key_words . '%"');
221
222             if (empty($doc_id)) {
223                 try {
224                     $doc_total_count = $filter_opt->get_doc_lang($doc_condition);
225                 } catch (em_exception $e) {


The "kw" parameter (line 84) goes into the SQL statement (line 220) without any escaping. What makes this more serious is that Eyou V5 uses PDO to access MySQL, so stacked queries are accepted: an attacker can use stacked-query SQL injection to compromise the mail system easily.
-------------------------------------------------------------
0x2 Eyou Mail System V4 SQL injection vulnerability (unfixed)
file: /php/report/search_lastlogin.php

50      mysql_select_db("email_user");
51      if(isset($_GET['time']) && isset($_GET['stime'])){
52          $time = stripcslashes($_GET['time']);
53          $stime = stripcslashes($_GET['stime']);
54      }else{
55          $time = sprintf("'%04d-%02d-%02d'", $szYear, $szMonth, $szDay);
56          $stime = sprintf("'%04d-%02d-%02d'", $syear, $smonth, $sday);
57      }
58      if(2 == $szPlay)
59      {
60          // $query = "SELECT uid, lastlogintime, log_type FROM user_lastlogin WHERE date_format(lastlogintime,'%Y-%m-%d') <= ".$time." AND domain = '".$default_domain."'";
61          $query = "SELECT uid, lastlogintime, log_type FROM user_lastlogin WHERE (date_format(lastlogintime,'%Y-%m-%d') between ".$stime." and $time) AND domain = '".$default_domain."'";
62      }
63      else
64      {
65          $query = "SELECT uid, lastlogintime, log_type FROM user_lastlogin WHERE date_format(lastlogintime,'%Y-%m-%d') <= ".$time." AND domain = '".$default_domain."' AND lastlogintime = '0000-00-00 00:00:00' ";
66      }


The "time" and "stime" variables (lines 52 and 53) go into the SQL statement (line 61 or 65) without proper escaping. What makes this more serious is that line 52 runs "time" through "stripcslashes", so the attacker can use the MySQL built-in "into outfile" to take over the system (mysqld runs as root).
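As an added example (not Eyou's code), the two queries from 0x1 (line 220) and 0x2 (lines 61/65) rewritten with PDO prepared statements, which is the fix for both: the user values are bound as data, and with emulated prepares switched off MySQL prepares a single statement server-side, so no second statement can be appended. The DSN and credentials, the "doc" table assumed for the V5 help search, and the $domain parameter are assumptions.

```php
<?php
// Added example, not Eyou's code: the queries from 0x1 (line 220) and 0x2
// (lines 61/65) rewritten with PDO prepared statements, so user input is bound
// as data and can never add a second statement. The DSN, credentials, the
// "doc" table used for 0x1 and the $domain value are assumptions.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=email_user;charset=utf8mb4', 'app', 'secret',
    [
        // With emulation on, PDO splices values in client-side; native prepares
        // make MySQL prepare exactly one statement and bind the values itself.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

// 0x1: help-document keyword search.
function searchDocs(PDO $pdo, string $keyWords): array
{
    // Escape the LIKE metacharacters as well, or a keyword of "%" matches everything.
    $pattern = '%' . addcslashes($keyWords, '%_\\') . '%';
    $stmt = $pdo->prepare(
        'SELECT doc_id, doc_title FROM doc WHERE doc_title LIKE :kw1 OR doc_text LIKE :kw2'
    );
    $stmt->execute([':kw1' => $pattern, ':kw2' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 0x2: last-login report between two dates. Besides binding, the dates are
// validated against the one format the report accepts, so no stripcslashes()
// style "cleaning" of free-form input is needed at all.
function lastLoginBetween(PDO $pdo, string $stime, string $time, string $domain): array
{
    foreach ([$stime, $time] as $d) {
        $parsed = DateTime::createFromFormat('Y-m-d', $d);
        if ($parsed === false || $parsed->format('Y-m-d') !== $d) {
            throw new InvalidArgumentException('date must be YYYY-MM-DD');
        }
    }
    $stmt = $pdo->prepare(
        "SELECT uid, lastlogintime, log_type FROM user_lastlogin "
        . "WHERE date_format(lastlogintime, '%Y-%m-%d') BETWEEN :stime AND :time "
        . "AND domain = :domain"
    );
    $stmt->execute([':stime' => $stime, ':time' => $time, ':domain' => $domain]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```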
-------------------------------------------------------------
0x3 Eyou Mail System V4 authentication bypass (unfixed)
file: /php/bill/include/cookie.php

function isLogin()
{
    if ( $this->forAdmin )
    {
        if ( strlen( $_COOKIE['cookie'] ) == 0 && ! $this->ValidateCookie() )
        {
            return false;
        }
    }
    else if ( strlen( $_COOKIE['USER'] ) == 0 )
    {
        return false;
    }

    return true;
}
//.........
function getCurrentAdmin(&$adminid, &$oid)
{
    if ( ! $this->forAdmin )
    {
        return;
    }

    if( strlen( ($p = $_COOKIE['cookie']) ) == 0 )
    {
        $this->cookieError();
        exit();
    }

    $validated = $this->ValidateCookie();

    if ( strlen( $_SESSION['oid'] ) != 0 && false != strstr( $p, $_SESSION['oid'] ) &&
         strlen( $_SESSION['adminid'] ) != 0 &&
         strlen( $_SESSION['perm'] ) != 0 )
    {
        $adminid = $_SESSION['adminid'];
        $oid = $_SESSION['oid'];

        return;
    }

    $cookies = explode( ' ', $p );
    $adminName = $cookies[0];

    $eyouSql = new eyousql();
    $sql = "SELECT admin_id,perm from admininfo WHERE oid='$adminName'";
    $eyouSql->query($sql);
    //print( $sql."<br>" );

    $row = $eyouSql->fetch();
    if ( ! $validated && ! $row )
    {
        $message = new Message();
        // GBK message "invalid administrator" (mis-encoded on the original page)
        $message->error( null, null, null, "无效管理员", "/admin/index.html" );

        $eyouSql->free();
        $eyouSql->close();
        exit();
    }

    $adminid = $row[0];
    $oid = $adminName;
    $perm = $row[1];

    $eyouSql->free();
    $eyouSql->close();

    $_SESSION['adminid'] = $adminid;
    $_SESSION['perm'] = $perm;
    $_SESSION['oid'] = $oid;
}


The "isLogin" and "getCurrentAdmin" functions only check whether the request carries a "cookie" COOKIE value at all: because of the "&&" in isLogin, any non-empty value passes without ValidateCookie() being consulted, and getCurrentAdmin only rejects the request when the cookie is both unvalidated and names no existing admin.
An attacker can forge the COOKIE to gain access to more sensitive functions.
-------------------------------------------------------------
0x4 Eyou Mail System V4 arbitrary file deletion (maybe unfixed)
file: /user/send_queue/del_addition.php

<?php
$ToRemove = post('ToRemove');
$size = @filesize($ToRemove);
if(is_array($_SESSION['tmpName']))
{
    $key = array_search($ToRemove,$_SESSION['tmpName']);
}else
{
    $key = null;
}

if(file_exists($ToRemove))
{
    $res = @unlink($ToRemove);
    if($res == 1)
    {
        if($size != false)
        {
            $_SESSION['size'] -= $size;
            if($_SESSION['size'] < 0 )
            {
                $_SESSION['size'] = 0;
            }
        }
        unset($_SESSION['upload'][$key],$_SESSION['tmpName'][$key]);
    }
}
?>


Just POST "ToRemove=/file/to/delete" to this page.
poc: http://www.fatezero.org/download/eyou_mail_system_analysis.zip
password: 9crimes
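As an added example (not Eyou's code), del_addition.php rewritten so that a POSTed "ToRemove" can only delete a file that this session registered at upload time, and only if the path still resolves inside the upload directory. UPLOAD_DIR, the post() helper and the session key names (tmpName, upload, size) are assumptions modelled on the snippet above.

```php
<?php
// Added example, not Eyou's code: del_addition.php rewritten so that a POSTed
// "ToRemove" can only delete a file this session uploaded, and only inside the
// upload directory. UPLOAD_DIR, the post() helper and the session key names
// (tmpName, upload, size) are assumptions modelled on the snippet above.
const UPLOAD_DIR = '/var/eyou/tmp_upload';

function post(string $name): string
{
    return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : '';
}

// Returns true when the attachment was removed, false when the request was refused.
function removeAttachment(string $toRemove): bool
{
    $tmpNames = $_SESSION['tmpName'] ?? null;
    if (!is_array($tmpNames)) {
        return false;
    }
    // 1. The path must be one this session registered at upload time
    //    (strict comparison, so "0" or true cannot match the wrong entry).
    $key = array_search($toRemove, $tmpNames, true);
    if ($key === false) {
        return false;
    }
    // 2. It must still resolve inside UPLOAD_DIR: realpath() collapses "..",
    //    symlinks and relative segments before the prefix check.
    $real = realpath($toRemove);
    $base = realpath(UPLOAD_DIR);
    if ($real === false || $base === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    $size = filesize($real);
    if (!unlink($real)) {
        return false;
    }
    if ($size !== false) {
        $_SESSION['size'] = max(0, ($_SESSION['size'] ?? 0) - $size);
    }
    unset($_SESSION['upload'][$key], $_SESSION['tmpName'][$key]);
    return true;
}

session_start();
removeAttachment(post('ToRemove'));
```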

Proof of vulnerability:

If the folks at cncert need it, they can ask me for the list of affected IPs :)

Fix recommendation:

Upgrade to Eyou V8; that version is a qualitative leap in security and usability, and the logic and elegance of the code have gone up several levels too.

Copyright notice: when republishing, please credit the source, fate0@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2014-04-27 08:27

Vendor reply:

CNVD confirmed and reproduced the two vulnerabilities described (only 01 and 03 are recognised as first reports). For vulnerability 01 a focused case test was carried out (based on a rewrite of the script provided by fate0, with slightly adjusted parameters), confirming that more than 230 instances are still affected. The vulnerability details were forwarded directly on the 22nd to the CNVD user-group member company 亿中邮 (the Eyou vendor); follow-up will assist the vendor and coordinate with the provincial sub-centres to handle user cases according to the standard process.
rank 20

Latest status:

None yet