Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0100956

Title: 皮皮网 (pipi.cn) service misconfiguration (allows client update files to be replaced from the server side to plant a backdoor)

Vendor: 皮皮网 (pipi.cn)

Author: 路人甲

Submitted: 2015-03-12 16:43

Fix deadline: 2015-04-26 16:44

Published: 2015-04-26 16:44

Vulnerability type: system/service operations misconfiguration

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-03-12: details sent to the vendor, awaiting vendor handling
2015-03-12: vendor confirmed; details visible to the vendor only
2015-03-22: details disclosed to core white hats and domain experts
2015-04-01: details disclosed to regular white hats
2015-04-11: details disclosed to intern white hats
2015-04-26: details disclosed to the public

Brief description:

皮皮网 (pipi.cn) service misconfiguration (allows client update files to be replaced from the server side to plant a backdoor)

Detailed description:

The rsync service on five update-configuration servers can be accessed anonymously:

122.228.68.155:873
122.228.68.154:873
122.228.68.152:873
122.228.68.153:873
122.228.68.144:873


rsync 122.228.68.155::ppquery_sct
drwxr-xr-x 4096 2015/03/06 00:26:21 .
-rw-r--r-- 1189 2015/03/06 00:25:03 234.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 240.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 241.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 242.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 243.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 244.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 245.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 246.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 247.ini
-rw-r--r-- 1194 2015/03/06 00:25:53 248.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 249.ini
-rw-r--r-- 1191 2015/03/06 00:25:53 250.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 271.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 297.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 407.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 409.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 430.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 497.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 525.ini
-rw-r--r-- 1189 2015/03/06 00:25:03 529.ini
-rw-r--r-- 317 2015/03/06 00:25:03 all_desk_link.ini
-rw-r--r-- 313 2015/01/09 13:48:51 all_desk_link_fsfm_qm.ini
-rw-r--r-- 309 2015/01/09 13:44:57 all_desk_link_fsfm_qm.ini~
-rw-r--r-- 227 2014/12/05 21:56:53 all_desk_link_hazg.ini
-rw-r--r-- 319 2015/02/12 13:43:14 all_desk_link_hazg_fsfm.ini
-rw-r--r-- 314 2015/02/12 13:42:33 all_desk_link_hazg_fsfm.ini~
-rw-r--r-- 317 2014/12/05 21:57:03 all_desk_link_hazg_jstm.ini
-rw-r--r-- 314 2015/02/01 21:23:36 all_desk_link_hazg_qm.ini
-rw-r--r-- 314 2015/02/01 21:23:01 all_desk_link_hazg_qm.ini~
-rw-r--r-- 315 2014/12/05 21:57:12 all_desk_link_hazg_xxd.ini
-rw-r--r-- 224 2014/09/04 12:17:58 all_desk_link_jstm.ini
-rw-r--r-- 312 2014/12/10 13:29:26 all_desk_link_jstm_xxd.ini
-rw-r--r-- 313 2015/01/13 11:02:04 all_desk_link_qm_fsfm.ini
-rw-r--r-- 313 2015/01/13 11:01:00 all_desk_link_qm_fsfm.ini~
-rw-r--r-- 314 2014/12/23 13:35:43 all_desk_link_qm_hazg.ini
-rw-r--r-- 309 2014/12/26 10:23:15 all_desk_link_qm_xxd.ini
-rw-r--r-- 223 2014/08/25 21:18:34 all_desk_link_sgh.ini
-rw-r--r-- 222 2014/09/18 17:35:54 all_desk_link_xxd.ini
-rw-r--r-- 317 2015/03/06 00:24:51 all_desk_link_zsg_hazg.ini
-rw-r--r-- 314 2015/03/06 00:24:12 all_desk_link_zsg_hazg.ini~
-rw-r--r-- 448 2014/12/26 16:22:08 all_desk_src.ini
-rw-r--r-- 444 2014/12/26 16:21:12 all_desk_src.ini~
-rwxr-xr-x 404 2014/08/22 17:18:01 batch_pro.sh
-rwxr-xr-x 439 2015/03/06 00:25:49 batch_temp.sh
-rwxr-xr-x 377 2015/02/12 13:44:56 batch_temp.sh~
-rw-r--r-- 108 2014/08/22 17:18:01 clean.ini
-rw-r--r-- 309 2015/03/06 00:25:03 def_desk_link.ini
-rw-r--r-- 305 2015/01/09 13:50:08 def_desk_link_fsfm_qm.ini
-rw-r--r-- 301 2015/01/09 13:49:18 def_desk_link_fsfm_qm.ini~
-rw-r--r-- 219 2014/12/05 21:57:23 def_desk_link_hazg.ini
-rw-r--r-- 311 2015/02/12 13:44:17 def_desk_link_hazg_fsfm.ini
-rw-r--r-- 306 2015/02/12 13:43:39 def_desk_link_hazg_fsfm.ini~
-rw-r--r-- 309 2014/12/05 21:57:35 def_desk_link_hazg_jstm.ini
-rw-r--r-- 306 2015/02/01 21:24:17 def_desk_link_hazg_qm.ini
-rw-r--r-- 306 2015/02/01 21:23:57 def_desk_link_hazg_qm.ini~
-rw-r--r-- 307 2014/12/05 21:57:47 def_desk_link_hazg_xxd.ini
-rw-r--r-- 216 2014/09/04 12:20:34 def_desk_link_jstm.ini
-rw-r--r-- 304 2014/12/10 13:32:25 def_desk_link_jstm_xxd.ini
-rw-r--r-- 305 2015/01/13 11:02:15 def_desk_link_qm_fsfm.ini
-rw-r--r-- 305 2015/01/13 11:01:22 def_desk_link_qm_fsfm.ini~
-rw-r--r-- 306 2014/12/23 13:36:14 def_desk_link_qm_hazg.ini
-rw-r--r-- 301 2014/12/26 10:24:23 def_desk_link_qm_xxd.ini
-rw-r--r-- 215 2014/09/04 12:20:38 def_desk_link_sgh.ini
-rw-r--r-- 214 2014/10/17 14:35:34 def_desk_link_xxd.ini
-rw-r--r-- 309 2015/03/06 00:23:52 def_desk_link_zsg_hazg.ini
-rw-r--r-- 306 2015/03/06 00:22:13 def_desk_link_zsg_hazg.ini~
-rw-r--r-- 1170 2015/03/06 00:25:03 default.ini
-rw-r--r-- 1170 2014/11/24 15:52:24 default_1.ini
-rw-r--r-- 1170 2014/11/24 15:52:24 default_2.ini
-rw-r--r-- 1170 2014/11/24 15:52:24 default_3.ini
-rw-r--r-- 785 2014/08/22 17:18:01 force.ini
-rwxr-xr-x 683 2014/12/26 18:05:18 gen.sh
-rwxr-xr-x 409 2014/12/26 16:19:15 gen.sh~
-rwxr-xr-x 730 2014/12/02 16:36:28 gen_all_by_para.sh
-rwxr-xr-x 561 2014/09/16 16:16:07 gen_def_desklink.sh
-rwxr-xr-x 562 2014/09/16 16:16:20 gen_desklink.sh
-rwxr-xr-x 945 2014/09/16 16:15:14 gen_fulllink.sh
-rw-r--r-- 783 2014/08/22 17:18:01 hao123
-rw-r--r-- 927 2015/01/20 23:33:52 id2url.conf
-rw-r--r-- 422 2014/12/02 16:29:12 id2url.conf.20141202
-rw-r--r-- 926 2015/01/06 15:39:29 id2url.conf~
-rw-r--r-- 1014 2014/10/21 15:38:51 id_source.ini
-rw-r--r-- 477 2015/01/12 20:39:19 live_share_task.ini
-rw-r--r-- 476 2015/01/08 16:28:29 live_share_task.ini~
-rw-r--r-- 305 2015/01/12 20:39:25 live_share_task_pop.ini
-rw-r--r-- 304 2015/01/08 16:29:33 live_share_task_pop.ini~
-rw-r--r-- 485 2015/01/12 20:39:30 live_share_task_wang.ini
-rw-r--r-- 486 2015/01/12 20:39:35 live_share_task_wang.ini.cnc
-rw-r--r-- 485 2015/01/08 16:29:40 live_share_task_wang.ini.cnc~
-rw-r--r-- 484 2015/01/08 16:29:37 live_share_task_wang.ini~
-rw-r--r-- 564 2014/08/22 17:18:01 pi_def.ini
-rwxr-xr-x 393 2014/08/22 17:18:01 replace.sh
-rw-r--r-- 1061 2014/08/22 17:18:01 sample.ini
-rw-r----- 3593 2015/02/06 22:33:10 sct.conf
-rw-r----- 3305 2015/01/31 23:53:23 sct.conf~


cat 525.ini
[h]
#how many times
times=2
#interval minutes
int_min=5
#delay days
dd=0
#force fix interval minutes
ffit=1440
fdd=0
fa=1
#0: not fix; 1: fix has same domain only; 2: fix has argment only; 3: fix all beside white list; 4: fix all
mod=4
brs=|firefox.exe|qqbrowser.exe|chrome.exe|liebao.exe|iexplore.exe|theworld.exe|maxthon.exe|sogouexplorer.exe|opera/launcher.exe|baidubrowser.exe|2345explorer.exe|
url=www.hao123.com/?tn=94472661_hao_pg
u0=www.3600.com/?src=lm&ls=n431da8d38f
u1=www.2345.com/?k34511517
u2=www.duba.com/?un_449343_1173
u3=www.88488.com/?sign=rec|www.hao123.com/?tn=94472661_hao_pg
#ie home page
fhp=0
#url
#hpu=
fit=10
#fix other browser link
flnk=1
#url
#lnku=
#fix interval minutes
#flnkit=1440
#create Internet Explorer.lnk on desktop
cdlnk=0
#url
#dlnku=
#interval minutes
dlnkit=144000
#only change if exist
mon=1
[d]
cn=3
it=14400
odmax=1
0=hao123www.hao123.com/?tn=94472661_hao_pg|www.hao123.com/favicon.ico|0
0_wl=
0_cn=0
#delay days
0_dd=0
#interval minutes
0_it=144000
1=[]|gc.pipi.cn/desktop/zsglw1.html|afm.pipi.cn/pfup/zsg.ico|0
1_dd=0
1_it=144000
2=[|gc.pipi.cn/desktop/hazg1.html|www.pipi.cn/pfup/hazg2.ico|0
2_dd=0
2_it=144000

Proof of vulnerability:

cat pi_def.ini
[r]
stra=maximum
cn=1
it=1
dd=0
[0]
id=61
dd=0
;ln=goodpic_600.tmp
;pa=/verysilent
md5=a5cfb4ca7f74d913f0396abc5ba9497c
url=http://dl.shenmatv.cn/goodpic_dae_600.exe
hk=HKCR\goodPic\DefaultIcon\
[1]
id=102
url=http://kkupd.gamebox.duowan.com/client/package/38_47/gamebox_setup.exe
hk=HKCU\Software\duowan\gamebox\InstallDir
[2]
id=57
url=http://dl.pipi.cn/sp/pipi_jiangshen.exe
hk=HKLM\SOFTWARE\Jiangshen\pipi\
delay=300
[3]
id=170
url=http://www.yunduan.cn/update/bfc/bfcmpasetup_ff28_0.exe
hk=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\bfcmpa.exe\
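The pi_def.ini shown above pairs each push-install entry with a URL and an md5. The md5 only helps if the config itself is trustworthy; once the config is served from a module that anyone can write to, whoever replaces the installer can replace the md5 in the same push. The script below is an added illustration, not code from the report or from the vendor: it parses a constructed pi_def.ini in the same layout (field names from the report, id/url/md5 values made up), shows that the md5 check passes for a swapped config-plus-installer pair, and contrasts that with a keyed tag over the whole config that the rsync host cannot produce. The HMAC key is an assumption for the demo; a real deployment would use an asymmetric signature so that only a public key ships with the client.

```python
"""Why the md5 in a pi_def.ini entry does not protect the client once the
config itself comes from an unauthenticated, writable channel."""
import configparser
import hashlib
import hmac

# Constructed installer bodies for the demo (not real files).
LEGIT_INSTALLER = b"MZ-legit-installer-bytes"
TAMPERED_INSTALLER = b"MZ-replaced-installer-bytes"

# Assumed client-side verification key (not from the report). In a real
# deployment this would be an asymmetric signature so the update server
# never holds the signing key.
VERIFY_KEY = b"constructed-demo-key-not-from-the-report"


def build_config(installer_bytes):
    """Render a pi_def.ini-style text whose md5 matches installer_bytes.
    Field names follow the report; id/url values are made up."""
    return (
        "[r]\nstra=maximum\ncn=1\nit=1\ndd=0\n"
        "[0]\nid=61\ndd=0\n;ln=goodpic_600.tmp\n"
        f"md5={hashlib.md5(installer_bytes).hexdigest()}\n"
        "url=http://updates.example.invalid/goodpic_setup.exe\n"
        "hk=HKCR\\goodPic\\DefaultIcon\\\n"
    )


def parse_push_install(text):
    """Numbered sections are push-install entries; [r] is the run policy."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [
        {"id": cp[s]["id"], "url": cp[s]["url"], "md5": cp[s].get("md5")}
        for s in cp.sections()
        if s.isdigit()
    ]


def md5_matches(entry, payload):
    """The only check a client can make with the config alone."""
    if entry["md5"] is None:
        return False
    return hmac.compare_digest(hashlib.md5(payload).hexdigest(), entry["md5"])


def sign_config(text, key=VERIFY_KEY):
    """Tag computed where the key lives, i.e. not on the rsync host."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def config_is_authentic(text, tag, key=VERIFY_KEY):
    return hmac.compare_digest(sign_config(text, key), tag)


def run_scenario():
    legit_cfg = build_config(LEGIT_INSTALLER)
    tag = sign_config(legit_cfg)
    # Whoever can write to the module swaps config and installer together,
    # so the md5 in the swapped config matches the swapped installer.
    tampered_cfg = build_config(TAMPERED_INSTALLER)
    legit_entry = parse_push_install(legit_cfg)[0]
    tampered_entry = parse_push_install(tampered_cfg)[0]
    return {
        "md5_ok_legit": md5_matches(legit_entry, LEGIT_INSTALLER),
        "md5_ok_tampered": md5_matches(tampered_entry, TAMPERED_INSTALLER),  # True
        "sig_ok_legit": config_is_authentic(legit_cfg, tag),
        "sig_ok_tampered": config_is_authentic(tampered_cfg, tag),  # False
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The point of the two boolean pairs: `md5_ok_tampered` is true because the hash and the file come from the same place, while `sig_ok_tampered` is false because the tag depends on a key the rsync module never contained. Any integrity value the client checks has to be bound to something the update host cannot forge.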


cat sct.conf
//lshare
lshare_ver_file=/home/public/KmPPQueryService/etc/live_share_version.ini
#lshare_task_file=/home/public/KmPPQueryService/etc/sct/live_share_task.ini
lshare_task_file=0-250:/home/public/KmPPQueryService/etc/sct/live_share_task.ini|250-1000:/home/public/KmPPQueryService/etc/sct/live_share_task_wang.ini
#lshare_task_file=0-250:/home/public/KmPPQueryService/etc/sct/live_share_task.ini|250-1000:/home/public/KmPPQueryService/etc/sct/live_share_task_pop.ini
lshare_enable=1
lshare_inst_days=0
lshare_ex_city=|�|
lshare_clk_minver=16974592
lshare_clk_reduce=0
#not use{{
lshare_percent=100
lshare_clk_permill=80
lshare_webclk_permill=200
lshare_clk_permill2=250
lshare_webclk_permill2=250
#}}
#clean_sct_app_build_ver=3178
can_set_iehp=1
desklnk_boot_only=0
fix_favorite=1
//desktop shortcut
given_�=/home/public/KmPPQueryService/etc/sct/clean.ini
given_201=home/public/KmPPQueryService/etc/sct/clean.ini
given_0=/home/public/KmPPQueryService/etc/sct/default.ini
given_271=/home/public/KmPPQueryService/etc/sct/271.ini
givenddays_271=1
given_525=/home/public/KmPPQueryService/etc/sct/525.ini
given_234=/home/public/KmPPQueryService/etc/sct/234.ini
given_430=/home/public/KmPPQueryService/etc/sct/430.ini
given_529=/home/public/KmPPQueryService/etc/sct/529.ini
given_407=/home/public/KmPPQueryService/etc/sct/407.ini
given_409=/home/public/KmPPQueryService/etc/sct/409.ini
given_297=/home/public/KmPPQueryService/etc/sct/297.ini
given_497=/home/public/KmPPQueryService/etc/sct/497.ini
//whiteurl
#whiteurl=www.hao123.com|tn|98227422_hao_pg|29065018_253_hao_pg|93890339_hao_pg|98723078_hao_pg|29065018_254_hao_pg|
//config url
givenurl_�=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v1.conf|5ec58330c977d92902d3b83c221b0c90
givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v1.conf|5ec58330c977d92902d3b83c221b0c90
givenurl_p1=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
givenurl_p2=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
givenurl_p3=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
givenurl_p4=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
givenurl_p5=http://www.pipi.cn/pfup/jfcheck/jfcheck_no_v2.conf|0a889d49e85540ed43efa033625f4b4c
#givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck.conf|ef17cce7b9c0e7802c79a7d82739def9
#givenurl_0=http://www.pipi.cn/pfup/jfcheck/jfcheck_v7.conf|432eea1a971cca7cd998ef2c8364f2e1
pushinst_0=/home/public/KmPPQueryService/etc/sct/pi_def.ini
pushinstddays_0=0
//clk cc domains
clk_cookie_domains=|acxiom-online.com|serving-sys.com|utmz|utmb|utma|optimix.asia|kejet.net|h5po.cn|pagechoice.net|cnzz.mmstat.com|CNZZDATA|cnzz.com|miaozhen.com|mediav.com|_smtz|_smta|_smtp|_smtt|_smtz|allyes.com|HMACCOUNT|_ga|Hm_lvt_|Hm_lpvt_|admaster.com.cn|doubleclick.net|acs86.com|mlt01.com|icast.cn|admckid|admaster.com.cn|_smtz|_smta|_smtp|_smtt|viewlist|clicklist|
given_240=/home/public/KmPPQueryService/etc/sct/240.ini
given_241=/home/public/KmPPQueryService/etc/sct/241.ini
given_242=/home/public/KmPPQueryService/etc/sct/242.ini
given_243=/home/public/KmPPQueryService/etc/sct/243.ini
given_244=/home/public/KmPPQueryService/etc/sct/244.ini
given_245=/home/public/KmPPQueryService/etc/sct/245.ini
given_246=/home/public/KmPPQueryService/etc/sct/246.ini
given_247=/home/public/KmPPQueryService/etc/sct/247.ini
given_248=/home/public/KmPPQueryService/etc/sct/248.ini
given_249=/home/public/KmPPQueryService/etc/sct/249.ini
given_250=/home/public/KmPPQueryService/etc/sct/250.ini

Fix recommendation:

Take the service offline or remove it.

Copyright notice: when reposting, please credit 路人甲@乌云.
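If the module has to stay up, the settings that decide whether it is exposed the way this report describes are `auth users`, `read only` and `hosts allow` in rsyncd.conf. The audit script below is an added example, not the report's or the vendor's code: it parses a constructed weak rsyncd.conf next to a constructed hardened one and flags, per module, anonymous access, write access and the absence of a host restriction. The module name `ppquery_sct` and the path under /home/public/KmPPQueryService/etc/sct are taken from the listing in the report; the user name, secrets file and the 10.0.0.0/8 range are assumptions for the demo.

```python
"""Audit an rsyncd.conf for modules exposed the way the report describes:
reachable anonymously (no 'auth users'), writable, or open to every host."""

FALSY = {"no", "false", "0"}

# Constructed sample that reproduces the weak setup: one module, no
# authentication, writable, no host restriction. Module name and path are
# the ones visible in the report; everything else is made up for the demo.
WEAK_CONF = """\
uid = nobody
gid = nobody
use chroot = yes

[ppquery_sct]
    path = /home/public/KmPPQueryService/etc/sct
    comment = client update config
    read only = no
"""

# Constructed hardened version: clients must authenticate even to read,
# nothing can be uploaded through the daemon, access is limited to an
# assumed internal range, and the module is not advertised in listings.
HARDENED_CONF = """\
uid = nobody
gid = nobody
use chroot = yes
# assumed internal range (not from the report)
hosts allow = 10.0.0.0/8
hosts deny = *

[ppquery_sct]
    path = /home/public/KmPPQueryService/etc/sct
    read only = yes
    list = no
    auth users = sct_publisher
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}). Keys are lowercased with
    internal whitespace collapsed, so 'read only' and 'read  only' match."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # rsyncd.conf only treats lines that start with # or ; as comments
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules.setdefault(current, {})
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())
        target = global_params if current is None else modules[current]
        target[key] = value
    return global_params, modules


def audit_modules(text):
    """Map each module to its list of findings (empty list = nothing flagged)."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = {}
    for name, params in modules.items():
        effective = {**global_params, **params}  # module values override globals
        issues = []
        if "auth users" not in effective:
            issues.append("anonymous: no 'auth users' set")
        if effective.get("read only", "yes").lower() in FALSY:
            issues.append("writable: 'read only' is turned off")
        if "hosts allow" not in effective:
            issues.append("unrestricted: no 'hosts allow' set")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for module, issues in audit_modules(conf).items():
            print(f"[{label}] {module}: {issues or 'OK'}")
```

Run against the real file with `audit_modules(open("/etc/rsyncd.conf").read())`. Note that `read only` defaults to yes in rsync, so an unset value is treated as not writable, while an unset `auth users` or `hosts allow` means anyone, from anywhere, which is the condition the report started from.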


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-03-12 21:27

Vendor reply:

Thanks, hero :)

Latest status:

None yet