
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0115037

Vulnerability title: US series 2: a backdoor on a New York University site allows penetration into an intranet cluster environment

Related vendor: ersprod.its.nyu.edu:8443

Vulnerability author: 路人甲

Submitted: 2015-05-19 22:51

Fixed: 2015-07-07 16:08

Published: 2015-07-07 16:08

Vulnerability type: successful intrusion event

Severity: High

Self-assessed rank: 11

Vulnerability status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-19: Details sent to the vendor; awaiting vendor handling
2015-05-23: Vendor has confirmed; details visible to the vendor only
2015-06-02: Details disclosed to core white hats and experts in the relevant field
2015-06-12: Details disclosed to regular white hats
2015-06-22: Details disclosed to intern white hats
2015-07-07: Details disclosed to the public

Brief description:

US series 2

Detailed description:

New York University (NYU) is a private research university located in New York City, a world-class institution situated in the heart of New York. Founded in 1831, it has become the largest private non-profit institution of higher education in the United States, ranks near the top of the various university rankings, and is counted among the New Ivies.
1. Domain: ersprod.its.nyu.edu:8443
2. Backdoor address: https://ersprod.its.nyu.edu:8443/sh/

(screenshot: 4.jpg)


Backdoor features: custom search by file extension, renaming of the alias command, opening a shell backdoor, command execution, and directory listing; functionally it closely resembles 菜刀 (China Chopper).
3. Going deeper into the intranet
/etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.126.23 adc07-ldb.sas.its.nyu.edu adc07-ldb
192.168.126.24 adc08-ldb.sas.its.nyu.edu adc08-ldb
128.122.120.41 adc09-ldb.sas.its.nyu.edu adc09-ldb
#128.122.221.21 ITS01-LFP-V.SAS.ITS.NYU.EDU nfs221
#128.122.221.40 its01-lfp.sas.its.nyu.edu nfs221
# The below entry is needed for Remedy
192.168.126.24 arprod.its.nyu.edu arprod
# New NFS Servers
128.122.120.77 its020-nfs.cfs.its.nyu.edu lownfs4
# ITM SERVER
128.122.122.87 its006-lap-v.sas.its.nyu.edu


Judging by the hosts file, the intranet appears to be a SAS cluster environment belonging to NYU's IT management department (ITS).
/etc/passwd



Linux version: Linux adc08-ldb.sas.its.nyu.edu 2.6.9-89.ELhugemem #1 SMP Mon Apr 20 10:45:44 EDT 2009 i686 i686 i386 GNU/Linux
Privilege escalation is possible.
That is as far as it goes; I did not want to go deeper and stopped here.
good luck!
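As an added defender-side check (example code written for this page, not part of the original report): a small Python audit that parses records in /etc/passwd format and flags service accounts that still carry an interactive login shell, treating an empty shell field as interactive because login(1) then falls back to /bin/sh. The sample records are constructed and modelled on the report's listing with personal entries replaced; the UID 500 cutoff for regular users follows the RHEL 4-era convention and is an assumption to adjust per site.

```python
from collections import namedtuple
from typing import List

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}
# Assumption: RHEL 4-era convention, regular user UIDs start at 500.
REGULAR_UID_MIN = 500

# Constructed sample in /etc/passwd format, modelled on the report's listing
# (service entries kept, personal entries replaced by a placeholder user).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
news:x:9:13:news:/etc/news:
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
oracle:x:400:400:Oracle Software Owner:/home/oracle:/bin/bash
bb:x:410:410:Big Brother Client User:/usr/local/bb:/bin/bash
alice:x:501:401:Alice Example:/home/alice:/bin/bash
"""

Account = namedtuple("Account", "name uid gid gecos home shell")

def parse_passwd(text: str) -> List[Account]:
    """Parse passwd-style lines; each record has exactly 7 colon-separated fields."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell))
    return accounts

def is_interactive(shell: str) -> bool:
    # An empty shell field makes login(1) fall back to /bin/sh, so it counts as interactive.
    return (shell or "/bin/sh") not in NOLOGIN_SHELLS

def flag_interactive_service_accounts(accounts: List[Account],
                                      uid_min: int = REGULAR_UID_MIN) -> List[str]:
    """Names of non-root accounts below the regular-user UID range that can log in."""
    return [a.name for a in accounts
            if a.uid != 0 and a.uid < uid_min and is_interactive(a.shell)]
```

Run it over a real /etc/passwd by passing the file contents to parse_passwd; every name it returns is a service account that an attacker with a web shell could use as a second foothold and that should normally be set to /sbin/nologin.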

Proof of vulnerability:


Fix recommendation:

good luck!

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 11

Confirmed: 2015-05-23 16:06

Vendor reply:

Latest status:

None yet