
Vulnerability summary

Defect ID: wooyun-2015-0145501

Vulnerability title: A Hong Kong Telecom (HKT, a PCCW subsidiary) system has a vulnerability (involving mobile phone authentication services and SIM card value-added services)

Vendor: PCCW (电讯盈科)

Author: 猪猪侠

Submitted: 2015-10-09 17:18

Fixed: 2015-10-26 11:28

Published: 2015-10-26 11:28

Vulnerability type: Application misconfiguration

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-09: Details reported to the vendor; awaiting vendor handling
2015-10-12: Vendor confirmed; details disclosed to the vendor only
2015-10-22: Details disclosed to core white-hats and relevant domain experts
2015-10-26: Vendor fixed the vulnerability and disclosed proactively; details made public

Brief description:

A Hong Kong Telecom system under PCCW is vulnerable (affecting mobile phone authentication services and value-added services); the foothold can indirectly be used to manage systems such as the telecom stored-value card platform.
The backend is a load-balanced cluster, so multiple servers are affected.

Detailed description:

#1 Vulnerable address

http://**.**.**.**/axis2/
**.**.**.** runs a load-balancing service; multiple servers sit behind it:
**.**.**.** **.**.**.**
**.**.**.** **.**.**.**

Other address belonging to the same system: https://**.**.**.**/login

[Screenshot: systempic.png]


#2 The Axis2 admin console uses the default credentials admin:axis2

[Screenshot: pccw1.png]


#3 Obtaining a system shell

[Screenshot: pccw2_ifconfig.png]


#4 Payment service

# Fragment of the payment client restart script found on the host.
# RESTART_LOG is assumed to be set earlier in the same script (not shown on the page).
# Restart the payment client only if Tomcat is listening on 8080 and the /opt/bpp/tomcat process is up.
if netstat -an | grep ":8080" | grep LISTEN > /dev/null && ps -ef | grep /opt/bpp/tomcat | grep -v "grep" > /dev/null
then
    echo "Start Payment Client Application on " `hostname` " at " `date` >> $RESTART_LOG 2>&1
    cd /
    su - tomcat -c "/home/oper/linux/payment_start.sh"
else
    echo "Tomcat is NOT RUNNING" >> $RESTART_LOG 2>&1
fi


#5 Other system services belonging to this system

<wsdl:definitions xmlns:wsdl="http://**.**.**.**/wsdl/" xmlns:ns1="http://org.apache.axis2/xsd" xmlns:ns="http://**.**.**.**" xmlns:ax27="http://**.**.**.**/xsd" xmlns:wsaw="http://**.**.**.**/2006/05/addressing/wsdl" xmlns:ax25="http://**.**.**.**/xsd" xmlns:http="http://**.**.**.**/wsdl/http/" xmlns:xs="http://**.**.**.**/2001/XMLSchema" xmlns:mime="http://**.**.**.**/wsdl/mime/" xmlns:soap="http://**.**.**.**/wsdl/soap/" xmlns:soap12="http://**.**.**.**/wsdl/soap12/" targetNamespace="http://**.**.**.**">
<wsdl:documentation>MonitiseServices</wsdl:documentation>
<wsdl:types>
<xs:schema attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://**.**.**.**/xsd">
<xs:complexType name="MonitiseAccountValidateOutputDTO">
<xs:sequence>
</xs:complexType>
</xs:schema>
<xs:schema attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://**.**.**.**/xsd">
<xs:complexType name="MonitiseInputDTO">
<xs:sequence>
<xs:element minOccurs="0" name="channel" nillable="true" type="xs:string"/>
<xs:element minOccurs="0" name="msisdn" nillable="true" type="xs:string"/>
<xs:element minOccurs="0" name="starterPackId" nillable="true" type="xs:string"/>
<xs:element minOccurs="0" name="topupAmount" type="xs:float"/>
<xs:element minOccurs="0" name="transactionId" nillable="true" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
<xs:schema xmlns:ax28="http://**.**.**.**/xsd" xmlns:ax26="http://**.**.**.**/xsd" attributeFormDefault="qualified" elementFormDefault="qualified" targetNamespace="http://**.**.**.**">
<xs:import namespace="http://**.**.**.**/xsd"/>
<xs:import namespace="http://**.**.**.**/xsd"/>
<xs:element name="validateTopup">
<xs:complexType>
<xs:sequence>
<http:address location="http://**.**.**.**/axis2/services/MonitiseServices.MonitiseServicesHttpEndpoint/"/>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>


drwxr-x--- 2 tomcat tomcat  4096 Jul  7  2014 .
drwxr-x--- 5 tomcat tomcat 4096 Jul 7 2014 ..
-rw-r----- 1 tomcat tomcat 15840 Jun 30 2014 AccumulativeChrgSumyAction.class
-rw-r----- 1 tomcat tomcat 19122 Apr 23 2014 AccumulativeChrgSumyAction.java
-rw-r----- 1 tomcat tomcat 2057 Jun 30 2014 ActionConstant.class
-rw-r----- 1 tomcat tomcat 2154 Nov 12 2013 ActionConstant.java
-rw-r----- 1 tomcat tomcat 1267 Jul 4 2014 AlipayTopupAction$1.class
-rw-r----- 1 tomcat tomcat 27144 Jul 4 2014 AlipayTopupAction.class
-rw-r----- 1 tomcat tomcat 36573 Jul 4 2014 AlipayTopupAction.java
-rw-r----- 1 tomcat tomcat 1248 Jul 4 2014 AlipayTopupAction$miTM.class
-rw-r----- 1 tomcat tomcat 4557 Jun 30 2014 AutoLogonAction.class
-rw-r----- 1 tomcat tomcat 4187 Feb 6 2014 AutoLogonAction.java
-rw-r----- 1 tomcat tomcat 1182 Jun 30 2014 CardInfoAction.class
-rw-r----- 1 tomcat tomcat 544 Nov 12 2013 CardInfoAction.java
-rw-r----- 1 tomcat tomcat 7788 Jun 30 2014 CardInformationAction.class
-rw-r----- 1 tomcat tomcat 6984 Nov 12 2013 CardInformationAction.java
-rw-r----- 1 tomcat tomcat 5483 Jun 30 2014 ChangePasswordAction.class
-rw-r----- 1 tomcat tomcat 5525 Nov 27 2013 ChangePasswordAction.java
-rw-r----- 1 tomcat tomcat 10347 Jun 30 2014 ChangeVasAction.class
-rw-r----- 1 tomcat tomcat 9418 Nov 28 2013 ChangeVasAction.java
-rw-r----- 1 tomcat tomcat 4976 Jun 30 2014 ForgetPasswordAction.class
-rw-r----- 1 tomcat tomcat 4419 Feb 17 2014 ForgetPasswordAction.java
-rw-r----- 1 tomcat tomcat 2040 Jun 30 2014 LogonAction.class
-rw-r----- 1 tomcat tomcat 1563 Nov 12 2013 LogonAction.java
-rw-r----- 1 tomcat tomcat 682 Jun 30 2014 LogoutAction.class
-rw-r----- 1 tomcat tomcat 384 Nov 12 2013 LogoutAction.java
-rw-r----- 1 tomcat tomcat 6984 Jun 30 2014 ManualLoginAction.class
-rw-r----- 1 tomcat tomcat 6165 Jan 3 2014 ManualLoginAction.java
-rw-r----- 1 tomcat tomcat 596 Jun 30 2014 MessageAction.class
-rw-r----- 1 tomcat tomcat 304 Nov 12 2013 MessageAction.java
-rw-r----- 1 tomcat tomcat 4936 Jun 30 2014 NEAction.class
-rw-r----- 1 tomcat tomcat 5319 Jun 18 2014 NEAction.java
-rw-r----- 1 tomcat tomcat 20582 Jun 30 2014 OnlineTopupAction.class
-rw-r----- 1 tomcat tomcat 22270 Jun 18 2014 OnlineTopupAction.java
-rw-r----- 1 tomcat tomcat 2341 Jun 30 2014 PropertiesAction.class
-rw-r----- 1 tomcat tomcat 1768 Nov 12 2013 PropertiesAction.java
-rw-r----- 1 tomcat tomcat 4213 Jun 30 2014 RetrievePasswordAction.class
-rw-r----- 1 tomcat tomcat 4092 Nov 27 2013 RetrievePasswordAction.java
-rw-r----- 1 tomcat tomcat 1357 Jun 30 2014 SmsHistoryAction.class
-rw-r----- 1 tomcat tomcat 766 Nov 12 2013 SmsHistoryAction.java
-rw-r----- 1 tomcat tomcat 11972 Jun 30 2014 SmsSettingAction.class
-rw-r----- 1 tomcat tomcat 13075 Nov 27 2013 SmsSettingAction.java
-rw-r----- 1 tomcat tomcat 1693 Jun 30 2014 TestDisplayAction.class
-rw-r----- 1 tomcat tomcat 932 Nov 12 2013 TestDisplayAction.java
-rw-r----- 1 tomcat tomcat 2757 Jun 30 2014 TestUpdateAction.class
-rw-r----- 1 tomcat tomcat 2615 Nov 27 2013 TestUpdateAction.java
-rw-r----- 1 tomcat tomcat 4475 Jun 30 2014 UsageEntitlementAction.class
-rw-r----- 1 tomcat tomcat 3831 Nov 27 2013 UsageEntitlementAction.java
-rw-r----- 1 tomcat tomcat 2082 Jun 30 2014 VasAction.class
-rw-r----- 1 tomcat tomcat 1395 Nov 27 2013 VasAction.java
-rw-r----- 1 tomcat tomcat 16554 Jun 30 2014 VoucherOnlineTopupAction.class
-rw-r----- 1 tomcat tomcat 25868 Feb 17 2014 VoucherOnlineTopupAction.java

Proof of vulnerability:

last -20
sitescop pts/2 **.**.**.** Fri Oct 9 10:50 still logged in
sitescop pts/0 **.**.**.** Fri Oct 9 10:20 still logged in
sitescop pts/6 **.**.**.** Fri Oct 9 10:00 still logged in
sitescop pts/2 **.**.**.** Fri Oct 9 09:45 - 10:45 (00:59)
sitescop pts/0 **.**.**.** Fri Oct 9 09:00 - 10:10 (01:09)
sitescop pts/6 **.**.**.** Fri Oct 9 01:25 - 09:55 (08:30)
sitescop pts/5 **.**.**.** Fri Oct 9 01:24 still logged in
sitescop pts/2 **.**.**.** Fri Oct 9 01:20 - 09:35 (08:14)
sitescop pts/4 **.**.**.** Fri Oct 9 01:20 still logged in
sitescop pts/3 **.**.**.** Fri Oct 9 01:18 still logged in
sitescop pts/2 **.**.**.** Fri Oct 9 01:18 - 01:20 (00:01)
sitescop pts/3 **.**.**.** Fri Oct 9 01:18 - 01:18 (00:00)
sitescop pts/5 **.**.**.** Fri Oct 9 01:18 - 01:19 (00:01)
sitescop pts/2 **.**.**.** Fri Oct 9 01:18 - 01:18 (00:00)
sitescop pts/0 **.**.**.** Fri Oct 9 01:18 - 08:55 (07:37)
sitescop pts/5 **.**.**.** Wed Oct 7 04:00 - 01:15 (1+21:15)
sitescop pts/4 **.**.**.** Wed Oct 7 03:45 - 01:18 (1+21:33)
sitescop pts/6 **.**.**.** Wed Oct 7 02:45 - 01:18 (1+22:33)
cspsbat pts/7 hp90 Tue Oct 6 15:01 - 15:36 (00:34)
sitescop pts/3 **.**.**.** Tue Oct 6 05:13 - 01:14 (2+20:00)


# Do not remove the following line, or various programs
# that require network functionality will fail.
**.**.**.** localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
**.**.**.** **.**.**.**
**.**.**.** lx23 LX23 xhkalx23 XHKALX23
**.**.**.** hp90 HP90 xhkahp90 XHKAHP90
**.**.**.** hp91 HP91 xhkahp91 XHKAHP91
**.**.**.** lx39 LX39 xhkalx39 XHKALX39
**.**.**.** lx40 LX40 xhkalx40 XHKALX40
**.**.**.** lx49 LX49 xhkalx49 XHKALX49
**.**.**.** lx50 LX50 xhkalx50 XHKALX50
**.**.**.** NTSYSA16 ntsysa16
**.**.**.** **.**.**.**


ifconfig
eth0 Link encap:Ethernet HWaddr E4:1F:13:67:3E:1C
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::e61f:13ff:fe67:3e1c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2738312948 errors:0 dropped:0 overruns:0 frame:0
TX packets:2278510958 errors:67591190 dropped:0 overruns:0 carrier:67591190
collisions:80445229 txqueuelen:1000
RX bytes:358356022427 (333.7 GiB) TX bytes:1627045472176 (1.4 TiB)
Interrupt:169 Memory:a6000000-a6012800
eth1 Link encap:Ethernet HWaddr E4:1F:13:67:3E:1E
inet addr:**.**.**.** Bcast:**.**.**.**55 Mask:**.**.**.**
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)


Remediation:

#1 Remove middleware that is not needed
#2 Avoid default configuration
#3 Avoid weak passwords

Copyright notice: when reposting, please credit the source 猪猪侠@乌云
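As an added check for remediation items #2 and #3 (not code from the report or from the vendor): a Python audit of an Axis2 axis2.xml that flags the stock admin:axis2 credentials behind finding #2 and the hot-deployment settings. The two sample configurations are constructed, and the 12-character minimum is an assumed local policy.

```python
"""Audit an Axis2 axis2.xml for default admin credentials and hot-deployment settings."""
import xml.etree.ElementTree as ET

# Credentials shipped in the stock axis2.xml; the report shows them still in use.
DEFAULT_ADMIN = ("admin", "axis2")
MIN_PASSWORD_LEN = 12  # assumed local policy, not an Axis2 setting


def axis2_params(xml_text):
    """Return the top-level <parameter name=...>value</parameter> pairs of an axis2.xml."""
    root = ET.fromstring(xml_text)
    # axis2.xml has no default namespace, so plain tag names match direct children of <axisconfig>.
    return {p.get("name"): (p.text or "").strip() for p in root.findall("parameter")}


def audit_axis2(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    params = axis2_params(xml_text)
    findings = []
    user, pwd = params.get("userName"), params.get("password")
    if (user, pwd) == DEFAULT_ADMIN:
        findings.append("admin console uses the stock credentials admin:axis2")
    elif pwd is not None and len(pwd) < MIN_PASSWORD_LEN:
        findings.append("admin console password is shorter than %d characters" % MIN_PASSWORD_LEN)
    if params.get("hotdeployment", "true").lower() == "true":
        findings.append("hotdeployment is enabled: archives dropped into the services directory load without a restart")
    if params.get("hotupdate", "false").lower() == "true":
        findings.append("hotupdate is enabled: deployed services can be replaced at runtime")
    return findings


# Constructed sample: the relevant fragment of a stock axis2.xml.
STOCK_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="hotupdate">false</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>"""

# Constructed sample: the same fragment after hardening (credential value is made up).
HARDENED_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">false</parameter>
    <parameter name="hotupdate">false</parameter>
    <parameter name="userName">ops-axis2</parameter>
    <parameter name="password">Lq7!vR2m#pX9sWe4</parameter>
</axisconfig>"""

if __name__ == "__main__":
    for label, xml in (("stock", STOCK_AXIS2_XML), ("hardened", HARDENED_AXIS2_XML)):
        print(label, audit_axis2(xml) or ["no findings"])
```

Run it against the axis2.xml under WEB-INF/conf of each deployed webapp; where the admin console is not needed at all, removing the admin webapp (remediation item #1) removes the credential question entirely.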


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-10-12 14:05

Vendor reply:

The incident has been reported to the relevant organization.

Latest status:

2015-10-26: The relevant organization reported that the vulnerability has been fixed.