当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0163712

漏洞标题:海尔集团某系统存在weblogic的反序列化漏洞(可入内网)

相关厂商:海尔集团

漏洞作者: 路人甲

提交时间:2015-12-22 23:13

修复时间:2016-02-06 10:45

公开时间:2016-02-06 10:45

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-22: 细节已通知厂商并且等待厂商处理中
2015-12-24: 厂商已经确认,细节仅向厂商公开
2016-01-03: 细节向核心白帽子及相关领域专家公开
2016-01-13: 细节向普通白帽子公开
2016-01-23: 细节向实习白帽子公开
2016-02-06: 细节向公众公开

简要描述:

海尔集团

详细说明:

http://27.223.70.77:7001/
存在weblogic的反序列化漏洞
可反弹shell

1.jpg


读取下配置信息
D:\Oracle\Middleware\user_projects\domains\base_domain\config>type config.xml

type config.xml
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>base_domain</name>
  <domain-version>10.3.5.0</domain-version>
  <security-configuration>
    <name>base_domain</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}k77cNkchopQnD98Lk9bhatCSc8LYsOIPwQpBwD2IZ4GGFFkV2NWnNMNAG69CBoBpLK7gQa+WCOek6AfWNz6etTFe8A42os5QZQhevUwJVTqYBPcbP9JGDSjzq9+YOLOd</credential-encrypted>
    <node-manager-username>kXRx0qV8Ci</node-manager-username>
    <node-manager-password-encrypted>{AES}rBvG0C6Lqyj+i1tVEsjg1uRLlZA0FxVOBNPPT0mzHbI=</node-manager-password-encrypted>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <ssl>
      <server-private-key-alias>weblogic</server-private-key-alias>
      <server-private-key-pass-phrase-encrypted>{AES}gI07Nk70oXtmsbc9eRoE1GEiFoeioTtTZzTdfamsiy0=</server-private-key-pass-phrase-encrypted>
    </ssl>
    <listen-address></listen-address>
    <key-stores>DemoIdentityAndDemoTrust</key-stores>
    <custom-identity-key-store-file-name>D:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoIdentity.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-type>jks</custom-identity-key-store-type>
    <custom-identity-key-store-pass-phrase-encrypted>{AES}WJ4ttnQJEBtkpWAkO+MUDJmreWP0GIxLLoP1htB22kI=</custom-identity-key-store-pass-phrase-encrypted>
    <custom-trust-key-store-file-name>D:\Oracle\Middleware\user_projects\domains\base_domain\jpushJks1.jks</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>jks</custom-trust-key-store-type>
    <custom-trust-key-store-pass-phrase-encrypted>{AES}wd3BUY+mB9X7NC4wCcfmI6mFnkRgtbCq0vCYTL3heLA=</custom-trust-key-store-pass-phrase-encrypted>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
  <embedded-ldap>
    <name>base_domain</name>
    <credential-encrypted>{AES}pbAo/PlhkYvUI6OQFrA89rodZK09WpCs+EeP04TAVbg0xr0eDQ8xqy0+RfmIwu/5</credential-encrypted>
  </embedded-ldap>
  <configuration-version>10.3.5.0</configuration-version>
  <app-deployment>
    <name>sales</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>servers\AdminServer\upload\sales.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>dkt</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>servers\AdminServer\upload\dkt.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <admin-server-name>AdminServer</admin-server-name>
</domain>


net user

2.jpg


arp -a

3.jpg


arp -a
½ӿغ 10.135.108.217 --- 0xb
  Internet µٖ·         ϯmµٖ·              `э
  10.135.108.1          00-26-52-b3-9a-45     ¶¯̬        
  10.135.108.10         d8-9d-67-26-54-44     ¶¯̬        
  10.135.108.11         d8-9d-67-2b-7b-34     ¶¯̬        
  10.135.108.90         00-50-56-a3-75-1f     ¶¯̬        
  10.135.108.94         00-50-56-a3-09-e8     ¶¯̬        
  10.135.108.111        00-50-56-a3-35-3c     ¶¯̬        
  10.135.108.146        00-50-56-a3-0e-8f     ¶¯̬        
  10.135.108.181        00-50-56-a3-79-8e     ¶¯̬        
  10.135.108.188        00-50-56-a3-47-94     ¶¯̬        
  10.135.108.197        00-50-56-a3-37-b3     ¶¯̬        
  10.135.108.221        00-50-56-a3-6e-ae     ¶¯̬        
  10.135.108.232        00-50-56-a3-45-3f     ¶¯̬        
  10.135.108.255        ff-ff-ff-ff-ff-ff     ¾²̬        
  224.0.0.22            01-00-5e-00-00-16     ¾²̬        
  224.0.0.252           01-00-5e-00-00-fc     ¾²̬        
  239.255.255.250       01-00-5e-7f-ff-fa     ¾²̬


漏洞证明:

net user

2.jpg


arp -a

3.jpg

修复方案:

升级

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-24 09:07

厂商回复:

感谢白帽子的测试与提醒,已安排人员进行处理。

最新状态:

暂无