Vulnerability Summary

Defect ID: wooyun-2016-0168801

Title: Command execution with root privileges on CICC's online trading system

Vendor: China International Capital Corporation Limited

Author: 路人甲

Submitted: 2016-01-13 17:06

Fixed: 2016-02-27 11:49

Disclosed: 2016-02-27 11:49

Type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, China's national internet emergency response centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2016-01-13: Details sent to the vendor; awaiting the vendor's handling
2016-01-15: Vendor has confirmed; details visible to the vendor only
2016-01-25: Details disclosed to core white hats and relevant domain experts
2016-02-04: Details disclosed to regular white hats
2016-02-14: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public

Brief description:

Command execution with root privileges on CICC's online trading system. This is a bank's online trading system, so the impact should be quite large.

Detailed description:

China International Capital Corporation Limited
As China's first Sino-foreign joint-venture investment bank, CICC is committed to providing domestic and overseas institutional and individual clients with investment banking, capital markets, institutional and retail securities sales and trading, fixed income, asset management, direct investment and research services that meet international standards.
China International Capital Corporation Limited ("CICC") was founded in August 1995 and is China's first Sino-foreign joint-venture investment bank, jointly invested in and established by well-known domestic and foreign financial institutions and companies on the basis of a strategic partnership, with registered capital of US$125 million.
CICC is headquartered in Beijing and has established branches in major domestic cities such as Hong Kong, Shanghai and Shenzhen. As its business has expanded, CICC has also actively developed overseas markets, laying a solid foundation for becoming an international investment bank rooted in China.


A Baidu search shows the domain is http://**.**.**.**/

[Screenshot: 111111.png]


Pinging it gives the IP **.**.**.**
The IP where the vulnerability was found is **.**.**.**

[Screenshot: id.png]

Proof of vulnerability:

Looking at the directory

[Screenshot: pwd.png]


uname -a

SunOS yzoltapb 5.10 Generic_138888-03 sun4v sparc SUNW,Sun-Blade-T6320


cat /etc/hosts

#
# Internet host table
#
**.**.**.** localhost
::1 localhost
**.**.**.** yzoltapb loghost
**.**.**.** yzoltapb2


These two internal IPs: **.**.**.** corresponds to **.**.**.**, and **.**.**.** presumably corresponds to **.**.**.**; not sure whether I guessed right. The two machines are probably set up as a cluster.
WebLogic config.xml:

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://**.**.**.**/weblogic/domain" xmlns:sec="http://**.**.**.**/weblogic/security" xmlns:wls="http://**.**.**.**/weblogic/security/wls" xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance" xsi:schemaLocation="http://**.**.**.**/weblogic/security/xacml http://**.**.**.**/weblogic/security/xacml/1.0/xacml.xsd http://**.**.**.**/weblogic/security/providers/passwordvalidator http://**.**.**.**/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://**.**.**.**/weblogic/domain http://**.**.**.**/weblogic/1.0/domain.xsd http://**.**.**.**/weblogic/security http://**.**.**.**/weblogic/1.0/security.xsd http://**.**.**.**/weblogic/security/wls http://**.**.**.**/weblogic/security/wls/1.0/wls.xsd">
<name>base_domain</name>
<domain-version>**.**.**.**</domain-version>
<security-configuration>
<name>base_domain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://**.**.**.**/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://**.**.**.**/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://**.**.**.**/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}u4/6HLN7+PFNxFibQ3J0xk5hAJFiikMxZ1qF7rXPROR2YM8eZ+LC+LiEKAmU2/yFGqVubURtt8AZ0vi+DUo2O8qnoUXiT4KgAmKxMS4sjQQNRZHOotRFRx72npOagN+I</credential-encrypted>
<node-manager-username>Nmz79FpQgS</node-manager-username>
<node-manager-password-encrypted>{AES}wYL+jPIQuItk8Gouh7wOT1q/UXmXMyW8LBbtKNv7Zsc=</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<ssl>
<enabled>false</enabled>
</ssl>
<listen-port>7001</listen-port>
<listen-port-enabled>true</listen-port-enabled>
<listen-address>**.**.**.**</listen-address>
<java-compiler>javac</java-compiler>
<client-cert-proxy-enabled>false</client-cert-proxy-enabled>
<server-diagnostic-config>
<wldf-diagnostic-volume>Off</wldf-diagnostic-volume>
</server-diagnostic-config>
</server>
<server>
<name>serverA1</name>
<ssl>
<enabled>true</enabled>
<listen-port>443</listen-port>
<server-private-key-alias>**.**.**.**</server-private-key-alias>
<server-private-key-pass-phrase-encrypted>{AES}2n3Oi7pwU7dmfHFZcwcPxGL8j0tYe+kweCk82UCKRIY=</server-private-key-pass-phrase-encrypted>
</ssl>
<machine xsi:nil="true"></machine>
<listen-port>80</listen-port>
<listen-port-enabled>true</listen-port-enabled>
<cluster>Cluster-0</cluster>
<listen-address>**.**.**.**</listen-address>
<java-compiler>javac</java-compiler>
<jta-migratable-target>
<user-preferred-server>serverA1</user-preferred-server>
<cluster>Cluster-0</cluster>
</jta-migratable-target>
<client-cert-proxy-enabled>false</client-cert-proxy-enabled>
<key-stores>CustomIdentityAndCustomTrust</key-stores>
<custom-identity-key-store-file-name>/usr/local/Oracle/Middleware/user_projects/domains/ssl/trade1/keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>JKS</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>{AES}UTX3J22fpi8Wk3B1sT0n6kTxZXhrqkGPfuW+HZDyS5Q=</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/usr/local/Oracle/Middleware/user_projects/domains/ssl/trade1/keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>JKS</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>{AES}2Bc13PMn7SRQMt23gyPpx4YngK+Ah+gPJPVU7/mckxg=</custom-trust-key-store-pass-phrase-encrypted>
<server-diagnostic-config>
<wldf-diagnostic-volume>Off</wldf-diagnostic-volume>
</server-diagnostic-config>
</server>
<server>
<name>serverA2</name>
<ssl>
<enabled>true</enabled>
<listen-port>443</listen-port>
<server-private-key-alias>**.**.**.**</server-private-key-alias>
<server-private-key-pass-phrase-encrypted>{AES}jXQdVNd8wm+xlNyuUgfSl//XBRlnSV9WtxVsz/1LWdE=</server-private-key-pass-phrase-encrypted>
</ssl>
<machine xsi:nil="true"></machine>
<listen-port>80</listen-port>
<listen-port-enabled>true</listen-port-enabled>
<cluster>Cluster-0</cluster>
<listen-address>**.**.**.**</listen-address>
<java-compiler>javac</java-compiler>
<jta-migratable-target>
<user-preferred-server>serverA2</user-preferred-server>
<cluster>Cluster-0</cluster>
</jta-migratable-target>
<client-cert-proxy-enabled>false</client-cert-proxy-enabled>
<key-stores>CustomIdentityAndCustomTrust</key-stores>
<custom-identity-key-store-file-name>/usr/local/Oracle/Middleware/user_projects/domains/ssl/trade2/keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>JKS</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>{AES}4lePUXOcfMI2io6+d7el0tjeWT5vjFbpWRLO08a+KP0=</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/usr/local/Oracle/Middleware/user_projects/domains/ssl/trade2/keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>JKS</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>{AES}ke/0Tt1/p4689w+qbFde3fjWdg5C4cP4Fiyb2jsXy3s=</custom-trust-key-store-pass-phrase-encrypted>
<server-diagnostic-config>
<wldf-diagnostic-volume>Off</wldf-diagnostic-volume>
</server-diagnostic-config>
</server>
<server>
<name>serverB1</name>
<ssl>
<enabled>true</enabled>
<listen-port>443</listen-port>
<server-private-key-alias>**.**.**.**</server-private-key-alias>
<server-private-key-pass-phrase-encrypted>{AES}vmM1KWM5PiASrTsLr21MUK1ua0iqvgX0kU7o95PDVH0=</server-private-key-pass-phrase-encrypted>
</ssl>
<machine xsi:nil="true"></machine>
<listen-port>80</listen-port>
<listen-port-enabled>true</listen-port-enabled>
<cluster>Cluster-0</cluster>
<listen-address>**.**.**.**</listen-address>
<java-compiler>javac</java-compiler>
<jta-migratable-target>
<user-preferred-server>serverB1</user-preferred-server>
<cluster>Cluster-0</cluster>
</jta-migratable-target>
<client-cert-proxy-enabled>false</client-cert-proxy-enabled>
<key-stores>CustomIdentityAndCustomTrust</key-stores>
<custom-identity-key-store-file-name>/usr/local/Oracle/Middleware/user_projects/domains/ssl/trade1/keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>JKS</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>{AES}OKn/vvgiy7Qy+hDEx0fG6eIW7ZmbBGlgOSPA483CCeo=</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/usr/local/Oracle/Middleware/user_projects/domains/ssl/trade1/keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>JKS</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>{AES}IILE3Ggkw3iDk6SibAPNDbNO/jkCnmodtmsfOV5sS0g=</custom-trust-key-store-pass-phrase-encrypted>
<server-diagnostic-config>
<wldf-diagnostic-volume>Off</wldf-diagnostic-volume>
</server-diagnostic-config>
</server>
<server>
<name>serverB2</name>
<ssl>
<enabled>true</enabled>
<listen-port>443</listen-port>
<server-private-key-alias>**.**.**.**</server-private-key-alias>
<server-private-key-pass-phrase-encrypted>{AES}RiwM/7gdo/PYvFbiWAsgMkX6E6AA1OiZfwW0Dyve2Fs=</server-private-key-pass-phrase-encrypted>
</ssl>
<machine xsi:nil="true"></machine>
<listen-port>80</listen-port>
<listen-port-enabled>true</listen-port-enabled>
<cluster>Cluster-0</cluster>
<listen-address>**.**.**.**</listen-address>
<java-compiler>javac</java-compiler>
<jta-migratable-target>
<user-preferred-server>serverB2</user-preferred-server>
<cluster>Cluster-0</cluster>
</jta-migratable-target>
<client-cert-proxy-enabled>false</client-cert-proxy-enabled>
<key-stores>CustomIdentityAndCustomTrust</key-stores>
<custom-identity-key-store-file-name>/usr/local/Oracle/Middleware/user_projects/domains/ssl/trade2/keystore.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>JKS</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>{AES}D5l1rWjHiKZC/zhTthl5dJP4oOpavHW5sXilBJrE7i4=</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>/usr/local/Oracle/Middleware/user_projects/domains/ssl/trade2/keystore.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>JKS</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>{AES}2Guspr5ve+9O2FZz7EMAiNr6MxYY3ZbYNevAh9Ragt8=</custom-trust-key-store-pass-phrase-encrypted>
<server-diagnostic-config>
<wldf-diagnostic-volume>Off</wldf-diagnostic-volume>
</server-diagnostic-config>
</server>
<cluster>
<name>Cluster-0</name>
<multicast-address>**.**.**.**</multicast-address>
<multicast-port>7001</multicast-port>
<cluster-messaging-mode>multicast</cluster-messaging-mode>
</cluster>
<production-mode-enabled>true</production-mode-enabled>
<embedded-ldap>
<name>base_domain</name>
<credential-encrypted>{AES}J6SngNwcp8CFa92jENtRDPqPS9LtV0KOqL/cpN5fyNWytgaJXlZ0vK4NbxiaYw+Y</credential-encrypted>
</embedded-ldap>
<configuration-version>**.**.**.**</configuration-version>
<app-deployment>
<name>dl</name>
<target>Cluster-0</target>
<module-type>war</module-type>
<source-path>servers/AdminServer/upload/dl</source-path>
<deployment-order>100</deployment-order>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>stage</staging-mode>
</app-deployment>
<app-deployment>
<name>oms</name>
<target>Cluster-0</target>
<module-type>war</module-type>
<source-path>servers/AdminServer/upload/oms</source-path>
<deployment-order>100</deployment-order>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>stage</staging-mode>
</app-deployment>
<migratable-target>
<name>serverA1 (migratable)</name>
<notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
<user-preferred-server>serverA1</user-preferred-server>
<cluster>Cluster-0</cluster>
</migratable-target>
<migratable-target>
<name>serverA2 (migratable)</name>
<notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
<user-preferred-server>serverA2</user-preferred-server>
<cluster>Cluster-0</cluster>
</migratable-target>
<migratable-target>
<name>serverB1 (migratable)</name>
<notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
<user-preferred-server>serverB1</user-preferred-server>
<cluster>Cluster-0</cluster>
</migratable-target>
<migratable-target>
<name>serverB2 (migratable)</name>
<notes>This is a system generated default migratable target for a server. Do not delete manually.</notes>
<user-preferred-server>serverB2</user-preferred-server>
<cluster>Cluster-0</cluster>
</migratable-target>
<admin-server-name>AdminServer</admin-server-name>
</domain>
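As an added, defender-side example (not part of the report or of WebLogic itself), a small Python auditor that parses a WebLogic domain config.xml and flags the weak settings visible in the dump above: SSL disabled on the AdminServer, plaintext listen ports enabled, WLDF diagnostics turned off, and an 8-character minimum password length. The embedded sample is constructed and trimmed from the dump, and its namespace URIs are placeholders, which is why the checks match on local element names rather than full namespaced tags.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample in the shape of the dumped config.xml above.
# Namespace URIs are placeholders; the checks match on local names only.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://example.invalid/weblogic/domain" xmlns:sec="http://example.invalid/weblogic/security"
        xmlns:pas="http://example.invalid/weblogic/security/providers/passwordvalidator">
  <security-configuration><realm><sec:password-validator>
    <pas:min-password-length>8</pas:min-password-length>
  </sec:password-validator></realm></security-configuration>
  <server><name>AdminServer</name><ssl><enabled>false</enabled></ssl>
    <listen-port>7001</listen-port><listen-port-enabled>true</listen-port-enabled></server>
  <server><name>serverA1</name><ssl><enabled>true</enabled><listen-port>443</listen-port></ssl>
    <listen-port>80</listen-port><listen-port-enabled>true</listen-port-enabled>
    <server-diagnostic-config><wldf-diagnostic-volume>Off</wldf-diagnostic-volume></server-diagnostic-config>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
</domain>"""

def local(tag):
    """'{uri}name' -> 'name', so the checks work whatever namespace URI the file uses."""
    return tag.rsplit('}', 1)[-1]
def child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if local(c.tag) == name), None)
def text(elem, name, default=''):
    """Stripped text of that child, or `default` when the element is absent."""
    c = child(elem, name)
    return (c.text or '').strip() if c is not None else default

def audit(xml_text, min_pw_len=12):
    """Return (scope, finding) pairs for the weak settings seen in the dumped domain."""
    root = ET.fromstring(xml_text)
    findings = []
    for srv in (c for c in root if local(c.tag) == 'server'):
        name = text(srv, 'name', '?')
        ssl = child(srv, 'ssl')
        if ssl is None or text(ssl, 'enabled') != 'true':   # AdminServer in the dump
            findings.append((name, 'SSL disabled'))
        if text(srv, 'listen-port-enabled') == 'true':       # every server in the dump
            findings.append((name, 'plaintext listen port %s enabled' % text(srv, 'listen-port')))
        diag = child(srv, 'server-diagnostic-config')
        if diag is not None and text(diag, 'wldf-diagnostic-volume') == 'Off':
            findings.append((name, 'WLDF diagnostic volume Off'))
    for pv in root.iter():                                   # password policy sits under the realm
        if local(pv.tag) == 'min-password-length' and int(pv.text) < min_pw_len:
            findings.append(('realm', 'min-password-length %s below %d' % (pv.text, min_pw_len)))
    if text(root, 'production-mode-enabled') != 'true':
        findings.append(('domain', 'production mode disabled'))
    return findings
```

Run it against a real domain's config.xml by passing the file contents to `audit()`; the production-mode check is included so that a setting the dump gets right (production mode on) is visibly not flagged.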


I won't mess around any further with a bank's system. It's an online trading system, and with root privileges at that, so the risk should be very high. Requesting 20 rank.

Remediation:

Patch

Copyright: please credit the source when reposting: 路人甲@乌云


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-15 17:58

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to the securities industry's information-technology regulator, which will coordinate follow-up handling with the website's operating unit.

Latest status:

None yet