当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078536

漏洞标题:优酷因某弱口令导致一次内网漫游小记

相关厂商:优酷

漏洞作者: if、so

提交时间:2014-10-07 13:30

修复时间:2014-11-21 13:32

公开时间:2014-11-21 13:32

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-07: 细节已通知厂商并且等待厂商处理中
2014-10-07: 厂商已经确认,细节仅向厂商公开
2014-10-17: 细节向核心白帽子及相关领域专家公开
2014-10-27: 细节向普通白帽子公开
2014-11-06: 细节向实习白帽子公开
2014-11-21: 细节向公众公开

简要描述:

优酷内网漫游

详细说明:

WooYun: 优酷某站配置不当导致getshell,用户泄露,内部邮件泄露,并可内网漫游
得知优酷的vpn是vpn.youku.com pptp
弱口令一枚

mask 区域
*****ouku.co*****


3333.png


连接vpn,成功连上

1111.png


简单逛逛

5555.png


2222.png


4444.png


1.vbs

'********************************************************************
'* Main Function: 從AD中比對每一個使用者的Password LastSet,如果距離過期日剩5 天的使用者,則發信通知
'*
'* Usage:
' For Example : cscript QuerryAD.vbs
'*
'*Copyright (C) 2011 Kang Jia Youku Corporation
'********************************************************************
'Option Explicit
'For FileSystemObject
Const ForReading = 1
Const ForAppending = 8
Const ForWriting = 2
Const ADS_PROPERTY_DELETE = 4
dim arrWillExpiredDays
'Please modify the variable
CONST MASTERMAIL = "web_admin@youku.com" '寄信人的Email Address
'const strSMTPServer = "10.10.0.12" '寄信ExchangeServer
'const strSendUserName = "1verge\web_admin" '有權限的使用者(寄信使用)
'const strSendPassword = "" '密碼
const strFullAdsiPath = "LDAP://1verge.com/dc=1verge,dc=com" 'LDAP路徑
arrWillExpiredDays = Array(5) '將要過期天數的陣列
'Main Function
'Declare variables
Dim strTestMode
strTestMode = False 'use for debuging
'Cretae log file
Set WshSHell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

strFileName = Replace(Datevalue(Now), "-", "_")
strFileName = Replace(strFileName, "/", "_")

Public fLog
Set oLog = objFSO.OpenTextFile(strFileName & ".txt", ForWriting, TRUE)
PrintScreen Now
PrintScreen ""

sta = ListWillExpireUsers()
PrintScreen sta
PrintScreen ""
PrintScreen "The command runs successfully!"
PrintScreen Now

oLog.Close
'Program ending
wscript.quit
'======================================
' Function Area
'======================================
'********************************************************************
'*
'* Function: PrintScreen
'* Purpose: Show Message
'* Input: Message
'*
'* Output: None
'*
'********************************************************************
Sub PrintScreen(strMessage)
if strTestMode = True then
Wscript.Echo strMessage
end if
oLog.WriteLine strMessage
End Sub
'********************************************************************
'*Function ListWillExpireUsers(nDays)
'* List all user objects whose password will be expired or is expired
'* nDays: how many days the password will be expired
'*
'*
'*
'*-------------------------------------------------------------------

Function ListWillExpireUsers()

Dim strMailAddress

' Create User Object
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.CommandText = "<" & strFullAdsiPath & ">;(&(objectCategory=person)(objectclass=user));AdsPath,cn;subTree"
objCommand.Properties("Page Size") = 99 'specifies the maximum number of objects to return in a results set.

PrintScreen objCommand.CommandText
PrintScreen " "

Set objRecordSet = objCommand.Execute

If objRecordSet.RecordCount = 0 Then
PrintScreen "Error: Cannot found the user object in domain " & BaseDN & "."
Else

Dim intTotalAccount '計算找到幾位使用者
intTotalAccount = 0

objRecordSet.MoveFirst

Do Until objRecordSet.EOF
intTotalAccount = intTotalAccount +1
'Retrive user information
Dim oUser

Set oUser = GetObject(objRecordSet.Fields("ADsPath").Value)

For Each oUserProperty in oUser
PrintScreen oUserProperty.Name
Next

If (oUser.AccountDisabled = FALSE) Then

PrintScreen vbTab & "User Name : " & oUser.Name
sStatus = UserPwdExpire(oUser)

Select Case sStatus
Case 999999
PrintScreen vbTab & " The user " & oUser.samaccountname & " Password never expires."

Case Else
if sStatus >= 0 then
strMSG = "Your password is already expired in " & sStatus & " days!"
PrintScreen vbTab & " The user " & oUser.samAccountName & " password is expired after " & sStatus & " days!"
elseif sStatus < 0 then
strMSG = "Your mail account password will be expired in " & 0-sStatus & " days!" & vbcrlf & "Please change your password as soon as!"
PrintScreen vbTab & " The user " & oUser.samAccountName & " password will be expired in " & 0-sStatus & " days!"
end if

For each checkDays in arrWillExpiredDays
if checkDays = (0-sStatus) then
call fnCheck_SendMail(oUser,strMSG)
end if
next
End Select

else
PrintScreen vbTab & "User Name : " & oUser.Name
PrintScreen vbTab & " The user " & oUser.samaccountname & " Account Disabled."
end if

objRecordSet.MoveNext


PrintScreen " "

Loop
End If
PrintScreen "Total Accounts is " & intTotalAccount

ListWillExpireUsers = "OK"

End Function

'********************************************************************
'* Function UserPwdExpire(objUser, nMaxPwdAge)
'* Check if user object password is or will be expired
'* objUser: the user object
'*
'* nMaxPwdAge: maximum password age of domain
'*
'*-------------------------------------------------------------------
Function UserPwdExpire(objUser)

On Error Resume Next
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const SEC_IN_DAY = 86400

intCurrentValue = objUser.Get("userAccountControl")

If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
'The password does not expire.
UserPwdExpire = 999999 '永遠不過期
Else

dtmValue = objUser.PasswordLastChanged
if err.number <> 0 then
dtmValue = 0
err.Clear
end if


PrintScreen vbTab & " The password was last changed on " & DateValue(dtmValue) & " at " & TimeValue(dtmValue)
'PrintScreen vbTab & "The password was last changed on " & _
'DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
' "The difference between when the password was last set" & VbCrLf & _
' "and today is " & int(now - dtmValue) & " days"
intTimeInterval = int(now - dtmValue)


Set objSysInfo = CreateObject("ADSystemInfo")
strDomain = objSysInfo.DomainShortName
Set objSysInfo = Nothing

Set objDomainNT = GetObject("WinNT://" & strDomain)
intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")

If intMaxPwdAge < 0 Then
'WScript.Echo "The Maximum Password Age is set to 0 in the " & _
'"domain. Therefore, the password does not expire."
Else
intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
'Wscript.echo "The maximum password age is " & intMaxPwdAge & " days"
If intTimeInterval >= intMaxPwdAge Then
'PrintScreen vbTab & "The password has expired."
UserPwdExpire = int(intTimeInterval - intMaxPwdAge)
Else
'PrintScreen vbTab & "The password will expire on " & _
' DateValue(dtmValue + intMaxPwdAge) & " (" & _
' int((dtmValue + intMaxPwdAge) - now) & " days from today" & ")."
UserPwdExpire = int(now - (dtmValue + intMaxPwdAge))
End If
End If
End If
End Function

'******************************
' Mail Message
'Reference : Creating and Sending a Message
'http://msdn.microsoft.com/library/en-us/cdosys/html/_cdosys_messaging_examples_creating_and_sending_a_message.asp?frame=true
'http://msdn.microsoft.com/library/en-us/cdosys/html/_cdosys_cdosendusing_enum.asp?frame=true
'******************************
Sub SendMail(strFrom, strTo, strSubject, strBodyText)

Dim iMsg
Set iMsg = CreateObject("CDO.Message")
Dim iConf
Set iConf = CreateObject("CDO.Configuration")

Dim Flds
Set Flds = iConf.Fields

With Flds
' assume constants are defined within script file
.Item("cdoSendUsingMethod") = 2 ' cdoSendUsingPickup:1:Local , cdoSendUsingPort:2:Network
.Item("cdoSendUsingPort") = 25 'cdoSendUsingPort
.Item("cdoSMTPServer") = strSMTPServer
.Item("cdoSMTPConnectionTimeout") = 10 ' quick timeout
.Item("cdoSMTPAuthenticate") = cdoBasic
.Item("cdoSendUserName") = strSendUserName
.Item("cdoSendPassword") = strSendPassword
'.Item("cdoURLProxyServer") = "tpeproxy:80"
.Item("cdoURLProxyBypass") = "<local>"
.Item("cdoURLGetLatestVersion") = True
.Update
End With

With iMsg
Set .Configuration = iConf
.To = strTo
.From = strFrom
.Subject = strSubject
'.CreateMHTMLBody "This folder [" & strFolderPath & "] Created in " & intDayNum & " Days"
.TextBody = strBodyText
'.AddAttachment "C:\files\mybook.doc"
.Send
End With

End Sub

'********************************************************************
'*
'* Function: fnCheck_SendMail
'* Purpose: 檢查是否有符合寄信標準的使用者(以arrWillExpiredDays為準)
'* Input: objUser,MailMessage
'*
'* Output: None
'*
'********************************************************************
Function fnCheck_SendMail(objUser,strMSG)
'Send email
On Error Resume Next
Err.Clear

'某些User在此行發生Error
Dim PropArray

'PropArray = Array("proxyAddresses")
'oUser.GetInfoEx Array("proxyAddresses"), 0
aProxyAddress = objUser.GetEx("proxyAddresses")

If Err<>0 Then
PrintScreen vbTab & Time & " The user doesn't have email address."
Err.Clear
Else

For Each saProxyAddress in aProxyAddress

'Need a string variable to transfer the saProxyAddress
strMailAddress = saProxyAddress

ePos = Instr(1,strMailAddress,"SMTP:",VbTextCompare)

'PrintScreen vbTab & vbTab & "ePos = " & ePos

If ePos > 0 Then

strEmail = mid(strMailAddress,6)
PrintScreen vbTab & " Email Address: " & strEmail

'Use Exchange Server to send mail
'SendMail MASTERMAIL, strEmail, "Password expiration notification!", strMSG

'If server installed the SMTP Service
SendMessage MASTERMAIL, strEmail, "Password expiration notification!", strMSG

PrintScreen vbTab & " " & Time & " Finish sending email!"

Exit For

Else
'PrintScreen vbTab & vbTab & " No SMTP: string"
End If

Next

End If
end Function
'******************************************************************************
' Send messages with CDO for Windows 2000
' strTo: [in] To
' strFrom: [in] From
' strSubject: [in] Subject
' strBodyFile: [in] Body text file
'******************************************************************************
Sub SendMessage(strFrom, strTo, strSubject, strBodyText)

' For more information about CDO for Windows 2000, please refer to
' http://msdn.microsoft.com/library/en-us/exchanchor/htms/msexchsvr_cdowin2000.asp?frame=true

'On Error Resume Next
Dim oMessage ' as CDO.Message
Set oMessage = CreateObject("CDO.Message")

oMessage.TextBody = strBodyText
oMessage.To = strTo
oMessage.From = strFrom
oMessage.Subject = strSubject
Err.Clear
oMessage.Send

If Err.number <> 0 then
Wscript.Echo "Error in SendMessage: id=" & Err.number & ", source=" & Err.Source & ",Desc=" & Err.Description
Err.Clear
End If
Set oMessage = nothing

End Sub


.....
人家内网,比较敏感,不再深入

漏洞证明:

1111.png


5555.png


2222.png


4444.png


1.vbs

'********************************************************************
'* Main Function: 從AD中比對每一個使用者的Password LastSet,如果距離過期日剩5 天的使用者,則發信通知
'*
'* Usage:
' For Example : cscript QuerryAD.vbs
'*
'*Copyright (C) 2011 Kang Jia Youku Corporation
'********************************************************************
'Option Explicit
'For FileSystemObject
Const ForReading = 1
Const ForAppending = 8
Const ForWriting = 2
Const ADS_PROPERTY_DELETE = 4
dim arrWillExpiredDays
'Please modify the variable
CONST MASTERMAIL = "web_admin@youku.com" '寄信人的Email Address
'const strSMTPServer = "10.10.0.12" '寄信ExchangeServer
'const strSendUserName = "1verge\web_admin" '有權限的使用者(寄信使用)
'const strSendPassword = "" '密碼
const strFullAdsiPath = "LDAP://1verge.com/dc=1verge,dc=com" 'LDAP路徑
arrWillExpiredDays = Array(5) '將要過期天數的陣列
'Main Function
'Declare variables
Dim strTestMode
strTestMode = False 'use for debuging
'Cretae log file
Set WshSHell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

strFileName = Replace(Datevalue(Now), "-", "_")
strFileName = Replace(strFileName, "/", "_")

Public fLog
Set oLog = objFSO.OpenTextFile(strFileName & ".txt", ForWriting, TRUE)
PrintScreen Now
PrintScreen ""

sta = ListWillExpireUsers()
PrintScreen sta
PrintScreen ""
PrintScreen "The command runs successfully!"
PrintScreen Now

oLog.Close
'Program ending
wscript.quit
'======================================
' Function Area
'======================================
'********************************************************************
'*
'* Function: PrintScreen
'* Purpose: Show Message
'* Input: Message
'*
'* Output: None
'*
'********************************************************************
Sub PrintScreen(strMessage)
if strTestMode = True then
Wscript.Echo strMessage
end if
oLog.WriteLine strMessage
End Sub
'********************************************************************
'*Function ListWillExpireUsers(nDays)
'* List all user objects whose password will be expired or is expired
'* nDays: how many days the password will be expired
'*
'*
'*
'*-------------------------------------------------------------------

Function ListWillExpireUsers()

Dim strMailAddress

' Create User Object
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.CommandText = "<" & strFullAdsiPath & ">;(&(objectCategory=person)(objectclass=user));AdsPath,cn;subTree"
objCommand.Properties("Page Size") = 99 'specifies the maximum number of objects to return in a results set.

PrintScreen objCommand.CommandText
PrintScreen " "

Set objRecordSet = objCommand.Execute

If objRecordSet.RecordCount = 0 Then
PrintScreen "Error: Cannot found the user object in domain " & BaseDN & "."
Else

Dim intTotalAccount '計算找到幾位使用者
intTotalAccount = 0

objRecordSet.MoveFirst

Do Until objRecordSet.EOF
intTotalAccount = intTotalAccount +1
'Retrive user information
Dim oUser

Set oUser = GetObject(objRecordSet.Fields("ADsPath").Value)

For Each oUserProperty in oUser
PrintScreen oUserProperty.Name
Next

If (oUser.AccountDisabled = FALSE) Then

PrintScreen vbTab & "User Name : " & oUser.Name
sStatus = UserPwdExpire(oUser)

Select Case sStatus
Case 999999
PrintScreen vbTab & " The user " & oUser.samaccountname & " Password never expires."

Case Else
if sStatus >= 0 then
strMSG = "Your password is already expired in " & sStatus & " days!"
PrintScreen vbTab & " The user " & oUser.samAccountName & " password is expired after " & sStatus & " days!"
elseif sStatus < 0 then
strMSG = "Your mail account password will be expired in " & 0-sStatus & " days!" & vbcrlf & "Please change your password as soon as!"
PrintScreen vbTab & " The user " & oUser.samAccountName & " password will be expired in " & 0-sStatus & " days!"
end if

For each checkDays in arrWillExpiredDays
if checkDays = (0-sStatus) then
call fnCheck_SendMail(oUser,strMSG)
end if
next
End Select

else
PrintScreen vbTab & "User Name : " & oUser.Name
PrintScreen vbTab & " The user " & oUser.samaccountname & " Account Disabled."
end if

objRecordSet.MoveNext


PrintScreen " "

Loop
End If
PrintScreen "Total Accounts is " & intTotalAccount

ListWillExpireUsers = "OK"

End Function

'********************************************************************
'* Function UserPwdExpire(objUser, nMaxPwdAge)
'* Check if user object password is or will be expired
'* objUser: the user object
'*
'* nMaxPwdAge: maximum password age of domain
'*
'*-------------------------------------------------------------------
Function UserPwdExpire(objUser)

On Error Resume Next
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const SEC_IN_DAY = 86400

intCurrentValue = objUser.Get("userAccountControl")

If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
'The password does not expire.
UserPwdExpire = 999999 '永遠不過期
Else

dtmValue = objUser.PasswordLastChanged
if err.number <> 0 then
dtmValue = 0
err.Clear
end if


PrintScreen vbTab & " The password was last changed on " & DateValue(dtmValue) & " at " & TimeValue(dtmValue)
'PrintScreen vbTab & "The password was last changed on " & _
'DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
' "The difference between when the password was last set" & VbCrLf & _
' "and today is " & int(now - dtmValue) & " days"
intTimeInterval = int(now - dtmValue)


Set objSysInfo = CreateObject("ADSystemInfo")
strDomain = objSysInfo.DomainShortName
Set objSysInfo = Nothing

Set objDomainNT = GetObject("WinNT://" & strDomain)
intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")

If intMaxPwdAge < 0 Then
'WScript.Echo "The Maximum Password Age is set to 0 in the " & _
'"domain. Therefore, the password does not expire."
Else
intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
'Wscript.echo "The maximum password age is " & intMaxPwdAge & " days"
If intTimeInterval >= intMaxPwdAge Then
'PrintScreen vbTab & "The password has expired."
UserPwdExpire = int(intTimeInterval - intMaxPwdAge)
Else
'PrintScreen vbTab & "The password will expire on " & _
' DateValue(dtmValue + intMaxPwdAge) & " (" & _
' int((dtmValue + intMaxPwdAge) - now) & " days from today" & ")."
UserPwdExpire = int(now - (dtmValue + intMaxPwdAge))
End If
End If
End If
End Function

'******************************
' Mail Message
'Reference : Creating and Sending a Message
'http://msdn.microsoft.com/library/en-us/cdosys/html/_cdosys_messaging_examples_creating_and_sending_a_message.asp?frame=true
'http://msdn.microsoft.com/library/en-us/cdosys/html/_cdosys_cdosendusing_enum.asp?frame=true
'******************************
Sub SendMail(strFrom, strTo, strSubject, strBodyText)

Dim iMsg
Set iMsg = CreateObject("CDO.Message")
Dim iConf
Set iConf = CreateObject("CDO.Configuration")

Dim Flds
Set Flds = iConf.Fields

With Flds
' assume constants are defined within script file
.Item("cdoSendUsingMethod") = 2 ' cdoSendUsingPickup:1:Local , cdoSendUsingPort:2:Network
.Item("cdoSendUsingPort") = 25 'cdoSendUsingPort
.Item("cdoSMTPServer") = strSMTPServer
.Item("cdoSMTPConnectionTimeout") = 10 ' quick timeout
.Item("cdoSMTPAuthenticate") = cdoBasic
.Item("cdoSendUserName") = strSendUserName
.Item("cdoSendPassword") = strSendPassword
'.Item("cdoURLProxyServer") = "tpeproxy:80"
.Item("cdoURLProxyBypass") = "<local>"
.Item("cdoURLGetLatestVersion") = True
.Update
End With

With iMsg
Set .Configuration = iConf
.To = strTo
.From = strFrom
.Subject = strSubject
'.CreateMHTMLBody "This folder [" & strFolderPath & "] Created in " & intDayNum & " Days"
.TextBody = strBodyText
'.AddAttachment "C:\files\mybook.doc"
.Send
End With

End Sub

'********************************************************************
'*
'* Function: fnCheck_SendMail
'* Purpose: 檢查是否有符合寄信標準的使用者(以arrWillExpiredDays為準)
'* Input: objUser,MailMessage
'*
'* Output: None
'*
'********************************************************************
Function fnCheck_SendMail(objUser,strMSG)
'Send email
On Error Resume Next
Err.Clear

'某些User在此行發生Error
Dim PropArray

'PropArray = Array("proxyAddresses")
'oUser.GetInfoEx Array("proxyAddresses"), 0
aProxyAddress = objUser.GetEx("proxyAddresses")

If Err<>0 Then
PrintScreen vbTab & Time & " The user doesn't have email address."
Err.Clear
Else

For Each saProxyAddress in aProxyAddress

'Need a string variable to transfer the saProxyAddress
strMailAddress = saProxyAddress

ePos = Instr(1,strMailAddress,"SMTP:",VbTextCompare)

'PrintScreen vbTab & vbTab & "ePos = " & ePos

If ePos > 0 Then

strEmail = mid(strMailAddress,6)
PrintScreen vbTab & " Email Address: " & strEmail

'Use Exchange Server to send mail
'SendMail MASTERMAIL, strEmail, "Password expiration notification!", strMSG

'If server installed the SMTP Service
SendMessage MASTERMAIL, strEmail, "Password expiration notification!", strMSG

PrintScreen vbTab & " " & Time & " Finish sending email!"

Exit For

Else
'PrintScreen vbTab & vbTab & " No SMTP: string"
End If

Next

End If
end Function
'******************************************************************************
' Send messages with CDO for Windows 2000
' strTo: [in] To
' strFrom: [in] From
' strSubject: [in] Subject
' strBodyFile: [in] Body text file
'******************************************************************************
Sub SendMessage(strFrom, strTo, strSubject, strBodyText)

' For more information about CDO for Windows 2000, please refer to
' http://msdn.microsoft.com/library/en-us/exchanchor/htms/msexchsvr_cdowin2000.asp?frame=true

'On Error Resume Next
Dim oMessage ' as CDO.Message
Set oMessage = CreateObject("CDO.Message")

oMessage.TextBody = strBodyText
oMessage.To = strTo
oMessage.From = strFrom
oMessage.Subject = strSubject
Err.Clear
oMessage.Send

If Err.number <> 0 then
Wscript.Echo "Error in SendMessage: id=" & Err.number & ", source=" & Err.Source & ",Desc=" & Err.Description
Err.Clear
End If
Set oMessage = nothing

End Sub

修复方案:

。。。

版权声明:转载请注明来源 if、so@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-10-07 17:22

厂商回复:

多谢提醒,马上修复。

最新状态:

暂无