
Vulnerability summary

Defect ID: wooyun-2015-0107590

Title: China Telecom Global Eye service platform, generic application, JBoss vulnerability

Vendor: China Telecom Global Eye service platform

Author: myh0st

Submitted: 2015-04-14 18:13

Fixed: 2015-06-01 14:18

Published: 2015-06-01 14:18

Type: file upload leading to arbitrary code execution

Severity: Medium

Self-assessed rank: 10

Status: handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-14: details sent to the vendor, awaiting vendor handling
2015-04-17: vendor confirmed; details visible to the vendor only
2015-04-27: details opened to core white hats and domain experts
2015-05-07: details opened to regular white hats
2015-05-17: details opened to intern white hats
2015-06-01: details opened to the public

Brief description:

A JBoss vulnerability in the generic application of the China Telecom Global Eye service platform allows a webshell to be obtained.

Detailed description:

Affected IP:
http://222.76.124.135/
JBoss vulnerability reference: http://www.1337day.com/exploit/23480
This IP runs a generic JBoss-based application; a JBoss vulnerability allowed a webshell to be obtained.
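The report does not say which JBoss weakness was used beyond the exploit link, but the shell prompt below shows the webshell sitting inside admin-console.war, so the JBoss management consoles were deployed and reachable on this host. The script below is an added check, not part of the original report or the author's tooling: it probes a JBoss AS 5/6 instance for the console paths answering without authentication. The target URL, the user agent string and the response-classification rules are my assumptions. It follows redirects and treats a 200 that carries a login form (the JBoss 6 admin-console redirects to a form login when secured) as protected rather than exposed, to avoid a false positive; an "exposed" result still has to be followed by a manual check that the credentials and deployer are locked down.

```python
"""Check a JBoss AS 5.x/6.x host for management consoles reachable without
authentication. Added example (not from the original WooYun report)."""
import ssl
import sys
import urllib.error
import urllib.request

# Management web applications shipped with JBoss AS 5.x / 6.x (the host in the
# report ran jboss-6.1.0.Final). Any of them answering an unauthenticated GET
# is a deploy-anything primitive, not just an information leak.
CONSOLE_PATHS = (
    "/jmx-console/",
    "/admin-console/",
    "/web-console/",
    "/invoker/JMXInvokerServlet",
)

# Markers of the form-login page the consoles serve when they are secured.
FORM_LOGIN_MARKERS = (b"j_username", b"j_password")


def classify(status, body=b""):
    """Decide what one HTTP response says about console exposure.

    Kept free of I/O so the decision table can be unit-tested offline.
    Returns one of: exposed, form-login, http-auth, forbidden, absent, other.
    """
    if status == 200:
        # admin-console (JBoss 6) answers 200 with a login form when secured,
        # so a bare status check would report a false positive there.
        if any(marker in body for marker in FORM_LOGIN_MARKERS):
            return "form-login"
        return "exposed"
    if status == 401:
        return "http-auth"
    if status == 403:
        return "forbidden"
    if status == 404:
        return "absent"
    return "other"


def fetch(base_url, path, timeout=5.0):
    """GET base_url+path; return (status, body). Never raises on HTTP errors."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # appliances commonly run self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "jboss-console-check/1.0"},  # assumed UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)
    except (urllib.error.URLError, OSError):
        return None, b""


def check_host(base_url):
    """Probe every console path and return {path: verdict}."""
    results = {}
    for path in CONSOLE_PATHS:
        status, body = fetch(base_url, path)
        results[path] = "unreachable" if status is None else classify(status, body)
    return results


if __name__ == "__main__":
    # Usage: python3 jboss_console_check.py http://host:8080
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for console_path, verdict in check_host(target).items():
        print(f"{verdict:12} {target}{console_path}")
```

Run it against an internal JBoss instance before and after hardening; the expected end state is "absent" for every console you do not need (undeploy the .war and the invoker servlet from the deploy directory) and "form-login" or "http-auth" for any you keep, with access further restricted at the network layer.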



Below is the content of this Linux host's hosts file; my preliminary judgement is that it belongs to China Telecom.
[/opt/inms/jboss-6.1.0.Final/common/deploy/admin-console.war/]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
222.76.124.135 fjvam_oc1
134.129.65.206 fjvam_c12
222.77.183.170 fjvam_c18
#117.27.130.49 localhost.localdomain localhost
#117.27.130.122 WIN-Q7D3FVPZ6AA
117.27.130.123 WINDOWS-O5LMI9S
#117.27.130.126 WINDOWS-UBWHF8C
117.27.130.124 WINDOWS-G0X3A2X
#Mobile Global Eye
117.27.130.104 msp1
117.27.130.106 msp3
117.27.130.107 fzWebservice1
117.27.130.108 fzWebservice2
117.27.130.113 WIN-3LCB9S9VL4T
117.27.130.114 WIN-KNOLK2IUTTC
117.27.130.120 PSS-3
117.27.130.22 WIN-DVJFKLQ1PNK
117.27.130.23 WIN-1MQUYZPDS1P
117.27.130.125 WINDOWS-L4RU46W
117.27.130.122 WIN-Q7D3FVPZ6AA
#Fixed-line Global Eye
222.77.183.29 wangguanserver
222.77.183.46 loghost.loghost.com
222.77.183.50 rizhiserver-1
222.77.183.51 access5_51
222.77.183.52 WEBserver
202.101.126.201 SMjieru01
202.101.126.202 SMjieru02
222.77.183.54 access2_back
222.77.183.55 access1_back
222.77.183.56 access4_back
222.77.183.57 access3_back
222.77.183.58 oracle_back
222.77.183.70 access6_back
222.77.183.71 access5_back
222.77.183.141 access05_master
222.77.183.142 access06_master
222.77.183.143 access07_master
222.77.183.144 access7_back
222.77.183.145 update
222.77.183.152 lvs01
222.77.183.153 lvs02
222.77.183.154 access01_master
222.77.183.155 access02_master
222.77.183.156 access03_master
222.77.183.157 access04_master
222.77.183.166 update
222.77.183.167 Fz_Jiaojing_Access
222.77.183.191 access5_191
#222.77.183.223 center02_back
222.77.183.73 97_01
#Fixed-line Global Eye 2009 expansion
222.77.183.37 center01_back
222.77.183.39 oracle-back
222.77.183.40 center04_back
#222.77.183.148 center02_back loghost center02_back.com
222.77.183.148 center02_back
222.77.183.149 center03_back
117.27.130.28 ky-qqy
117.27.130.30 store2
117.27.130.37 WIN-MY8SXKCD0BW
117.27.130.38 localhost
117.27.130.41 megaeyes
117.27.130.42 oracle01.localdomain.com
117.27.130.45 oracle02.localdomain.com
117.27.130.21 zxserver-117.27.130.21
117.27.130.27 cuncserver-117.27.130.27
117.27.130.25 ffserver-117.27.130.25
222.77.183.150 node1_boot1
222.77.183.151 node2_boot1
222.77.183.158 node1_boot1 node2_boot1
#Public Global Eye
222.77.183.74 jboss-74
222.77.183.209 dz_access01
222.77.183.210 dz_access02
222.77.183.212 dz_access03
222.77.183.213 dz_access04
222.77.183.215 dz_duanxin
222.77.183.228 dz_web01
222.77.183.229 dz_web02
222.77.183.231 dz_center01
222.77.183.232 dz_center02
222.77.183.233 dz_disp01
222.77.183.236 dz_shengxun
#Fixed-line Global Eye 2010 expansion
222.77.183.27 jrserver-222.77.183.27
117.27.130.49 ISMP-01
222.77.183.203 center203
222.77.183.31 vpncenter1
222.77.183.223 jboss-223
#Ningde Global Eye
61.131.25.147 NDupdate
61.131.25.163 NDwangguan02
61.131.25.139 NDduanxin
61.131.25.174 ehomeWeb1
61.131.25.175 ehomeWeb2
222.77.146.71 vauc1
222.77.146.72 vauc2
222.77.146.68 NDvaum1
222.77.146.69 NDvaum2
222.77.146.74 NDWebService1
222.77.146.75 NDWebService2
61.131.25.158 NDlogserver
222.77.146.81 localhost.localdomain
222.77.146.82 localhost.localdomain
222.77.146.78 localhost.localdomain
222.77.146.83 msp_1
222.77.146.84 msp_2
222.77.146.91 tupian
222.77.146.92 peizhi
61.131.25.177 NDaccess01
61.131.25.178 NDaccess02
61.131.25.181 NDcenter01
61.131.25.182 NDcenter02
61.131.25.152 NDoracle01
61.131.25.153 NDoracle02
61.131.25.179 NDaccess03
61.131.25.180 NDaccess04
61.131.25.183 NDcenter03
61.131.25.184 NDcenter04
61.131.25.189 access05
61.131.25.190 NDcenter05
61.131.25.145 NDstorage02
61.131.25.148 zhuangtai01
61.131.25.149 zhuangtai02
#Putian Global Eye
218.6.16.29 PTweb
218.6.16.30 shengji-server
218.6.16.83 WIN-4ENPW7TB2EQ
218.6.16.84 vum2
218.6.16.3 PTjieru01
218.6.16.4 PTjieru02
218.6.16.23 PTzhongxin01
218.6.16.24 PTzhongxin02
218.6.16.34 rac2
218.6.16.33 rac1
218.6.16.37 oracle_bak
218.6.16.31 logserver
218.6.16.5 access3-5
218.6.16.25 center3_25
218.6.16.48 access4_48
218.6.16.51 access5_51
218.6.16.52 access-52
218.6.16.49 zhuangtai_49
218.6.16.26 center_26
218.6.16.28 center_dz
#Cloud platform
110.84.128.27 WIN-I8HQ26R1V8J
#Yixiaotong platform
61.131.51.122 ONECARD-APP1
#Cloud onboarding platform -- Tianyi Jingxiang
110.84.128.75 tyjxdb
#Xiamen Global Eye
117.25.223.2 XMjieru01
117.25.223.3 XMjieru02
117.25.223.4 XMjieru03
117.25.223.5 XMzhongxin01
117.25.223.6 XMzhongxin02
117.25.223.7 XMzhongxin03
117.25.223.9 XMweb
117.25.223.12 XMdba
117.25.223.14 XMjieru04
117.25.223.15 XMjieru05
117.25.223.16 XMzhongxin04
117.25.223.26 XMzengzhi
117.25.223.70 XMDZweb04
117.25.223.57 WIN-QV5QLEMWSHR
117.25.223.64 XMDZzhongxin01
117.25.223.65 XMDZzhongxin02
117.25.223.67 XMDZweb01
117.25.223.68 XMDZweb02
117.25.223.69 XMDZweb03
117.25.223.70 XMDZweb04
117.25.223.106 XMjieru6
117.25.223.107 XMjieru7
117.25.223.108 XMzhongxin06
117.25.223.109 XMzhongxin07
117.25.223.116 XMjieruzt02
#Sanming Global Eye
218.67.62.22 SMcunchu07
218.67.62.13 SMcunchu02
202.101.126.218 SMzhongxin03
202.101.126.221 ehome_center1
202.101.126.206 ehome_web1
202.101.126.207 ehome_web2
202.101.126.209 shengxuejiekou
202.101.126.216 SMzhongxin01
202.101.126.217 SMzhongxin02
202.101.126.233 SMdba
202.101.126.211 SMzengzhi
202.101.126.231 SMweb
202.101.126.232 SMshengji
202.101.126.203 smjieru03
202.101.126.210 duanxin
218.67.62.11 SMcunchu01
218.67.62.12 SMcunchu02
#sm-quanqiuyan
202.101.126.221 duanxin
202.101.126.205 SMjieru05
202.101.126.236 SMjieru06
202.101.126.237 SMjieru07
202.101.126.220 SMzhongxin05
202.101.126.225 SMzhongxin06
202.101.126.226 SMzhongxin07
202.101.126.252 SMjieruzhuangtai01
202.101.126.253 SMjieruzhuangtai02
202.101.126.238 SMjieru08
202.101.126.227 SMzhongxin08
202.101.126.239 SMjieru09
02.101.126.228 SMzhongxin09
#xm-quanqiuyan
#172.16.2.116 XMjieruZT02
117.25.223.116 XMjieruZT02
#TSP
59.56.74.51 NginxMaster
59.56.74.52 Business3
59.56.74.53 MessageIFMaster
Below is the root user's bash history, which shows that this host can reach many places.
rm JbossMonitor.log
rm jboss-6.1.0.Final/server/all/log/server.log
sh ./run.sh
exit
pwd
su - inms
exit
su -touches
su
java -version
ll
pwd
su - inms
ll
ps -ef|grep jboss
date
pwd
su - inms
exit
ps -ef |grep jboss
pwd
cd /opt/inms
ll
vi JbossMonitor.log
cd jboss-6.1.0.Final/server/all/log
ll
vi server.log
exit
ll
su - inms
exit
cd /opt/vam
ll
ps -ef |grep tomcat
cd apache-tomcat-6.0.41
ll
cd logs
ll
mv catalina.out catalina.out.bak0211
ll
cd ..
ll
cd bin
ll
./startup.sh
cd ../logs
ll
vi catalina.out
df -h
exit
ls
su - inms
exit
ll
cd /opt/inms
cd /opt/vam
ll
cd apache-tomcat-6.0.41
ll
cd bin
sh ./shutdown.sh
ps -ef |grep tomcat
cd ../logs
ll
mv catalina.out catalina.out.bak0213
ll
rm catalina.out.bak1225
cd ..
cd bin
sh ./startup.sh
cd ../logs
ll
tail -f catalina.out
df -h
exit
su - inms
exit
telnet 117.27.130.28 10163
telnet 117.27.130.28 10161
nc -v -w2 117.27.130.28 10163
nc -v -w2 117.27.130.28 10161
nc -u -z -v -w2 117.27.130.28 10161
nc -u -z -v -w2 218.6.16.31 10161
nc -u -z -v -w2 117.27.130.113 10161
nc -v -w2 117.27.130.113 10163
nc -u -z -v -w2 117.25.223.81 10161
nc -u -z -v -w2 218.6.16.51 10161
nc -u -z -v -w2 117.25.223.16 10161
nc -u -z -v -w2 117.25.223.26 10161
nc -u -z -v -w2 222.77.183.209 10161
nc -u -z -v -w2 222.77.183.145 10161
nc -u -z -v -w2 202.101.126.211 10161
nc -u -z -v -w2 202.101.126.202 10161
nc -u -z -v -w2 202.101.126.201 10161
ping 202.101.126.201
nc -u -z -v -w2 218.6.16.55 161
cd Test
ll
su - inms
exit
netstat -anp |grep 11165
iptables -A INPUT -ptcp --dport 11165 -j ACCEPT
netstat -anp |grep 11165
exit
/etc/init.d/iptables status
exit
cd /etc/ssh
ls -l sshd_config
vi sshd_config
/etc/init.d/sshd restart
vi /etc/sysconfig/iptables
exit
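The hosts file and the root history above are the evidence offered for this host's reach into the wider platform, and they are the two artefacts an incident responder would want to correlate first. The script below is an added example, not the author's tooling: it parses an /etc/hosts dump in the same layout (section comments naming sub-platforms, plus commented-out host entries that must not be mistaken for section headers), parses a bash history for nc/telnet/ping targets, cross-references the targets against the named hosts, and flags log removal, firewall changes and sshd changes of the kind visible in the history above. The sample data is constructed with RFC 5737 documentation addresses and is modelled on the report's dump, including a malformed first octet like the `02.101.126.228` line, but is not the victim's data; the flag categories and regular expressions are my choices.

```python
"""Triage of an /etc/hosts dump and a root bash history from a compromised
host. Added example; sample data is constructed, not copied from the victim."""
import re
from collections import defaultdict

# Constructed sample in the layout of the report's /etc/hosts: section comments,
# a commented-out (disabled) entry, and a malformed IP mimicking the dump's typo.
SAMPLE_HOSTS = """\
127.0.0.1 localhost localhost.localdomain
192.0.2.10 fjvam_oc1
#Mobile Global Eye
192.0.2.28 ky-qqy
#192.0.2.122 WIN-Q7D3FVPZ6AA
192.0.2.113 WIN-3LCB9S9VL4T
#Fixed-line Global Eye
198.51.100.58 oracle_back
198.51.100.209 dz_access01
#Sanming Global Eye
02.101.126.228 SMzhongxin09
"""

# Constructed sample modelled on the report's root bash history.
SAMPLE_HISTORY = """\
rm jboss-6.1.0.Final/server/all/log/server.log
su - inms
nc -u -z -v -w2 192.0.2.28 10161
nc -v -w2 192.0.2.113 10163
nc -u -z -v -w2 198.51.100.58 10161
ping 203.0.113.5
iptables -A INPUT -ptcp --dport 11165 -j ACCEPT
vi /etc/ssh/sshd_config
/etc/init.d/sshd restart
"""

PROBE_COMMANDS = {"nc", "telnet", "ping"}

# Commands worth a second look in a root history on a compromised box.
SUSPICIOUS = {
    "log-removal":   re.compile(r"^\s*(rm|mv)\b.*\b(\w*\.log|catalina\.out)\b"),
    "firewall-edit": re.compile(r"^\s*iptables\b|/etc/sysconfig/iptables"),
    "sshd-edit":     re.compile(r"sshd_config|/etc/init\.d/sshd"),
}


def valid_ipv4(token):
    """Strict dotted-quad check; rejects leading zeros such as '02.101.126.228'."""
    parts = token.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and not (len(p) > 1 and p[0] == "0") and int(p) <= 255
               for p in parts)


def parse_hosts(text):
    """Return ({ip: (section, [names])}, [malformed lines])."""
    entries, malformed, section = {}, [], "(none)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if body and not valid_ipv4(body.split()[0]):
                section = body          # a comment that is not a disabled entry
            continue                    # disabled entries are skipped, section kept
        ip, *names = line.split()
        if valid_ipv4(ip):
            entries[ip] = (section, names)
        else:
            malformed.append(line)
    return entries, malformed


def parse_history(text):
    """Return ([(cmd, ip, port-or-None)], [(flag, line)])."""
    targets, flags = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flags.extend((cat, line) for cat, rx in SUSPICIOUS.items() if rx.search(line))
        tokens = line.split()
        if tokens[0] in PROBE_COMMANDS:
            ips = [t for t in tokens if valid_ipv4(t)]
            if ips:
                # nc/telnet take the port as the last argument; ping has none.
                port = int(tokens[-1]) if tokens[0] != "ping" and tokens[-1].isdigit() else None
                targets.append((tokens[0], ips[0], port))
    return targets, flags


def reach_report(hosts_text, history_text):
    """Cross-reference probed IPs with /etc/hosts, grouped by sub-platform section."""
    entries, malformed = parse_hosts(hosts_text)
    targets, flags = parse_history(history_text)
    by_section = defaultdict(list)
    for cmd, ip, port in targets:
        section, names = entries.get(ip, ("(not in hosts)", []))
        by_section[section].append((ip, names[0] if names else "?", port, cmd))
    return {"known_hosts": len(entries), "malformed_hosts": malformed,
            "probes": len(targets), "by_section": dict(by_section), "flags": flags}


if __name__ == "__main__":
    report = reach_report(SAMPLE_HOSTS, SAMPLE_HISTORY)
    print(f"{report['known_hosts']} named hosts, {report['probes']} probes")
    for section, hits in report["by_section"].items():
        print(f"[{section}]")
        for ip, name, port, cmd in hits:
            print(f"  {cmd} -> {ip} ({name}) port {port}")
    for cat, line in report["flags"]:
        print(f"FLAG {cat}: {line}")
```

On real artefacts, feed it the dumped files rather than the samples; the section grouping turns a flat list of probes into a statement of which sub-platforms the compromised host was already touching, which is what the scoping decision in an incident depends on.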

Proof of vulnerability: identical to the detailed description above.


Remediation:

You should know better than I do.

Copyright notice: please credit the source when reposting: myh0st@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2015-04-17 14:17

Vendor reply:

CNVD did not directly reproduce the described situation; the report has been forwarded via CNCERT to China Telecom Group, which will coordinate handling with the website's administration department.

Latest status:

None