当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0164397

漏洞标题:支付安全之普天银通某系统存在java反序列化漏洞(root权限)

相关厂商:普天银通支付有限公司

漏洞作者: Martial

提交时间:2015-12-25 10:00

修复时间:2016-02-09 23:29

公开时间:2016-02-09 23:29

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-25: 细节已通知厂商并且等待厂商处理中
2015-12-29: 厂商已经确认,细节仅向厂商公开
2016-01-08: 细节向核心白帽子及相关领域专家公开
2016-01-18: 细节向普通白帽子公开
2016-01-28: 细节向实习白帽子公开
2016-02-09: 细节向公众公开

简要描述:

关于钱的问题

详细说明:

普天银通支付有限公司
**.**.**.**/index/index.action
java反序列化漏洞
查看了下 是root权限

1.jpg


查看下配置文件

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://**.**.**.**/weblogic/domain" xmlns:sec="http://**.**.**.**/weblogic/security" xmlns:wls="http://**.**.**.**/weblogic/security/wls" xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance" xsi:schemaLocation="http://**.**.**.**/weblogic/security/xacml http://**.**.**.**/weblogic/security/xacml/1.0/xacml.xsd http://**.**.**.**/weblogic/security/providers/passwordvalidator http://**.**.**.**/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://**.**.**.**/weblogic/domain http://**.**.**.**/weblogic/1.0/domain.xsd http://**.**.**.**/weblogic/security http://**.**.**.**/weblogic/1.0/security.xsd http://**.**.**.**/weblogic/security/wls http://**.**.**.**/weblogic/security/wls/1.0/wls.xsd">
  <name>polypay</name>
  <domain-version>**.**.**.**</domain-version>
  <security-configuration>
    <name>polypay</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://**.**.**.**/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://**.**.**.**/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://**.**.**.**/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}/7Ik7oTKxi65RwkFuZBEsbosju+lwSGpUXlb0hdnVvyDcHfXAAkFS3tZwkRAOqNDHVvYyzdnxnGyl9C/rg2rHN2W0d4gzIG+5nREvkNEnxZWAU8MFfHPaWq/0D3vLA4k</credential-encrypted>
    <node-manager-username>8hLwWVJXEL</node-manager-username>
    <node-manager-password-encrypted>{AES}84nf+IHhuCTZyHTH9+eqMiHyZYZ2xOtvvoc7mJmjQmA=</node-manager-password-encrypted>
  </security-configuration>
  <log>
    <number-of-files-limited>true</number-of-files-limited>
    <file-min-size>500</file-min-size>
    <rotate-log-on-startup>true</rotate-log-on-startup>
  </log>
  <server>
    <name>AdminServer</name>
    <listen-port>80</listen-port>
    <listen-address></listen-address>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
  <embedded-ldap>
    <name>polypay</name>
    <credential-encrypted>{AES}flystwnqS/j46LjhFpkiyquPwKvmeWE7QYS/aUDucixuFqOCfXaY+F9wohBOGhUm</credential-encrypted>
  </embedded-ldap>
  <administration-port-enabled>true</administration-port-enabled>
  <administration-port>9080</administration-port>
  <configuration-version>**.**.**.**</configuration-version>
  <app-deployment>
    <name>ptyt</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>/web/webapps/ptyt/web</source-path>
    <plan-dir xsi:nil="true"></plan-dir>
    <plan-path>/web/webapps/ptyt/web/Plan.xml</plan-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>**.**.**.**</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>/web/webapps/polypay/web</source-path>
    <plan-dir xsi:nil="true"></plan-dir>
    <plan-path>/web/webapps/polypay/web/Plan.xml</plan-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>gateway</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>/web/webapps/gatewayrtn/web</source-path>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <admin-server-name>AdminServer</admin-server-name>
  <internal-apps-deploy-on-demand-enabled>true</internal-apps-deploy-on-demand-enabled>
</domain>


2.jpg


3.jpg

漏洞证明:

2.jpg


3.jpg

修复方案:

升级

版权声明:转载请注明来源 Martial@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-29 18:27

厂商回复:

CNVD确认所述漏洞情况,已经转由CNCERT下发上海分中心,由其后续协调网站管理单位处置。

最新状态:

暂无