当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-090533

漏洞标题:苏宁某边界网络设备存在弱口令(可覆盖配置文件,带SSLVPN功能)

相关厂商:江苏苏宁易购电子商务有限公司

漏洞作者: 猪猪侠

提交时间:2015-01-07 18:01

修复时间:2015-02-21 18:02

公开时间:2015-02-21 18:02

漏洞类型:基础设施弱口令

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-07: 细节已通知厂商并且等待厂商处理中
2015-01-07: 厂商已经确认,细节仅向厂商公开
2015-01-17: 细节向核心白帽子及相关领域专家公开
2015-01-27: 细节向普通白帽子公开
2015-02-06: 细节向实习白帽子公开
2015-02-21: 细节向公众公开

简要描述:

苏宁某边界网络设备存在弱口令(带SSLVPN配置文件),深一步利用可能可以绕过边界防火墙

详细说明:

网络设备ftp服务弱口令: admin:admin

172-13-1-117:~ root$ ftp 58.213.19.168
Connected to 58.213.19.168.
220 FTP service ready.
Name (58.213.19.168:root): admin
331 Password required for admin.
Password:
230 User logged in.
Remote system type is H3C.
ftp> ls
227 Entering Passive Mode (58,213,19,168,19,23).
125 ASCII mode data connection already open, transfer starting for /*.
drwxrwxrwx 1 noone nogroup 0 Oct 19 2010 logfile
-rwxrwxrwx 1 noone nogroup 16256 Oct 19 2010 p2p_default.mtd
-rwxrwxrwx 1 noone nogroup 3751 Aug 18 2014 system.xml
-rwxrwxrwx 1 noone nogroup 6187 Aug 18 2014 startup.cfg
-rwxrwxrwx 1 noone nogroup 27450368 Jul 08 2014 msr30-cmw520-r2513p01-si.bin
-rwxrwxrwx 1 noone nogroup 24621440 Jul 08 2014 msr30-cmw520-r2207-si.bin
-rwxrwxrwx 1 noone nogroup 17449340 Jul 08 2014 msr30-cmw520-r2207p38-bi.bin
-rwxrwxrwx 1 noone nogroup 20147 Aug 18 2014 config.cwmp
-rwxrwxrwx 1 noone nogroup 5324 Jul 25 2014 _startup_bak.cfg
-rwxrwxrwx 1 noone nogroup 476922 Aug 01 2014 vpn3040.diag
-rwxrwxrwx 1 noone nogroup 188545 Aug 17 2014 default.diag
-rwxrwxrwx 1 noone nogroup 18324480 Aug 18 2014 msr30-cmw520-r2311-bi.bin
226 Transfer complete.


基础设施的鉴权信息,确认是suning的设备

local-user suning
password cipher $c$3$AfZxBqelXWlJXRiJ83Av2ivB+WWEmBPDTEACLinFGc3+
authorization-attribute level 3
service-type ssh


对外开放了telnet和http管理端口,你懂得

EB336161-0715-42DA-BD6B-962B1DE56394.jpg


163CE164-16DA-40F1-B507-08529AEC707C.jpg


suning: 内部网络架构透明

#
dar p2p signature-file cfa0:/p2p_default.mtd
#
port-security enable
#
password-recovery enable
#
acl number 2000
rule 0 permit source 10.22.9.5 0
rule 5 permit source 10.22.9.215 0
rule 10 permit source 10.21.160.99 0
#
acl number 3000
rule 0 permit ip source 58.213.19.168 0 destination 221.226.125.148 0
rule 5 permit ip source 1.1.1.1 0
rule 10 permit ip source 221.226.125.148 0
rule 15 permit ip source 2.2.2.2 0
acl number 3002 match-order auto
description 2xuzhuangÏÞËÙ
rule 0 permit ip destination 192.168.40.149 0
acl number 3303 match-order auto
description vpn2xuzhuang
rule 10 deny ip source 10.21.160.99 0
rule 0 deny ip destination 10.21.160.99 0
rule 5 permit ip
acl number 3304 match-order auto
rule 5 permit ip source 192.168.0.0 0.0.255.255
rule 10 permit ip source 10.19.0.0 0.0.255.255
rule 15 permit ip source 10.24.0.0 0.0.255.255
rule 20 permit ip source 10.22.0.0 0.0.255.255
rule 0 deny ip destination 192.168.13.49 0
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike proposal 1
encryption-algorithm 3des-cbc
#
ike peer access
exchange-mode aggressive
proposal 1
pre-shared-key cipher $c$3$t6cH9TYK0j2lvziyz+VkcwnYSezftt1ugw==
id-type name
remote-name access
nat traversal
#
ike peer xinjiekou
exchange-mode aggressive
proposal 1
pre-shared-key cipher $c$3$fOTu6fpwl5bY1oMj/cT2stF3Ue5ED707rVdZUw==
id-type name
remote-name xinjiekou
nat traversal
#
ike peer yinhe
exchange-mode aggressive
proposal 1
pre-shared-key cipher $c$3$qjZO04rPk/ZAh0UJXOOG37rn958LzcHx3CZ/cuw=
id-type name
remote-name yinhe
nat traversal
#
ipsec transform-set default
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec policy-template xinjiekou 1
ike-peer xinjiekou
transform-set default
#
ipsec policy-template xuzhuang 1
ike-peer access
transform-set default
#
ipsec policy-template yinhe 1
ike-peer yinhe
transform-set default
#
ipsec policy ipsecdx 1 isakmp template xuzhuang
#
ipsec policy ipsecdx 2 isakmp template yinhe
#
ipsec policy ipsecdx 3 isakmp template xinjiekou
#
policy-based-route vpn2xuzhuang permit node 10
if-match acl 3303
apply ip-address next-hop 192.168.13.50
#
policy-based-route vpnup permit node 20
if-match acl 3304
apply ip-address next-hop 192.168.13.205
apply ip-address next-hop 192.168.13.209
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$kczijeyDQHGhKbH67mwOnmOlFMY1ZeHd
authorization-attribute level 3
service-type telnet
service-type ftp
local-user suning
password cipher $c$3$AfZxBqelXWlJXRiJ83Av2ivB+WWEmBPDTEACLinFGc3+
authorization-attribute level 3
service-type ssh
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface Serial4/0
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
#
interface LoopBack1000
#
interface GigabitEthernet0/0
port link-mode route
#
interface GigabitEthernet0/0.104
description To_JS5060-1»¥Áª.025
vlan-type dot1q vid 104
#
interface GigabitEthernet0/0.1101
description To_C7609-1»¥Áª
vlan-type dot1q vid 1101
ip policy-based-route vpn2xuzhuang
#
interface GigabitEthernet0/0.1102
description To_C7609-2»¥Áª
vlan-type dot1q vid 1102
ip policy-based-route vpn2xuzhuang
#
interface GigabitEthernet0/1
port link-mode route
description To_»¥ÁªÍø
#
interface GigabitEthernet0/1.2
description To_CTC01
vlan-type dot1q vid 2
ipsec policy ipsecdx
qos gts acl 3002 cir 50000 cbs 3125000 ebs 0 queue-length 50
#
interface Tunnel0
description To_Ðìׯ×ܲ¿
mtu 1524
source LoopBack0
destination 2.2.2.2
ip policy-based-route vpnup
#
nqa entry 1 1
type icmp-echo
data-size 20
destination ip 192.168.13.50
frequency 1000
probe count 2
probe timeout 50
reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
source ip 192.168.13.49
ttl 1
#
ip route-static 0.0.0.0 0.0.0.0 58.213.19.129 preference 5
ip route-static 10.19.250.6 255.255.255.255 192.168.13.50
ip route-static 10.21.160.99 255.255.255.255 192.168.13.205
ip route-static 10.21.160.99 255.255.255.255 192.168.13.209 preference 120
ip route-static 10.21.160.245 255.255.255.255 192.168.13.205
ip route-static 10.22.9.5 255.255.255.255 192.168.13.205
ip route-static 10.22.9.5 255.255.255.255 192.168.13.209 preference 120
ip route-static 10.22.9.215 255.255.255.255 192.168.13.50
ip route-static 172.33.0.1 255.255.255.255 172.16.0.1
ip route-static 172.33.0.2 255.255.255.255 172.16.0.2
ip route-static 192.168.0.0 255.255.0.0 192.168.13.209 preference 120
ip route-static 192.168.0.0 255.255.0.0 192.168.13.205
#

漏洞证明:

system.xml

<!-- XML CONFIGURATION FILE -->
<sslvpn>
<diyview>
<title-diy-table>
<row><index-title>SSL&#32;VPN</index-title><welcome-title>Welcome&#32;to&#32;SSL&#32;VPN</welcome-title><service-title>SSL&#32;VPN</service-title></row>
</title-diy-table>
<pic-save-table>
<row><service-logo>/svpn/images/h3c.gif</service-logo><service-bg>/svpn/images/top_right_01.jpg</service-bg><index-logo>/svpn/images/h3c.gif</index-logo></row>
</pic-save-table>
<all-diy-table>
<row><enable>0</enable></row>
</all-diy-table>
</diyview>
<resview>
<res-ipac-global-table>
<row><keepalive>10</keepalive><clireach>0</clireach><onlyvpn>0</onlyvpn><sevdis>0</sevdis></row>
</res-ipac-global-table>
<res-group-table>
<row><id>33890</id><name>autohome</name></row>
<row><id>17507</id><name>autostart</name></row>
</res-group-table>
</resview>
<userview>
<user-group-table>
<row><id>17408</id><name>Guests</name></row>
</user-group-table>
<user-table>
<row><id>2162688</id><name>guest</name><description>Default&#32;guest&#32;user</description><password-md5>3C943016CF71D795F741F76EED5B63AF</password-md5><public>0</public><public-limit>0</public-limit><status>0</status><period>0-0-0</period><studymac>0</studymac></row>
</user-table>
</userview>
<domainview>
<domain-policy-table>
<row><enable-sec-policy>0</enable-sec-policy><enable-verify>0</enable-verify><enable-only-client>0</enable-only-client><enable-bind-mac>0</enable-bind-mac><enable-auto-login>0</enable-auto-login><user-out-time>30</user-out-time><dft-auth-method>1</dft-auth-method><cert-sect>0</cert-sect><verify-out-time>120</verify-out-time></row>
</domain-policy-table>
<cache-policy-table>
<row><clear-cache>1</clear-cache><clear-cookie>1</clear-cookie><clear-client>0</clear-client><clear-config>1</clear-config></row>
</cache-policy-table>
<dom-loc-auth-table>
<row><cerpol>0</cerpol></row>
</dom-loc-auth-table>
<dom-radius-auth-table>
<row><ifstartauth>0</ifstartauth><cerpol>0</cerpol><ifstartcharge>0</ifstartcharge><ifupvirtualaddr>0</ifupvirtualaddr></row>
</dom-radius-auth-table>
<dom-ldap-auth-table>
<row><servport>389</servport><version>3</version><cerpol>0</cerpol><ifstartauth>0</ifstartauth><checkmethod>TEMPLATE</checkmethod></row>
</dom-ldap-auth-table>
<dom-ad-auth-table>
<row><cerpol>0</cerpol><ifstartauth>0</ifstartauth><serverectime>5</serverectime><usrnamestyle>0</usrnamestyle></row>
</dom-ad-auth-table>
<dom-comb-auth-table>
<row><ifstartcombauth>0</ifstartcombauth><cerpol>0</cerpol><ifinputpaswrdagain>0</ifinputpaswrdagain><cerpol_a>0</cerpol_a></row>
</dom-comb-auth-table>
</domainview>
<servermng>
<server-mng-table>
<row><enable>0</enable><port>443</port></row>
</server-mng-table>
</servermng>
</sslvpn>
<nat>
<nat>
<respond-table>
<row><respond-get>0</respond-get></row>
</respond-table>
</nat>
</nat>
<waninter>
<macaddress>
<macclone-table>
<row><ifindex>1048576</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
<row><ifindex>1048577</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eee</devmac><configure>1</configure></row>
<row><ifindex>1049396</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eee</devmac><configure>1</configure></row>
<row><ifindex>1049394</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
<row><ifindex>1049395</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
<row><ifindex>1049393</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row>
</macclone-table>
</macaddress>
</waninter>
<seclanserver>
<rdserver>
<rds-auth-table>
<row><auth-enable>0</auth-enable></row>
</rds-auth-table>
</rdserver>
</seclanserver>


修复方案:

关闭外网接口

版权声明:转载请注明来源 猪猪侠@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-01-07 20:03

厂商回复:

感谢提交,低级错误,把猪猪侠大材小用了。

最新状态:

暂无