
Vulnerability summary

Defect ID: wooyun-2016-0184687

Title: Guangxi Mobile: an Elasticsearch instance is misconfigured, allows arbitrary operations and exposes a large amount of sensitive information (subscriber phone numbers / IMEI / IMSI / online times / locations, etc.)

Vendor: 广西移动 (Guangxi Mobile)

Author: 路人甲

Submitted: 2016-03-15 00:00

Fixed: 2016-05-02 18:28

Published: 2016-05-02 18:28

Vulnerability type:

Severity: High

Self-assessed Rank: 12

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2016-03-15: details sent to the vendor, awaiting the vendor's handling
2016-03-18: vendor confirmed; details visible to the vendor only
2016-03-28: details opened to core white hats and experts in the relevant field
2016-04-07: details opened to regular white hats
2016-04-17: details opened to intern white hats
2016-05-02: details opened to the public

Brief description:

As per the title.

Detailed description:

(masked area: the public page redacts this section; only fragments survive. It lists the three endpoints below and the same dashboard and log records that appear unredacted under 漏洞证明 / Proof of vulnerability further down.)
1. ://**.**.**/_
2. ://**.**.**/_plugin/head/_
3. ://**.**.**/_plugin/head/_

Proof of vulnerability:

**.**.**.**:9200/

111.png


**.**.**.**:9200/_plugin/head/
The names alone tell you it is Guangxi Mobile...

111.png


**.**.**.**:9200/_plugin/head/

111.png


{
"_index": ".kibana",
"_type": "dashboard",
"_id": "广西移动缓存状态",
"_version": 9,
"_score": 1,
"_source": {
"title": "广西移动缓存状态",
"hits": 0,
"description": "",
"panelsJSON": "[{\"col\":7,\"id\":\"广西各ats每秒访问次数\",\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"广西移动atsHIT-slash-MISS-slash-ERR比例\",\"row\":6,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"湖南移动ats每秒访问次数\",\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":10,\"id\":\"广西移动各台ats请求次数比\",\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"id\":\"广西移动回源吐出速率\",\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"id\":\"广西移动ats状态码分布\",\"row\":6,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"广西移动ats流量top50域名及其回源流量\",\"row\":3,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"广西移动ats响应错误次数top、\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":3,\"col\":1,\"row\":3},{\"id\":\"ats单个域名总流量\",\"type\":\"visualization\",\"size_x\":3,\"size_y\":3,\"col\":7,\"row\":6}]",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
}
}
}


Subscriber phone numbers / IMEI / IMSI / online times / locations, etc.

{
"_index": "log_youku",
"_type": "w-log",
"_id": "AVI-vc0Bb6s_dT585pUZ",
"_version": 1,
"_score": 1,
"_source": {
"message": "2016-01-12 15:53:45.817000,2016-01-12 15:53:48.206000,460011951963824,iPhone4S,0136050026673423,3G,浏览,优酷,60000:HTTP超时未响应,无响应,文昌市,HKMME05,**.**.**.**,,,WCW0509A0文昌抱罗东排W1,超时未合成,**.**.**.**,中华人民共和国,海南省,海口市,3gnet,中国联通移动网,省内漫游,2016/01/12/15/53/45-600523929,**.**.**.**,TCP,2388,首页,**.**.**.**,874,92,4,2.83,2,2237,810,,,,,,,,,,,,,0,,62,,118,,3,1,212991,6760,1,70,,,,,get,1,151,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,0,0,0,0,0,13111925386
",
"@version": "1",
"@timestamp": "2016-01-14T06:06:12.048Z",
"host": "**.**.**.**",
"path": "/tmp/a.log",
"type": "w-log",
"start_t": "2016-01-12 15:53:45.817000",
"stop_t": "2016-01-12 15:53:48.206000",
"user_IMSI": "460011951963824",
"client_type": "iPhone4S",
"IMEI": "0136050026673423",
"access_type": "3G",
"event_type": "浏览",
"event_sub_type": "优酷",
"faild_reason": "60000:HTTP超时未响应",
"process_result": "无响应",
"access_city": "文昌市",
"SGSN": "HKMME05",
"GGSN": "**.**.**.**",
"RNC_BSC": "",
"RAC": "",
"CELL": "WCW0509A0文昌抱罗东排W1",
"synthetic_mark": "超时未合成",
"user_ip": "**.**.**.**",
"country": "中华人民共和国",
"province": "海南省",
"city": "海口市",
"APN": "3gnet",
"dst_ISP": "中国联通移动网",
"roaming_type": "省内漫游",
"TDRID": "2016/01/12/15/53/45-600523929",
"DST_IP": "**.**.**.**",
"connection_type": "TCP",
"application_time": 2388,
"XDR": "首页",
"HOST": "**.**.**.**",
"up_flow": 874,
"down_flow": 92,
"up_packet": 4,
"speed": 2,
"down_packet": 2,
"transmission_time": 2237,
"transmission_byte": 810,
"client_isp": "",
"client_country": "",
"client_province": "",
"client_city": "",
"DNS_type": "",
"DNS_result": "",
"DNS_req_delay": 0,
"DNS_success_delay": 0,
"DNS_domain": "",
"DNS_tran_count": 0,
"DNS_TTL": 0,
"DNS_server": "",
"syn_delay": 0,
"syn_retry_count": 0,
"synACK_delay": 62,
"synACK_retry_count": 0,
"ack_delay": 118,
"ack_retry_count": 0,
"tcp_window_up_count": 3,
"tcp_window_down_count": 1,
"tcp_window_up_size": 212991,
"tcp_window_down_size": 6760,
"up_RTT_count": 1,
"up_RTT_delay": 70,
"down_RTT_count": 0,
"down_RTT_delay": 0,
"tcp_retry_count": 0,
"tcp_retry_byte": 0,
"method": "get",
"req_count": 1,
"req_delay": 151,
"response_delay": 0,
"response_retry_count": 0,
"URL": "",
"UA": "",
"IM_type": "",
"IM_req_delay": 0,
"IM_response_delay": 0,
"smtp_req_delay": 0,
"smtp_response_delay": 0,
"smtp_send_delay": 0,
"smtp_send_success_delay": 0,
"pop_delay": "",
"pop_response_delay": "",
"pop_resv_delay": "",
"pop_resv_success_delay": "",
"stream_q": "",
"stream_stop_count": 0,
"stream_req_delay": 0,
"stream_req_success_delay": 0,
"stream_session_req_delay": 0,
"stream_session_req_success_delay": 0,
"stream_down_req_delay": 0,
"stream_down_success_delay": 0,
"ftp_req_delay": 0,
"ftp_req_success_delay": 0,
"ftp_down_req_delay": 0,
"ftp_down_success_delay": 0,
"ftp_up_req_delay": 0,
"ftp_up_success_delay": 0,
"peer_num": "",
"peer_num_count": 0,
"cx_req_delay": 0,
"cx_success_delay": 0,
"cx_resv_delay": 0,
"cx_resv_success_delay": 0,
"ack_pack_count": 0,
"date_ack_count": 0,
"up_retry_delay": 0,
"down_retry_delay": 0,
"up_retry_count": 0,
"down_retry_count": 0,
"up_retry_data_count": 0,
"down_retry_data_count": 0,
"user_num": "13111925386
"
}
}


{
"_index": "log_youku",
"_type": "w-log",
"_id": "AVI-vcyHb6s_dT585pRt",
"_version": 1,
"_score": 1,
"_source": {
"message": "2016-01-12 08:22:34.656000,2016-01-12 08:22:36.682000,460018979902282,35203007,3520300721647006,3G,浏览,优酷,,成功,,HKMME05,HKSAEGW03,,,460015863108330,正常合成,**.**.**.**,中华人民共和国,海南省,海口市,3gnet,中国联通移动网,国内漫出,2016/01/12/08/22/34-600489713,**.**.**.**,TCP,2026,首页,**.**.**.**,2596,77212,45,1149.83,58,540,79476,中国联通移动网,中华人民共和国,广东省,,,,,,,,,,0,,66,,97,,44,57,128689,15848,1,66,33,93,1,1,get,1,117,183,,**.**.**.**/051000005693d29e6714c05b2d0038dd ,tudou/15120714 cfnetwork/711.4.6 darwin/14.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,0,0,0,0,1,13198935212
",
"@version": "1",
"@timestamp": "2016-01-14T06:06:12.075Z",
"host": "**.**.**.**",
"path": "/tmp/a.log",
"type": "w-log",
"start_t": "2016-01-12 08:22:34.656000",
"stop_t": "2016-01-12 08:22:36.682000",
"user_IMSI": "460018979902282",
"client_type": "35203007",
"IMEI": "3520300721647006",
"access_type": "3G",
"event_type": "浏览",
"event_sub_type": "优酷",
"faild_reason": "",
"process_result": "成功",
"access_city": "",
"SGSN": "HKMME05",
"GGSN": "HKSAEGW03",
"RNC_BSC": "",
"RAC": "",
"CELL": "460015863108330",
"synthetic_mark": "正常合成",
"user_ip": "**.**.**.**",
"country": "中华人民共和国",
"province": "海南省",
"city": "海口市",
"APN": "3gnet",
"dst_ISP": "中国联通移动网",
"roaming_type": "国内漫出",
"TDRID": "2016/01/12/08/22/34-600489713",
"DST_IP": "**.**.**.**",
"connection_type": "TCP",
"application_time": 2026,
"XDR": "首页",
"HOST": "**.**.**.**",
"up_flow": 2596,
"down_flow": 77212,
"up_packet": 45,
"speed": 1149,
"down_packet": 58,
"transmission_time": 540,
"transmission_byte": 79476,
"client_isp": "中国联通移动网",
"client_province": "中华人民共和国",
"client_city": "广东省",
"DNS_type": "",
"DNS_result": "",
"DNS_req_delay": 0,
"DNS_success_delay": 0,
"DNS_domain": "",
"DNS_tran_count": 0,
"DNS_TTL": 0,
"DNS_server": "",
"syn_delay": 0,
"syn_retry_count": 0,
"synACK_delay": 0,
"synACK_retry_count": 66,
"ack_delay": 0,
"ack_retry_count": 97,
"tcp_window_up_count": 0,
"tcp_window_down_count": 44,
"up_RTT_count": 57,
"up_RTT_delay": 128689,
"down_RTT_count": 15848,
"down_RTT_delay": 1,
"tcp_retry_count": 66,
"tcp_retry_byte": 33,
"method": "93",
"req_count": 1,
"req_delay": 1,
"response_delay": 0,
"response_retry_count": 1,
"URL": "117",
"UA": "183",
"IM_type": "",
"IM_req_delay": 0,
"IM_response_delay": 0,
"smtp_req_delay": 0,
"smtp_response_delay": 0,
"smtp_send_delay": 0,
"smtp_send_success_delay": 0,
"post_delay": 0,
"post_response_delay": 0,
"post_resv_delay": 0,
"post_resv_success_delay": 0,
"stream_q": "",
"stream_stop_count": 0,
"stream_req_delay": 0,
"stream_req_success_delay": 0,
"stream_session_req_delay": 0,
"stream_session_req_success_delay": 0,
"stream_down_req_delay": 0,
"stream_down_success_delay": 0,
"ftp_req_delay": 0,
"ftp_req_success_delay": 0,
"ftp_down_req_delay": 0,
"ftp_down_success_delay": 0,
"ftp_up_req_delay": 0,
"ftp_up_success_delay": 0,
"peer_num": "",
"peer_num_count": 0,
"cx_req_delay": 0,
"cx_success_delay": 0,
"cx_resv_delay": 0,
"cx_resv_success_delay": 0,
"ack_pack_count": 0,
"date_ack_count": 0,
"up_retry_delay": 0,
"down_retry_delay": 0,
"up_retry_count": 0,
"down_retry_count": 0,
"up_retry_data_count": 0,
"down_retry_data_count": 0,
"user_num": "0"
}
}


111.png


111.png


1.12 million (112万) records in total.

111.png
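The walk-through above (list the indices through the head plugin, open one record, recognise the subscriber identifiers in it, count the documents) can be done from the REST API directly, and it is worth turning into a repeatable check that does not copy the identifiers it finds into the write-up. The Python module below is an added example, not code from the original report or from WooYun. It assumes an Elasticsearch 1.x/2.x node answering the unauthenticated REST API on port 9200, as the report describes; the HTTP calls are injected as functions so that the module runs offline against the constructed sample responses embedded in it, and the host 203.0.113.10 and every identifier in those samples are made up (a documentation address and dummy IMSI/IMEI/number values), not values taken from the leak.

```python
"""Added example (not code from the original report or from WooYun): triage
an exposed Elasticsearch 1.x/2.x node for subscriber-identifying data.
Assumptions: the node answers the unauthenticated REST API on :9200 that the
report describes; fetch_text/fetch_json are injected so the module runs
offline on the constructed samples below; 203.0.113.10 is a documentation
address, not the reported host; all sample identifiers are dummies.
"""
import json
import re
from typing import Callable, Dict, List

# Field names indicating subscriber data: the names seen in the report's
# records (user_IMSI, IMEI, user_num, user_ip) plus common variants.
PII_FIELD_RE = re.compile(r"imsi|imei|msisdn|user_num|phone|mobile|user_ip",
                          re.IGNORECASE)
# Value-shape checks for raw CSV text (the `message` field), where positions
# carry no names. Digit lookarounds stop a 15-digit run matching as 11 digits.
IMSI_RE = re.compile(r"(?<!\d)460\d{12}(?!\d)")      # MCC 460 (China) + 12 digits
IMEI_RE = re.compile(r"(?<!\d)\d{15,16}(?!\d)")      # 15-digit IMEI / 16-digit IMEISV
MSISDN_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")  # 11-digit Chinese mobile number


def parse_cat_indices(text: str) -> Dict[str, int]:
    """Parse `GET /_cat/indices?h=index,docs.count` into {index: doc_count}."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            out[parts[0]] = int(parts[1])
    return out


def pii_fields(mapping: dict, index: str) -> List[str]:
    """Field names in an ES 1.x/2.x mapping ({index: {mappings: {type:
    {properties: {...}}}}}) whose names look like subscriber identifiers."""
    found = set()
    for body in mapping.get(index, {}).get("mappings", {}).values():
        for field in body.get("properties", {}):
            if PII_FIELD_RE.search(field):
                found.add(field)
    return sorted(found)


def classify_values(text: str) -> Dict[str, int]:
    """Count distinct identifier-shaped tokens in free text."""
    imsi = set(IMSI_RE.findall(text))
    msisdn = set(MSISDN_RE.findall(text))
    imei = set(IMEI_RE.findall(text)) - imsi  # a 15-digit IMSI also fits the IMEI shape
    return {"imsi": len(imsi), "imei": len(imei), "msisdn": len(msisdn)}


def redact(text: str) -> str:
    """Mask identifiers so a finding can be written up without copying PII;
    the first 5 digits survive (MCC+MNC of an IMSI, the prefix of a number)."""
    def mask(m):
        v = m.group(0)
        return v[:5] + "*" * (len(v) - 5)
    for rx in (IMSI_RE, MSISDN_RE, IMEI_RE):
        text = rx.sub(mask, text)
    return text


def triage(base_url: str, fetch_text: Callable[[str], str],
           fetch_json: Callable[[str], dict]) -> List[dict]:
    """List every index, then flag PII-named mapping fields and
    identifier-shaped values in one sample hit per index."""
    findings = []
    cat = fetch_text(f"{base_url}/_cat/indices?h=index,docs.count")
    for index, count in parse_cat_indices(cat).items():
        mapping = fetch_json(f"{base_url}/{index}/_mapping")
        resp = fetch_json(f"{base_url}/{index}/_search?size=1")
        hits = resp.get("hits", {}).get("hits", [])
        sample = json.dumps(hits[0]["_source"], ensure_ascii=False) if hits else ""
        fields, values = pii_fields(mapping, index), classify_values(sample)
        if fields or any(values.values()):
            findings.append({"index": index, "docs": count,
                             "pii_fields": fields, "sample_ids": values,
                             "redacted_sample": redact(sample)[:200]})
    return findings


# --- constructed sample responses (dummy values, not captured from any host) ---
SAMPLE_CAT = "log_youku 1120000\n.kibana 12\n"
SAMPLE_MAPPING = {
    "log_youku": {"mappings": {"w-log": {"properties": {
        "user_IMSI": {"type": "string"}, "IMEI": {"type": "string"},
        "user_num": {"type": "string"}, "message": {"type": "string"},
        "down_flow": {"type": "long"}}}}},
    ".kibana": {"mappings": {"dashboard": {"properties": {
        "title": {"type": "string"}, "panelsJSON": {"type": "string"}}}}},
}
SAMPLE_HITS = {
    "log_youku": {"hits": {"hits": [{"_source": {
        "message": "2016-01-12 15:53:45,460001234567890,iPhone4S,"
                   "0123456789012345,3G,13800138000",
        "user_IMSI": "460001234567890", "IMEI": "0123456789012345",
        "user_num": "13800138000", "down_flow": 92}}]}},
    ".kibana": {"hits": {"hits": [{"_source": {
        "title": "cache status", "panelsJSON": "[]"}}]}},
}


def _fake_text(url: str) -> str:
    return SAMPLE_CAT


def _fake_json(url: str) -> dict:
    index = url.split("/")[3]  # http://host:9200/<index>/...
    return SAMPLE_MAPPING if url.endswith("/_mapping") else SAMPLE_HITS[index]


def demo() -> List[dict]:
    return triage("http://203.0.113.10:9200", _fake_text, _fake_json)


if __name__ == "__main__":
    print(json.dumps(demo(), ensure_ascii=False, indent=2))
```

Against a live node the two `_fake_*` functions would be replaced with real HTTP calls (for example `urllib.request.urlopen`), and only against hosts you are authorised to test. On the defensive side, the settings that close this class of exposure on the 1.x/2.x releases in use here are `network.host` in elasticsearch.yml (1.x listened on all interfaces by default; 2.x changed the default to localhost), removing the head site plugin from production nodes so that `_plugin/head/` no longer exists, and placing authentication in front of port 9200, either a reverse proxy with access control or Shield, the vendor's authentication plugin for those releases.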


Fix suggestion:

Elasticsearch misconfiguration: the HTTP API on port 9200 and the head site plugin are reachable without any authentication, so anyone who finds the host can read, modify or delete the indices.

Copyright notice: reproduction must credit the source, 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-03-18 18:28

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded by CNCERT to China Mobile Group Corporation, which will coordinate handling with the website's administration department.

Latest status:

None yet