当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0197752

漏洞标题:泛华保险Openfire后台弱口令(可命令执行)

相关厂商:泛华保险服务集团

漏洞作者: 路人甲

提交时间:2016-04-18 11:46

修复时间:2016-06-04 15:20

公开时间:2016-06-04 15:20

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-18: 细节已通知厂商并且等待厂商处理中
2016-04-20: 厂商已经确认,细节仅向厂商公开
2016-04-30: 细节向核心白帽子及相关领域专家公开
2016-05-10: 细节向普通白帽子公开
2016-05-20: 细节向实习白帽子公开
2016-06-04: 细节向公众公开

简要描述:

泛华保险Openfire后台弱口令(可命令执行),直接获取服务器系统权限

详细说明:

http://lzguat.cninsure.net:9090/
admin
admin

漏洞证明:

openfire.png


安装插件,执行系统命令

eth0      Link encap:Ethernet  HWaddr 52:54:00:03:35:71  
          inet addr:10.249.160.147  Bcast:10.249.163.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:292022162 errors:0 dropped:0 overruns:0 frame:0
          TX packets:154062152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:38258612676 (35.6 GiB)  TX bytes:63956569588 (59.5 GiB)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3723450884 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3723450884 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:247122256471 (230.1 GiB)  TX bytes:247122256471 (230.1 GiB)


UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0  2015 ?        00:00:51 /sbin/init
root         2     0  0  2015 ?        00:00:00 [kthreadd]
root         3     2  0  2015 ?        00:00:11 [migration/0]
root         4     2  0  2015 ?        00:00:14 [ksoftirqd/0]
root         5     2  0  2015 ?        00:00:00 [migration/0]
root         6     2  0  2015 ?        00:00:16 [watchdog/0]
root         7     2  0  2015 ?        00:00:12 [migration/1]
root         8     2  0  2015 ?        00:00:00 [migration/1]
root         9     2  0  2015 ?        00:00:16 [ksoftirqd/1]
root        10     2  0  2015 ?        00:00:13 [watchdog/1]
root        11     2  0  2015 ?        00:00:12 [migration/2]
root        12     2  0  2015 ?        00:00:00 [migration/2]
root        13     2  0  2015 ?        00:00:16 [ksoftirqd/2]
root        14     2  0  2015 ?        00:00:13 [watchdog/2]
root        15     2  0  2015 ?        00:00:12 [migration/3]
root        16     2  0  2015 ?        00:00:00 [migration/3]
root        17     2  0  2015 ?        00:00:15 [ksoftirqd/3]
root        18     2  0  2015 ?        00:00:13 [watchdog/3]
root        19     2  0  2015 ?        00:00:12 [migration/4]
root        20     2  0  2015 ?        00:00:00 [migration/4]
root        21     2  0  2015 ?        00:00:16 [ksoftirqd/4]
root        22     2  0  2015 ?        00:00:13 [watchdog/4]
root        23     2  0  2015 ?        00:00:12 [migration/5]
root        24     2  0  2015 ?        00:00:00 [migration/5]
root        25     2  0  2015 ?        00:00:15 [ksoftirqd/5]
root        26     2  0  2015 ?        00:00:13 [watchdog/5]
root        27     2  0  2015 ?        00:00:12 [migration/6]
root        28     2  0  2015 ?        00:00:00 [migration/6]
root        29     2  0  2015 ?        00:00:15 [ksoftirqd/6]
root        30     2  0  2015 ?        00:00:13 [watchdog/6]
root        31     2  0  2015 ?        00:00:11 [migration/7]
root        32     2  0  2015 ?        00:00:00 [migration/7]
root        33     2  0  
2015 ?        00:00:14 [ksoftirqd/7]
root        34     2  0  2015 ?        00:00:12 [watchdog/7]
root        35     2  0  2015 ?        00:05:13 [events/0]
root        36     2  0  2015 ?        00:06:19 [events/1]
root        37     2  0  2015 ?        00:08:21 [events/2]
root        38     2  0  2015 ?        00:06:16 [events/3]
root        39     2  0  2015 ?        00:06:23 [events/4]
root        40     2  0  2015 ?        00:06:17 [events/5]
root        41     2  0  2015 ?        00:07:06 [events/6]
root        42     2  0  2015 ?        00:09:02 [events/7]
root        43     2  0  2015 ?        00:00:00 [cgroup]
root        44     2  0  2015 ?        00:00:06 [khelper]
root        45     2  0  2015 ?        00:00:00 [netns]
root        46     2  0  2015 ?        00:00:00 [async/mgr]
root        47     2  0  2015 ?        00:00:00 [pm]
root        48     2  0  2015 ?        00:00:43 [sync_supers]
root        49     2  0  2015 ?        00:00:49 [bdi-default]
root        50     2  0  2015 ?        00:00:00 [kintegrityd/0]
root        51     2  0  2015 ?        00:00:00 [kintegrityd/1]
root        52     2  0  2015 ?        00:00:00 [kintegrityd/2]
root        53     2  0  2015 ?        00:00:00 [kintegrityd/3]
root        54     2  0  2015 ?        00:00:00 [kintegrityd/4]
root        55     2  0  2015 ?        00:00:00 [kintegrityd/5]
root        56     2  0  2015 ?        00:00:00 [kintegrityd/6]
root        57     2  0  2015 ?        00:00:00 [kintegrityd/7]
root        58     2  0  2015 ?        00:06:58 [kblockd/0]
root        59     2  0  2015 ?        00:08:53 [kblockd/1]
root        60     2  0  2015 ?        00:08:58 [kblockd/2]
root        61     2  0  2015 ?        00:08:46 [kblockd/3]
root        62     2  0  2015 ?        00:08:52 [kblockd/4]
root        63     2  0  2015 ?        00:08:46 [kblockd/5]
root        64     2  0  2015 ?        00:08:52 [kblockd/6]
root        65     2  0  2015 ?        00:08:41 [kblockd/7]
root        66     2  0  2015 ?        00:00:00 [kacpid]
root        67     2 
 0  2015 ?        00:00:00 [kacpi_notify]
root        68     2  0  2015 ?        00:00:00 [kacpi_hotplug]
root        69     2  0  2015 ?        00:00:00 [ata_aux]
root        70     2  0  2015 ?        00:00:00 [ata_sff/0]
root        71     2  0  2015 ?        00:00:00 [ata_sff/1]
root        72     2  0  2015 ?        00:00:00 [ata_sff/2]
root        73     2  0  2015 ?        00:00:00 [ata_sff/3]
root        74     2  0  2015 ?        00:00:00 [ata_sff/4]
root        75     2  0  2015 ?        00:00:00 [ata_sff/5]
root        76     2  0  2015 ?        00:00:00 [ata_sff/6]
root        77     2  0  2015 ?        00:00:00 [ata_sff/7]
root        78     2  0  2015 ?        00:00:00 [ksuspend_usbd]
root        79     2  0  2015 ?        00:00:00 [khubd]
root        80     2  0  2015 ?        00:00:00 [kseriod]
root        81     2  0  2015 ?        00:00:00 [md/0]
root        82     2  0  2015 ?        00:00:00 [md/1]
root        83     2  0  2015 ?        00:00:00 [md/2]
root        84     2  0  2015 ?        00:00:00 [md/3]
root        85     2  0  2015 ?        00:00:00 [md/4]
root        86     2  0  2015 ?        00:00:00 [md/5]
root        87     2  0  2015 ?        00:00:00 [md/6]
root        88     2  0  2015 ?        00:00:00 [md/7]
root        89     2  0  2015 ?        00:00:00 [md_misc/0]
root        90     2  0  2015 ?        00:00:00 [md_misc/1]
root        91     2  0  2015 ?        00:00:00 [md_misc/2]
root        92     2  0  2015 ?        00:00:00 [md_misc/3]
root        93     2  0  2015 ?        00:00:00 [md_misc/4]
root        94     2  0  2015 ?        00:00:00 [md_misc/5]
root        95     2  0  2015 ?        00:00:00 [md_misc/6]
root        96     2  0  2015 ?        00:00:00 [md_misc/7]
root        97     2  0  2015 ?        00:00:00 [linkwatch]
root        98     2  0  2015 ?        00:00:15 [khungtaskd]
root        99     2  0  2015 ?        00:00:02 [kswapd0]
root       100     2  0  2015 ?        00:00:00 [ksmd]
root       101     2  0  2015 ?        00:01:00 [khugepaged]
root       
102     2  0  2015 ?        00:00:00 [aio/0]
root       103     2  0  2015 ?        00:00:00 [aio/1]
root       104     2  0  2015 ?        00:00:00 [aio/2]
root       105     2  0  2015 ?        00:00:00 [aio/3]
root       106     2  0  2015 ?        00:00:00 [aio/4]
root       107     2  0  2015 ?        00:00:00 [aio/5]
root       108     2  0  2015 ?        00:00:00 [aio/6]
root       109     2  0  2015 ?        00:00:00 [aio/7]
root       110     2  0  2015 ?        00:00:00 [crypto/0]
root       111     2  0  2015 ?        00:00:00 [crypto/1]
root       112     2  0  2015 ?        00:00:00 [crypto/2]
root       113     2  0  2015 ?        00:00:00 [crypto/3]
root       114     2  0  2015 ?        00:00:00 [crypto/4]
root       115     2  0  2015 ?        00:00:00 [crypto/5]
root       116     2  0  2015 ?        00:00:00 [crypto/6]
root       117     2  0  2015 ?        00:00:00 [crypto/7]
root       122     2  0  2015 ?        00:00:00 [kthrotld/0]
root       123     2  0  2015 ?        00:00:00 [kthrotld/1]
root       124     2  0  2015 ?        00:00:00 [kthrotld/2]
root       125     2  0  2015 ?        00:00:00 [kthrotld/3]
root       126     2  0  2015 ?        00:00:00 [kthrotld/4]
root       127     2  0  2015 ?        00:00:00 [kthrotld/5]
root       128     2  0  2015 ?        00:00:00 [kthrotld/6]
root       129     2  0  2015 ?        00:00:00 [kthrotld/7]
root       131     2  0  2015 ?        00:00:00 [kpsmoused]
root       132     2  0  2015 ?        00:00:00 [usbhid_resumer]
root       162     2  0  2015 ?        00:00:00 [kstriped]
root       235     2  0  2015 ?        00:00:00 [scsi_eh_0]
root       236     2  0  2015 ?        00:00:00 [scsi_eh_1]
root       327     2  0  2015 ?        00:00:00 [virtio-blk]
root       348     2  0  2015 ?        02:09:09 [kjournald]
root       434     1  0  2015 ?        00:00:00 /sbin/udevd -d
root       569     2  0  2015 ?        00:00:00 [virtio-net]
root       578     2  0  2015 ?        00:00:00 [vballoon]
root       701     2  0  2015 ?        00:0
0:37 [kjournald]
root       921     1  0  2015 ?        00:02:54 auditd
root       937     2  0  2015 ?        00:03:32 [flush-252:0]
root       938     2  0  2015 ?        00:00:55 [flush-252:16]
root       940     1  0  2015 ?        00:01:02 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
dbus       952     1  0  2015 ?        00:00:00 dbus-daemon --system
root       981     1  0  2015 ?        00:00:00 /usr/sbin/acpid
root      1000     1  0  2015 ?        00:00:39 /usr/sbin/sshd
root      1037     1  0  2015 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
mysql     1139  1037  0  2015 ?        00:56:33 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
root      1178     1  0  2015 ?        00:00:00 /usr/sbin/abrtd
root      1190     1  0  2015 ?        00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx     1191  1190  0  2015 ?        00:23:18 nginx: worker process                   
root      1210     1  0  2015 ?        00:00:00 /usr/sbin/atd
root      1228     1  0  2015 ?        00:05:25 /usr/local/agenttools/agent/agent -c /usr/local/agenttools/agent/client.conf
root      1233     1  0  2015 ?        00:00:17 /usr/local/agenttools/agent/agentPlugInD
root      1237     1  0  2015 ?        00:58:06 /usr/local/agenttools/agent/base -d5 -c1 -m4 -s /usr/local/agenttools/agent/base.conf
root      1241     1  0  2015 ?        00:02:21 /usr/local/agenttools/agent/tcvmstat
root      1253     1  0  2015 ?        00:02:24 /usr/local/agenttools/agent/sysddd
root      1265     1  0  2015 tty1     00:00:00 /sbin/mingetty /dev/tty1
root      1267     1  0  2015 tty2     00:00:00 /sbin/mingetty /dev/tty2
root      1269     1  0  2015 tty3     00:00:00 /sbin/mingetty /dev/tty3
root      1271     1  0  2015 ttyS0    00:00:00 /sbin/agetty /dev/ttyS0 9
600 vt100-nav
root      1273     1  0  2015 tty4     00:00:00 /sbin/mingetty /dev/tty4
root      1275     1  0  2015 tty5     00:00:00 /sbin/mingetty /dev/tty5
root      1277     1  0  2015 tty6     00:00:00 /sbin/mingetty /dev/tty6
root      1278   434  0  2015 ?        00:00:00 /sbin/udevd -d
root      1279   434  0  2015 ?        00:00:00 /sbin/udevd -d
root      1345     1  0  2015 ?        00:02:14 /usr/local/qcloud/stargate/sgagent -d
root      1551     1  0 Mar23 ?        00:00:13 crond
root      4410     1  2 Mar29 ?        09:41:41 /dev/java/jdk1.7.0_55/bin/java -server -Dinstall4j.jvmDir=/dev/java/jdk1.7.0_55 -Dexe4j.moduleName=/usr/local/lzg/openfire/bin/openfire -DopenfireHome=/usr/local/lzg/openfire/bin/../ -Dopenfire.lib.dir=/usr/local/lzg/openfire/lib -Dinstall4j.launcherId=22 -Dinstall4j.swt=false -Di4j.vmov=true -Di4j.vmov=true -Di4j.vmov=true -Di4j.vmov=true -Di4j.vmov=true -Di4j.vpt=true -classpath /usr/local/lzg/openfire/.install4j/i4jruntime.jar:/usr/local/lzg/openfire/lib/activation.jar:/usr/local/lzg/openfire/lib/bcpg-jdk15on.jar:/usr/local/lzg/openfire/lib/bcpkix-jdk15on.jar:/usr/local/lzg/openfire/lib/bcprov-jdk15on.jar:/usr/local/lzg/openfire/lib/commons-el.jar:/usr/local/lzg/openfire/lib/gson-2.0.jar:/usr/local/lzg/openfire/lib/hsqldb.jar:/usr/local/lzg/openfire/lib/jasper-compiler.jar:/usr/local/lzg/openfire/lib/jasper-runtime.jar:/usr/local/lzg/openfire/lib/jdic.jar:/usr/local/lzg/openfire/lib/jtds.jar:/usr/local/lzg/openfire/lib/mail.jar:/usr/local/lzg/openfire/lib/mysql.jar:/usr/local/lzg/openfire/lib/openfire.jar:/usr/local/lzg/openfire/lib/postgres.jar:/usr/local/lzg/openfire/lib/servlet.jar:/usr/local/lzg/openfire/lib/slf4j-log4j12.jar:/usr/local/lzg/openfire/lib/startup.jar com.install4j.runtime.launcher.Launcher start org.jivesoftware.openfire.starter.ServerStarter false false /usr/local/lzg/openfire/bin/../logs/stderror.log /usr/local/lzg/openfire/bin/../logs/stdoutt.log true true false  true true 0 0  20 20 Arial 0,0,0 8 500 version 3.9.3 20 40 Arial 0,0,0 8 500 -1
root      
5718  6305  0 11:46 ?        00:00:00 [redis-server] 
root      5719  4410  0 11:46 ?        00:00:00 ps -ef
root      6305     1  0 Mar29 ?        04:00:56 redis-server /etc/redis.conf
root     14716     1  0  2015 ?        00:02:04 barad_agent                                 
root     14723 14716  0  2015 ?        00:21:57 barad_agent                                 
root     14724 14716  0  2015 ?        03:53:28 barad_agent                                 
root     24903  1000  0 09:30 ?        00:00:00 sshd: root@pts/1 
root     24946 24903  0 09:31 pts/1    00:00:00 -bash
root     25133     1  2 09:31 pts/1    00:02:47 /dev/java/jdk1.7.0_55/bin/java -Djava.util.logging.config.file=/usr/local/lzg/tomcat-lzg/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -Xms4g -Xmx6g -XX:PermSize=256m -XX:MaxPermSize=512m -XX:MaxNewSize=512m -Djava.endorsed.dirs=/usr/local/lzg/tomcat-lzg/endorsed -classpath /usr/local/lzg/tomcat-lzg/bin/bootstrap.jar:/usr/local/lzg/tomcat-lzg/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/lzg/tomcat-lzg -Dcatalina.home=/usr/local/lzg/tomcat-lzg -Djava.io.tmpdir=/usr/local/lzg/tomcat-lzg/temp org.apache.catalina.startup.Bootstrap start
root     25188 24946  0 09:31 pts/1    00:00:00 tail -f logs/catalina.out
/lib/jasper-compiler.jar:/usr/local/lzg/openfire/lib/jasper-runtime.jar:/usr/local/lzg/openfire/lib/jdic.jar:/usr/local/lzg/openfire/lib/jtds.jar:/usr/local/lzg/openfire/lib/mail.jar:/usr/local/lzg/openfire/lib/mysql.jar:/usr/local/lzg/openfire/lib/openfire.jar:/usr/local/lzg/openfire/lib/postgres.jar:/usr/local/lzg/openfire/lib/servlet.jar:/usr/local/lzg/openfire/lib/slf4j-log4j12.jar:/usr/local/lzg/openfire/lib/startup.jar com.install4j.runtime.launcher.Launcher start org.jivesoftware.openfire.starter.ServerStarter false false /usr/local/lzg/openfire/bin/../logs/stderror.log /usr/local/lzg/openfire/bin/../logs/stdoutt.log true true false  true true 0 0  20 20 Arial 0,0,0 8 500 version 3.9.3 20 40 Arial 0,0,0 8 500 -1
root

修复方案:

修改弱密码

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-20 15:18

厂商回复:

非常感谢!

最新状态:

暂无