
Vulnerability summary

Defect ID: wooyun-2016-0197752

Title: Fanhua Insurance Openfire admin console weak password (command execution possible)

Vendor: Fanhua Insurance Service Group

Author: 路人甲

Submitted: 2016-04-18 11:46

Fixed: 2016-06-04 15:20

Published: 2016-06-04 15:20

Vulnerability type: command execution

Severity: high

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-18: details sent to the vendor, awaiting vendor handling
2016-04-20: vendor confirmed; details disclosed to the vendor only
2016-04-30: details disclosed to core white hats and domain experts
2016-05-10: details disclosed to regular white hats
2016-05-20: details disclosed to intern white hats
2016-06-04: details disclosed to the public

Brief description:

The Fanhua Insurance Openfire admin console uses a weak password (command execution possible), giving direct system-level access to the server.

Details:

http://lzguat.cninsure.net:9090/
admin
admin

Proof of vulnerability:

[screenshot: openfire.png]


Install a plugin, then execute system commands:

eth0      Link encap:Ethernet  HWaddr 52:54:00:03:35:71  
inet addr:10.249.160.147 Bcast:10.249.163.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:292022162 errors:0 dropped:0 overruns:0 frame:0
TX packets:154062152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38258612676 (35.6 GiB) TX bytes:63956569588 (59.5 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3723450884 errors:0 dropped:0 overruns:0 frame:0
TX packets:3723450884 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:247122256471 (230.1 GiB) TX bytes:247122256471 (230.1 GiB)



Fix recommendation:

Change the weak password
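Changing the password closes the entry point, but a defender also wants to notice when the console is used the way this report describes: a login from an unexpected source followed by a plugin upload. The Python check below is an added example, not part of the original report and not Openfire's own code; it scans admin-console access logs in combined format for successful logins from outside a trusted management network and for plugin uploads. It assumes the console's requests are logged in that format (for instance by a reverse proxy in front of port 9090), that the trusted network is the 10.249.160.0/22 the host sits in, and that a 302 answer to POST /login.jsp marks a successful login; the log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Management network allowed to reach the admin console. Assumption for this
# example: the /22 the host sits in (Mask 255.255.252.0 in the ifconfig above).
TRUSTED_ADMIN_NETS = [ip_network("10.249.160.0/22")]

# Constructed sample lines in combined log format; not data from the report.
SAMPLE_LOG = """\
10.249.160.5 - - [18/Apr/2016:11:40:10 +0800] "POST /login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2016:11:44:31 +0800] "POST /login.jsp HTTP/1.1" 302 0 "-" "python-requests/2.9"
203.0.113.7 - - [18/Apr/2016:11:45:02 +0800] "POST /plugin-admin.jsp?uploadplugin=true HTTP/1.1" 302 0 "-" "python-requests/2.9"
10.249.160.5 - - [18/Apr/2016:11:47:00 +0800] "GET /plugin-admin.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def audit(log_text):
    """Return (timestamp, ip, reason) tuples for events that deserve a ticket."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        path, _, query = ev["path"].partition("?")
        # Assumed here: the console answers a successful POST /login.jsp with a 302.
        if ev["method"] == "POST" and path == "/login.jsp" and ev["status"] == "302":
            if not is_trusted(ev["ip"]):
                alerts.append((ev["ts"], ev["ip"], "admin login from outside management network"))
        # A plugin install runs code under the Openfire account: every upload must match a known change.
        if path == "/plugin-admin.jsp" and "uploadplugin=true" in query.split("&"):
            alerts.append((ev["ts"], ev["ip"], "plugin uploaded via admin console"))
    return alerts

if __name__ == "__main__":
    for ts, ip, reason in audit(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

The login from the trusted /22 and the plain GET of the plugin page produce nothing; the two events from 203.0.113.7 are the ones an analyst would correlate with the report's timeline.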

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: medium

Vulnerability rank: 10

Confirmed: 2016-04-20 15:18

Vendor reply:

Thank you very much!

Latest status:

None