百度旗下在线教育产品作业帮一处补丁不及时导致命令执行/root权限/涉及99个项目源码/可探测内网大量主机

admin
admin
admin
139701
文章
114
评论
2017年4月29日03:35:40评论249 views字数 242阅读0分48秒阅读模式
摘要

2016-04-13: 细节已通知厂商并且等待厂商处理中
2016-04-14: 厂商已经确认,细节仅向厂商公开
2016-04-24: 细节向核心白帽子及相关领域专家公开
2016-05-04: 细节向普通白帽子公开
2016-05-14: 细节向实习白帽子公开
2016-05-29: 细节向公众公开

漏洞概要 关注数(27) 关注此漏洞

缺陷编号: WooYun-2016-195955

漏洞标题: 百度旗下在线教育产品作业帮一处补丁不及时导致命令执行/root权限/涉及99个项目源码/可探测内网大量主机

相关厂商: 百度

漏洞作者: j14n

提交时间: 2016-04-13 21:28

公开时间: 2016-05-29 14:10

漏洞类型: 命令执行

危害等级: 高

自评Rank: 15

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 远程命令执行 补丁不及时

2人收藏

漏洞详情

披露状态:

2016-04-13: 细节已通知厂商并且等待厂商处理中
2016-04-14: 厂商已经确认,细节仅向厂商公开
2016-04-24: 细节向核心白帽子及相关领域专家公开
2016-05-04: 细节向普通白帽子公开
2016-05-14: 细节向实习白帽子公开
2016-05-29: 细节向公众公开

简要描述:

rt

详细说明:

百度旗下在线教育产品作业帮一处补丁不及时导致命令执行/root权限/涉及99个项目源码/可探测内网大量主机

不知道这样还算不算百度的。。。

mask 区域 
1.http://**.**.**/_
 *****f140a7959c08c2adfad7.png&qu*****
 **********
 *****8e88ad9fabb1c28e0550.png&qu*****
 *****c/ho*****
 *****b6d7229fc31b9f54cdac.png&qu*****
 *****ocaldomain localhost4 l*****
 *****main localhost6 loca*****
 *****tos6u5.*****
 *****.1 o*****
 *****.0.5*****
 *****4.64 *****
 *****ed.noah.b*****
 *****de&g*****
 **********
 <*****
 **********
 *****b3b2335ac84b95bd5dcf.png&qu*****
 **********
 *****ory部*****
 **********
 *****;su je*****
 *****
 *****sh/id_ds*****
 *****> /home/homework/*****
 ***** >> /home/homewo*****
 ***** >> /home/homewo*****
 ***** >> /home/homewo*****
 ***** >> /home/homewo*****
 ***** >> /home/homewo*****
 *****t
 *****
 *****d*****
 *****l*****
 *****homew*****
 *****l*****
 *****do*****
 *****l*****
 **********
 *****L*****
 *****l*****
 *****stra*****
 *****de&g*****
 *****381a3031280926193409.png&qu*****
 **********
 *****感*****
 **********
 **********
 *****目*****
 **********
 *****1588153d2a2bd958b064.png&qu*****
 **********
 *****6758f36e5786e1530b96.png&qu*****
 *****fig*****
 *****Ethernet  HWaddr *****
 *****Bcast:192.168.255*****
 *****816:3eff:fefb:f*****
 *****G MULTICAST  MT*****
 *****errors:0 dropped*****
 *****rors:0 dropped:0 *****
 *****s:0 txqueu*****
 *****0 GiB)  TX bytes:7*****
 **********
 *****cap:Local*****
 *****27.0.0.1  M*****
 *****r: ::1/128*****
 *****UNNING  MTU:*****
 *****rors:0 dropped:0*****
 *****rors:0 dropped:0*****
 *****ons:0 txq*****
 *****6 GiB)  TX bytes:*****
 *****de&g*****
 **********
 *****网主*****
 **********
 *****.5.114) at fa:16:3e:*****
 *****) at fa:16:3e:87:*****
 *****at fa:16:3e:79:22*****
 *****) at fa:16:3e:bc:*****
 *****) at fa:16:3e:9a:*****
 *****) at fa:16:3e:a7:*****
 *****) at fa:16:3e:00:*****
 *****) at fa:16:3e:52:*****
 *****) at fa:16:3e:36:*****
 *****) at fa:16:3e:b3:*****
 *****) at fa:16:3e:04:*****
 *****at fa:16:3e:79:ee*****
 *****) at fa:16:3e:99:*****
 *****) at fa:16:3e:3f:*****
 *****at fa:16:3e:dd:f4*****
 *****) at fa:16:3e:41:*****
 *****) at fa:16:3e:74:*****
 *****at fa:16:3e:7e:d*****
 *****) at fa:16:3e:2c:*****
 *****) at fa:16:3e:8e:*****
 *****) at fa:16:3e:ce:*****
 *****) at fa:16:3e:bd:*****
 *****) at fa:16:3e:23:*****
 *****) at fa:16:3e:c5:*****
 *****) at fa:16:3e:de:*****
 *****) at fa:16:3e:d9:*****
 *****) at fa:16:3e:98:*****
 *****at fa:16:3e:df:c8*****
 *****) at fa:16:3e:37:*****
 *****) at fa:16:3e:6e:*****
 *****at fa:16:3e:e5:7e*****
 *****) at fa:16:3e:77:*****
 *****) at fa:16:3e:49:*****
 *****at fa:16:3e:34:3*****
 *****) at fa:16:3e:7a:*****
 *****) at fa:16:3e:ab:*****
 *****at fa:16:3e:0a:41*****
 *****at fa:16:3e:0b:26*****
 *****) at fa:16:3e:73:*****
 *****at fa:16:3e:3a:8e*****
 *****) at fa:16:3e:56:*****
 *****at fa:16:3e:47:13*****
 *****) at fa:16:3e:27:*****
 *****at fa:16:3e:cc:13*****
 *****) at fa:16:3e:4d:*****
 *****at fa:16:3e:4b:a*****
 *****) at fa:16:3e:b4:*****
 *****) at fa:16:3e:42:*****
 *****) at fa:16:3e:75:*****
 *****at fa:16:3e:71:a7*****
 *****) at fa:16:3e:bb:*****
 *****at fa:16:3e:d2:d5*****
 *****de&g*****
 **********
 *****7623bb554fc35ede5fc669.png*****

漏洞证明:

code 区域 
host-192-168-5-114 (192.168.5.114) at fa:16:3e:cd:13:ee [ether] on eth0
 host-192-168-2-157 (192.168.2.157) at fa:16:3e:87:78:4f [ether] on eth0
 host-192-168-4-63 (192.168.4.63) at fa:16:3e:79:22:de [ether] on eth0
 host-192-168-5-119 (192.168.5.119) at fa:16:3e:bc:59:30 [ether] on eth0
 host-192-168-2-120 (192.168.2.120) at fa:16:3e:9a:37:b4 [ether] on eth0
 host-192-168-2-151 (192.168.2.151) at fa:16:3e:a7:21:b8 [ether] on eth0
 host-192-168-2-158 (192.168.2.158) at fa:16:3e:00:85:66 [ether] on eth0
 host-192-168-3-144 (192.168.3.144) at fa:16:3e:52:a5:f5 [ether] on eth0
 host-192-168-3-139 (192.168.3.139) at fa:16:3e:36:06:16 [ether] on eth0
 host-192-168-3-142 (192.168.3.142) at fa:16:3e:b3:c0:9a [ether] on eth0
 host-192-168-2-153 (192.168.2.153) at fa:16:3e:04:e8:ff [ether] on eth0
 host-192-168-4-62 (192.168.4.62) at fa:16:3e:79:ee:ab [ether] on eth0
 host-192-168-2-139 (192.168.2.139) at fa:16:3e:99:f7:61 [ether] on eth0
 host-192-168-1-223 (192.168.1.223) at fa:16:3e:3f:cc:33 [ether] on eth0
 host-192-168-3-83 (192.168.3.83) at fa:16:3e:dd:f4:33 [ether] on eth0
 host-192-168-2-128 (192.168.2.128) at fa:16:3e:41:fd:ab [ether] on eth0
 host-192-168-2-164 (192.168.2.164) at fa:16:3e:74:a0:f8 [ether] on eth0
 host-192-168-0-2 (192.168.0.2) at fa:16:3e:7e:d2:d6 [ether] on eth0
 host-192-168-2-125 (192.168.2.125) at fa:16:3e:2c:99:c7 [ether] on eth0
 host-192-168-3-136 (192.168.3.136) at fa:16:3e:8e:5f:fe [ether] on eth0
 host-192-168-2-149 (192.168.2.149) at fa:16:3e:ce:ae:41 [ether] on eth0
 host-192-168-5-121 (192.168.5.121) at fa:16:3e:bd:bc:dd [ether] on eth0
 host-192-168-2-160 (192.168.2.160) at fa:16:3e:23:b3:7b [ether] on eth0
 host-192-168-3-135 (192.168.3.135) at fa:16:3e:c5:30:f1 [ether] on eth0
 host-192-168-3-140 (192.168.3.140) at fa:16:3e:de:52:c6 [ether] on eth0
 host-192-168-5-118 (192.168.5.118) at fa:16:3e:d9:54:a9 [ether] on eth0
 host-192-168-2-152 (192.168.2.152) at fa:16:3e:98:d1:81 [ether] on eth0
 host-192-168-2-81 (192.168.2.81) at fa:16:3e:df:c8:43 [ether] on eth0
 host-192-168-2-123 (192.168.2.123) at fa:16:3e:37:b2:ce [ether] on eth0
 host-192-168-2-138 (192.168.2.138) at fa:16:3e:6e:cc:6e [ether] on eth0
 host-192-168-2-86 (192.168.2.86) at fa:16:3e:e5:7e:61 [ether] on eth0
 host-192-168-0-122 (192.168.0.122) at fa:16:3e:77:18:1d [ether] on eth0
 host-192-168-1-200 (192.168.1.200) at fa:16:3e:49:c6:48 [ether] on eth0
 host-192-168-0-1 (192.168.0.1) at fa:16:3e:34:3b:c4 [ether] on eth0
 host-192-168-2-163 (192.168.2.163) at fa:16:3e:7a:e4:b9 [ether] on eth0
 host-192-168-2-122 (192.168.2.122) at fa:16:3e:ab:64:e5 [ether] on eth0
 host-192-168-0-45 (192.168.0.45) at fa:16:3e:0a:41:43 [ether] on eth0
 host-192-168-5-44 (192.168.5.44) at fa:16:3e:0b:26:bc [ether] on eth0
 host-192-168-2-147 (192.168.2.147) at fa:16:3e:73:2c:82 [ether] on eth0
 host-192-168-0-44 (192.168.0.44) at fa:16:3e:3a:8e:fa [ether] on eth0
 host-192-168-2-134 (192.168.2.134) at fa:16:3e:56:cd:f7 [ether] on eth0
 host-192-168-2-79 (192.168.2.79) at fa:16:3e:47:13:f9 [ether] on eth0
 host-192-168-2-141 (192.168.2.141) at fa:16:3e:27:cc:a5 [ether] on eth0
 host-192-168-5-45 (192.168.5.45) at fa:16:3e:cc:13:db [ether] on eth0
 host-192-168-5-116 (192.168.5.116) at fa:16:3e:4d:4a:09 [ether] on eth0
 host-192-168-0-3 (192.168.0.3) at fa:16:3e:4b:a3:de [ether] on eth0
 host-192-168-2-121 (192.168.2.121) at fa:16:3e:b4:a3:01 [ether] on eth0
 host-192-168-5-120 (192.168.5.120) at fa:16:3e:42:88:c1 [ether] on eth0
 host-192-168-2-145 (192.168.2.145) at fa:16:3e:75:88:7a [ether] on eth0
 host-192-168-5-47 (192.168.5.47) at fa:16:3e:71:a7:71 [ether] on eth0
 host-192-168-2-129 (192.168.2.129) at fa:16:3e:bb:58:b1 [ether] on eth0
 host-192-168-5-50 (192.168.5.50) at fa:16:3e:d2:d5:24 [ether] on eth0

修复方案:

jenkins java反序列化命令执行

版权声明:转载请注明来源 j14n@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-14 14:04

厂商回复:

感谢对百度安全的关注

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2016-04-13 21:36 | 带头大哥 ( 普通白帽子 | Rank:879 漏洞数:258 | |任意邮件伪造| |目录遍历| |任意文件读取|...)

    1

    Jin4

  2. 2016-04-13 21:40 | j14n ( 普通白帽子 | Rank:2226 漏洞数:401 )

    1

    @带头大哥 这都让你发现了。

  3. 2016-04-13 21:50 | 大师兄 ( 实习白帽子 | Rank:31 漏洞数:8 | 每日必关注乌云)

    1

    甩个赞给你!

  4. 2016-04-13 21:50 | 带头大哥 ( 普通白帽子 | Rank:879 漏洞数:258 | |任意邮件伪造| |目录遍历| |任意文件读取|...)

    1

    @j14n 抓到你的特点了,哈哈 。 加油刷~~~

  5. 2016-04-14 07:53 | onpu ( 普通白帽子 | Rank:396 漏洞数:67 )

    1

    已知悉,此漏洞正在修复,感谢对百安全的关注。

  6. 2016-05-30 10:08 | atiger77 ( 路人 | Rank:4 漏洞数:2 | 熟练掌握php,python,go,ruby,c++,java,html...)

    0

    这个洞是扫C段找到的嘛

  7. 2016-05-30 10:15 | j14n ( 普通白帽子 | Rank:2226 漏洞数:401 )

    0

    @atiger77 不是 eye

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin