中国联通某省份WLAN认证计费系统存在命令执行（疑似被境外人员利用） | wooyun-2015-0103151

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0103151

漏洞标题：

中国联通某省份WLAN认证计费系统存在命令执行（疑似被境外人员利用）

漏洞详情

披露状态：

2015-03-23：细节已通知厂商并且等待厂商处理中
2015-03-27：厂商已经确认，细节仅向厂商公开
2015-04-06：细节向核心白帽子及相关领域专家公开
2015-04-16：细节向普通白帽子公开
2015-04-26：细节向实习白帽子公开
2015-05-11：细节向公众公开

简要描述：

RT~

详细说明：

http://202.96.74.3:8081/loginAction.action

uid=502(dhcp) gid=501(pin) ?=501(pin) ??=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:51789               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 202.96.74.3:22              103.41.124.121:55181        ESTABLISHED -                   
tcp        0      0 202.96.74.3:22              103.41.124.115:52093        ESTABLISHED -                   
tcp        0      0 202.96.74.3:22              182.100.67.113:54314        ESTABLISHED -                   
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:127.0.0.1:8006       :::*                        LISTEN      -                   
tcp        0      0 :::8009                     :::*                        LISTEN      18373/java          
tcp        0      0 :::8010                     :::*                        LISTEN      -                   
tcp        0      0 :::8011                     :::*                        LISTEN      -                   
tcp        0      0 ::ffff:202.96.74.3:8012     :::*                        LISTEN      4166/java           
tcp        0      0 ::ffff:127.0.0.1:8015       :::*                        LISTEN      -                   
tcp        0      0 :::111                      :::*                        LISTEN      -                   
tcp        0      0 :::8080                     :::*                        LISTEN      -                   
tcp        0      0 :::8081                     :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:202.96.74.3:9011     :::*                        LISTEN      4166/java           
tcp        0      0 :::56597                    :::*                        LISTEN      -                   
tcp        0      0 :::22                       :::*                        LISTEN      -                   
tcp        0      0 ::1:631                     :::*                        LISTEN      -                   
tcp        0      0 ::1:25                      :::*                        LISTEN      -                   
tcp        0      0 :::8090                     :::*                        LISTEN      -

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:51789               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -                   
tcp        0      1 202.96.74.3:60286           107.160.159.92:46463        SYN_SENT    -                   
tcp        0      0 202.96.74.3:22              182.100.67.113:44473        ESTABLISHED -                   
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:127.0.0.1:8006       :::*                        LISTEN      -                   
tcp        0      0 :::8009                     :::*                        LISTEN      18373/java          
tcp        0      0 :::8010                     :::*                        LISTEN      -                   
tcp        0      0 :::8011                     :::*                        LISTEN      -                   
tcp        0      0 ::ffff:202.96.74.3:8012     :::*                        LISTEN      4166/java           
tcp        0      0 ::ffff:127.0.0.1:8015       :::*                        LISTEN      -                   
tcp        0      0 :::111                      :::*                        LISTEN      -                   
tcp        0      0 :::8080                     :::*                        LISTEN      -                   
tcp        0      0 :::8081                     :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:202.96.74.3:9011     :::*                        LISTEN      4166/java           
tcp        0      0 :::56597                    :::*                        LISTEN      -                   
tcp        0      0 :::22                       :::*                        LISTEN      -                   
tcp        0      0 ::1:631                     :::*                        LISTEN      -                   
tcp        0      0 ::1:25                      :::*                        LISTEN      -                   
tcp        0      0 :::8090                     :::*                        LISTEN      -

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:51789               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      -                   
tcp        0      0 202.96.74.3:22              42.121.111.24:15282         ESTABLISHED -                   
tcp        0      1 202.96.74.3:44491           107.160.159.92:46463        SYN_SENT    -                   
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:127.0.0.1:8006       :::*                        LISTEN      -                   
tcp        0      0 :::8009                     :::*                        LISTEN      18373/java          
tcp        0      0 :::8010                     :::*                        LISTEN      -                   
tcp        0      0 :::8011                     :::*                        LISTEN      -                   
tcp        0      0 ::ffff:202.96.74.3:8012     :::*                        LISTEN      4166/java           
tcp        0      0 ::ffff:127.0.0.1:8015       :::*                        LISTEN      -                   
tcp        0      0 :::111                      :::*                        LISTEN      -                   
tcp        0      0 :::8080                     :::*                        LISTEN      -                   
tcp        0      0 :::8081                     :::*                        LISTEN      18373/java          
tcp        0      0 ::ffff:202.96.74.3:9011     :::*                        LISTEN      4166/java           
tcp        0      0 :::56597                    :::*                        LISTEN      -                   
tcp        0      0 :::22                       :::*                        LISTEN      -                   
tcp        0      0 ::1:631                     :::*                        LISTEN      -                   
tcp        0      0 ::1:25                      :::*                        LISTEN      -                   
tcp        0      0 :::8090                     :::*                        LISTEN      -

发现如下可以ip，都是链接的ssh的22端口，美国的这最可疑，所有链接都是晚上22-23点的时间段：
107.160.159.92:46463  -->  本站主数据：美国, 参考数据一：ARIN
182.100.67.113:44473  -->  本站主数据：江西省新余市 电信, 参考数据一：江西省 电信
42.121.111.24:15282   -->  本站主数据：浙江省杭州市 阿里云计算有限公司 阿里巴巴, 参考数据一：浙江省杭州市 阿里软件有限公司
107.160.159.92:46463  -->  本站主数据：美国, 参考数据一：ARIN
103.41.124.121:55181  -->  本站主数据：香港特别行政区, 参考数据一：APNIC
103.41.124.115:52093  -->   本站主数据：香港特别行政区,参考数据一：APNIC

硬盘空间还是蛮大的，
????	      ??  ??  ?? ??%% ???
/dev/mapper/VolGroup-lv_root
                       50G   21G   26G  45% /
tmpfs                 127G  804K  127G   1% /dev/shm
/dev/sda1             485M   40M  420M   9% /boot
/dev/mapper/VolGroup-lv_home
                      3.8T  3.2G  3.6T   1% /home

四块HBA卡，使用了NFS
-+-[0000:70]-+-00.0-[71-75]--+-00.0-[72-74]--
 |           |               \-00.1-[75]--
 |           +-01.0-[79-7b]--
 |           +-02.0-[87]--
 |           +-03.0-[84-86]--+-00.0  QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA
 |           |               \-00.1  QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA
 |           +-04.0-[88]--
 |           +-05.0-[89]--
 |           +-06.0-[8a]--
 |           +-07.0-[76-78]--+-00.0  QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA
 |           |               \-00.1  QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA
 |           +-08.0-[8b]--
 |           +-09.0-[8c]--
 |           +-0a.0-[8d]--
 |           \-14.0  Intel Corporation 5520/5500/X58 I/O Hub System Management Registers
 \-[0000:00]-+-00.0  Intel Corporation 5520/5500/X58 I/O Hub to ESI Port
             +-01.0-[0e-10]--
             +-02.0-[14]--
             +-03.0-[04]--+-00.0  NetXen Incorporated NX3031 Multifunction 1/10-Gigabit Server Adapter
             |            +-00.1  NetXen Incorporated NX3031 Multifunction 1/10-Gigabit Server Adapter
             |            +-00.2  NetXen Incorporated NX3031 Multifunction 1/10-Gigabit Server Adapter
             |            \-00.3  NetXen Incorporated NX3031 Multifunction 1/10-Gigabit Server Adapter
             +-04.0-[15]--
             +-05.0-[11-13]--
             +-06.0-[16]--
             +-07.0-[0b-0d]--
             +-08.0-[17]--
             +-09.0-[08-0a]--
             +-0a.0-[05-07]--
             +-14.0  Intel Corporation 5520/5500/X58 I/O Hub System Management Registers
             +-1c.0-[03]----00.0  Hewlett-Packard Company Smart Array G6 controllers
             +-1c.4-[02]--+-00.0  Hewlett-Packard Company Integrated Lights-Out Standard Slave Instrumentation & System Support
             |            +-00.2  Hewlett-Packard Company Integrated Lights-Out Standard Management Processor Support and Messaging
             |            \-00.4  Hewlett-Packard Company Integrated Lights-Out Standard Virtual USB Controller
             +-1d.0  Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #1
             +-1d.1  Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #2
             +-1d.2  Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #3
             +-1d.3  Intel Corporation 82801JI (ICH10 Family) USB UHCI Controller #6
             +-1d.7  Intel Corporation 82801JI (ICH10 Family) USB2 EHCI Controller #1
             +-1e.0-[01]----03.0  Advanced Micro Devices [AMD] nee ATI ES1000
             +-1f.0  Intel Corporation 82801JIB (ICH10) LPC Interface Controller
             \-1f.2  Intel Corporation 82801JI (ICH10 Family) 4 port SATA IDE Controller #1

漏洞证明：

====================================================================================================================================
eth0      Link encap:Ethernet  HWaddr D8:9D:67:77:79:C4  
          inet addr:202.96.74.3  Bcast:202.96.74.31  Mask:255.255.255.224
          inet6 addr: fe80::da9d:67ff:fe77:79c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39175926 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30504733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:7603077388 (7.0 GiB)  TX bytes:5867632669 (5.4 GiB)
          Interrupt:88 
eth1      Link encap:Ethernet  HWaddr D8:9D:67:77:79:C5  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:92 
eth2      Link encap:Ethernet  HWaddr D8:9D:67:77:79:C6  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:96 
eth3      Link encap:Ethernet  HWaddr D8:9D:67:77:79:C7  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:100 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:191051048 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191051048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:9978430086 (9.2 GiB)  TX bytes:9978430086 (9.2 GiB)

还有一台数据库机器，Oracle对外开放了1521端口
202.96.74.2:1521

修复方案：

1.升级
2.查查内网是不是被渗透了吧~

版权声明：转载请注明来源 MyKings@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-03-27 13:54

厂商回复：

CNVD确认并复现所述漏洞情况，已经转由CNCERT下发给辽宁分中心，由辽宁分中心后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 MyKings@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 MyKings@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞