LOCKet (Zenzet Technology, 臻至科技): a vulnerability that allows direct internal-network penetration (mail leak / getshell / GitLab / Redis can lead to full server compromise)


Vulnerability details

Disclosure status:

2016-05-04: Details reported to the vendor, awaiting vendor handling
2016-05-04: Vendor has confirmed; details disclosed to the vendor only
2016-05-14: Details disclosed to core white hats and relevant domain experts
2016-05-24: Details disclosed to ordinary white hats
2016-06-03: Details disclosed to intern white hats
2016-06-18: Details disclosed to the public

Brief description:

Zenzet Technology is a data-security team focused on being an independent third party, and has now received investment from well-known investors. Most of our current members come from Fortune 500 companies and well-known NASDAQ-listed firms. We are young and restless, and want to do things that will be worth remembering years from now and worth boasting about to others. "Young" refers not only to our age but also to the field we work in.

Detailed description:

Zenzet Technology (臻至科技)

The security team should be hiring~



1.

http://blog.zenzet.com:8010/wordpress/

blog 123456789a (WordPress credentials)



[Screenshot: QQ20160504-0@2x.png]

Through the plugins feature a shell can be written directly.



[Screenshot: QQ20160504-8@2x.png]





Internal network:

Code block:
/>uname -a
Linux ubuntu-14-04-3 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


/>ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:02:1a:20
inet addr:192.168.10.161 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe02:1a20/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:285900085 errors:0 dropped:137967 overruns:0 frame:0
TX packets:268148077 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38541408148 (38.5 GB) TX bytes:53052633261 (53.0 GB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:610735383 errors:0 dropped:0 overruns:0 frame:0
TX packets:610735383 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:52625363320 (52.6 GB) TX bytes:52625363320 (52.6 GB)



/>arp -a
? (192.168.10.32) at 94:eb:cd:53:d7:bd [ether] on eth0
zenzet (192.168.10.39) at a0:99:9b:04:8e:53 [ether] on eth0
? (192.168.10.79) at 6c:40:08:bf:c4:e8 [ether] on eth0
? (192.168.10.182) at 00:0c:29:a0:1e:8b [ether] on eth0
zpf (192.168.10.33) at a4:5e:60:f3:16:61 [ether] on eth0
Rongde-iPhone (192.168.10.40) at 60:92:17:88:0d:b2 [ether] on eth0
? (192.168.10.66) at a4:5e:60:ef:f6:11 [ether] on eth0
? (192.168.10.22) at ec:55:f9:69:8d:33 [ether] on eth0
? (192.168.10.29) at 1c:5c:f2:b8:31:f7 [ether] on eth0
? (192.168.10.176) at 00:0c:29:bc:df:2d [ether] on eth0
? (192.168.10.198) at 00:0c:29:d7:43:04 [ether] on eth0
? (192.168.10.96) at 78:f5:fd:6c:a6:7a [ether] on eth0
? (192.168.10.85) at 70:3e:ac:ed:e2:d0 [ether] on eth0
android-3313730458e50d0a (192.168.10.34) at ac:cf:85:ca:af:73 [ether] on eth0
? (192.168.10.246) at dc:53:60:6f:04:64 [ether] on eth0
? (192.168.10.41) at 60:92:17:88:0d:b2 [ether] on eth0
? (192.168.10.67) at fc:3d:93:16:b0:d7 [ether] on eth0
? (192.168.10.30) at a4:5e:60:ef:f6:11 [ether] on eth0
? (192.168.10.166) at 00:0c:29:cf:ff:78 [ether] on eth0
DESKTOP-L19Q5EU (192.168.10.97) at dc:53:60:6f:04:64 [ether] on eth0
? (192.168.10.199) at 00:0c:29:bc:5f:3f [ether] on eth0
? (192.168.10.53) at b8:e8:56:34:ec:ba [ether] on eth0
Janky (192.168.10.35) at b8:e8:56:34:ec:ba [ether] on eth0
? (192.168.10.42) at ac:bc:32:89:32:63 [ether] on eth0
xuzhens-iPhone (192.168.10.93) at f4:31:c3:61:5a:c9 [ether] on eth0
android-c2dde5ee21615c29 (192.168.10.68) at f0:25:b7:80:aa:17 [ether] on eth0
? (192.168.10.24) at 48:6b:2c:a6:ae:eb [ether] on eth0
? (192.168.10.178) at <incomplete> on eth0
JeffinBaos-Air (192.168.10.6) at 2c:f0:ee:07:40:ee [ether] on eth0
xiaogeer (192.168.10.31) at 80:ea:96:4a:5d:9d [ether] on eth0
? (192.168.10.98) at ac:cf:85:ca:af:73 [ether] on eth0
? (192.168.10.61) at a4:5e:60:c0:fe:0f [ether] on eth0
? (192.168.10.36) at a4:5e:60:f3:16:61 [ether] on eth0
Cc-2 (192.168.10.94) at 6c:40:08:bf:c4:e8 [ether] on eth0
? (192.168.10.43) at b8:e8:56:34:ec:ba [ether] on eth0
? (192.168.10.99) at 78:92:9c:7e:54:3e [ether] on eth0
wangziruideMBP (192.168.10.37) at 6c:40:08:a9:72:2e [ether] on eth0
caolinjdeiPhone (192.168.10.44) at 70:48:0f:44:11:98 [ether] on eth0
suxiaobgandeAir (192.168.10.70) at a4:d1:8c:f1:4c:f2 [ether] on eth0
? (192.168.10.95) at fc:3d:93:16:b0:d7 [ether] on eth0
router.asus.com (192.168.10.1) at c4:04:15:25:31:48 [ether] on eth0
heysbkukanzheli (192.168.10.100) at fc:e9:98:7c:2f:ba [ether] on eth0
? (192.168.10.82) at 6c:40:08:a9:72:2e [ether] on eth0
? (192.168.10.63) at 60:c5:47:05:b7:3e [ether] on eth0
? (192.168.10.71) at 2c:d0:5a:b1:6c:d3 [ether] on eth0
? (192.168.10.2) at c4:04:15:25:31:48 [ether] on eth0
? (192.168.10.196) at 00:0c:29:10:7b:08 [ether] on eth0





2.

Redis

Unauthenticated access

115.29.203.54:6379

115.29.203.54:7000

115.29.203.54:6789

Code block:
Connected.
115.29.203.54:0>info
# Server
redis_version:2.8.17
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:899a50dd343b0f96
redis_mode:standalone
os:Linux 2.6.32-358.6.2.el6.x86_64 x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.4.7
process_id:20493
run_id:29a859ecf22adfa374f77a992289339978377132
tcp_port:6379
uptime_in_seconds:35225407
uptime_in_days:407
hz:10
lru_clock:2710515
config_file:

# Clients
connected_clients:13
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0

# Memory
used_memory:1067992
used_memory_human:1.02M
used_memory_rss:7475200
used_memory_peak:1117904
used_memory_peak_human:1.07M
used_memory_lua:33792
mem_fragmentation_ratio:7.00
mem_allocator:jemalloc-3.6.0

# Persistence
loading:0
rdb_changes_since_last_save:4
rdb_bgsave_in_progress:0
rdb_last_save_time:1449471155
rdb_last_bgsave_status:err
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok

# Stats
total_connections_received:4169
total_commands_processed:21271
instantaneous_ops_per_sec:0
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:4785
evicted_keys:0
keyspace_hits:5340
keyspace_misses:156
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:291

# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:13952.89
used_cpu_user:9476.04
used_cpu_sys_children:2241.05
used_cpu_user_children:175.00

# Keyspace
db0:keys=1,expires=0,avg_ttl=0

115.29.203.54:0>keys *
crackit





Looks like someone has already owned it.

[Screenshot: QQ20160504-1@2x.png]

[Screenshot: QQ20160504-2@2x.png]

[Screenshot: QQ20160504-3@2x.png]

Check it quickly.
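For the defender's side of this finding, here is an added example (not from the original report) that parses the INFO and KEYS output quoted above and flags the indicators worth acting on; SAMPLE_INFO is a constructed excerpt of that output, and the 'crackit' key name is treated as a known marker of abuse of unauthenticated Redis.

```python
# Added example (not from the report): triage of the redis-cli INFO/KEYS
# output quoted in section 2. SAMPLE_INFO is a constructed excerpt of it.
from typing import Dict, List, Tuple

SAMPLE_INFO = """# Server
redis_version:2.8.17
tcp_port:6379
config_file:

# Persistence
rdb_last_bgsave_status:err

# Keyspace
db0:keys=1,expires=0,avg_ttl=0
"""
SAMPLE_KEYS = ["crackit"]  # result of 'keys *' on the page

# Key name from antirez's 2015 public write-up on abusing open Redis; a key
# with this name that you did not create means someone else was there first.
KNOWN_ABUSE_KEYS = {"crackit"}

def parse_info(text: str) -> Dict[str, str]:
    """Turn 'field:value' lines into a dict, skipping '#' headers and blanks."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split(".")[:3])

def triage(info: Dict[str, str], keys: List[str], auth_required: bool) -> List[str]:
    """Return findings a defender should act on; an empty list means nothing flagged."""
    findings = []
    if not auth_required:
        findings.append("INFO answered without AUTH: requirepass is not set")
    if version_tuple(info.get("redis_version", "0")) < (3, 2, 0):
        findings.append("version predates protected-mode (introduced in Redis 3.2)")
    if info.get("config_file", "") == "":
        findings.append("no config file: built-in defaults, no bind restriction")
    if info.get("rdb_last_bgsave_status") == "err":
        findings.append("last background save failed: check 'dir'/'dbfilename' and the RDB")
    for key in keys:
        if key in KNOWN_ABUSE_KEYS:
            findings.append(f"key {key!r} is a known abuse marker: treat host as compromised")
    return findings
```

Run it as `triage(parse_info(SAMPLE_INFO), SAMPLE_KEYS, auth_required=False)`; on the output quoted above all five checks fire.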



3.

GitLab

http://git.zenzet.com/: all projects can be viewed directly at http://git.zenzet.com/explore

[Screenshot: QQ20160504-5@2x.png]

[Screenshot: QQ20160504-6@2x.png]

[Screenshot: QQ20160504-4@2x.png]





4.

Mail

[Screenshot: QQ20160504-7@2x.png]

OK

Others:

Code block:
blog.zenzet.com:122.234.56.66
sso.zenzet.com:121.40.222.125
smtp.zenzet.com:42.120.219.29
ftp.zenzet.com:192.168.10.168
dev.zenzet.com:115.29.203.54
monitor.zenzet.com:121.40.222.125
m.zenzet.com:42.121.103.112
wiki.zenzet.com:115.29.203.54
jobs.zenzet.com:120.55.249.149
pop3.zenzet.com:42.120.219.25
reg.zenzet.com:192.168.10.188
developer.zenzet.com:120.55.196.208
cas.zenzet.com:121.40.222.125
imap.zenzet.com:42.120.219.28
bi.zenzet.com:192.168.10.166
seo.zenzet.com:122.234.56.66
jira.zenzet.com:115.29.203.54
mail.zenzet.com:42.156.140.99
vm.zenzet.com:122.234.56.66
nexus.zenzet.com:192.168.10.188
git.zenzet.com:120.26.71.228
solr.zenzet.com:122.234.56.66
console.zenzet.com:120.55.199.46
review.zenzet.com:115.29.203.54
jump.zenzet.com:122.234.56.66
zk.zenzet.com:122.234.56.66
openapi.zenzet.com:120.55.139.31
jenkins.zenzet.com:192.168.10.188
http://review.zenzet.com/admin/login-default.do
http://115.29.203.54:8060/login
http://115.29.203.54:8090/forgotuserpassword.action
http://jira.zenzet.com/secure/Dashboard.jspa



And so on... not testing further.

OK, that's it.

Proof of vulnerability:

···

Fix recommendation:

Work hard on strengthening security.

Copyright notice: when reposting, please credit the source: 爱上平顶山@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed at: 2016-05-04 17:59

Vendor reply:

Our thanks to [email protected] for the attention to and support of our company. On receiving the notice we immediately confirmed and responded, investigated the issues one by one, and have now fixed the vulnerabilities found. The fixes are reported as follows:

1. WordPress weak password cracked
Solution: replaced with a strong password.

2. WordPress plugin exploited
Solution: disabled unnecessary plugins, standardised the use of third-party components, and will strengthen review and verification of third-party products going forward.

3. Redis without access restrictions
Solution: this Redis instance was in fact an abandoned database that stopped being used in early 2015; it has now been taken fully offline. Obsolete services will be decommissioned promptly in future.

4. GitLab public projects directly accessible from outside
Solution: strengthen permission controls and security training for internal developers; creating public projects is prohibited.

5. Employee test mailbox account leaked through a public project
Solution: strengthen permission controls and security training for internal developers; using personal mailboxes for development testing is prohibited.

As a startup, this incident exposed shortcomings in the company's internal management, especially gaps in the handover of internal account management training for new employees. The team lead and the person responsible for the incident will not sleep well tonight, because the lead has to do a self-criticism in front of everyone at tomorrow's regular meeting, and the boss requires him to explain the vulnerabilities in a way that colleagues in marketing and administration can understand too.
Moreover, the company will use this incident as a case study in strengthening management and strictly enforcing its policies and processes going forward.

Latest status:

2016-05-04: Supplement for the parts not displayed: 1. WordPress weak password cracked 2. WordPress plugin exploited 3. Redis without access restrictions 4. GitLab public projects directly accessible from outside



Article link: LOCKet (Zenzet Technology, 臻至科技): a vulnerability that allows direct internal-network penetration (mail leak / getshell / GitLab / Redis can lead to full server compromise) - https://www.15qq.cn/wooyun/671.html
