深信服数据中心2.0某处存在命令执行漏洞

漏洞文件:/src/acloglogin.php。问题其实出在该文件引入的弱口令检测逻辑上。

<?php
/*
 +-------------------------------------------------------------------------+
 | Copyright (C) 2006      
 | 文件名: acloglogin.php     
 | 描述:   -->用户登录
 |                             
 +-------------------------------------------------------------------------+
 | 作者:
 | 时间:
 | Email:
 +-------------------------------------------------------------------------+
 | - 相关网站 - http://www.sinfors.com.cn/ 
 +-------------------------------------------------------------------------+
*/
require_once("../inc/config.inc.php");//CONFIG_INC_PHP_PATH
require_once(ACLOG_INC_DATAPATH."usrmanage.php");
require_once(ACLOG_LANGPATH."chs.utf8.lang.php");
require_once(ACLOG_INC_CALLPATH."caclogin.php");
require_once(ACLOG_SRCPATH."formparam.php");

// Lock-out window in seconds; compared below with the time elapsed since the
// first failed login of the current session.
define("TIME_FREEZE", 60);
// Value copied into $_SESSION["lifeTime"] and into the "LifeTime" cookie.
define("TIME_COOKIE", 3600);
global $arrDB;

// Abort with an error page when the host is not Linux (per WorkOnLinux(),
// which is defined elsewhere) and $arrDB has not been populated.
if (!(WorkOnLinux() || !is_null($arrDB))) {
    $errmsg = COMMON_LOG_NO_SYNC_ACCOUNT;
    viewErrmsg($errmsg);
    exit;
}
// Table of request fields this page accepts. Each entry is a three-slot array;
// the first slot looks like a default value (see 'auth' and 'page') -- TODO
// confirm the meaning of all three slots against GetFormsRequestValue().
$emptySpec = array(null, null, null);
$request_forms = array(
    'login_user'     => $emptySpec,
    'login_password' => $emptySpec,
    'submit'         => $emptySpec,
    'logout'         => $emptySpec,
    'in'             => $emptySpec,
    'login'          => $emptySpec,
    'auth'           => array(0, null, null),
    'page'           => array("linkconfig.php?in=1", null, null),
    'dkey'           => $emptySpec,
    'dkeylogin'      => $emptySpec,
);
unset($emptySpec);

// Fills $forms from the request according to the table above. No validation is
// visible here, so every $forms[...] value below should be treated as
// attacker-controlled until proven otherwise.
GetFormsRequestValue($request_forms, $forms);

// An "auth" value that compares loosely equal to true marks the request as
// already verified and forces the "login" flag on.
// NOTE(review): "auth" arrives through the same request table as the
// credentials; confirm CAcLogin never treats it as proof of authentication.
if ($forms['auth'] == true) {
    $forms["login"] = true;
}

global $arrDBSrc, $needDebug;
$obj = new CAcLogin($arrDBSrc, $forms, $needDebug);

// Template variables handed to the login page renderer.
global $g_arrScript, $g_arrSkin, $g_page, $g_strLang, $_form;
$fields = array();
$fields["script"] = $g_arrScript;
$fields["skin"]   = $g_arrSkin;
$fields["page"]   = $g_page;
$fields["lang"]   = $g_strLang;
$fields["form"]   = $_form;
$fields["title"]  = "Sinfor AC DataCenter";

// Load the login object's data whenever a login or logout was requested.
if (isset($forms["logout"]) || isset($forms["login"])) {
    $obj->GetData();
}

// Logout: end the session, show the login form again and stop.
if (isset($forms["logout"])) {
    if ($forms["logout"] == true) {
        $obj->logout();
        $obj->ShowLogin($fields);
        exit;
    }
}

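// Weak-password pre-check for the submitted user name.
//
// $forms["login_user"] comes straight from the request and this code runs
// before $obj->Validate(), so it is reachable without authentication. The
// original built the command by concatenating the user name between double
// quotes; a shell still expands metacharacters inside double quotes, which made
// this an OS command injection. escapeshellarg() wraps the value in single
// quotes and escapes embedded single quotes, so the user name reaches
// weakpasscheck as exactly one argument -- spaces included, which is what the
// original double quotes were meant to achieve.
//
// Caveats to confirm on the appliance:
//  - escapeshellarg() drops bytes that are invalid in the current LC_CTYPE
//    locale; set a UTF-8 locale if user names may contain non-ASCII characters.
//  - A user name starting with "-" may still be read as an option by
//    weakpasscheck; if the tool accepts "--" as end-of-options, add it -- TODO.
//  - system() writes the command's output into the HTTP response; prefer
//    exec() if that output is not meant for the client.
$weak_user_arg = escapeshellarg((string)$forms["login_user"]);
$weak_str = '/usr/sbin/weakpasscheck -checkuser ' . $weak_user_arg;
system($weak_str, $weak_status);
if ($weak_status == 1) {
    // Exit status 1 from weakpasscheck leads to a second check by a fixed
    // script (no request data is passed to it).
    $weak_time_str = '/usr/sbin/check_weak_date.sh';
    system($weak_time_str, $weak_time_status);
    if ($weak_time_status == 1) {
        // Both checks returned 1: refuse the login with the weak-password message.
        $strError = LOGIN_WEAK_PASS;
        $obj->AddErrMessage($strError);
        $obj->ShowLogin($fields);
        exit;
    }
}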

$nSubmit = 0;
$nAllRight = 0;

// Auto-login: per the original author's note, the password is not MD5-hashed
// here because the value received via GET is already an MD5 digest.
// NOTE(review): a digest accepted in place of the password is itself
// password-equivalent, and GET parameters end up in logs and browser history.
$auth = $forms['auth'];

// Redirect target after login: the request-supplied "page" when "in" is set,
// otherwise the default frameset.
// NOTE(review): "page" is not validated before it is used in the Location
// header below; consider restricting it to known relative paths.
$location = (isset($forms["in"]) && $forms["in"] == true) ? $forms['page'] : "f.html";

$_SESSION["lifeTime"] = TIME_COOKIE;
$hasToLower = $forms["login_user"];

// Request comes from the web UI ("auth" set) and the session already belongs
// to the same user: refresh the cookie and redirect.
// When the session belongs to a different user, the original left a TODO here
// (log the previous user out / mark them offline) and nothing is done.
if (isset($_SESSION["auth_user"]) && $auth == true && $_SESSION["auth_user"] == $hasToLower) {
    setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"], "/");
    header("Location: " . $location);
    exit;
}

// Any non-empty authenticated session is redirected without re-checking
// credentials.
if (isset($_SESSION["auth_user"]) && strlen($_SESSION["auth_user"])) {
    $strUser = $_SESSION["auth_user"];
    setcookie("LifeTime", TIME_COOKIE, time() + $_SESSION["lifeTime"], "/");
    header("Location: " . $location);
    exit;
}

// No authenticated session: a credential check is due only when both the user
// name and the password were submitted.
if (isset($forms["login_user"], $forms["login_password"])) {
    $nSubmit = 1;
}

// Read the lock-out ("freeze") flag for this session.
// NOTE(review): the flag and the attempt counter live only in $_SESSION, so
// the limit applies per session rather than per account or source address; a
// server-side per-account counter would be more robust.
$freeze = false;
if (isset($_SESSION["freeze"])) {
    $freeze = $_SESSION["freeze"];
    $lefttime = time() - $_SESSION["logtime"];
    if (!($lefttime >= 0 && $lefttime <= TIME_FREEZE)) {
        // Window elapsed (or the clock moved backwards): clear the lock-out state.
        unset($_SESSION["logtime"], $_SESSION["logcishu"], $_SESSION["freeze"]);
        $freeze = false;
    } elseif ($freeze) {
        // Still frozen: tell the user how many seconds remain.
        $strError = LOGIN_TIP1.(TIME_FREEZE - $lefttime).LOGIN_TIP2;
    }
}


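// Credential check with a per-session limit on failed attempts.
//
// Changes against the original:
//  - the redirect target is emitted as an encoded JavaScript string literal
//    instead of being pasted between single quotes inside <script>;
//  - the unreachable inner isset($_COOKIE["LifeTime"]) branch (which echoed the
//    cookie value into a script block) is removed;
//  - the failed-attempt counter is initialised explicitly and the counting
//    window restarts once TIME_FREEZE has elapsed. Previously the window start
//    was never reset, so after the first window lapsed the freeze condition
//    could not become true again in that session.
$ret = false;
// While the session is frozen no credential check is attempted.

if ($freeze == false) {
    if ($nSubmit) {
        $ret = $obj->Validate();
    }

    if ($ret) {
        $_SESSION["aclog_session"] = 1;
        // NOTE(review): $strUser and $strPsw are not assigned on this path in
        // the visible code; presumably they are set as globals by
        // $obj->Validate() or an included file -- confirm. Keeping the
        // password in the session is worth revisiting, and the session id is
        // not regenerated on login (consider session_regenerate_id()).
        $_SESSION["auth_user"] = $strUser;
        $_SESSION["auth_user_pwd"] = $strPsw;
        $_SESSION["nAllRight"] = $nAllRight;

        if (!isset($_COOKIE["LifeTime"])) {
            // No LifeTime cookie yet: have the browser set one from script.
            $strJScript = ' <script language="javascript">
					function SetCookie(name,value)//两个参数,一个是cookie的名子,一个是值
					{
						var exp  = new Date();    
						exp.setTime(exp.getTime() + %d*1000);
						document.cookie = name + "="+ escape (value) + ";expires=" + exp.toGMTString();
					}
					SetCookie ("LifeTime", "%d")					
					</script>';
            $strJScript = sprintf($strJScript, TIME_COOKIE, $_SESSION["lifeTime"]);
            echo($strJScript);
        }

        // Successful login clears the lock-out state.
        unset($_SESSION["logtime"]);
        unset($_SESSION["logcishu"]);
        unset($_SESSION["freeze"]);

        $javascript = "";
        if ($forms["in"]) {
            // Reload the surrounding frames when they exist.
            $javascript .= 'if(typeof(eval("window.parent.frames[\"topFrame\"]")) != "undefined")window.parent.frames["topFrame"].location.reload();if(typeof(eval("window.parent.frames[\"leftFrame\"]")) != "undefined")window.parent.frames["leftFrame"].location.reload();';
        }

        // $location can be the request-supplied "page" value. Encode it as a
        // JavaScript string literal; the JSON_HEX_* flags (PHP >= 5.3) keep
        // quotes, "<", ">" and "&" from terminating the literal or the
        // surrounding <script> element.
        // NOTE(review): encoding does not restrict where the redirect points;
        // consider allowing only known relative paths.
        $jsLocation = json_encode((string)$location, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        if ($jsLocation === false) {
            // Value could not be encoded (e.g. invalid UTF-8): use the default page.
            $jsLocation = '"f.html"';
        }
        $javascript .= "location.href=" . $jsLocation;
        echo "<script>$javascript</script>";

        exit;
    } else {
        if ($nSubmit) {
            // Failed attempt: count it.
            $_SESSION["logcishu"] = isset($_SESSION["logcishu"]) ? $_SESSION["logcishu"] + 1 : 1;
            if ($_SESSION["logcishu"] == 1 || !isset($_SESSION["logtime"])) {
                $_SESSION["logtime"] = time();
            }
            $lefttime = time() - $_SESSION["logtime"];
            if ($lefttime >= TIME_FREEZE || $lefttime < 0) {
                // The counting window has lapsed: start a new one at this failure.
                $_SESSION["logcishu"] = 1;
                $_SESSION["logtime"] = time();
            } elseif ($_SESSION["logcishu"] >= 3) {
                // Three or more failures inside the window: set the freeze flag.
                $_SESSION["freeze"] = true;
            }
        }
    }
}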
// Fall-through path (no redirect happened): queue any pending error message
// and render the login form.
// NOTE(review): $strError is only assigned on some earlier paths, so it may be
// undefined here; is_empty() is defined elsewhere.
if (is_empty($strError)) {
    // nothing to report
} else {
    $obj->AddErrMessage($strError);
}

$obj->ShowLogin($fields);
?>

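问题出现在弱口令检测的地方:$forms["login_user"] 取自请求参数,未经任何转义就被拼接进传给 system() 的命令字符串,而且这一步在 $obj->Validate() 校验口令之前执行,因此无需登录即可触达。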

// Excerpt of the vulnerable weak-password check.
// $forms["login_user"] is request data and is concatenated into a shell command
// line. Double quotes keep spaces together but do not stop the shell from
// interpreting metacharacters, so the value is not confined to one argument.
// Mitigation: pass the value through escapeshellarg() (or avoid the shell
// entirely) before building the command.
$weak_str='/usr/sbin/weakpasscheck -checkuser "' .$forms["login_user"]. '"'; //The user name may contain spaces, so it is wrapped in double quotes
// system() runs the string through the shell and stores the exit status in $weak_status.
system($weak_str, $weak_status);
if( $weak_status == 1 ){
	// Second check uses a fixed script path; no request data is involved here.
	$weak_time_str='/usr/sbin/check_weak_date.sh';
	system($weak_time_str, $weak_time_status);
	if( $weak_time_status == 1 ){
		// Both checks returned 1: show the weak-password error and stop.
		$strError = LOGIN_WEAK_PASS;
		$obj->AddErrMessage($strError);	
		$obj->ShowLogin($fields);
		exit;
	}
}

1。好吧,命令执行才是关键