
Vulnerability summary (followers: 24)

Defect ID: wooyun-2014-075265

Title: Watch me take control of 100+ 天融信 (Topsec) security appliances in two hours

Vendor: 天融信 (Topsec)

Author: 大大灰狼

Submitted: 2014-09-06 15:01

Fix date: 2014-10-21 15:02

Public disclosure: 2014-10-21 15:02

Vulnerability type: improper system/service operations configuration

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-09-06: details sent to the vendor, awaiting vendor handling
2014-09-06: vendor confirmed; details visible to the vendor only
2014-09-16: details opened to core white hats and domain experts
2014-09-26: details opened to regular white hats
2014-10-06: details opened to intern white hats
2014-10-21: details opened to the public

Brief description:

Watch me compromise 100 TopSec security appliances in two hours, obtain admin rights and build a botnet out of them. Firewalls, VPN gateways and more are included; the scene is bloody and hard to look at!!!!

Detailed description:

It has been almost five months since "Heartbleed" (CVE-2014-0160, the TLS heartbeat over-read in OpenSSL 1.0.1 through 1.0.1f) was disclosed, and every major security vendor says its appliances have been patched. Have they really?
Plenty of people on WooYun have already submitted Heartbleed findings against individual appliances, but one device at a time does not add up to a serious threat.
Today "灰狼哥" walks you through mass "heartbeat" exploitation of 136 Topsec appliances, obtaining admin rights and building a botnet.
Let's begin: batch Heartbleed exploitation against the 136 Topsec devices.
(1) First, the NGFW4000 (TG-4508-CU) model.
https://183.234.20.148/ (credentials superman:talent)

[screenshot: 1.jpg]

[screenshot: 1.jpg]


Logged in to the device with administrator rights.

[screenshot: 1.jpg]


Next, https://218.91.210.30

[screenshot: 1.jpg]


Then log in to https://61.158.253.204 (credentials superman:talent)

[screenshot: 1.jpg]

[screenshot: 1.jpg]


(2) Next, the NGFW4000 (TG-21109) model.
Again, https://120.199.19.122/ (credentials superman:talent)

[screenshot: 2.jpg]

[screenshot: 1.jpg]


(3) Then the NGFW4000 (TG-11406-VPN) model.
Again, log in to https://211.98.23.200 (credentials superman:talent)

[screenshot: 3.jpg]

[screenshot: 1.jpg]


Using fingerprint characteristics, Topsec devices can be identified and attacked in bulk. The devices below were captured and audited, all found to have Heartbleed, and exploited in batch: log in as administrator, control every device, and build whatever botnet you like.
Test code: you are security people too, you should already have it, so I will not attach it!!!
The captured victim devices, every one of them with Heartbleed, are listed below; for convenient testing I have split them into groups, thoughtful of me, right?!!!
(Editor's count: the text says 136 devices in groups of 15, but as printed the list holds 13 groups of 20, the last with only 2, for 242 entries in all. Note also that the text shows the same superman:talent pair on every device and does not show the heartbeat memory dump from which it was recovered.)

TOPSEC Heartbleed of 1
111.75.254.105, 61.158.253.204, 58.62.173.234, 221.231.122.11, 123.7.84.170, 123.7.85.140, 123.7.84.92, 123.7.87.52, 123.7.84.241, 183.247.178.34, 218.29.12.121, 218.76.215.80, 219.153.48.134, 111.39.44.35, 222.132.86.74, 221.131.86.40, 221.206.167.54, 221.229.114.102, 218.75.151.24, 123.133.65.72
TOPSEC Heartbleed of 2
119.254.231.85, 113.247.235.243, 113.247.235.86, 221.13.140.142, 218.249.32.129, 218.25.29.94, 183.234.20.148, 202.104.33.190, 218.85.77.106, 58.222.181.18, 61.161.205.2, 61.161.206.50, 61.161.205.98, 112.25.139.26, 112.25.138.211, 222.88.103.3, 222.82.91.139, 218.59.233.219, 113.200.76.98, 60.15.183.228
TOPSEC Heartbleed of 3
210.22.19.27, 171.8.148.101, 14.158.211.1, 111.63.16.83, 125.39.137.0, 202.101.149.205, 116.113.93.50, 61.158.186.89, 58.213.122.69, 58.213.126.138, 58.213.122.68, 58.213.123.226, 60.172.12.142, 60.172.12.134, 14.208.55.93, 123.7.84.43, 123.7.82.250, 123.7.83.107, 113.204.80.51, 123.150.47.98
TOPSEC Heartbleed of 4
123.150.47.27, 36.7.150.194, 113.107.155.66, 218.21.40.130, 120.209.81.172, 125.73.131.235, 125.46.96.70, 124.207.168.87, 58.23.113.32, 218.94.34.38, 218.94.39.210, 218.2.112.242, 218.95.73.13, 60.190.165.218, 61.154.118.109, 123.84.202.196, 123.84.202.202, 61.156.218.11, 118.112.181.68, 60.191.133.39
TOPSEC Heartbleed of 5
60.191.133.53, 60.191.133.42, 60.191.133.34, 60.191.133.59, 60.191.133.41, 60.191.133.48, 60.191.133.36, 60.191.133.55, 60.191.133.46, 60.191.133.54, 60.191.133.57, 60.191.133.35, 60.191.133.60, 60.191.133.44, 60.167.63.172, 27.17.62.242, 125.46.31.53, 125.46.30.130, 124.47.25.18, 60.29.145.170
TOPSEC Heartbleed of 6
112.80.18.21, 112.80.18.18, 112.80.18.20, 175.19.140.106, 175.19.140.122, 120.205.198.214, 111.75.204.70, 121.28.76.34, 121.28.74.251, 121.28.74.227, 61.161.205.187, 61.184.93.218, 60.166.23.92, 60.166.23.180, 60.166.23.114, 60.166.23.91, 60.166.23.90, 60.166.23.118, 60.166.23.115, 60.166.23.93
TOPSEC Heartbleed of 7
60.166.23.94, 60.166.23.117, 60.166.23.116, 125.71.30.160, 218.91.212.30, 218.91.214.126, 218.91.210.30, 61.187.187.178, 218.66.50.61, 218.66.50.198, 180.173.161.230, 211.148.172.69, 113.0.128.154, 113.0.128.130, 61.136.184.98, 124.202.195.54, 203.88.36.67, 122.156.220.2, 122.156.218.125, 61.177.143.19
TOPSEC Heartbleed of 8
113.4.133.170, 113.4.132.99, 61.48.138.15, 112.122.11.186, 112.122.9.36, 112.122.9.37, 111.160.178.62, 60.191.133.51, 60.191.133.58, 60.191.133.50, 60.191.133.43, 60.191.133.52, 60.191.133.37, 60.191.133.49, 120.38.62.58, 61.153.76.94, 61.153.73.66, 61.153.73.90, 218.206.210.157, 202.98.60.114
TOPSEC Heartbleed of 9
202.98.60.122, 202.98.60.116, 202.98.60.100, 202.98.60.125, 202.98.60.115, 202.98.60.120, 202.98.60.103, 202.98.60.121, 202.98.60.102, 202.98.60.118, 202.98.60.110, 202.98.60.119, 202.98.60.113, 202.98.60.117, 202.98.60.101, 183.129.186.109, 183.129.186.108, 183.129.186.106, 183.129.186.107, 183.129.186.154
TOPSEC Heartbleed of 10
61.187.94.197, 61.187.94.196, 123.127.76.52, 58.213.116.20, 120.194.66.142, 122.141.66.210, 61.181.72.14, 202.97.177.157, 58.217.107.178, 218.28.130.18, 218.28.130.22, 218.28.130.106, 61.167.37.34, 175.19.208.197, 118.122.33.239, 180.168.181.162, 218.92.37.122, 106.120.136.254, 60.30.27.5, 14.158.215.140
TOPSEC Heartbleed of 11
119.48.73.134, 119.48.73.126, 58.211.51.178, 61.163.127.142, 61.163.127.34, 61.163.124.24, 180.212.94.36, 60.30.162.10, 218.3.136.172, 61.158.111.178, 60.31.185.66, 60.31.190.242, 60.214.69.95, 120.199.19.122, 111.26.192.14, 182.116.61.241, 113.107.52.4, 124.133.48.244, 59.39.58.126, 211.98.23.200
TOPSEC Heartbleed of 12
1.189.195.124, 202.104.147.42, 117.117.117.72, 218.94.23.114, 61.191.126.61, 113.3.56.127, 61.160.91.18, 120.44.125.62, 218.92.10.18, 59.175.173.178, 124.207.56.226, 113.128.206.130, 202.100.111.170, 123.138.180.210, 180.96.16.182, 202.207.177.60, 202.207.177.250, 202.207.176.62, 111.160.7.234, 111.160.0.135
TOPSEC Heartbleed of 13
111.160.2.126, 111.160.7.250


All I ask is a 闪电 (lightning bolt)!!

Proof of vulnerability:

The proof is the same walkthrough and device list given in the detailed description above, which the original page repeats verbatim here: the NGFW4000 TG-4508-CU units at https://183.234.20.148/, https://218.91.210.30 and https://61.158.253.204, the TG-21109 unit at https://120.199.19.122/ and the TG-11406-VPN unit at https://211.98.23.200, each logged into as administrator with superman:talent, followed by the 13 groups of captured addresses and the request for a 闪电.

Fix recommendation:

For a well-known security appliance vendor, failing to patch such a high-severity vulnerability nearly five months after the OpenSSL disclosure deserves attention and reflection.
I will keep watching Topsec's security, and hope you keep getting better.
Concretely: upgrade the appliances' OpenSSL to 1.0.1g or later (or a build compiled with heartbeats disabled), then treat every secret those devices held in memory as compromised: regenerate TLS private keys and certificates, and rotate the administrator credentials on every affected device, since the same superman:talent pair worked on each device shown here. The management interfaces also should not be reachable from the Internet at all; the scan above found them only because they were.

Copyright notice: when reposting, credit the source as 大大灰狼@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-09-06 18:12

Vendor reply:

Thank you for your feedback; we will patch and fix it as soon as possible.

Latest status:

None yet