当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-092415

漏洞标题:光大证券交易系统资金账号可被穷举攻击

相关厂商:光大证券

漏洞作者: 猪猪侠

提交时间:2015-01-17 15:28

修复时间:2015-03-03 15:30

公开时间:2015-03-03 15:30

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-17: 细节已通知厂商并且等待厂商处理中
2015-01-21: 厂商已经确认,细节仅向厂商公开
2015-01-31: 细节向核心白帽子及相关领域专家公开
2015-02-10: 细节向普通白帽子公开
2015-02-20: 细节向实习白帽子公开
2015-03-03: 细节向公众公开

简要描述:

光大证券交易系统资金账号可被穷举攻击,验证码太过简单,被100%识别,误入土豪账号,就可以打压股市了
自从很多系统加入了验证码机制,单个账号尝试5次锁定账号的机制后,越来越多的人觉得系统很安全了,弱口令也越来越不受人待见,但他们却忽略了类似银行、证券的系统,银行卡号,资金账号的ID都是按顺序生成的,验证码这道墙被绕过后,完完全全可以用888888的密码去挨个撞账号嘛。
随着安全对抗的发展,几年前的防御技术好像又过时了,利用(Python Image Library、tesseract-ocr、pytesser)这几个python第三方库,仅二值化,文字分割两个选项就能轻松识别互联网60%以上的验证码。常见验证码的弱点与验证码识别 http://drops.wooyun.org/tips/141

详细说明:

#1 网络投票系统可用交易系统的资金账号登陆
https://116.236.247.174/vote/views/login.html?r=0.6828486339654773

1.png


sc1.png


验证码太过简单,可被100%识别
二值化,阈值100,反色,OCR立马识别

soft1.jpg


https://116.236.247.174/servlet/Image

Image.jpeg


http://www.80vul.com/yzm/v.php?url=http://wimg.zone.ci/upload/201501/17151946732f854ecd3668a574a72e076d7c0a7d.jpeg


8267.jpg


e.ebscn.com 连在线交易系统也直接被识别

login.png


http://www.80vul.com/yzm/v.php?url=https://e.ebscn.com/servlet/Image

ebscn_online.jpg


#2 有密码控件,通过从客户端模拟插件提交,就能自动化攻击了(按键精灵),更重要的是后面的文件泄露漏洞,导致整个服务端算法泄露
在线交易系统的登录过程

POST /servlet/json HTTP/1.1
Host: e.ebscn.com
Content-Length: 401
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://e.ebscn.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://e.ebscn.com/fortune/views/login/login.html?pageCode=c9uqlQ6BD4s+5tn1CfS2ofvHHmtKwYn5OXD/fMt+2ILmROaEyaeL/dpqgC+b7G8NHFpGo7aib7U=
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: CNZZDATA1253545433=1426607054-1421495858-%7C1421495858; JSESSIONID=abcPl8LLMD2KZbN_xW3Ru; user=JqcYG4oOxWE=
Connection: Keep-Alive
funcNo=1001103&fund_account=20431103&trade_pwd=BDE46B39A09835E813E196C2C30E3737B0A63F346A729F2FB99163157901B3B2B5FA249936F999E9C16871C38921182EE89D52028608B00D6ABC2378E77BF78126594BDF4F1D91457686820662D940BD8C2351D79502BC4783C337D6E84C7B83231B0E0C8ADE6A916E5F42295A5DBC7BCEE1D7F3F5C240EFE93DA3A96789A43%257C7cW5peJvDxQ%253D&ticket=gde8&mac=EC-17-2F-77-FF-E2%257C00-50-56-C0-00-01%257C00-50-56-C0-00-08


POST /servlet/json HTTP/1.1
Host: 116.236.247.174
Content-Length: 473
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://116.236.247.174
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://116.236.247.174/vote/views/login.html?r=0.39641681080684066
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=abcCqhi9V75DU4i4xUZRu; ip=192.168.198.1|192.168.68.1|192.168.199.120; mac=EC-17-2F-77-FF-E2|00-50-56-C0-00-01|00-50-56-C0-00-08
Connection: Keep-Alive
funcNo=940001&branch_no=&type=pc&account=20431113&password=31AE0E880987FCBC2A2209B77E2DE3C513FC4B50FEDFC1D923550AE0FBC30425FF1D33363195F1B581813502114B88E01E9D80BBFA5C317C389BC1F295EE4E636441030CD56038133A82C6E182A4DA081C53D5335F9E4FB0DC1F6647D7B8DE1C5AC45BE3648D3666EBC72299C0F065583D36112139B2ACFC80ACD9254BB702C1%257CIyv8VycBegk%253D&verify_code=6768&mac=EC-17-2F-77-FF-E2%257C00-50-56-C0-00-01%257C00-50-56-C0-00-08&ip=192.168.198.1%257C192.168.68.1%257C192.168.199.120


#3 资金账号8位有序生成
account=20441102,遍历账号穷举
#4 风险测评,同样验证码可被识别,可以用账号撞密码

http://www.80vul.com/yzm/v.php?url=https://cust.ebscn.com/ValidateCode.aspx

6281.jpg


custlogin.jpg

漏洞证明:

#4 任意文件可下载(包括服务端的password解密算法、验证码生成算法等等)
由于光大证券网络投票系统服务端配置不当,导致服务端任意文件可读取
https://116.236.247.174/WEB-INF/web.xml

webxml.jpg


登陆验证接口的servlet,验证码的servlet都在,jd-gui一上,就能反向编译成源码了

<servlet-mapping>
<servlet-name>BusService</servlet-name>
<url-pattern>/servlet/json</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>BusService</servlet-name>
<servlet-class>com.thinkive.tbservice.action.TBClientServlet</servlet-class>
<init-param>


<display-name>web</display-name>
<!--  filter definition begin  -->
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<init-param>
<param-name>cors.allowOrigin</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET, POST, HEAD, PUT, DELETE</param-value>
</init-param>
</filter>
<filter>
<filter-name>Encoding</filter-name>
<filter-class>
com.thinkive.web.common.filter.SetCharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<!--  filter-mapping definition begin  -->
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Encoding</filter-name>
<url-pattern>*.htm</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Encoding</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Encoding</filter-name>
<url-pattern>/servlet/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Encoding</filter-name>
<url-pattern>/cgi-bin/*</url-pattern>
</filter-mapping>
<!--  filter-mapping definition end  -->
<!--  listener definition begin  -->
<listener>
<listener-class>
com.thinkive.base.listener.ApplicationLifecycleListener
</listener-class>
</listener>
<!--  listener definition end  -->
<!--  servlet definition begin  -->
<servlet>
<servlet-name>FastServlet</servlet-name>
<servlet-class>com.thinkive.web.base.FastServlet</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet>
<servlet-name>SSIServlet</servlet-name>
<servlet-class>com.thinkive.web.common.servlet.SSIServlet</servlet-class>
<init-param>
<param-name>encoding</param-name>
<param-value>GBK</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet>
<servlet-name>fxckhTicketImg</servlet-name>
<servlet-class>com.thinkive.tbservice.action.BuildImageServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>BusService</servlet-name>
<servlet-class>com.thinkive.tbservice.action.TBClientServlet</servlet-class>
<init-param>
<param-name>isSaveResult</param-name>
<param-value>0</param-value>


# 利用jd-gui反逆java class,还原明文代码,甚至可以重构整个网站
WooYun: 去哪儿任意文件读取(基本可重构该系统原工程)
https://116.236.247.174/WEB-INF/classes/com/thinkive/base/listener/ApplicationLifecycleListener.class

jd_ebscn.jpg


在这个国家,提起股票和钱都很敏感,让人神经脆弱,被尝试了很多次的账号,在移动端可以登录,并没有被锁号

login2.jpg

修复方案:

# 加强验证码算法
# 删除泄露文件

版权声明:转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-01-21 10:09

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给上海分中心,由上海分中心后续协调网站管理单位处置。

最新状态:

暂无