Vulnerability Summary

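Defect ID: wooyun-2014-084474

Title: A flaw in Coolpad phones allows remote location tracking and control of other users' phones

Vendor: yulong.com

Author: 问题来了

Submitted: 2014-11-24 15:33

Fixed: 2015-01-08 15:34

Disclosed: 2015-01-08 15:34

Vulnerability type: Unauthorized access / authentication bypass

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org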


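Vulnerability Details

Disclosure status:

2014-11-24: Details reported to the vendor; awaiting vendor action
2014-11-25: Vendor confirmed; details disclosed to the vendor only
2014-12-05: Details disclosed to core white hats and domain experts
2014-12-15: Details disclosed to regular white hats
2014-12-25: Details disclosed to intern white hats
2015-01-08: Details disclosed to the public

Brief description:

A flaw in Coolpad phones allows remote location tracking and control of other users' phones

Detailed description:

The find-my-phone feature has a horizontal privilege problem: using a deviceID, it is possible to locate another user's phone, send it messages, take photos with it, and use other functions.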

[Image: deviceID2.jpg]
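One way to enforce the ownership check that the find-my-phone lookup lacks, shown beside the flawed pattern, as an added example (not code from the report or the vendor). It assumes the server learns the account from the authenticated session; every name, device ID and coordinate below is constructed.

```python
# Constructed sample data: accounts, device IDs and coordinates are made up.
DEVICE_OWNER = {"dev-A-0001": "alice", "dev-B-0002": "bob"}
LOCATIONS = {
    "dev-A-0001": [{"deviceId": "dev-A-0001", "longitude": "0.0", "latitude": "0.0"}],
    "dev-B-0002": [{"deviceId": "dev-B-0002", "longitude": "1.0", "latitude": "1.0"}],
}
ALLOWED_ACTIONS = {"locate", "message", "photo"}
AUDIT = []  # (account, device_id, action, allowed) for every decision


class Forbidden(Exception):
    """Raised when the session account may not act on the device."""


def locate_vulnerable(session_user, device_id):
    # Flawed pattern from the report: the client-supplied deviceId is the
    # only selector, so any caller can read any device's history.
    return LOCATIONS.get(device_id, [])


def authorize(session_user, device_id, action):
    # Ownership comes from server-side state, never from the request.
    owner = DEVICE_OWNER.get(device_id)
    allowed = action in ALLOWED_ACTIONS and owner is not None and owner == session_user
    AUDIT.append((session_user, device_id, action, allowed))
    if not allowed:
        # Same error for unknown and foreign devices, so replies do not
        # confirm which IDs exist.
        raise Forbidden("device not available to this account")


def locate_hardened(session_user, device_id):
    authorize(session_user, device_id, "locate")
    return LOCATIONS.get(device_id, [])


def enumeration_suspects(audit, threshold=3):
    """Accounts denied on at least `threshold` distinct device IDs."""
    denied = {}
    for user, device_id, _action, allowed in audit:
        if not allowed:
            denied.setdefault(user, set()).add(device_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)
```

The same `authorize()` call would gate the message and photo actions, and the audit trail gives the operations team a signal when one account is probing many device IDs.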

Proof of concept:

Fuzzing a few deviceIDs:


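Remediation:

Copyright notice: when reposting, please credit the source 问题来了@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: Low

Vulnerability Rank: 4

Confirmed: 2014-11-25 14:38

Vendor reply:

This issue is a known vulnerability that was fixed earlier; this is a duplicate submission. Thank you for your interest in Coolpad security.

Latest status:

None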