
Vulnerability summary

Defect ID: wooyun-2015-0126606

Title: China Post Life Insurance's 中邮团团保 (Zhongyou Tuantuanbao) app (iOS), vulnerability bundle (arbitrary login to 60,000 employee accounts)

Vendor: China Post Life Insurance Co., Ltd. (中邮人寿保险股份有限公司)

Author: prolog

Submitted: 2015-07-14 07:12

Fixed: 2015-08-31 11:54

Published: 2015-08-31 11:54

Vulnerability type: design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-14: details sent to the vendor, awaiting vendor handling
2015-07-17: vendor confirmed; details disclosed to the vendor only
2015-07-27: details disclosed to core white hats and experts in the relevant field
2015-08-06: details disclosed to regular white hats
2015-08-16: details disclosed to intern white hats
2015-08-31: details disclosed to the public

Brief description:

China Post Life Insurance's 中邮团团保 (Zhongyou Tuantuanbao) app (iOS), vulnerability bundle (arbitrary login to 60,000 employee accounts)

Detailed description:

Host: slb1.gtintel.cn
1. The SMS verification code is purely decorative: the code is generated on the app side, so any phone number can be registered and the password of any phone number can be reset.

(screenshot: 1111.PNG)


2. Registered users are split into internal and external users, matched by phone number and ID number, but this can be bypassed: the "experience sharing" feature leaks users' phone numbers, exposing internal staff information. Combined with vulnerability 1, internal accounts can be logged into.

(screenshots: IMG_0743.PNG, IMG_0744.PNG, IMG_0745.PNG, IMG_0746.PNG, IMG_0747.PNG, 1114.PNG)




3. Password reset for any account

(screenshot: IMG_0752.PNG)

The password reset flow also relies on an SMS verification code generated by the app.

(screenshot: 1115.PNG)

The password was changed to 123456.

(screenshots: 1116.PNG, IMG_0753.PNG)

This account belongs to an internal employee.

(screenshots: IMG_0756.PNG, IMG_0754.PNG)


4. Broken access control in the work-plan feature: simply change the userId in the request parameters (almost nobody uses this feature, so it is skipped here).

(screenshot: IMG_0749.PNG)


5. Address book leak
Searching for % returns every employee's name and phone number.

(screenshot: IMG_0755.PNG)

By default 20 records are returned per request. By modifying the parameters (the app's signature parameter has no effect and can be ignored), a large amount of data can be returned in a single request. There are 60,000 user records in total, and any of them can be logged into: PageCount":61,"PageIndex":1,"PageSize":1000,"RecordCount":60722

(screenshot: 1117.PNG)


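As an added example (not code from the report, the app or the vendor), the Python below sketches the server-side fixes implied by findings 1, 3 and 5: the SMS code is generated and verified on the server, bound to one phone number and one purpose, expiring and single-use, and the PageSize a client may request is clamped rather than trusted. The store, limits and sample phone numbers are constructed placeholders.

```python
import hmac
import secrets
import time

# Constructed in-memory OTP store: (phone, purpose) -> (code, expiry, attempts_left).
# A real deployment would keep the same fields in a server-side cache such as Redis.
_OTP_STORE = {}
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 5
MAX_PAGE_SIZE = 20  # the default page size the report observed


def issue_otp(phone, purpose, now=None):
    """Generate the code on the server; the client only ever learns it via the SMS channel."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _OTP_STORE[(phone, purpose)] = (code, now + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS)
    return code  # returned only so an SMS gateway (or a test) can deliver it


def verify_otp(phone, purpose, submitted, now=None):
    """Accept a code only if it was issued for this phone and purpose, is unexpired,
    has attempts left, and matches; a successful check consumes it."""
    now = time.time() if now is None else now
    entry = _OTP_STORE.get((phone, purpose))
    if entry is None:
        return False
    code, expiry, attempts = entry
    if now > expiry or attempts <= 0:
        _OTP_STORE.pop((phone, purpose), None)
        return False
    if not hmac.compare_digest(code, str(submitted)):
        _OTP_STORE[(phone, purpose)] = (code, expiry, attempts - 1)
        return False
    _OTP_STORE.pop((phone, purpose), None)  # single use
    return True


def clamp_page_size(requested, default=MAX_PAGE_SIZE):
    """Cap PageSize on the server so a client cannot ask for 1000 records per call."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, MAX_PAGE_SIZE))
```

The `%` wildcard in finding 5 is a separate issue: the search parameter should be escaped or rejected before it reaches a LIKE pattern, and results should be limited to the caller's own group.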


Proof of vulnerability:

...

Fix recommendation:

...

Copyright notice: please credit the source when reposting: prolog@乌云 (WooYun)


Vendor response

Vendor reply:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-07-17 11:52

Vendor comment:

CNVD has confirmed and reproduced the described situation; it has been forwarded through CNCERT to the insurance industry's information-technology supervisory authority, which will coordinate remediation with the website's operating unit.

Latest status:

None yet