当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-075680

漏洞标题:奇虎360核心业务依然存在心脏滴血

相关厂商:奇虎360

漏洞作者: Jannock

提交时间:2014-09-10 16:15

修复时间:2014-10-25 16:16

公开时间:2014-10-25 16:16

漏洞类型:系统/服务补丁不及时

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-09-10: 细节已通知厂商并且等待厂商处理中
2014-09-10: 厂商已经确认,细节仅向厂商公开
2014-09-20: 细节向核心白帽子及相关领域专家公开
2014-09-30: 细节向普通白帽子公开
2014-10-10: 细节向实习白帽子公开
2014-10-25: 细节向公众公开

简要描述:

奇虎360核心业务依然存在心脏滴血,用户登陆接口?不深入。。。

详细说明:

无意间发现
IP:220.181.150.247:443
存在openssl 信息泄露:

220.181.150.247  js.login.360.cn
.@.T /api.php HTTP/1.0..X-QIHOO-IP: 211.138.5.40..X-Forwarded-For: 211.138.5.40..Host: passport.360.cn..Connection: close..Content-Length: 431..Content-Type: application/x-www-form-urlencoded..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)....parad=ARjz%2BzN55d%2FedKS6NzhXizuh1VrfU7%2BbAp11FCdIKCwdx%2B7c7QITti6TlR6Ow%2FPxRydnfvS4eGoRJgvH9PLVymDGvUhC4iYKWIecg8J3%2Fc9VQ9MpqFHLUB2dhibgXh7PD%2B69cOMGjRRuyW95IRuUKYhCHayBTg0ZMW1cHie8XlmtN7NyrhfL989ijLwedB499CzRvqHFAldWD761NbzP61KHuiPC185n9ABWkKRducVXTI0OL8g7QEz5psLBd5bF3HfbI%2FjtVi8lKsYn7CfkAm6oSL28ztnUamhhm8NmxHzM%2FqLf%2Fxa0UgWVL9xadUtFsje9tyCJatllaoNmS%2BxXhdqAXxK9%2F4kNZIBcCMd4sCFFnb4%2BT01WWg&from=mpl_mobileGuard_and^.j.5Q.....<).8.........................d6%2FvrFym1g%2Ftog%2BauNm6QoHkvwdUwUCJI8KbVMzOIx2SGwunzK58MiRD23yleZ10SDknJRhw0hY7uewvMICimCjt76oC%2B6xia7UEjhOzNtdSa2oBKGltBuI2c5emT5V5MA09q8PjW1Nszs0nZLupc28rAF2f0ZnaT6zwbqkteu4SuZSbGEZ2ffxiJRtiphUa5mvGZFwxIsECOf1zesDf6KPMDpx%2BoKVfW267VUoJbH5%2FSUAgPN3ttDegnTL72GRZIsZ1zSjbaxM&from=mpl_zhushouB%.&*...:.Ndv ..........xNzWTehY6hlE7a29LxvMrRm6Ln2VKKwAg&from=mpl_mobileGuard_and+h.e.'.......k...KB.......{./R1...........T/.HlPD[. ..}<.........A......../<......."h..!@Gq....%.y...M%)VJ..)T.....g3p.>S5..w._.R.?3.,wCr...e&.....5l;dkB.~.gg...}.e....X.%z.K...7O..z.M...L...h'{.9;....7W!....}1........B...........-...............SNJT1xyIXfKgVRltbJ%2FgsO6Os8EXSTFclZkJxZ1NMHGTGJSwS9XaRwlNEX5ZzAAvcypyUArvIWIFyKLKlgv5Lp%2BvkY4frlLDMlH8rdPRvEQV8yshevlA&from=mpl_mobileGuard_and..[..,...p?..E..%..<...........!(7.............OT49H) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 UCBrowser/9.9.3.478 U3/0.8.0 Mobile Safari/533.1..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,UC/145,plugin/1,alipay/un..X-UCBrowser-UA: dv(G4LTE03);pr(UCBrowser/9.9.3.478);ov(Android 4.4.2);ss(540*922);bt(UM);pm(1);bv(1);nm(0);im(0);sr(0);nt(0);.......`.+.N...f.Y..5..~.............text/html, image/png, image/jpeg, image/gif, */*;q=0.1..Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7..Accept-Encoding: gzip..Cookie: Q=u%3D%25R1%25S7%25P1%25Q4%25P5%25NR%25P9%25S1%25Q6%25NR%25P5%25NQ%26n%3D%25Q4%25QN%25Q3%25QN%25PP%25RP%25O1%25P8%25O8%25QS%26le%3DZwZ3ZGt2BGHjWGDjpKRhL29g%26m%3DZGtmWGWOWGWOWGWOWGWOWGWOZmp1%26qid%3D293233026%26im%3D220255dq9816%26src%3Dmpc_open_ms_201200641%26t%3D1; T=s%3D8ea3b968163aa93bda596fb1e962c721%26t%3D1407220238%26lm%3D%26lf%3D1%26sk%3Dc8e9811b1ad6b1c48a098ca63ef256d2%26mt%3D1410308431%26rc%3D1%26v%3D2.0%26a%3D1; __guid=59808745.1763000124756271400.1403078126964.7295....A#T~L...,......U......................q. .t..@(;.*5.MV.T....C......L$......sp.d*.....`....X;.y].T..w.b.!,.Pk...[....7.[..y.PS6U!.d2E....F.KsA.n...#..RMC6...=

漏洞证明:

xxx.jpg

修复方案:

你们懂得!

版权声明:转载请注明来源 Jannock@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-09-10 18:37

厂商回复:

感谢Jannock@乌云的及时反馈,此漏洞已得到紧急修复。
出现漏洞的机器属于近期上线的热备机,排查时确认该主机影响范围较小,因此漏洞rank定为10。
对于运维人员未经安全测试违规上线机器的工作失误,我们会严肃调查处理以避免类似情况再次发生。同时也欢迎广大白帽子向360反馈漏洞,谢谢!

最新状态:

暂无