
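Vulnerability Summary

Bug ID: wooyun-2015-0117054

Title: Massive information leak from one of Letv's (乐视网) cloud infrastructure networks

Vendor: Letv (乐视网)

Author: 路人甲

Submitted: 2015-05-30 10:49

Fixed: 2015-07-16 10:26

Disclosed: 2015-07-16 10:26

Vulnerability type: Important sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]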



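Vulnerability Details

Disclosure status:

2015-05-30: Details reported to the vendor; awaiting vendor action
2015-06-01: Vendor confirmed; details disclosed to the vendor only
2015-06-11: Details disclosed to core white hats and experts in related fields
2015-06-21: Details disclosed to regular white hats
2015-07-01: Details disclosed to intern white hats
2015-07-16: Details disclosed to the public

Brief description:

One of Letv's cloud infrastructure networks leaks a massive amount of information. The impact is severe, and security issues need to be taken seriously. Protect Letv TV users' privacy~~ This is terrifying.

Detailed description: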

http://mcache.oss.letv.com/queue/dump?type=1
LETV CDN File Manager System.

[2015-05-29 21:42:14] TaskCount:4094/4319, FieldName:REPLY, Host:115.182.93.91
USER MID FMT FILESIZE S/R B/P HASHKEY ADDTIME CHECK_STATUS RESULT
acloud 0 0 0 0/0 136098/9 146/2 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 148/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 150/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 142/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 142/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 148/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 148/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 146/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 142/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 146/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 146/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 150/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 146/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 146/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 150/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 142/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 150/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 150/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 150/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 146/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 142/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 146/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 142/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 150/1 [0]0/300= 0.00% ..
acloud 0 0 0 0/0 143558/9 150/1 [0]0/300= 0.00% ..



Proof of vulnerability:


http://mcache.oss.letv.com:80/ext/query?key=146/32/68/acloud/136098/mthk-vid001.gk.costoon.com/shipin/video/7/7258d0e7f9d44de49f5d3fe045e044fb.mp4&remote=123.112.86.147&size=1
KEY VALUE
customer acloud
bussid 136098
prop 9
addlevel 2
filename /mthk-vid001.gk.costoon.com/shipin/video/7/7258d0e7f9d44de49f5d3fe045e044fb.mp4
outkey 136098_273f679e383d42f88270df7af32bedde
filemd5 0ac16432925cd781c3ac4070e7db5333
filesize 142219311
sourceurl http://62ef25a1.src.ucloud.com.cn/shipin/video/7/7258d0e7f9d44de49f5d3fe045e044fb.mp4
storepath 146/32/68/acloud/136098/mthk-vid001.gk.costoon.com/shipin/video/7/7258d0e7f9d44de49f5d3fe045e044fb.mp4
action PUSH
status 0
addtime 2015-05-29 21:40:40
reply 1
replytime 2015-05-29 22:00:14
replyok 1
filecopy 114(ctc:40,cnc:41,other:33)
memcachedb 100:145,102:145,104:145,125:7,158:7,191:7,196:7,312:7,318:13,339:22,345:7,346:7,357:7,378:7,383:7,385:7,387:3,392:7,393:7,395:13,396:7,398:7,605:5,722:7,738:7,740:7,743:7,750:7,757:7,773:7,776:7,778:2,786:7,790:7,793:7,794:7,799:7,812:7,815:7,818:7,820:7,823:7,830:7,831:27,834:7,869:7,874:7,886:7,889:7,892:7,893:7,894:7,895:7,902:7,904:7,905:7,906:7,909:7,911:7,912:7,913:7,914:7,917:7,991:7,997:7,999:7,1000:7,1003:7,1004:7,1017:7,1020:7,1021:7,1022:7,1025:27,1029:7,1031:7,1033:7,1034:7,1035:7,1036:27,1039:7,1040:7,1043:7,1047:7,1049:7,1052:7,1053:7,1102:7,1105:7,1106:7,1107:2,1109:7,1113:27,1114:7,1115:7,1120:7,1122:7,1123:7,1124:7,1125:7,1126:7,1127:7,1134:7,1135:7,1136:7,1138:7,1140:3,1142:7,1144:3,1145:7,1146:7,1149:7,1150:7,9968:7
detail 220.181.117.36:Time[2015-05-29 22:00:04],successful download url0:http://62ef25a1.src.ucloud.com.cn/shipin/video/7/7258d0e7f9d44de49f5d3fe045e044fb.mp4,filepath:/letv/fet/146/32/68/acloud/136098/mthk-vid001.gk.costoon.com/shipin/video/7/7258d0e7f9d44de49f5d3fe045e044fb.mp4,size:142219311.

Suggested fix:

You're the experts~

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)
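
A check a defender could run over web-server access logs for the two endpoints shown in this report, flagging requests that came from outside the management network and whether they were answered. This is an added example, not part of the original report or the vendor's code; the combined log format, the internal network ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Paths taken from the report; both returned data to an unauthenticated client.
SENSITIVE_PATHS = ("/queue/dump", "/ext/query")

# Assumption: only these networks may reach the CDN file-manager interface.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

# Assumption: combined log format (client IP first, request line in quotes).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2015:21:42:14 +0800] "GET /queue/dump?type=1 HTTP/1.1" 200 5120',
    '10.20.0.5 - - [29/May/2015:21:43:00 +0800] "GET /queue/dump?type=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [29/May/2015:21:44:10 +0800] "GET /ext/query?key=example&size=1 HTTP/1.1" 403 162',
    '203.0.113.7 - - [29/May/2015:21:45:02 +0800] "GET /index.html HTTP/1.1" 200 812',
]

def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(ip in net for net in INTERNAL_NETS)

def find_external_hits(lines):
    """Return (ip, target, status, exposed) for outside requests to the endpoints.

    exposed is True when the server answered 2xx, i.e. data was actually served.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0].rstrip("/")
        if path not in SENSITIVE_PATHS or is_internal(m.group("ip")):
            continue
        status = int(m.group("status"))
        hits.append((m.group("ip"), m.group("target"), status, 200 <= status < 300))
    return hits

if __name__ == "__main__":
    for hit in find_external_hits(SAMPLE_LOG):
        print(hit)
```

A hit with `exposed` set means the endpoint served its output to an outside address; a hit without it shows the request was made but refused.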


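Vulnerability Response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2015-06-01 10:24

Vendor reply:

Thank you for supporting Letv security :)

Latest status:

None yet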