
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0120222

Title: Tuandai (团贷网) iOS client sensitive information disclosure (requires jailbreak; script attached)

Vendor: tuandai.com

Author: 高小厨

Submitted: 2015-06-13 14:24

Fix time: 2015-06-18 14:26

Published: 2015-06-18 14:26

Type: Sensitive information disclosure

Severity: Medium

Self-assessed Rank: 10

Status: Vendor was notified of the vulnerability but chose to ignore it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-06-13: Details sent to the vendor; awaiting vendor response
2015-06-18: Vendor actively ignored the vulnerability; details disclosed to the public

Summary:

Have you heard of cookies?

Details:

1. Download the Tuandai iOS client.
2. Open the device with iTools and locate the file in which the app stores its cookies (Library/Cookies/Cookies.binarycookies inside the app's sandbox, readable on a jailbroken phone). A persistent session cookie kept on disk this way is effectively as dangerous as a plaintext password: whoever copies the file gets the session.

[screenshot: cookie1.png]


3. Open Cookies.binarycookies with the script below and extract the cookies (name, value, domain, path, expiry and flags).

[screenshot: 2.png]


4. Replay the extracted cookie from another client to perform operations as the victim user (the server accepts the stolen session).

[screenshot: 3.png]

Proof of vulnerability:

Steps 3 and 4 above: Cookies.binarycookies parsed with the script and the cookies extracted (screenshot 2.png), then the cookie replayed to perform operations as the user (screenshot 3.png).


The script used to read iOS BinaryCookies is attached below; reference: www.securitylearn.net (BinaryCookieReader by Satishb3). It is written here in Python 3 form with the indentation restored.

import sys
from struct import unpack
from io import BytesIO
from time import strftime, gmtime

if len(sys.argv) != 2:
    print("\nUsage: python BinaryCookieReader.py [Full path to Cookies.binarycookies file]\n")
    print("Example: python BinaryCookieReader.py C:\\Cookies.binarycookies")
    sys.exit(0)

FilePath = sys.argv[1]
try:
    binary_file = open(FilePath, 'rb')
except IOError:
    print('File Not Found :' + FilePath)
    sys.exit(0)

file_header = binary_file.read(4)  # File magic string: cook
if file_header != b'cook':
    print("Not a Cookies.binarycookie file")
    sys.exit(0)

num_pages = unpack('>i', binary_file.read(4))[0]  # Number of pages in the file: 4 bytes, big-endian
page_sizes = []
for np in range(num_pages):
    page_sizes.append(unpack('>i', binary_file.read(4))[0])  # One 4-byte size per page, big-endian

pages = []
for ps in page_sizes:
    pages.append(binary_file.read(ps))  # Grab each page; every page contains >= one cookie

print("#*************************************************************************#")
print("# BinaryCookieReader: developed by Satishb3: http://www.securitylearn.net #")
print("#*************************************************************************#")


def read_cstring(buf):
    """Read a NUL-terminated string from the current position of a BytesIO."""
    out = b''
    ch = buf.read(1)
    while ch and ch != b'\x00':
        out += ch
        ch = buf.read(1)
    return out.decode('utf-8', 'replace')


for page in pages:
    page = BytesIO(page)  # Wrap the page bytes so we can use read/seek on them
    page.read(4)  # Page header: 4 bytes, always 00 00 01 00
    num_cookies = unpack('<i', page.read(4))[0]  # Number of cookies in this page (little-endian)

    cookie_offsets = []
    for nc in range(num_cookies):
        cookie_offsets.append(unpack('<i', page.read(4))[0])  # Offset of each cookie from the page start
    page.read(4)  # End of page header: always 00 00 00 00

    for offset in cookie_offsets:
        page.seek(offset)  # Move to the cookie start
        cookiesize = unpack('<i', page.read(4))[0]  # Cookie record size (includes these 4 bytes)
        cookie = BytesIO(page.read(cookiesize))  # The rest of the cookie record

        cookie.read(4)  # unknown

        flags = unpack('<i', cookie.read(4))[0]  # Cookie flags: 1=Secure, 4=HttpOnly, 5=Secure+HttpOnly
        if flags == 0:
            cookie_flags = ''
        elif flags == 1:
            cookie_flags = 'Secure'
        elif flags == 4:
            cookie_flags = 'HttpOnly'
        elif flags == 5:
            cookie_flags = 'Secure; HttpOnly'
        else:
            cookie_flags = 'Unknown'

        cookie.read(4)  # unknown

        urloffset = unpack('<i', cookie.read(4))[0]    # Domain offset from the cookie start
        nameoffset = unpack('<i', cookie.read(4))[0]   # Name offset from the cookie start
        pathoffset = unpack('<i', cookie.read(4))[0]   # Path offset from the cookie start
        valueoffset = unpack('<i', cookie.read(4))[0]  # Value offset from the cookie start

        endofcookie = cookie.read(8)  # End-of-cookie marker

        # Dates are Mac absolute time (seconds since 1 Jan 2001); 978307200 is the Unix epoch of 1 Jan 2001
        expiry_date_epoch = unpack('<d', cookie.read(8))[0] + 978307200
        expiry_date = strftime("%a, %d %b %Y ", gmtime(expiry_date_epoch))[:-1]  # [:-1] strips the trailing space

        create_date_epoch = unpack('<d', cookie.read(8))[0] + 978307200  # Cookie creation time
        create_date = strftime("%a, %d %b %Y ", gmtime(create_date_epoch))[:-1]

        # The offsets count from the cookie start, but the 4 size bytes were consumed before the BytesIO
        # was created, hence the -4 on every seek.
        cookie.seek(urloffset - 4)
        url = read_cstring(cookie)
        cookie.seek(nameoffset - 4)
        name = read_cstring(cookie)
        cookie.seek(pathoffset - 4)
        path = read_cstring(cookie)
        cookie.seek(valueoffset - 4)
        value = read_cstring(cookie)

        print('Cookie : ' + name + '=' + value + '; domain=' + url + '; path=' + path
              + '; expires=' + expiry_date + '; ' + cookie_flags)

binary_file.close()
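The following is an added example, not part of the original report or of the securitylearn.net script. It serves steps 2-4 above and the attached reader: it builds a Cookies.binarycookies image in memory from a constructed sample (the domain, cookie names and values are invented, not taken from the real app), parses it back with a compact Python 3 reader, and then triages the result the way an attacker holding the file would: which cookies are long-lived bearer credentials, and which lack the Secure/HttpOnly flags. The 56-byte cookie header layout and the bitmask reading of the flags (Secure=1, HttpOnly=4, so 5 is both) follow the comments in the attached script; the 30-day "persists too long" threshold is an assumption for this example, not a standard.

```python
import struct
import sys
import time

MAC_EPOCH = 978307200            # Unix time of 2001-01-01, the origin of Mac absolute time
PAGE_HEADER = b'\x00\x00\x01\x00'
COOKIE_HEADER_LEN = 56           # size(4) unk(4) flags(4) unk(4) 4 offsets(16) end(8) expiry(8) created(8)
FLAG_SECURE, FLAG_HTTPONLY = 1, 4


def build_cookie(domain, name, path, value, flags, expires, created):
    """Serialise one cookie record. Dates are Unix seconds, stored as Mac absolute time doubles."""
    strings = [s.encode('utf-8') + b'\x00' for s in (domain, name, path, value)]
    offsets, pos = [], COOKIE_HEADER_LEN
    for s in strings:                       # string offsets are relative to the cookie start
        offsets.append(pos)
        pos += len(s)
    rec = struct.pack('<i', pos)            # total record size, including these 4 bytes
    rec += b'\x00' * 4 + struct.pack('<i', flags) + b'\x00' * 4
    rec += struct.pack('<4i', *offsets) + b'\x00' * 8
    rec += struct.pack('<dd', expires - MAC_EPOCH, created - MAC_EPOCH)
    return rec + b''.join(strings)


def build_file(cookies):
    """Wrap cookie records in one page and a 'cook' file header (sizes big-endian, page fields little-endian)."""
    header_len = 4 + 4 + 4 * len(cookies) + 4        # page header, count, offsets, terminator
    offsets, pos = [], header_len
    for c in cookies:                                # cookie offsets are relative to the page start
        offsets.append(pos)
        pos += len(c)
    page = PAGE_HEADER + struct.pack('<i', len(cookies))
    page += struct.pack('<%di' % len(cookies), *offsets) + b'\x00' * 4 + b''.join(cookies)
    return b'cook' + struct.pack('>i', 1) + struct.pack('>i', len(page)) + page


def _cstring(buf, off):
    return buf[off:buf.index(b'\x00', off)].decode('utf-8', 'replace')


def parse_cookie(rec):
    _size, _, flags, _, d_off, n_off, p_off, v_off = struct.unpack('<8i', rec[:32])
    expires_mac, created_mac = struct.unpack('<dd', rec[40:56])
    return {
        'domain': _cstring(rec, d_off), 'name': _cstring(rec, n_off),
        'path': _cstring(rec, p_off), 'value': _cstring(rec, v_off),
        'secure': bool(flags & FLAG_SECURE), 'httponly': bool(flags & FLAG_HTTPONLY),
        'expires': expires_mac + MAC_EPOCH, 'created': created_mac + MAC_EPOCH,
    }


def parse_binarycookies(data):
    if data[:4] != b'cook':
        raise ValueError('not a Cookies.binarycookies file')
    (num_pages,) = struct.unpack('>i', data[4:8])
    sizes = struct.unpack('>%di' % num_pages, data[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        page, pos = data[pos:pos + size], pos + size
        if page[:4] != PAGE_HEADER:
            raise ValueError('bad page header')
        (n,) = struct.unpack('<i', page[4:8])
        for off in struct.unpack('<%di' % n, page[8:8 + 4 * n]):
            (rec_size,) = struct.unpack('<i', page[off:off + 4])
            cookies.append(parse_cookie(page[off:off + rec_size]))
    return cookies


def triage(cookies, now, max_age_days=30):
    """Flag cookies an attacker holding the file could replay: long-lived, or missing Secure/HttpOnly.
    max_age_days is an assumed threshold for this example, not a standard."""
    findings = []
    for c in cookies:
        issues = []
        if not c['secure']:
            issues.append('no Secure flag')
        if not c['httponly']:
            issues.append('no HttpOnly flag')
        if c['expires'] - now > max_age_days * 86400:
            issues.append('persists %d days' % ((c['expires'] - now) // 86400))
        if issues:
            findings.append((c['name'], issues))
    return findings


def sample_file():
    """Constructed sample: invented domain, names and values, not taken from the real app."""
    now = 1434175200                                        # 2015-06-13 06:00 UTC
    session = build_cookie('.example.com', 'SESSIONID', '/', 'deadbeef0123', 0, now + 365 * 86400, now)
    pref = build_cookie('.example.com', 'lang', '/', 'zh-CN', FLAG_SECURE | FLAG_HTTPONLY, now + 7 * 86400, now)
    return build_file([session, pref]), now


if __name__ == '__main__':
    if len(sys.argv) == 2:                                  # a real file pulled from a device
        data, now = open(sys.argv[1], 'rb').read(), time.time()
    else:
        data, now = sample_file()
    for name, issues in triage(parse_binarycookies(data), now):
        print('%s: %s' % (name, ', '.join(issues)))
```

Run without arguments to see the constructed sample triaged (only SESSIONID is flagged: a year-long session cookie with neither flag set); pass the path of a Cookies.binarycookies pulled from a device to triage a real store. Building the file as well as parsing it is what makes the offsets concrete: every string offset is counted from the start of its cookie record, every cookie offset from the start of its page, and only the file-level counts and sizes are big-endian.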

Fix suggestion:

Clear the session cookies (the NSHTTPCookieStorage contents that back Cookies.binarycookies) when the iOS app exits or is sent to the background; a session cookie that stays on disk is very dangerous on a jailbroken phone. Clearing the local copy does not help once the file has already been copied, so the server should also expire or invalidate the session token instead of accepting it indefinitely.

Copyright: please credit 高小厨@乌云 when reposting


Vendor response

Vendor response:

Severity: No impact; vendor ignored

Ignored at: 2015-06-18 14:26

Vendor reply:

Vulnerability Rank: 8 (WooYun rating)

Latest status:

None