漏洞描述

存在/AJAX/ajaxget接口可以非授權(quán)訪問，通過ajaxmsg搭配上功能函數(shù)可以調(diào)用讀取一些敏感信息，通過對(duì)信息泄露進(jìn)行深入檢查，發(fā)現(xiàn)可以泄露管理數(shù)據(jù)登入后臺(tái)，可以實(shí)現(xiàn)RCE

（存在前提條件==需要管理員賬號(hào)密碼和wifi密碼一致，該情況為默認(rèn)情況）

版本：

<=MagicR100V100R005?

<=MagciR100V200R00

漏洞分析與復(fù)現(xiàn)

一、固件獲取和解包

雖然我有物理機(jī)，但是我還是從官網(wǎng)下的更新固件包，https://download.h3c.com.cn/download.do?id=3342938

通過binwalk R100V100R100進(jìn)行解包,發(fā)現(xiàn)可以直接查看到內(nèi)容，

ZHEFOX@ZHEFOX-MacOS:~/Desktop$?binwalk?R100V100R005.bin?

DECIMAL???????HEXADECIMAL?????DESCRIPTION
--------------------------------------------------------------------------------
33280?????????0x8200??????????LZMA?compressed?data,?properties:?0x5D,?dictionary?size:?8388608?bytes,?uncompressed?size:?4145728?bytes
1245184???????0x130000????????Squashfs?filesystem,?little?endian,?version?4.0,?compression:lzma,?size:?2269691?bytes,?534?inodes,?blocksize:?131072?bytes,?created:?2018-01-17?03:54:08

使用binwalk -eM R100V100R100進(jìn)行提取

ZHEFOX@ZHEFOX-MacOS:~/Desktop$?binwalk?-eM?R100V100R005.bin?

Scan?Time:?????2022-03-31?19:12:49
Target?File:???/home/ZHEFOX/Desktop/R100V100R005.bin
MD5?Checksum:??42ec9ec3de32216ae2d93ad1ff3a208b
Signatures:????411

DECIMAL???????HEXADECIMAL?????DESCRIPTION
--------------------------------------------------------------------------------
33280?????????0x8200??????????LZMA?compressed?data,?properties:?0x5D,?dictionary?size:?8388608?bytes,?uncompressed?size:?4145728?bytes

WARNING:?Symlink?points?outside?of?the?extraction?directory:?/home/ZHEFOX/Desktop/_R100V100R005.bin.extracted/squashfs-root/web?->?/var/web;?changing?link?target?to?/dev/null?for?security?purposes.

WARNING:?Symlink?points?outside?of?the?extraction?directory:?/home/ZHEFOX/Desktop/_R100V100R005.bin.extracted/squashfs-root/dev/log?->?/var/tmp/log;?changing?link?target?to?/dev/null?for?security?purposes.
1245184???????0x130000????????Squashfs?filesystem,?little?endian,?version?4.0,?compression:lzma,?size:?2269691?bytes,?534?inodes,?blocksize:?131072?bytes,?created:?2018-01-17?03:54:08


Scan?Time:?????2022-03-31?19:12:51
Target?File:???/home/ZHEFOX/Desktop/_R100V100R005.bin.extracted/8200
MD5?Checksum:??4b2d56fb09ee2c3feafac6513c01f7c6
Signatures:????411

DECIMAL???????HEXADECIMAL?????DESCRIPTION
--------------------------------------------------------------------------------
0?????????????0x0?????????????uImage?header,?header?size:?64?bytes,?header?CRC:?0xFB26C18E,?created:?2018-01-17?03:51:29,?image?size:?4145664?bytes,?Data?Address:?0x80001000,?Entry?Point:?0x800044B0,?data?CRC:?0x9E4BD9D4,?OS:?Linux,?CPU:?MIPS,?image?type:?OS?Kernel?Image,?compression?type:?none,?image?name:?"Linux?Kernel?Image"
3194976???????0x30C060????????Linux?kernel?version?2.6.30
3260544???????0x31C080????????CRC32?polynomial?table,?little?endian
3274176???????0x31F5C0????????SHA256?hash?constants,?big?endian
3281920???????0x321400????????CRC32?polynomial?table,?big?endian
3475335???????0x350787????????Neighborly?text,?"neighbor?%.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x?lost?on?port?%d(%s)(%s)"
3477803???????0x35112B????????HTML?document?header
3477966???????0x3511CE????????HTML?document?footer
3666048???????0x37F080????????AES?S-Box
3974025???????0x3CA389????????Microsoft?executable,?MS-DOS
4145216???????0x3F4040????????ASCII?cpio?archive?(SVR4?with?no?CRC),?file?name:?"/dev",?file?name?length:?"0x00000005",?file?size:?"0x00000000"
4145332???????0x3F40B4????????ASCII?cpio?archive?(SVR4?with?no?CRC),?file?name:?"/dev/console",?file?name?length:?"0x0000000D",?file?size:?"0x00000000"
4145456???????0x3F4130????????ASCII?cpio?archive?(SVR4?with?no?CRC),?file?name:?"/root",?file?name?length:?"0x00000006",?file?size:?"0x00000000"
4145572???????0x3F41A4????????ASCII?cpio?archive?(SVR4?with?no?CRC),?file?name:?"TRAILER!!!",?file?name?length:?"0x0000000B",?file?size:?"0x00000000"

成功提取后，進(jìn)入發(fā)現(xiàn)是squashfs架構(gòu)，在squashfs-root發(fā)現(xiàn)了www目錄，跟進(jìn)發(fā)現(xiàn)是一個(gè)asp網(wǎng)站

二、漏洞實(shí)現(xiàn)和分析

曾經(jīng)在攻擊該接口時(shí)，因?yàn)闊o法改參數(shù)無法實(shí)現(xiàn)RCE，但是我還在思考到會(huì)不會(huì)這個(gè)接口可以有別利用前途呢，我將服務(wù)器的http的binary丟入IDA進(jìn)行分析查閱。

 366: function AjaxGetWan1State()
  367  {
  368      XMLHttpReqtmp = createXMLHttpRequest();
  369      if (XMLHttpReqtmp)
  370      {
  371:         var url = "AJAX/ajaxget";
  372          var msg="ajaxmsg=aspGetGroup(Wan1BasicState)";
  373          XMLHttpReqtmp.open("POST", url, true);
  ...
  385      	 { // D??￠ò??-3é1|·μ??￡??aê?′|àíD??￠
  386          	XMLHttpReq=null;
  387:         	setTimeout("AjaxGetWan1State();",2000);
  388           }
  389           else 
  ...
  399      if (XMLHttpReq)
  400      {
  401:         var url = "AJAX/ajaxget";
  402          var msg="ajaxmsg=aspGetGroup(Wan1Ping)";
  403          XMLHttpReq.open("POST", url+"?IsVersionCheck=1", true);

通過已知的可利用接口在IDA直接搜索字符串，并追蹤。

交叉引用繼續(xù)跟進(jìn)，

發(fā)現(xiàn)存在很多的接口，這些都是可以調(diào)用的函數(shù)方法，可以通過此處打印出一些信息，初步嘗試打印出了系統(tǒng)的日志文件。

在觀察和不斷讀取泄露信息時(shí)，通過字符串去尋找可能存在的可泄露的賬號(hào)密碼數(shù)據(jù)

通過對(duì)ssid admin 等關(guān)鍵詞 進(jìn)行查找，發(fā)現(xiàn)了一個(gè)位置泄露了主人和訪客路由器的密碼

在下面的位置我們可以看到管理員和訪客路由器的賬號(hào)密碼，連接設(shè)備等信息，再訪問下圖接口，可以查看網(wǎng)站管理密碼是否和wifi密碼一致，如果和wifi密碼一樣就是1

POC：

—————————————————————————————————???獲取管理員賬號(hào)密碼???———————————————————————————————————
POST?/AJAX/ajaxget?HTTP/1.1
Host:?192.168.124.1
User-Agent:?Mozilla/5.0?(Windows?NT?10.0;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/99.0.4844.74?Safari/537.36?Edg/99.0.1150.55
Accept:?text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language:?zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding:?gzip,?deflate
Content-Type:?application/x-www-form-urlencoded
Content-Length:?78430
Origin:?http://192.168.124.1
Connection:?close
Referer:?http://192.168.124.1/AJAX/ajaxget
Upgrade-Insecure-Requests:?1
Pragma:?no-cache
Cache-Control:?no-cache

ajaxmsg=#####此處因?yàn)樯婕罢鏅C(jī)，暫時(shí)不公開exp######

拿到了密碼，我們就可以去訪問系統(tǒng)的管理界面，

先把討厭的防御關(guān)了，發(fā)現(xiàn)該機(jī)器存在telnet，

同時(shí)發(fā)現(xiàn)存在http://192.168.124.1/debug.asp 這個(gè)調(diào)試網(wǎng)頁

補(bǔ)充說明：

通過之前提交的兩個(gè)CNVD-2022-33422和CNVD-2022-33848，我們知道存在一處非授權(quán)訪問接口，同時(shí)該路由器支持，通過訪問 http://192.168.124.1/debug.asp 和H3C Magic R100 系統(tǒng)管理http://192.168.124.1/home.asp的遠(yuǎn)程管理，可以開啟telnet，通過非授權(quán)訪問接口獲取的管理員密碼就可以進(jìn)行telnet訪問進(jìn)行RCE。

—————————————————————————————————???獲取管理員賬號(hào)密碼???———————————————————————————————————
POST?/AJAX/ajaxget?HTTP/1.1
Host:?192.168.124.1
User-Agent:?Mozilla/5.0?(Windows?NT?10.0;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/99.0.4844.74?Safari/537.36?Edg/99.0.1150.55
Accept:?text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language:?zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding:?gzip,?deflate
Content-Type:?application/x-www-form-urlencoded
Content-Length:?
Origin:?http://192.168.124.1
Connection:?close
Referer:?http://192.168.124.1/AJAX/ajaxget
Upgrade-Insecure-Requests:?1
Pragma:?no-cache
Cache-Control:?no-cache

ajaxmsg=#####此處因?yàn)樯婕罢鏅C(jī)，暫時(shí)不公開exp######

可以通過

—————————————————————————————————???獲取管理員賬號(hào)密碼???———————————————————————————————————
POST?/AJAX/ajaxget?HTTP/1.1
Host:?192.168.124.1
User-Agent:?Mozilla/5.0?(Windows?NT?10.0;?Win64;?x64)?AppleWebKit/537.36?(KHTML,?like?Gecko)?Chrome/99.0.4844.74?Safari/537.36?Edg/99.0.1150.55
Accept:?text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language:?zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding:?gzip,?deflate
Content-Type:?application/x-www-form-urlencoded
Content-Length:?
Origin:?http://192.168.124.1
Connection:?close
Referer:?http://192.168.124.1/AJAX/ajaxget
Upgrade-Insecure-Requests:?1
Pragma:?no-cache
Cache-Control:?no-cache

ajaxmsg=#####此處因?yàn)樯婕罢鏅C(jī)，暫時(shí)不公開exp######

如果返回值為1，則管理員賬號(hào)和wifi密碼一致，所以該方法有個(gè)限制前提，需要管理密碼要和wifi密碼相同(默認(rèn)是adminwifi的密碼)

下圖是telnet連接成功的截圖，