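Youku Website Covert Redirect Web Security Vulnerability Based on Baidu (Baidu.com)
(1) Domain:
youku.com
"Youku is a leading video-sharing website in China, founded by Gu Yongqiang (古永锵) on June 21, 2006. With the product philosophy 'the fast one is king', Youku focuses on user experience and keeps improving its service strategy. Its distinctive product features of 'fast playback, fast publishing, fast search' fully meet users' growing demand for diverse interaction, making it a leading force among Chinese video websites. Youku has become a gathering place for internet video makers. On December 8, 2010 (US Eastern Time), Youku was successfully listed on the New York Stock Exchange. On April 28, 2014, Youku Tudou Group announced a strategic investment and partnership with Alibaba Group. In 2014, Youku officially announced that its multi-screen daily video views (VV) had exceeded 600 million; as of June 2014, the number of online video users in China had reached 439 million." (Baidu Baike)
(2) Vulnerability Description:
The Youku website has a computer security problem: hackers can carry out Covert Redirect attacks against it.
This vulnerability does not require the user to be logged in. Tests were performed on IE (10.0.9200.16750) on Microsoft Windows 8; Mozilla Firefox (34.0) and Google Chromium 39.0.2171.65-0 on Ubuntu (14.04); and Safari 6.16 on Apple OS X Lion 10.7.
The vulnerability is located at the "click.php?" page, in the "&url" parameter, e.g.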
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.163.com
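However, these whitelisted domains may themselves have URL redirection vulnerabilities. As a result, a Youku user does not realize that he will first be redirected from Youku to a vulnerable page, and then from that page to a malicious page. This is the same as being redirected from Youku directly to the malicious page.
Below is one vulnerable domain:
baidu.com
(2.2) One web page was used for the tests. The page is "http://aibiyi.lofter.com/". It can be assumed to be malicious.
Vulnerable Youku URL related to baidu.com: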
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com
POC:
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.tetraph.com/chinese.html
POC video:
https://www.youtube.com/watch?v=m7_NSa9CJ2A
Blog details:
http://tetraph.blogspot.com/2014/05/youku-covert-redirect-based-on-baiducom.html
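(3) What is Covert Redirect?
Covert Redirect is a computer network security vulnerability. It was published in May 2014. Its cause is that a web application does not sufficiently filter redirects to its partners. The vulnerability often makes use of Open Redirect or Cross-site Scripting (XSS) problems in third-party websites (including partner websites).
Covert Redirect also affects single sign-on. What was first published was its impact on two commonly used login mechanisms, OAuth 2.0 and OpenID. Hackers can use genuine websites for phishing and thereby steal users' sensitive information. Almost all websites that provide OAuth 2.0 and OpenID services are affected. Covert Redirect can also be used together with Cross-site Request Forgery (CSRF). Its scipID is 13185; OSVDB ID is 106567; Bugtraq ID is 67196; X-Force ID is 93031.
Related articles: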
http://tetraph.com/security/covert-redirect/youku
http://ittechnology.lofter.com/post/1cfbf60d_7063549
http://securityrelated.blogspot.com/2014/10/youkucovertredirectbaiducom.html
https://tetraph.wordpress.com/2014/10/15/youku
http://webcabinet.tumblr.com/post/119496186352/securitypost#notes
https://mathfas.wordpress.com/2014/10/15/youku
https://twitter.com/essayjeans/status/558977106223190016
http://www.inzeed.com/kaleidoscope/covert-redirect/youku
http://tetraph.blog.163.com/blog/static/234603051201445102713900/
http://computerobsess.blogspot.com/2014/10/youkucovertredirectbaiducom.html
http://diebiyi.com/articles/security/covert-redirect/youku_bug
==========
Youku Online Website Covert Redirect Web Security Bugs Based on Baidu.com
(1) Domain:
Youku.com
"Youku Inc., formerly Youku.com Inc., doing business as Youku (simplified Chinese: 优酷; traditional Chinese: 優酷; pinyin: yōukù; literally: "excellent (and) cool"), is a video hosting service based in China. Youku has its headquarters on the fifth floor of Sinosteel Plaza (S: 中钢国际广场, T: 中鋼國際廣場, P: Zhōnggāng Guójì Guǎngchǎng) in Haidian District, Beijing. On March 12, 2012, Youku reached an agreement to acquire Tudou in a stock-for-stock transaction, the new entity being named Youku Tudou Inc. It has more than 500 million active users." (Wikipedia)
(2) Vulnerability Description:
The Youku web application has a computer security problem. Hackers can exploit it through Covert Redirect attacks.
The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) on Windows 8, Mozilla Firefox (34.0) and Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) on Ubuntu (14.04), and Apple Safari 6.1.6 on Mac OS X Lion 10.7.
The programming flaw occurs at the "click.php?" page, in the "&url" parameter, i.e.
(2.1) When a user is redirected from Youku to another site, Youku checks whether the redirect URL belongs to a domain on its whitelist, e.g.
baidu.com
If this is true, the redirection is allowed.
However, if URLs in a whitelisted domain have open URL redirection vulnerabilities themselves, a user could be redirected from Youku to a vulnerable URL in that domain first, and then be redirected from this vulnerable site to a malicious site. This is as if the user were redirected from Youku directly.
One of the vulnerable domains is:
baidu.com
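The whitelist weakness described in (2.1), shown from the defender's side as an added example (not code from Youku or from the original advisory): a domain-only check accepts the page's own sample link, while a stricter check also inspects the target's query string for a nested URL that leaves the allowlist. The function names and the `ALLOWED_DOMAINS` set are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs, parse_qsl

ALLOWED_DOMAINS = {"baidu.com"}  # assumed allowlist; the page names baidu.com

# Example request URL taken from this page (inner target is 163.com).
PAGE_EXAMPLE = ("http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807"
                "&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.163.com")

def host_allowed(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def url_param(request_url):
    """Return the decoded `url` query parameter of a click.php-style request."""
    return parse_qs(urlsplit(request_url).query)["url"][0]

def weak_check(target):
    """Domain-only check as described on the page: is the host whitelisted?"""
    return host_allowed(urlsplit(target).hostname)

def nested_urls(target):
    """Yield absolute or scheme-relative URLs carried in the target's query."""
    for _, value in parse_qsl(urlsplit(target).query):
        if urlsplit(value).scheme in ("http", "https") or value.startswith("//"):
            yield value

def strict_check(target):
    """Allowlisted host AND no query value that points off the allowlist."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not host_allowed(parts.hostname):
        return False, "target host not allowlisted"
    for inner in nested_urls(target):
        inner_host = urlsplit(inner).hostname
        if not host_allowed(inner_host):
            return False, "nested redirect to " + str(inner_host)
    return True, "ok"

if __name__ == "__main__":
    target = url_param(PAGE_EXAMPLE)
    print(target, weak_check(target), strict_check(target))
```

Scanning for nested URLs is a heuristic that catches the chained-redirect pattern shown on this page; a redirector that maps server-side identifiers to fixed destination URLs avoids trusting a user-supplied target at all.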
(2.2) One webpage was used for the following tests. The webpage address is "http://www.inzeed.com/kaleidoscope". Suppose that this webpage is malicious.
Vulnerable URL:
POC:
POC video:
https://www.youtube.com/watch?v=m7_NSa9CJ2A
Blog Detail:
http://tetraph.blogspot.com/2014/05/youku-covert-redirect-based-on-baiducom.html
(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It occurs when an application takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.
Covert Redirect is also related to single sign-on. It is known for its influence on OAuth and OpenID. Hackers may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it was recorded in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while its OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.
Discoverer and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)