Cloudflare致命bug,可盗取网站密码!

2017-2-24 网络

因为在下英文也不怎么好,看起来也非常吃力,这个大家一起理解吧

总的来说就是一位网友分析自己网站数据的时候发现了这个bug

That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare - a major cdn service.


而从这个bug中,可以抓取到网站的密码等等,甚至ssl加密也是可以被抓取的


不过幸好的是,cf公司已经停掉了相关的服务,处理速度还是不错的,而这个bug是在四天前2017-2-20,现在cf公司还没有什么明文说明解决。


原文

(It took every ounce of strength not to call this issue "cloudbleed")


Corpus distillation is a procedure we use to optimize the fuzzing we do by analyzing publicly available datasets. We've spoken a bit about this publicly in the past, for example:


https://security.googleblog.com/2011/08/fuzzing-at-scale.html

http://taviso.decsystem.org/making_software_dumber.pdf#page=11


On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn't match what I had been expecting. It's not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data...but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.


It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data. The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare - a major cdn service.


A while later, we figured out how to reproduce the problem. It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.


We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.


This situation was unusual, PII was actively being downloaded by crawlers and users during normal usage, they just didn't understand what they were seeing. Seconds mattered here, emails to support on a friday evening were not going to cut it. I don't have any cloudflare contacts, so reached out for an urgent contact on twitter, and quickly reached the right people.


https://twitter.com/taviso/status/832744397800214528


After I explained the situation, cloudflare quickly reproduced the problem, told me they had convened an incident and had an initial mitigation in place within an hour.


"You definitely got the right people. We have killed the affected services"



This bug is subject to a 90 day disclosure deadline. After 90 days elapse

or a patch has been made broadly available, the bug report will become

visible to the public.


发表评论:

  • 4
  • 6
  • 1
  • 2

© CNM.EE SiteMap
基于Emlog | 邮箱:63469#163.com | mark