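Source: https://www.nodeseek.com/post-651897-1
Another heavyweight after the Feiniu OS (肥牛OS) arbitrary-access incident. Now we'll see whether 360 dangerously lets this subdomain be used for black-market sites, or waits for Google, Microsoft and Apple to blacklist the 360.cn root certificate xhj007
Domestic vendors will always chase the trend and always grab the money, but security audits simply do not exist
Source 2: https://www.reddit.com/r/China_irl/comments/1rv5b94/
Zhou Hongyi, chairman of 360, who has a long record of privacy and security incidents and has in recent years styled himself a guardian of national security, recently said that "lobster" (龙虾) is the major direction of the future, but that because of the associated risks he would build his own secure, one-click-install domestic lobster.
Earlier today, an anonymous user on L站 (the Leak forum) disclosed that the private key of the security certificate of 360 安全龙虾 (360 Secure Lobster) has leaked. It concerns CN=*.myclaw.360.cn and is located at /path/to/namiclaw/components/Openclaw/openclaw.7z/credentials
The cause of the leak was a basic mistake: the private key was accidentally packaged into an App component:
/path/to/namiclaw/components/Openclaw/openclaw.7z/credentials
This 7z is an internal component of 360Claw, distributed publicly with the software package; this was not a hacker attack.
Overall risk level: High
Anyone can use this private key plus the certificate to impersonate the server and carry out man-in-the-middle attacks on HTTPS/WebSocket and other connections between the App and *.myclaw.360.cn, decrypting/tampering with traffic; users' chat logs, file transfers, user accounts, synced data and so on can all be stolen.
The certificate private key has already spread widely on X (formerly Twitter) and Telegram; you can search for it yourself.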
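A release-gate check for the failure described above (a private key packed inside an archive that ships with the app), as an added example that is not part of the quoted posts or of any 360 code. The file names, the placeholder PEM bodies and the helper names are constructed for illustration. It goes one step beyond the post by opening nested zip files and by reporting archives it cannot open (such as .7z) instead of treating them as clean.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# PEM headers of PKCS#8 (plain or encrypted), RSA, EC and OpenSSH private keys.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Containers this stdlib-only scanner cannot open. They are reported, never skipped silently.
OPAQUE_SUFFIXES = {".7z", ".rar", ".cab"}

def scan_bytes(name, data, findings, unscanned):
    """Scan one file; recurse into zip containers, record archives that cannot be opened."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    scan_bytes(f"{name}!{info.filename}", zf.read(info), findings, unscanned)
    elif Path(name).suffix.lower() in OPAQUE_SUFFIXES:
        unscanned.append(name)
    elif PRIVATE_KEY_RE.search(data):
        findings.append(name)

def scan_release(root):
    """Return (files containing a private key, archives that still need extracting)."""
    findings, unscanned = [], []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            scan_bytes(rel, path.read_bytes(), findings, unscanned)
    return findings, unscanned

def run_demo():
    """Build a constructed release tree (placeholder PEM bodies, no real key) and scan it."""
    fake_key = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    fake_cert = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        comp = Path(tmp, "components")
        comp.mkdir()
        (comp / "server.crt").write_bytes(fake_cert)  # public certificate: not a finding
        (comp / "component.7z").write_bytes(b"7z\xbc\xaf\x27\x1c")  # opaque container
        with zipfile.ZipFile(comp / "bundle.zip", "w") as zf:  # key hidden one level down
            zf.writestr("credentials/server.key", fake_key)
        return scan_release(tmp)

if __name__ == "__main__":
    found, todo = run_demo()
    print("private keys:", found)
    print("unscanned archives:", todo)
```

A build should fail on any entry in either list: a finding is a key about to ship, and an unscanned archive has to be extracted and scanned before the package can be called clean.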
Source 3: https://x.com/realNyarime/status/2033428417488757122
360Claw's SSL certificate has leaked
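Personal comment:
This damn site finally has some content worth reading.
So Chairman Xi's "new quality productive forces" can still count on you lot, huh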
