1. 执行摘要

85 / 100

严重

高危

中危

低危/信息

2. 测试范围与方法

项目	详情
固件版本	4.0.24 x64 Build202601131850
样本文件	`iKuai8_x64_4.0.24_Build202601131850.bin`
MD5	`4fa9b7183ae1cc505295dc4ef5f5afbf`
SHA-256	`1bee8284ee70f633b8b88bd6bbbfc7a366f9b01f1700dac83b35171fa8b9fb63`
文件大小	41.7MB
扫描时间	2026-04-22
工具	Nyarc v1.1.0

3. 发现总览

#	级别	CVSS	发现
1	MEDIUM	5.3	User 'root' uses MD5crypt weak hash
2	MEDIUM	5.3	User 'sshd' uses MD5crypt weak hash
3	CRITICAL	6.9	密码已破解：用户 'root'
4	CRITICAL	9.1	云控客户端: 私钥与证书泄露
5	CRITICAL	6.1	控制客户端（备用）: 私钥与证书泄露
6	CRITICAL	9.1	内嵌 CA: 私钥与证书泄露
7	CRITICAL	9.1	内嵌 CA: 私钥与证书泄露
8	CRITICAL	9.1	内嵌 CA: 私钥与证书泄露
9	CRITICAL	9.1	Web 服务器: 私钥与证书泄露
10	HIGH	7.5	远程控制配置文件暴露
11	CRITICAL	7.5	OpenSSL 1.0.0 — 已停止维护

4. 详细发现

1. User 'root' uses MD5crypt weak hashMEDIUM (CVSS 5.3)

描述

MD5crypt ($1$) is a weak algorithm, recommend migration to SHA-512 ($6$)

证据

/etc/shadow: root:$1$9.EU8ItY$z4EfK4vQ...

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

2. User 'sshd' uses MD5crypt weak hashMEDIUM (CVSS 5.3)

描述

MD5crypt ($1$) is a weak algorithm, recommend migration to SHA-512 ($6$)

证据

/etc/shadow: sshd:$1$BKY7uz3G$vw5dPaPb...

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

3. 密码已破解：用户 'root'CRITICAL (CVSS 6.9)

描述

密码 '2015.ikuai8.com' 通过字典攻击破解

证据

/etc/shadow: root cracked with common password dictionary

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

4. 云控客户端: 私钥与证书泄露CRITICAL (CVSS 9.1)

描述

固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。

Private Key: /etc/remote2/ca-certificates.d/ikuai/client.key
Certificate: /etc/remote2/ca-certificates.d/ikuai/client.crt
主体	C = CN, ST = beijing, O = ikuai, OU = ikclient, CN = *.ikuai8.com
签发者	C = CN, ST = beijing, L = bj, O = ikuai, OU = ik, CN = *.ikuai8.com
生效时间	Aug 22 09:52:29 2019 GMT
过期时间	Aug 19 09:52:29 2029 GMT
序列号	02
SHA1 指纹	FB:07:C4:91:0E:A9:26:86:98:4D:EE:CB:33:A1:8C:B6:E1:F4:B3:2F

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

5. 控制客户端（备用）: 私钥与证书泄露CRITICAL (CVSS 6.1)

描述

固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。

Private Key: /usr/ikuai/ctrlclient/priv.key (4096-bit RSA)
Certificate: /usr/ikuai/ctrlclient/cert.pem
主体	C = CN, ST = BEIJING, O = IKUAI8 Ltd, OU = CERT 0001 OF CA REMOTE CONTROL 0002-01-0001 FOR IKUAI ROUTERS, CN = cert0001.rm_router0002-01-0001.ikuai8.com, emailAddress = [email protected]
签发者	C = CN, ST = BEIJING, O = IKUAI8 Ltd, OU = REMOTE CONTROL 0002-01 FOR ROUTERS, CN = remote_control.rt0002-01.ikuai8.com, emailAddress = [email protected]
生效时间	Dec 24 02:44:23 2015 GMT
过期时间	Dec 22 02:44:23 2021 GMT
序列号	100000
SHA1 指纹	9B:3C:A3:86:B7:65:80:CB:A8:B4:BA:77:8B:B8:53:B4:84:99:6A:2B

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6. 内嵌 CA: 私钥与证书泄露CRITICAL (CVSS 9.1)

描述

固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。

Private Key: /etc/ssl/32015/ca.key (1024-bit RSA)
Certificate: /etc/ssl/32015/ca.crt
主体	C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = download.ikuai8.com
签发者	C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = download.ikuai8.com
生效时间	Aug 29 04:13:19 2017 GMT
过期时间	Dec 30 04:13:19 3016 GMT
序列号	BD9552A22264C655
SHA1 指纹	68:7C:26:F4:B4:20:1B:C5:04:AD:31:58:0E:4F:C1:04:08:6C:39:B6

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7. 内嵌 CA: 私钥与证书泄露CRITICAL (CVSS 9.1)

描述

固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。

Private Key: /etc/ssl/32016/ca.key (1024-bit RSA)
Certificate: /etc/ssl/32016/ca.crt
主体	C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = download.ikuai8.com
签发者	C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = download.ikuai8.com
生效时间	Aug 29 02:15:37 2017 GMT
过期时间	Dec 30 02:15:37 3016 GMT
序列号	92EDE68AEB529720
SHA1 指纹	B8:4C:CB:B7:53:F6:70:9E:B8:D8:20:DB:8A:34:49:BE:85:E8:30:F0

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8. 内嵌 CA: 私钥与证书泄露CRITICAL (CVSS 9.1)

描述

固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。

Private Key: /etc/ssl/32017/ca.key (1024-bit RSA)
Certificate: /etc/ssl/32017/ca.crt
主体	C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = 302.ikuai8.com
签发者	C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = 302.ikuai8.com
生效时间	Sep 6 04:04:56 2017 GMT
过期时间	Jan 7 04:04:56 3017 GMT
序列号	E43325EF748B108B
SHA1 指纹	EC:29:58:77:4B:E1:99:CC:DA:74:14:A2:B9:0B:D9:D7:EF:C9:D5:36

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9. Web 服务器: 私钥与证书泄露CRITICAL (CVSS 9.1)

描述

固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。

Private Key: /usr/openresty/ssl/server.key (2048-bit RSA)
Certificate: /usr/openresty/ssl/server.crt
主体	C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = ikuai8.com
签发者	C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = ikuai8.com
生效时间	Apr 21 07:23:05 2021 GMT
过期时间	Aug 22 07:23:05 3020 GMT
序列号	DB6C3FFC850ABE5E
SHA1 指纹	45:EF:86:D9:14:1C:AC:5B:45:CB:02:FD:BB:95:5B:75:5E:01:A3:EE

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

10. 远程控制配置文件暴露HIGH (CVSS 7.5)

描述

云控服务器地址在固件中明文可见

证据

etc/remote2/ikuai.conf
{
     "as_server":{
        "host":["as-v4.ikuai8.com:9444"],
        "ca_path":"/etc/remote2/ca-certificates.d/ikuai"
     }
}

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

11. OpenSSL 1.0.0 — 已停止维护CRITICAL (CVSS 7.5)

描述

OpenSSL 1.0.x 已于 2020 年停止维护，存在大量已知漏洞（含远程代码执行）

证据

/usr/lib/libssl.so.1.0.0

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5. 外连通信分析

域名	分类	引用
`yun.ikuai8.com`	🟡 cloud	15 files `/usr/ikuai/function/backup` `/usr/ikuai/function/cloud_bak` `/usr/ikuai/function/ik_web_sdwan` `/usr/ikuai/function/ikmessages` `/usr/ikuai/function/nat_ddns` `/usr/ikuai/function/register` `/usr/ikuai/script/backup.sh` `/usr/ikuai/script/cloud_bak.sh` `/usr/ikuai/script/ik_web_sdwan.sh` `/usr/ikuai/script/ikmessages.sh` `/usr/ikuai/script/nat_ddns.sh` `/usr/ikuai/script/register.sh` `/usr/ikuai/www/static/js/first.json` `/usr/openresty/lua/lib/webman.lua` `/usr/sbin/ik_wpa_ppsk`
`dis-v4.ikuai8.com`	🟡 system	2 files `/usr/sbin/cre` `/usr/sbin/tkgen`
`routers.ikuai8.com`	🟡 system	2 files `/usr/bin/ik_audit_publisher` `/usr/ikuai/script/ikaudit_update.sh`
`api.cloudflare.com`	🟡 api	2 files `/usr/ikuai/function/ddns` `/usr/ikuai/script/ddns.sh`
`dingtalk.c.app`	🟡 system	2 files `/usr/DTalkInside/sign_ikuai_x86_64` `/usr/sbin/dtalkd`
`ftp.info-zip.org`	🟡 system	2 files `/usr/bin/unzip` `/usr/bin/zip`
`as1.ikuai8.com`	🟡 system	`/usr/sbin/ik_rc_client`
`time3.aliyun.com`	🟡 system	`/usr/sbin/ikntpget`
`as2.ikuai8.com`	🟡 system	`/usr/sbin/ik_rc_client`
`pkgmgr-v4.ikuai8.com`	🟡 system	`/usr/sbin/pmd`
`ntp3.ikuai8.com`	🟡 system	`/usr/sbin/ikntpget`
`schemas.microsoft.com`	🟡 system	`/usr/bin/wsdd2`
`ntp1.ikuai8.com`	🟡 system	`/usr/sbin/ikntpget`
`time2.aliyun.com`	🟡 system	`/usr/sbin/ikntpget`
`restapi.amap.com`	🟡 system	`/usr/sbin/speedtest-nearby-src`
`api.weibo.com`	🟡 api	`/usr/openresty/lua/webauth/release.lua`
`time5.aliyun.com`	🟡 system	`/usr/sbin/ikntpget`
`rsync.samba.org`	🟡 system	`/usr/bin/rsync`
`time6.aliyun.com`	🟡 system	`/usr/sbin/ikntpget`
`cloud.ikuai8.com`	🟡 cloud	`/usr/ikuai/www/static/js/first.json`
`audit.ikuai8.com`	🟡 telemetry	`/usr/ikuai/script/ikaudit_update.sh`
`time1.aliyun.com`	🟡 system	`/usr/sbin/ikntpget`
`update.ikuai8.com`	🟡 update	`/usr/ikuai/ctrlclient/conf.json`
`ntp2.aliyun.com`	🟡 system	`/usr/sbin/ikntpget`
`listi.jpberlin.de`	🟡 system	`/usr/sbin/smartctl`
`software.es.net`	🟡 system	`/usr/bin/iperf3`
`stedolan.github.com`	🟡 system	`/usr/sbin/jq`
`patch.ikuai8.com`	🟡 system	`/usr/sbin/speedtest-nearby-src`
`ntp2.ikuai8.com`	🟡 system	`/usr/sbin/ikntpget`
`time4.aliyun.com`	🟡 system	`/usr/sbin/ikntpget`

6. 加固建议

建议：审查所有外连通信，更换默认凭据，升级过时的加密库。

固件安全审计报告

4.0.24 x64 Build202601131850

目录

1. 执行摘要

2. 测试范围与方法

3. 发现总览

4. 详细发现

5. 外连通信分析

6. 加固建议