固件安全审计报告

4.0.24 x64 Build202601131850

报告日期:2026-04-22

样本: iKuai8_x64_4.0.24_Build202601131850.bin

NYARC-2026-001

🔒 机密 — 仅供授权人员查阅

目录

1. 执行摘要

100 / 100
8
严重
1
高危
2
中危
0
低危/信息

2. 测试范围与方法

项目详情
固件版本4.0.24 x64 Build202601131850
样本文件iKuai8_x64_4.0.24_Build202601131850.bin
MD54fa9b7183ae1cc505295dc4ef5f5afbf
SHA-2561bee8284ee70f633b8b88bd6bbbfc7a366f9b01f1700dac83b35171fa8b9fb63
文件大小41.7MB
扫描时间2026-04-22
工具Nyarc v1.1.0

3. 发现总览

#级别CVSS发现
1MEDIUM5.3User 'root' uses MD5crypt weak hash
2MEDIUM5.3User 'sshd' uses MD5crypt weak hash
3CRITICAL9.1密码已破解:用户 'root'
4CRITICAL7.5云控客户端: 私钥与证书泄露
5CRITICAL9.0控制客户端(备用): 私钥与证书泄露
6CRITICAL9.0内嵌 CA: 私钥与证书泄露 (WEAK 1024-bit)
7CRITICAL9.0内嵌 CA: 私钥与证书泄露 (WEAK 1024-bit)
8CRITICAL9.0内嵌 CA: 私钥与证书泄露 (WEAK 1024-bit)
9CRITICAL9.0Web 服务器: 私钥与证书泄露
10HIGH8.1远程控制配置文件暴露
11CRITICAL9.0OpenSSL 1.0.0 — 已停止维护

4. 详细发现

1. User 'root' uses MD5crypt weak hashMEDIUM (CVSS 5.3)
描述
MD5crypt ($1$) is a weak algorithm, recommend migration to SHA-512 ($6$)
证据
/etc/shadow: root:$1$9.EU8ItY$z4EfK4vQ...
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2. User 'sshd' uses MD5crypt weak hashMEDIUM (CVSS 5.3)
描述
MD5crypt ($1$) is a weak algorithm, recommend migration to SHA-512 ($6$)
证据
/etc/shadow: sshd:$1$BKY7uz3G$vw5dPaPb...
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3. 密码已破解:用户 'root'CRITICAL (CVSS 9.1)
描述
密码 '2015.ikuai8.com' 通过字典攻击破解
证据
/etc/shadow: root cracked with common password dictionary
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4. 云控客户端: 私钥与证书泄露CRITICAL (CVSS 7.5)
描述
固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。
Private Key: /etc/remote2/ca-certificates.d/ikuai/client.key ()
Certificate: /etc/remote2/ca-certificates.d/ikuai/client.crt
主体C = CN, ST = beijing, O = ikuai, OU = ikclient, CN = *.ikuai8.com
签发者C = CN, ST = beijing, L = bj, O = ikuai, OU = ik, CN = *.ikuai8.com
生效时间Aug 22 09:52:29 2019 GMT
过期时间Aug 19 09:52:29 2029 GMT
序列号02
SHA1 指纹FB:07:C4:91:0E:A9:26:86:98:4D:EE:CB:33:A1:8C:B6:E1:F4:B3:2F
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5. 控制客户端(备用): 私钥与证书泄露CRITICAL (CVSS 9.0)
描述
固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。
Private Key: /usr/ikuai/ctrlclient/priv.key (4096-bit RSA)
Certificate: /usr/ikuai/ctrlclient/cert.pem
主体C = CN, ST = BEIJING, O = IKUAI8 Ltd, OU = CERT 0001 OF CA REMOTE CONTROL 0002-01-0001 FOR IKUAI ROUTERS, CN = cert0001.rm_router0002-01-0001.ikuai8.com, emailAddress = [email protected]
签发者C = CN, ST = BEIJING, O = IKUAI8 Ltd, OU = REMOTE CONTROL 0002-01 FOR ROUTERS, CN = remote_control.rt0002-01.ikuai8.com, emailAddress = [email protected]
生效时间Dec 24 02:44:23 2015 GMT
过期时间Dec 22 02:44:23 2021 GMT
序列号100000
SHA1 指纹9B:3C:A3:86:B7:65:80:CB:A8:B4:BA:77:8B:B8:53:B4:84:99:6A:2B
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6. 内嵌 CA: 私钥与证书泄露 (WEAK 1024-bit)CRITICAL (CVSS 9.0)
描述
固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。
Private Key: /etc/ssl/32015/ca.key (1024-bit RSA (WEAK))
Certificate: /etc/ssl/32015/ca.crt
主体C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = download.ikuai8.com
签发者C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = download.ikuai8.com
生效时间Aug 29 04:13:19 2017 GMT
过期时间Dec 30 04:13:19 3016 GMT
序列号BD9552A22264C655
SHA1 指纹68:7C:26:F4:B4:20:1B:C5:04:AD:31:58:0E:4F:C1:04:08:6C:39:B6
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
7. 内嵌 CA: 私钥与证书泄露 (WEAK 1024-bit)CRITICAL (CVSS 9.0)
描述
固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。
Private Key: /etc/ssl/32016/ca.key (1024-bit RSA (WEAK))
Certificate: /etc/ssl/32016/ca.crt
主体C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = download.ikuai8.com
签发者C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = download.ikuai8.com
生效时间Aug 29 02:15:37 2017 GMT
过期时间Dec 30 02:15:37 3016 GMT
序列号92EDE68AEB529720
SHA1 指纹B8:4C:CB:B7:53:F6:70:9E:B8:D8:20:DB:8A:34:49:BE:85:E8:30:F0
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
8. 内嵌 CA: 私钥与证书泄露 (WEAK 1024-bit)CRITICAL (CVSS 9.0)
描述
固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。
Private Key: /etc/ssl/32017/ca.key (1024-bit RSA (WEAK))
Certificate: /etc/ssl/32017/ca.crt
主体C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = 302.ikuai8.com
签发者C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = 302.ikuai8.com
生效时间Sep 6 04:04:56 2017 GMT
过期时间Jan 7 04:04:56 3017 GMT
序列号E43325EF748B108B
SHA1 指纹EC:29:58:77:4B:E1:99:CC:DA:74:14:A2:B9:0B:D9:D7:EF:C9:D5:36
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9. Web 服务器: 私钥与证书泄露CRITICAL (CVSS 9.0)
描述
固件中发现私钥与证书配对。任何获取固件的攻击者均可冒充该服务。
Private Key: /usr/openresty/ssl/server.key (2048-bit RSA)
Certificate: /usr/openresty/ssl/server.crt
主体C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = ikuai8.com
签发者C = CN, ST = BeiJing, L = BeiJing, O = iKuai, OU = iKuai, CN = ikuai8.com
生效时间Apr 21 07:23:05 2021 GMT
过期时间Aug 22 07:23:05 3020 GMT
序列号DB6C3FFC850ABE5E
SHA1 指纹45:EF:86:D9:14:1C:AC:5B:45:CB:02:FD:BB:95:5B:75:5E:01:A3:EE
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
10. 远程控制配置文件暴露HIGH (CVSS 8.1)
描述
云控服务器地址在固件中明文可见
证据
etc/remote2/ikuai.conf { "as_server":{ "host":["as-v4.ikuai8.com:9444"], "ca_path":"/etc/remote2/ca-certificates.d/ikuai" } }
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
11. OpenSSL 1.0.0 — 已停止维护CRITICAL (CVSS 9.0)
描述
OpenSSL 1.0.x 已于 2020 年停止维护,存在大量已知漏洞(含远程代码执行)
证据
/usr/lib/libssl.so.1.0.0
📷 [截图: 请在此处插入复现截图]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

5. 外连通信分析

域名分类引用
yun.ikuai8.comcloud/usr/ikuai/function/backup /usr/ikuai/function/cloud_bak /usr/ikuai/function/ik_web_sdwan /usr/ikuai/function/ikmessages /usr/ikuai/function/nat_ddns /usr/ikuai/function/register /usr/ikuai/script/backup.sh /usr/ikuai/script/cloud_bak.sh /usr/ikuai/script/ik_web_sdwan.sh /usr/ikuai/script/ikmessages.sh /usr/ikuai/script/nat_ddns.sh /usr/ikuai/script/register.sh /usr/ikuai/www/static/js/first.json /usr/openresty/lua/lib/webman.lua /usr/sbin/ik_wpa_ppsk
lists.sourceforge.netsystem/usr/bin/snmptranslate /usr/lib/libnetsnmp.so.30 /usr/lib/libnetsnmp.so.30.0.2 /usr/sbin/snmpd /usr/sbin/snmptrapd
routers.ikuai8.comsystem/usr/bin/ik_audit_publisher /usr/ikuai/script/ikaudit_update.sh
dis-v4.ikuai8.comsystem/usr/sbin/cre /usr/sbin/tkgen
api.cloudflare.comapi/usr/ikuai/function/ddns /usr/ikuai/script/ddns.sh
ftp.info-zip.orgsystem/usr/bin/unzip /usr/bin/zip
dingtalk.c.appsystem/usr/DTalkInside/sign_ikuai_x86_64 /usr/sbin/dtalkd
bibnum.bnf.frsystem/usr/bin/wget /usr/bin/wget-ssl
pkgmgr-v4.ikuai8.comsystem/usr/sbin/pmd
time2.aliyun.comsystem/usr/sbin/ikntpget
schemas.microsoft.comsystem/usr/bin/wsdd2
git.zx2c4.comsystem/usr/bin/wg
time6.aliyun.comsystem/usr/sbin/ikntpget
stedolan.github.comsystem/usr/sbin/jq
time1.aliyun.comsystem/usr/sbin/ikntpget
bugs.debian.orgsystem/usr/sbin/cgroupfs-mount
api.weibo.comapi/usr/openresty/lua/webauth/release.lua
restapi.amap.comsystem/usr/sbin/speedtest-nearby-src
patch.ikuai8.comsystem/usr/sbin/speedtest-nearby-src
ntp2.ikuai8.comsystem/usr/sbin/ikntpget
time4.aliyun.comsystem/usr/sbin/ikntpget
ntp3.ikuai8.comsystem/usr/sbin/ikntpget
time3.aliyun.comsystem/usr/sbin/ikntpget
as1.ikuai8.comsystem/usr/sbin/ik_rc_client
miniupnp.tuxfamily.orgsystem/usr/bin/upnpc
rsync.samba.orgsystem/usr/bin/rsync
software.es.netsystem/usr/bin/iperf3
ntp1.ikuai8.comsystem/usr/sbin/ikntpget
bugs.cihar.comsystem/usr/bin/enca
cloud.ikuai8.comcloud/usr/ikuai/www/static/js/first.json

6. 加固建议

建议:审查所有外连通信,更换默认凭据,升级过时的加密库。

Nyarc v1.1.0 — Firmware Reverse Engineering Console

NYARC-2026-001 | 机密 | 2026-04-22