1. 执行摘要

79 / 100

严重

高危

中危

低危/信息

2. 测试范围与方法

项目	详情
固件版本	OpenWrt 18.06-SNAPSHOT unknown
样本文件	`xiaomi-test/rootfs`
文件大小	88.1MB
扫描时间	2026-04-22
工具	Nyarc v1.1.0

3. 发现总览

#	级别	CVSS	发现
1	HIGH	5.3	Xiaomi matool telemetry agent
2	HIGH	5.3	Xiaomi datacenter data collection service
3	MEDIUM	5.3	User 'root' uses MD5crypt weak hash
4	CRITICAL	5.3	OpenSSL libcrypto.so.1.0.0 — EOL
5	CRITICAL	7.5	OpenSSL 1.0.0 — EOL
6	CRITICAL	9.1	Private key leaked: /etc/nginx/cert.key
7	MEDIUM	5.3	User 'root' uses MD5crypt weak hash
8	CRITICAL	7.5	OpenSSL 1.0.0 — 已停止维护

4. 详细发现

1. Xiaomi matool telemetry agentHIGH (CVSS 5.3)

描述

matool collects device info, usage data, and reports to Xiaomi servers (log.miwifi.com, api.miwifi.com)

证据

/usr/bin/matool

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

2. Xiaomi datacenter data collection serviceHIGH (CVSS 5.3)

描述

datacenter service collects and uploads user data to Xiaomi cloud

证据

/usr/sbin/datacenter

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

3. User 'root' uses MD5crypt weak hashMEDIUM (CVSS 5.3)

描述

MD5crypt ($1$) is a weak algorithm, recommend migration to SHA-512 ($6$)

证据

/etc/shadow: root:$1$MULfKgY6$rdJYoUcz...

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4. OpenSSL libcrypto.so.1.0.0 — EOLCRITICAL (CVSS 5.3)

描述

OpenSSL 1.0.x is EOL since 2020, multiple known CVEs including RCE

证据

/usr/lib/libcrypto.so.1.0.0

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5. OpenSSL 1.0.0 — EOLCRITICAL (CVSS 7.5)

描述

OpenSSL 1.0.x is EOL since 2020, multiple known CVEs including RCE

证据

/usr/lib/libssl.so.1.0.0

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6. Private key leaked: /etc/nginx/cert.keyCRITICAL (CVSS 9.1)

描述

Private key found in firmware. Anyone with the firmware can impersonate this service.

Private Key: /etc/nginx/cert.key (1024-bit RSA)
Certificate: /etc/nginx/cert.crt
主体	C = CN, ST = ShenZhen, L = ShenZhen, O = XiaoMi, OU = XiaoMi, CN = www.miwifi.com
签发者	C = CN, ST = ShenZhen, L = ShenZhen, O = XiaoMi, OU = XiaoMi, CN = www.miwifi.com
生效时间	Jun 28 08:08:17 2020 GMT
过期时间	Jun 26 08:08:17 2030 GMT
序列号	E53763287569BE1F
SHA1 指纹	DF:3A:5F:57:E0:DB:FC:02:A7:05:0B:F5:7E:08:84:55:50:77:FA:E2

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7. User 'root' uses MD5crypt weak hashMEDIUM (CVSS 5.3)

描述

MD5crypt ($1$) is a weak algorithm, recommend migration to SHA-512 ($6$)

证据

/etc/shadow: root:$1$MULfKgY6$rdJYoUcz...

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

8. OpenSSL 1.0.0 — 已停止维护CRITICAL (CVSS 7.5)

描述

OpenSSL 1.0.x 已于 2020 年停止维护，存在大量已知漏洞（含远程代码执行）

证据

/usr/lib/libssl.so.1.0.0

📷 [截图: 请在此处插入复现截图]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5. 外连通信分析

域名	分类	引用
`log.miwifi.com`	🔴 telemetry	2 files `/etc/config/miwifi` `/usr/bin/matool`
`api.miwifi.com`	🟡 api	13 files `/etc/config/miwifi` `/etc/config/wifishare` `/etc/nginx/miwifi-webinitrd-https.conf` `/etc/nginx/miwifi-webinitrd.conf` `/lib/config_post_ota/wifishare_post_ota.sh` `/usr/bin/matool` `/usr/bin/messagingagent` `/usr/lib/lua/luci/view/web/init/guide.htm` `/usr/sbin/recovery_info_sync.sh` `/usr/sbin/wanip_check.sh` `/usr/sbin/wifishare.sh` `/www/self_diag/resource/js/helper.js` `/www/static/js/26.99691565a33a850fa3f9.js`
`bigota.miwifi.com`	🟡 update	6 files `/usr/lib/lua/luci/view/web/inc/g.js.htm` `/usr/lib/lua/luci/view/web/init/bind.htm` `/usr/lib/lua/luci/view/web/init/guide.htm` `/usr/lib/lua/luci/view/web/sysauth.htm` `/usr/sbin/wifishare.sh` `/www/static/js/25.1bc67c9fea76d27c1a01.js`
`account.xiaomi.com`	🟡 auth	4 files `/usr/lib/lua/luci/view/web/inc/agreement.htm` `/usr/lib/lua/luci/view/web/inc/agreement_HK.htm` `/usr/lib/lua/luci/view/web/inc/agreement_TW.htm` `/www/static/js/27.a6589dae1974c2685095.js`
`broker.miwifi.com`	🟡 cloud	3 files `/etc/config/miwifi` `/usr/bin/matool` `/usr/bin/messagingagent`
`stun.miwifi.com`	🟡 network	2 files `/etc/config/miwifi` `/usr/bin/matool`
`api.miwfi.com`	🟡 api	`/usr/sbin/wanip_check.sh`
`www.miwifi.com`	🟢 frontend	11 files `/etc/init.d/dnsmasq` `/etc/nginx/miwifi-webinitrd-https.conf` `/etc/nginx/miwifi-webinitrd.conf` `/etc/nginx/nginx.conf` `/etc/rc.d/S19dnsmasq` `/usr/lib/lua/luci/view/web/inc/agreement.htm` `/usr/lib/lua/luci/view/web/inc/agreement_HK.htm` `/usr/lib/lua/luci/view/web/inc/agreement_TW.htm` `/usr/lib/lua/luci/view/web/inc/privacy_US_inter.htm` `/usr/sbin/sysapi.firewall` `/www/static/js/27.a6589dae1974c2685095.js`
`www.mi.com`	🟢 frontend	10 files `/usr/lib/lua/luci/view/web/inc/agreement.htm` `/usr/lib/lua/luci/view/web/inc/agreement_KR.htm` `/usr/lib/lua/luci/view/web/inc/agreement_TW.htm` `/usr/lib/lua/luci/view/web/inc/agreement_US.htm` `/usr/lib/lua/luci/view/web/inc/agreement_US_inter.htm` `/usr/lib/lua/luci/view/web/inc/g.js.htm` `/usr/lib/lua/luci/view/web/index.htm` `/usr/lib/lua/luci/view/web/init/guide.htm` `/usr/sbin/miniupnpd` `/www/static/js/27.a6589dae1974c2685095.js`
`app.miwifi.com`	🟢 api	8 files `/etc/config/miwifi` `/usr/lib/libpackagesign.so` `/usr/lib/libpackagesign.so.1` `/usr/lib/libpackagesign.so.1.0.0` `/usr/lib/opkg/info/packagesign.list` `/usr/sbin/installplugin` `/usr/sbin/pluginControllor` `/usr/sbin/plugincenter`
`s.miwifi.com`	🟢 cdn	8 files `/etc/config/miwifi` `/etc/config/wifishare` `/etc/nginx/htdocs/wifishare.html` `/lib/config_post_ota/wifishare_post_ota.sh` `/usr/sbin/datacenter` `/usr/sbin/plugincenter` `/usr/sbin/wifishare.sh` `/www/v3.html`
`www1.miwifi.com`	🟢 frontend	7 files `/usr/lib/lua/luci/view/web/inc/footer.htm` `/usr/lib/lua/luci/view/web/inc/footermini.htm` `/usr/lib/lua/luci/view/web/inc/g.js.htm` `/usr/lib/lua/luci/view/web/inc/store.htm` `/usr/lib/lua/luci/view/web/init/guide.htm` `/usr/lib/lua/luci/view/web/sysauth.htm` `/usr/sbin/miniupnpd`
`wiki.openwrt.org`	🟢 docs	4 files `/usr/lib/opkg/info/6rd.control` `/usr/lib/opkg/info/ddns-scripts.control` `/usr/lib/opkg/info/ds-lite.control` `/usr/lib/opkg/info/map.control`
`www.balabit.com`	🟢 frontend	3 files `/usr/lib/libsyslog-ng-3.9.so.0` `/usr/lib/libsyslog-ng-3.9.so.0.0.0` `/usr/lib/libsyslog-ng.so`
`lysator.liu.se`	🟢 library	3 files `/usr/lib/libssh2.so` `/usr/lib/libssh2.so.1` `/usr/lib/libssh2.so.1.0.1`
`htp.miwifi.com`	🟢 network	3 files `/etc/nginx/miwifi-webinitrd-https.conf` `/etc/nginx/miwifi-webinitrd.conf` `/usr/sbin/ntpsetclock`
`lists.balabit.hu`	🟢 library	3 files `/usr/lib/libsyslog-ng-3.9.so.0` `/usr/lib/libsyslog-ng-3.9.so.0.0.0` `/usr/lib/libsyslog-ng.so`
`www.veracrypt.fr`	🟢 frontend	3 files `/usr/lib/libgio-2.0.so` `/usr/lib/libgio-2.0.so.0` `/usr/lib/libgio-2.0.so.0.5800.1`
`cshore.thecshore.com`	🟢 package	3 files `/usr/lib/opkg/info/rp-pppoe-common.control` `/usr/lib/opkg/info/rp-pppoe-relay.control` `/usr/lib/opkg/info/rp-pppoe-server.control`
`www.ascc.net`	🟢 frontend	3 files `/usr/lib/libxml2.so` `/usr/lib/libxml2.so.2` `/usr/lib/libxml2.so.2.9.8`
`www.duckdns.org`	🟢 frontend	2 files `/etc/ddns/services` `/etc/ddns/services_ipv6`
`www.thinkdifferent.us`	🟢 frontend	2 files `/etc/nginx/miwifi-webinitrd-https.conf` `/etc/nginx/miwifi-webinitrd.conf`
`dyndns.core-networks.de`	🟢 config	2 files `/etc/ddns/services` `/etc/ddns/services_ipv6`
`dyndns.kasserver.com`	🟢 config	2 files `/etc/ddns/services` `/etc/ddns/services_ipv6`
`www.so.com`	🟢 frontend	2 files `/usr/bin/upload_speedtest` `/usr/share/speedtest.xml`
`bugs.openwrt.org`	🟢 config	2 files `/etc/os-release` `/usr/lib/os-release`
`is.dhis.org`	🟢 config	2 files `/etc/ddns/services` `/etc/ddns/services_ipv6`
`www.udmedia.de`	🟢 frontend	2 files `/etc/ddns/services` `/etc/ddns/services_ipv6`
`www.xiaomi.cn`	🟢 frontend	2 files `/usr/lib/lua/luci/view/web/inc/footer.htm` `/usr/lib/lua/luci/view/web/inc/footermini.htm`
`appdlc.hicloud.com`	🟢 config	2 files `/etc/nginx/miwifi-webinitrd-https.conf` `/etc/nginx/miwifi-webinitrd.conf`

6. 加固建议

建议：审查所有外连通信，更换默认凭据，升级过时的加密库。

固件安全审计报告

OpenWrt 18.06-SNAPSHOT unknown

目录

1. 执行摘要

2. 测试范围与方法

3. 发现总览

4. 详细发现

5. 外连通信分析

6. 加固建议