Security audit of the MCS cloud platform
SkyShip Dusk by SeeLight

Building any service has to include constant work on security. Security is an ongoing process: regular analysis and hardening of the product, keeping an eye on vulnerability news, and much more, including audits. Audits are carried out both in-house and by external experts, who can help a great deal precisely because they are not immersed in the project and look at it with fresh eyes.

This article is about exactly that outside view: the external experts who helped the Mail.ru Cloud Solutions (MCS) team test its cloud service, and what they found. As the "outside force", MCS chose Digital Security, a company known for its deep expertise in information security circles. In this article we will walk through some of the interesting vulnerabilities found during the external audit, so that you can avoid stepping on the same rake when building your own cloud service.

Product description

Mail.ru Cloud Solutions (MCS) is a platform for building virtual infrastructure in the cloud. It includes IaaS, PaaS, and a marketplace of ready-made application images for developers. Given the MCS architecture, the product's security had to be checked in the following areas:

  • protection of the virtualization environment's infrastructure: hypervisors, routing, firewalls;
  • protection of customer infrastructure: isolation of customers from one another, including at the network level, and private networks in the SDN;
  • OpenStack and its open-source components;
  • our own S3 implementation;
  • IAM: multi-tenant operation with a role model;
  • Vision (computer vision): its APIs and vulnerabilities when processing images;
  • the websites and typical web attacks;
  • vulnerabilities in PaaS components;
  • the APIs of all components.

That is probably everything that matters for the rest of the story.

What work was done, and why was it needed?

A security audit aims to find vulnerabilities and configuration errors that could lead to leakage of confidential data, modification of sensitive data, or disruption of service availability.

During the engagement, which lasts one to two months on average, the auditors replicate the actions of attackers and look for vulnerabilities in the client and server parts of the chosen service. In the context of the MCS cloud platform audit, the following goals were set:

  1. Checking authentication in the service. A vulnerability in this component would allow immediate access to other people's accounts.
  2. Analysis of the role model and of access control between different accounts. For an attacker, access to someone else's virtual machine is a highly desirable goal.
  3. Client-side vulnerabilities: XSS/CSRF/CRLF and the like. Is it possible to attack other users via malicious links?
  4. Server-side vulnerabilities: RCE and all kinds of injection (SQL/XXE/SSRF and so on). Server-side vulnerabilities are generally harder to find, but they lead to the compromise of many users at once.
  5. Checking the isolation of user components at the network level. For an attacker, a lack of isolation greatly widens the attack surface against other users.
  6. Analysis of the business logic. Is it possible to deceive the business and create machines for free?

In this engagement the work followed the "gray box" model: the auditors interacted with the service with the privileges of ordinary users, but partially had the source code of the API and could clarify details with the developers. This is usually the most convenient and at the same time the most realistic model: an attacker can still gather internal information, it is only a matter of time.

Vulnerabilities found

Before an auditor starts sending various payloads (the data used to carry out an attack) to random places, it is necessary to understand how things work and what functionality is offered. This may seem like a useless exercise, because most of the places studied will contain no vulnerabilities. But only understanding the structure of the application and the logic of its operation makes it possible to find the most complex attack vectors.

It is important to find places that look suspicious or differ from the rest in some way. And that is exactly how the first dangerous vulnerability was found.

IDOR

IDOR (Insecure Direct Object Reference) is one of the most common business-logic vulnerabilities: it allows access to objects for which access is not actually permitted. IDOR vulnerabilities open up the possibility of obtaining information about users, of varying degrees of criticality.

One IDOR variant is performing actions on system objects (users, bank accounts, items in a shopping cart) by manipulating the identifiers used to access those objects. This leads to the most unpredictable consequences, for example the ability to substitute the account of the sender of funds and thereby steal them from other users.

In the case of MCS, the auditors found only an IDOR vulnerability related to insecure identifiers. In the user's personal account, UUID identifiers were used to access every object, which, as security experts would say, looks quite secure (that is, protected against brute-force attacks). But for some entities it turned out that ordinary sequential numbers were used to obtain information about the application's users. I think you can already guess that it was possible to change the user ID by one, resend the request, and thus obtain data bypassing the ACL (access control list, the rules governing data access for processes and users).
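
To make the IDOR finding concrete, here is an added example (not code from the article or from MCS) of the two ways such a lookup endpoint can be written. The `Project` table, tenant ids and handler names are constructed for illustration; the point is that the fix is the ownership check, which works even with sequential ids, whereas switching to UUIDs only hides the ids from guessing and is not an ACL.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Project:
    id: int
    owner_id: int
    name: str


# Constructed sample data: two tenants, sequential ids (the weak spot on the page).
PROJECTS: Dict[int, Project] = {
    1: Project(1, owner_id=100, name="alice-prod"),
    2: Project(2, owner_id=200, name="bob-staging"),
}


def get_project_vulnerable(requester_id: int, project_id: int) -> Optional[Project]:
    """Vulnerable handler: trusts the id and never consults the ACL, so any
    authenticated user can walk id=1, 2, 3 ... and read other tenants' data."""
    return PROJECTS.get(project_id)


def get_project(requester_id: int, project_id: int) -> Optional[Project]:
    """Hardened handler: the lookup is scoped to the requester. A project that
    exists but belongs to someone else gives the same answer as a missing one,
    so the endpoint does not even reveal which ids are valid."""
    project = PROJECTS.get(project_id)
    if project is None or project.owner_id != requester_id:
        return None
    return project


def leaked_ids(requester_id: int, id_range: range) -> List[int]:
    """Defender's regression check: ids in the range that the vulnerable handler
    returns to this requester but the hardened one correctly refuses."""
    return [i for i in id_range
            if get_project_vulnerable(requester_id, i) is not None
            and get_project(requester_id, i) is None]
```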

Server-Side Request Forgery (SSRF)

The good thing about open-source products is that they have a huge number of forums with detailed technical descriptions of the problems that arise and, if you are lucky, a description of the solution. But this coin has a flip side: known vulnerabilities are also described in detail. For example, there are excellent descriptions of vulnerabilities on the OpenStack forum [XSS] and [SSRF], which for some reason nobody is in a hurry to fix.

A common piece of application functionality is letting a user submit a link to the server, which the server then follows (for example, to download an image from the specified source). If the security tooling does not filter the links themselves, or the responses the server returns to users, such functionality can easily be abused by attackers.

An SSRF vulnerability can greatly widen the attack surface. An attacker can obtain:

  • limited access to the attacked local network, for example only to certain network segments and only using a particular protocol;
  • full access to the local network, if a downgrade from the application layer to the transport layer is possible and, as a result, full control over the payload at the application layer;
  • the ability to read local files on the server (if the file:/// scheme is supported);
  • and much more.

The SSRF vulnerability in OpenStack has long been known and is "blind" in nature: when you make the server contact a host, you do not receive its response, but you get different kinds of errors or delays depending on the result of the request. Based on this, hosts on the internal network can be port-scanned, with all the consequences that should not be underestimated. For example, a product may have a back-office API that is reachable only from the corporate network. With credentials (do not forget about insiders), an attacker can use SSRF to reach internal endpoints. For example, if a rough list of useful URLs has been obtained, SSRF can be used to go through them and execute requests, relatively speaking, transferring money from account to account or changing limits.
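
For the link-following feature described above, here is an added example (not code from the article or from OpenStack/MCS) of the server-side check a defender would put in front of the fetch: only http/https, no credentials in the URL, and every address the host resolves to must be globally routable, so `file:///`, loopback, RFC 1918 and link-local targets are refused. The hostnames and addresses in `FAKE_DNS` are constructed so the example runs offline; the resolver is injected so the caller can pin the checked address for the real request.

```python
import ipaddress
from typing import Callable, Dict, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher://, etc. are rejected


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses; rejects loopback,
    RFC 1918 / ULA, link-local (169.254.0.0/16 incl. metadata endpoints),
    multicast and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url: str, resolve: Callable[[str], List[str]]) -> str:
    """Accept a user-supplied URL for a server-side fetch only if the scheme is
    http/https and *every* address the host resolves to is public. `resolve` is
    injected so the check runs offline here and so the caller can pin the
    returned address for the real request (otherwise DNS rebinding can swap a
    public answer for an internal one between check and use). Raises ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:                                   # literal IP: no DNS lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"host did not resolve: {host}")
    for ip in addrs:
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return addrs[0]


# Constructed stand-in for DNS so the example runs offline; not real hosts.
FAKE_DNS: Dict[str, List[str]] = {
    "images.example.com": ["93.184.216.34"],
    "backoffice.internal": ["10.0.5.20"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```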

This is not the first time an SSRF vulnerability has been found in OpenStack. Previously it was possible to download VM ISO images from a direct link, which led to the same consequences. That feature has now been removed from OpenStack. Apparently the community considered this the simplest and most reliable solution to the problem.

And in this publicly disclosed report on the HackerOne (h1) platform, exploitation of a non-blind SSRF with the ability to read instance metadata leads to root access to the entire Shopify infrastructure.

In MCS, an SSRF vulnerability was found in two places with the same functionality, but it was almost impossible to exploit because of firewalls and other protections. One way or another, the MCS team fixed the problem on its own, without waiting for the community.

XSS instead of a shell upload

Despite the hundreds of papers written about it, year after year XSS (cross-site scripting) remains the most frequently encountered web vulnerability (or attack?).

File upload is a favourite spot for any security researcher. It often turns out that you can upload an arbitrary script (asp/jsp/php) and execute OS commands, in pentester parlance "upload a shell". But the popularity of such vulnerabilities cuts both ways: they are well remembered and countermeasures have been developed against them, so lately the probability of "uploading a shell" tends towards zero.

The attacking team (represented by Digital Security) got lucky. OK, on the MCS server side the contents of uploaded files were checked and only images were allowed. But SVG is also an image. How can SVG images be dangerous? Because you can embed JavaScript snippets in them!

It turned out that uploaded files were available to all users of the MCS service, which means it was possible to attack other cloud users, namely administrators.

[Figure: example of an XSS attack with a phishing login form]

Examples of how an XSS attack can be used:

  • Why try to steal a session (especially since HttpOnly cookies are now everywhere and are protected from theft via JS) if the injected script can access the API resources directly? In this case the payload can use XHR requests to change server settings, for example add the attacker's public SSH key and gain SSH access to the server.
  • If a CSP (Content Security Policy) prevents JavaScript injection, an attacker can manage without it. Using pure HTML, create a fake login form for the site and steal the administrator's password through this advanced phishing: the phishing page is served at the same URL, so it is hard for the user to detect.
  • Finally, an attacker can arrange a client-side DoS by setting a cookie larger than 4 KB. The user only needs to open the link once, and the entire site becomes unreachable until the user thinks to clear the browser data: in most cases the web server will refuse to accept such a client.

Let's look at another XSS that was found, this time with a clever trigger. The MCS service lets you attach firewall settings to groups. The group name is where the XSS was found. The most interesting part is that the vector is not triggered immediately, not when viewing the list of rules, but when deleting the group:

So the scenario turned out as follows: an attacker creates a firewall rule with a "payload" in its name, an administrator notices it after a while and starts the deletion procedure. And that is where the malicious JS fires.

To protect against XSS in uploaded SVG images (if they cannot be dropped altogether), the Digital Security team recommended that the MCS developers:

  • Place user-uploaded files on a separate domain that has no relation to the session cookies. A script will then execute in the context of that separate domain and pose no threat to MCS.
  • Send the "Content-Disposition: attachment" header in the server's HTTP response. Files will then be downloaded by the browser rather than rendered and executed.

In addition, developers now have many approaches available to reduce the risk of XSS exploitation:

  • using the "HttpOnly" flag, you can make the "Cookie" header inaccessible to malicious JavaScript;
  • a correctly implemented CSP policy makes it much harder for an attacker to exploit XSS;
  • modern template engines such as Angular or React automatically escape user data before rendering it in the user's browser.
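
The two recommendations above can be checked and implemented in code; the following is an added example, not code from the article or from MCS. `svg_active_content` is a parser-based check for the kinds of active content that make an SVG upload a script carrier, and `download_headers` builds the response headers for serving a stored upload as an attachment (with `nosniff` and a sandboxing CSP on top). The function names and the two sample SVGs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SVG_NS = "{http://www.w3.org/2000/svg}"


def svg_active_content(data: bytes) -> List[str]:
    """List the reasons an uploaded SVG could run script in a browser: <script>,
    on* event handlers, javascript: URLs and <foreignObject> (arbitrary HTML).
    An empty list means nothing active was found. Malformed XML is reported as
    a reason too: reject it instead of handing it to a lenient browser parser."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    reasons = []
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "").lower()
        if tag in ("script", "foreignobject"):
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()       # drop xlink: etc. namespace
            if name.startswith("on"):
                reasons.append(f"event handler {name} on <{tag}>")
            if re.match(r"\s*javascript:", value, re.I):
                reasons.append(f"javascript: URL in {name} on <{tag}>")
    return reasons


def download_headers(filename: str) -> Dict[str, str]:
    """Response headers for a stored upload so the browser saves the file rather
    than rendering it inside the origin that holds the session cookies. The name
    is reduced to a safe character set, so header injection through it is
    impossible."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:100] or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",     # no MIME sniffing back to image/svg+xml
        "Content-Security-Policy": "sandbox",    # no script even if it is rendered inline
    }


# Constructed samples: a plain icon and one carrying three kinds of active content.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
           b'<script>run()</script><a href="javascript:run()"/></svg>')
```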

Two-factor authentication vulnerabilities

To improve account security, users are always advised to enable 2FA (two-factor authentication). Indeed, this is an effective way to stop an attacker from gaining access to the service if the user's credentials are compromised.

But does using a second authentication factor always guarantee the security of the account? 2FA implementations suffer from the following security issues:

  • Brute-forcing the OTP (one-time code). Despite the simplicity of the operation, mistakes such as missing protection against OTP brute force are made even by large companies: the Slack case, Facebook Marketplace.
  • A weak generation algorithm, for example the ability to predict the next code.
  • Logic errors, such as the ability to request someone else's OTP to your own phone, as once happened at Shopify.

In the case of MCS, 2FA is implemented on top of Google Authenticator and Duo. The protocol itself has stood the test of time, but the code-verification implementation on the application side deserves a look.

MCS uses 2FA in several places:

  • When authenticating a user. There is brute-force protection: the user has only a few attempts to enter the one-time password, after which entry is temporarily blocked. This rules out brute-forcing the OTP.
  • When generating offline backup codes for 2FA, and when disabling it. Here no brute-force protection was implemented, which made it possible, given the account password and an active session, to regenerate the backup codes or disable 2FA entirely.

Given that the backup codes fall within the same range of string values as the codes generated by the OTP application, the chance of guessing a code in a short time is much higher.
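
The gap described above (attempt limiting on the login form only) is an implementation problem, so here is an added example (not code from the article, MCS, Google Authenticator or Duo) of a verifier whose failure counter is shared by every action that consumes a second factor: login, disabling 2FA and regenerating backup codes. The class and method names, the limits and the sample backup codes are constructed for illustration; the clock is injectable so lockout expiry can be tested without waiting.

```python
import hmac
import time
from typing import Callable, Dict, List, Optional, Tuple

MAX_ATTEMPTS = 5         # failed codes tolerated per window before lockout
LOCKOUT_SECONDS = 300


class SecondFactorVerifier:
    """One failure counter per account, shared by every action that consumes a
    second factor (login, disable_2fa, regen_backup_codes). Limiting only the
    login form leaves the other two open to guessing with a stolen password and
    a live session."""

    def __init__(self, backup_codes: Dict[int, Tuple[str, ...]],
                 now: Callable[[], float] = time.time):
        self._codes = {acct: set(codes) for acct, codes in backup_codes.items()}
        self._failures: Dict[int, List[float]] = {}
        self._locked_until: Dict[int, float] = {}
        self._now = now
        self.audit: List[Tuple[int, str, bool]] = []   # (account, action, success)

    def _locked(self, acct: int) -> bool:
        return self._now() < self._locked_until.get(acct, 0.0)

    def _record_failure(self, acct: int) -> None:
        t = self._now()
        recent = [f for f in self._failures.get(acct, []) if t - f < LOCKOUT_SECONDS]
        recent.append(t)
        self._failures[acct] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[acct] = t + LOCKOUT_SECONDS

    def consume_backup_code(self, acct: int, submitted: str, action: str) -> bool:
        """Verify and burn a backup code for `action`. A locked account fails
        without the code being examined; comparison is constant-time."""
        ok = False
        if not self._locked(acct):
            match: Optional[str] = None
            # compare against every stored code; set membership would return
            # early on the first differing byte and leak timing information.
            for code in self._codes.get(acct, set()):
                if hmac.compare_digest(code.encode(), submitted.encode()):
                    match = code
            if match is not None:
                self._codes[acct].discard(match)       # single use
                self._failures.pop(acct, None)
                ok = True
            else:
                self._record_failure(acct)
        self.audit.append((acct, action, ok))
        return ok
```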

[Figure: OTP brute-force process for disabling 2FA using the "Burp: Intruder" tool]

Results

Overall, MCS turned out to be a fairly secure product. During the audit, the pentest team was unable to gain access to customers' VMs and their data, and the MCS team quickly fixed the vulnerabilities that were found.

But it is important to note that security is an ongoing process. Services are not static, they are constantly evolving. And it is impossible to build a product with no vulnerabilities at all. But you can find them in time and minimize the chance of their recurrence.

All the vulnerabilities mentioned here have already been fixed in MCS. And to keep the number of new ones to a minimum and shorten their lifetime, the platform team keeps doing the following:

source: www.habr.com