About a vulnerability in ...

A year ago, on March 21, 2019, the Mail.Ru bug bounty program on HackerOne received a very interesting bug report from mazar. When a null byte (ASCII 0) was injected into a POST parameter of one of the webmail API requests that returns an HTTP redirect, pieces of uninitialized memory showed up in the redirect data, containing fragments of GET parameters and headers from other requests to the same server.

This was a critical problem because, among other things, those requests carry session cookies. A few hours later a temporary fix was deployed that filtered out null bytes (as it turned out later, this was not enough: CRLF injection (ASCII 13, 10) remained possible, which lets an attacker control the headers and body of the HTTP response; less critical, but still unacceptable). At the same time, the problem was handed over to the security analysts and developers to find and eliminate the root cause of the bug.

Mail.ru Mail is a very complex application: many different front-end/back-end components, both open source (many thanks to all free software developers) and developed in-house, can take part in producing a response. We managed to rule out every component except nginx and OpenResty and to localize the problem to the call of ngx.req.set_uri() in an OpenResty script, which did not behave as expected (inserting a null byte or a line break through GET parameters with a rewrite in ngx_http_rewrite_module, which according to the documentation is used under the hood and, one would think, should behave exactly the same way, did not work). The consequences were eliminated, the filtering was made as strict as possible, and it was verified that the filtering closes all vectors. But the mechanism that led to the leak of memory contents remained unknown. A month later the bug report was closed as resolved, and the analysis of the cause of the bug was postponed until better times.

OpenResty is a very popular plugin that allows writing Lua scripts inside nginx, and it is used in many Mail.ru projects, so the problem was not considered solved. After some time we finally came back to it to understand the real causes and the possible consequences and to produce recommendations for developers. Denis Denisov and Nikolay Ermishkin took part in digging through the source code. It turned out that:

  • In nginx, when rewrite is used with user-supplied data, path traversal (and possibly SSRF) is possible in some configurations, but this is well known and should be caught by static configuration analyzers such as Nginx Amplify and gixy from Yandex (yes, we use it, thanks). With OpenResty this is easy to miss, but it did not apply to our configuration.

    Configuration example:

    location ~ /rewrite {
        rewrite ^.*$ $arg_x;
    }
    
    location / {
        root html;
        index index.html index.htm;
    }

    Result:

    curl localhost:8337/rewrite?x=/../../../../../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    ...

  • nginx has a bug that leaks memory contents if the rewrite string contains a null byte. When a redirect is returned, nginx allocates a new memory buffer for the full length of the string, but copies the string with a string function that treats the null byte as a terminator, so the string is copied only up to the null byte; the rest of the buffer contains uninitialized data. A detailed analysis can be found here.

    Configuration example (^@ is a null byte):

    location ~ /memleak {
        rewrite ^.*$ "^@asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdasdf";
    }
    
    location / {
        root html;
        index index.html index.htm;
    }

    Result:

    curl localhost:8337/secret -vv
    ...
    curl localhost:8337/memleak -vv
    ...
    Location: http://localhost:8337/secret
    ...

  • nginx protects GET parameters from injection of control characters and allows only GET parameters to be used in rewrite. So it is impossible to exploit this through user-controlled data in nginx itself. POST parameters are not protected. OpenResty allows working with both GET and POST parameters, so when POST parameters are passed through OpenResty, special characters can be injected.

    Configuration example:

    location ~ /memleak {
        rewrite_by_lua_block {
            ngx.req.read_body();
            local args, err = ngx.req.get_post_args();
            ngx.req.set_uri( args["url"], true );
        }
    }
    
    location / {
        root html;
        index index.html index.htm;
    }
    

    Result:

    curl localhost:8337 -d "url=secret" -vv
    ...
    curl localhost:8337 -d "url=%00asdfasdfasdfasdfasdfasdfasdfasdf" -vv
    ...
    Location: http://localhost:8337/{...may contain secret...}
    ...
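
The second and third bullets above, modeled in C as an added example (this is not code from nginx, OpenResty or the article): a static arena stands in for nginx's per-request pool, which hands out memory without zeroing it; build_location_vuln() sizes the buffer for the whole rewrite string but stops copying at the first null byte, so the bytes left behind by an earlier request are sent as part of the Location header; uri_is_safe() and build_location_fixed() are the input check the article recommends before passing user data to a rewrite or to ngx.req.set_uri(). The arena allocator, the request text, the cookie value SECRET1234 and all function names are constructed for the demo.

```c
/* Added example, not code from nginx, OpenResty or the article: a toy model
 * of the redirect-building bug and of the input check that prevents it.
 * A static arena stands in for nginx's per-request pool, which (like
 * ngx_pnalloc) hands out memory without zeroing it. The header text,
 * cookie value and function names are constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARENA_SIZE 256

static unsigned char arena[ARENA_SIZE];  /* one "pool" reused across requests */
static size_t arena_used;                /* bump pointer */

/* Pool allocator: returns non-zeroed memory, like ngx_pnalloc(). */
static void *pool_alloc(size_t n)
{
    if (arena_used + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* Recycle the pool for the next request without clearing it; the previous
 * request's bytes stay behind, which is what makes the disclosure possible. */
static void pool_reset(void) { arena_used = 0; }

/* An earlier request from another user leaves its request line and headers
 * (constructed sample data) in the pool. */
static void previous_request(void)
{
    const char *hdr =
        "GET /inbox?user=alice HTTP/1.1\r\nCookie: session=SECRET1234\r\n";
    char *p = pool_alloc(strlen(hdr));
    memcpy(p, hdr, strlen(hdr));
    pool_reset();
}

struct buf { unsigned char *data; size_t len; };

/* Vulnerable pattern: the buffer is sized for the full rewrite string, but the
 * copy treats the first NUL as a terminator. Everything after it is whatever
 * the pool held before, and the response writer later sends all b.len bytes. */
static struct buf build_location_vuln(const char *uri, size_t len)
{
    struct buf b = { pool_alloc(len), len };
    if (b.data == NULL) { b.len = 0; return b; }
    for (size_t i = 0; i < len && uri[i] != '\0'; i++) b.data[i] = uri[i];
    return b;
}

/* The check the article recommends before handing user input to a rewrite or
 * to ngx.req.set_uri(): no NUL, CR, LF or other control bytes (stops both the
 * memory disclosure and header injection) and no ".." (stops the path
 * traversal from the first bullet). Deliberately strict; widen per endpoint. */
static int uri_is_safe(const unsigned char *uri, size_t len)
{
    if (len == 0 || uri[0] != '/') return 0;
    for (size_t i = 0; i < len; i++) {
        if (uri[i] < 0x20 || uri[i] >= 0x7f) return 0;
        if (uri[i] == '.' && i + 1 < len && uri[i + 1] == '.') return 0;
    }
    return 1;
}

/* Hardened version: validate first, then copy exactly len bytes with memcpy
 * (no terminator semantics), so b.len never exceeds the bytes actually written. */
static struct buf build_location_fixed(const char *uri, size_t len)
{
    struct buf b = { NULL, 0 };
    if (!uri_is_safe((const unsigned char *)uri, len)) return b; /* caller answers 400 */
    b.data = pool_alloc(len);
    if (b.data == NULL) return b;
    memcpy(b.data, uri, len);
    b.len = len;
    return b;
}

/* True if needle occurs anywhere in the bytes a client would receive. */
static int buf_contains(const struct buf *b, const char *needle)
{
    size_t n = strlen(needle);
    if (b->data == NULL || n > b->len) return 0;
    for (size_t i = 0; i + n <= b->len; i++)
        if (memcmp(b->data + i, needle, n) == 0) return 1;
    return 0;
}

/* Scenario from the report: a redirect target that starts with %00 followed by
 * filler, built right after another user's request used the same pool.
 * Returns 1 if the other user's session cookie ends up in the Location bytes. */
static int redirect_leaks_secret(struct buf (*build)(const char *, size_t))
{
    char payload[64];
    payload[0] = '\0';
    memset(payload + 1, 'a', sizeof payload - 1); /* longer filler = more bytes leaked */
    previous_request();
    struct buf loc = build(payload, sizeof payload);
    int leaked = buf_contains(&loc, "session=SECRET1234");
    pool_reset();
    return leaked;
}

int main(void)
{
    printf("vulnerable copy leaks cookie: %s\n",
           redirect_leaks_secret(build_location_vuln) ? "yes" : "no");
    printf("validated copy leaks cookie:  %s\n",
           redirect_leaks_secret(build_location_fixed) ? "yes" : "no");
    return 0;
}
```

The filler length is the knob the PortSwigger comment overlooks: the disclosure covers every byte between the null and the end of the string, so an attacker who is not bounded by a length limit chooses how much of the pool is sent back.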

Further measures

The problem was reported to the nginx and OpenResty developers. The nginx developers do not consider the issue a security bug in nginx, since in nginx itself there is no way to exploit the error through injection of special characters; a fix for the memory disclosure was published on December 16. In the 4 months since the report there were no changes in OpenResty, although there was an understanding that a safe version of the ngx.req.set_uri() function was needed. On March 18, 2020 we published this information, and on March 21 OpenResty released 1.15.8.3, which adds URI validation.

PortSwigger wrote a good article and collected comments from OpenResty and nginx (although the comment that only a small part of memory is exposed is inaccurate and misleading: the amount is determined by the length of the string after the null byte and, in the absence of explicit length limits, can be controlled by the attacker).

So what is the bug, and how do you protect against it?

Is there a bug in nginx? Yes, there is, because leaking memory contents is a bug in any case.

Is there a bug in OpenResty? Yes; at the very least, the question of the safety of the function provided by OpenResty was not investigated and documented.

Is there a configuration/usage error on the OpenResty side? Yes, because in the absence of explicit instructions, an incorrect assumption was made about the safety of the function being used.

Which of these is the security vulnerability worth the $10,000 reward? For us, this mostly does not matter. In any software, especially at the junction of several components, and especially ones coming from different projects and developers, nobody can ever guarantee that all the features of their behaviour are known and documented and that there are no bugs. Therefore a security vulnerability arises exactly where it affects security.

In any case, it is good practice to normalize or restrict/filter, as far as possible, any input data that is passed to any external component/API, unless there are explicit instructions and a clear understanding that this is unnecessary.

Errata

Based on the experience of the previous article, to preserve the purity of the language:

bug bounty - a bug-hunting competition
bug report - an error notification
redirect - redirection
open source - open source code
bug - an error in functioning

Source: www.hab.com
