Almost a vulnerability in...

Last year, on March 21, 2019, a bug report from maxar arrived via HackerOne for the Mail.Ru Mail bug bounty program. When a null byte (ASCII 0) was inserted into a POST parameter of a webmail API request that returned an HTTP redirect, chunks of uninitialized memory appeared in the redirect, frequently revealing fragments of GET parameters and headers from other requests to the same server.

This is fairly serious, because the requests carry session cookies. A few hours later a temporary fix was deployed that filtered out the null byte (as it turned out later, this was not enough: CRLF injection (ASCII 13, 10) remained possible, allowing the HTTP response headers and body to be tampered with. This is minor, but annoying). At the same time the issue was handed to the security specialists and developers to find and fix the root cause.

Mail.ru Mail is a rather complex service; a large number of different frontend/backend components, both open source (many thanks to all the free software developers) and proprietary, can take part in forming a response. We managed to exclude every component except nginx and OpenResty and narrow the problem down to the OpenResty call ngx.req.set_uri(), which behaved unexpectedly (inserting a null byte or newline through GET parameters and rewriting with ngx_http_rewrite_module, which according to the documentation is what set_uri() uses and should seemingly behave the same way, did not reproduce the problem). The possible consequences were assessed, maximum filtering was added, and it was confirmed that the filtering eliminated all possible vectors. But the mechanism that led to the memory leak remained a mystery. A month later the bug report was closed as resolved, and the investigation of the root cause was postponed until better times.

OpenResty is a very popular extension that allows Lua scripts to be written inside Nginx, and it is used in several Mail.ru projects, so the issue was not left alone. Some time later we returned to it to understand the causes and consequences and to give recommendations to developers. Denis Denisov and Nikolay Ermishkin took part in digging through the source code. It turned out that:

  • In nginx, when rewrite is used with user data, directory traversal (and possibly SSRF) is possible in some configurations, but this is well known and should be detected by static configuration analyzers such as Nginx Amplify and Gixy from Yandex (yes, we use it too, thanks). This is easy to miss when using OpenResty, but it did not affect our configuration.

    Example configuration:

    location ~ /rewrite {
        rewrite ^.*$ $arg_x;
    }
    
    location / {
        root html;
        index index.html index.htm;
    }

    Result:

    curl localhost:8337/rewrite?x=/../../../../../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    ...

  • Nginx has a bug that leads to a memory leak (disclosure of memory contents) if the rewrite string contains a null byte. When issuing a redirect, Nginx allocates a new buffer matching the full length of the string, but copies the string with a string function for which a null byte is the string terminator. As a result, the string is copied only up to the null byte, and the rest of the buffer contains uninitialized data. A detailed analysis can be found here.

    Example configuration (^@ denotes the null byte):

    location ~ /memleak {
        rewrite ^.*$ "^@asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdasdf";
    }
    
    location / {
        root html;
        index index.html index.htm;
    }

    Result:

    curl localhost:8337/secret -vv
    ...
    curl localhost:8337/memleak -vv
    ...
    Location: http://localhost:8337/secret
    ...

  • Nginx protects GET parameters from special-character injection and only allows GET parameters to be used in rewrite. Therefore injection through user-controlled parameters is not possible in Nginx itself. POST parameters, however, are not protected. OpenResty supports both GET and POST parameters, so using POST parameters via OpenResty makes special-character injection possible.

    Example configuration:

    location ~ /memleak {
        rewrite_by_lua_block {
            ngx.req.read_body();
            local args, err = ngx.req.get_post_args();
            ngx.req.set_uri( args["url"], true );
        }
    }
    
    location / {
        root html;
        index index.html index.htm;
    }

    Result:

    curl localhost:8337 -d "url=secret" -vv
    ...
    curl localhost:8337 -d "url=%00asdfasdfasdfasdfasdfasdfasdfasdf" -vv
    ...
    Location: http://localhost:8337/{...may contain secret...}
    ...
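
The copy-length mismatch described in the second point, shown as an added example; this is not nginx source, only a minimal model of the bug class: a length-counted string in the spirit of ngx_str_t, a NUL-terminated copy routine, and a constructed redirect target with an embedded NUL. The stale heap contents are simulated with a marker byte so the disclosure is visible offline, and the fixed variant copies by length instead. All names (str_t, cpystrn, build_location_*) are introduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length-counted string in the spirit of nginx's ngx_str_t (simplified;
 * this file is an added illustration, not nginx source). */
typedef struct {
    size_t len;
    unsigned char *data;
} str_t;

/* Constructed redirect target: "/x", an embedded NUL, then 20 filler bytes.
 * The filler mimics the long tail that followed %00 in the reported request. */
static const unsigned char TARGET[] = "/x\0asdfasdfasdfasdfasdf";
#define TARGET_LEN (sizeof(TARGET) - 1)   /* 23 bytes, embedded NUL included */

/* Stand-in for whatever the previous owner of the heap block left behind,
 * so the stale region can be seen when the program is run offline. */
#define STALE_BYTE 'Z'

/* A classic string copy: honours n as an upper bound but stops at the
 * first NUL, which is exactly the mismatch the article describes. */
static unsigned char *cpystrn(unsigned char *dst, const unsigned char *src, size_t n)
{
    while (n > 0 && *src != '\0') {
        *dst++ = *src++;
        n--;
    }
    *dst = '\0';
    return dst;
}

/* Buggy pattern: buffer sized from the declared length, copy terminated by
 * the NUL. out.len still claims all 23 bytes, so the stale tail would be
 * emitted in the Location header. */
str_t build_location_buggy(const unsigned char *src, size_t len)
{
    str_t out;
    out.len = len;
    out.data = malloc(len + 1);
    if (out.data == NULL) { out.len = 0; return out; }
    memset(out.data, STALE_BYTE, len + 1);   /* simulated stale heap contents */
    cpystrn(out.data, src, len);
    return out;
}

/* Fixed pattern: a length-counted copy writes every byte that out.len covers. */
str_t build_location_fixed(const unsigned char *src, size_t len)
{
    str_t out;
    out.len = len;
    out.data = malloc(len + 1);
    if (out.data == NULL) { out.len = 0; return out; }
    memset(out.data, STALE_BYTE, len + 1);
    memcpy(out.data, src, len);
    out.data[len] = '\0';
    return out;
}

/* Number of bytes in the header value that did not come from the input. */
size_t stale_bytes(const str_t *s, const unsigned char *src)
{
    size_t i, n = 0;
    for (i = 0; i < s->len; i++) {
        if (s->data[i] != src[i]) {
            n++;
        }
    }
    return n;
}

/* Wrappers: build the header value from the constructed target and report
 * how much of it is stale memory rather than input. */
size_t leaked_bytes_buggy(void)
{
    str_t s = build_location_buggy(TARGET, TARGET_LEN);
    size_t n = stale_bytes(&s, TARGET);
    free(s.data);
    return n;
}

size_t leaked_bytes_fixed(void)
{
    str_t s = build_location_fixed(TARGET, TARGET_LEN);
    size_t n = stale_bytes(&s, TARGET);
    free(s.data);
    return n;
}

int main(void)
{
    size_t i;
    str_t s = build_location_buggy(TARGET, TARGET_LEN);
    printf("buggy: %zu of %zu bytes are stale heap contents\n",
           leaked_bytes_buggy(), (size_t) TARGET_LEN);
    printf("fixed: %zu of %zu bytes are stale heap contents\n",
           leaked_bytes_fixed(), (size_t) TARGET_LEN);
    /* The buggy header value as a client would see it (NUL shown as '.'). */
    printf("buggy Location value: ");
    for (i = 0; i < s.len; i++) putchar(s.data[i] ? s.data[i] : '.');
    putchar('\n');
    free(s.data);
    return 0;
}
```

The amount disclosed is whatever follows the NUL up to the declared length, which is why the "only a small fragment" remark discussed below does not hold without an explicit length limit on the rewrite target.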

What was done

The issue was reported to the nginx and OpenResty developers. The nginx developers do not consider the issue a security bug in nginx, since in nginx itself there is no way to exploit it through special-character injection; a patch with an explanation of the memory leak was published on December 16. In the 4 months since the report OpenResty did not change, although it was clear that a safe version of the ngx.req.set_uri() function was needed. On March 18, 2020 we published the details, and on March 21 OpenResty released version 1.15.8.3, which adds URI checks.

Portswigger wrote a good article and obtained comments from OpenResty and Nginx (although the comment that only a small fragment of memory is disclosed is wrong and misleading: the amount is determined by the length of the string following the null byte and, in the absence of an explicit length limit, can be controlled by an attacker).

So whose bug was it, and what can be done to prevent this?

Was there a bug in nginx? Yes, there was, because a memory leak is a bug in any case.

Was there a bug in OpenResty? Yes; at the very least, the security of the functionality OpenResty provides was not investigated and documented.

Was there a configuration/usage bug on the side using OpenResty? Yes, because in the absence of clear guidance an unverified assumption was made about the security of the functionality being used.

Which of these is the $10000 security vulnerability? For us this is not really important. In any software, especially where many components intersect, and all the more so when they are provided by different projects and developers, no one can guarantee that every detail of their operation is known and documented, or that there are no bugs. Consequently, a security vulnerability arises wherever such a bug affects security.

In any case, it is good practice to validate, or restrict/filter as far as possible, the input data that goes to any external component/API, unless there are clear instructions and a good understanding that this is not necessary.
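
An allow-list check of the kind this recommendation calls for, as an added example rather than the project's code: it is written in C to match the other example on this page, but it models the validation a rewrite_by_lua_block could apply to the decoded value of args["url"] before calling ngx.req.set_uri(). It rejects the inputs from the examples above (an embedded NUL after decoding %00, dot-dot segments) and also CR/LF, which the article notes remained injectable after the first fix. The function names and reason codes (check_rewrite_target, URI_*) are introduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for a rewrite target taken from user input. Names are this
 * example's own, not OpenResty or nginx identifiers. */
enum uri_verdict {
    URI_OK = 0,
    URI_EMPTY,
    URI_CONTROL_BYTE,        /* NUL, CR, LF or another C0 control byte */
    URI_NOT_ABSOLUTE_PATH,   /* does not begin with '/' */
    URI_DOT_SEGMENT          /* a "." or ".." path segment */
};

/* Checks the already-decoded bytes a component such as
 * ngx.req.get_post_args() hands back; an explicit length is taken so an
 * embedded NUL is inspected rather than silently ending the string. */
enum uri_verdict check_rewrite_target(const unsigned char *uri, size_t len)
{
    size_t i, seg_start;

    if (len == 0) return URI_EMPTY;

    /* Control bytes first: a NUL is what triggered the memory disclosure,
     * and CR/LF is what later allowed header injection in the redirect. */
    for (i = 0; i < len; i++) {
        if (uri[i] < 0x20 || uri[i] == 0x7f) return URI_CONTROL_BYTE;
    }

    if (uri[0] != '/') return URI_NOT_ABSOLUTE_PATH;

    /* Walk the path segment by segment and refuse "." and "..", which is
     * what the $arg_x traversal example relies on. */
    seg_start = 1;
    for (i = 1; i <= len; i++) {
        if (i == len || uri[i] == '/') {
            size_t seg_len = i - seg_start;
            if (seg_len == 1 && uri[seg_start] == '.') return URI_DOT_SEGMENT;
            if (seg_len == 2 && uri[seg_start] == '.' && uri[seg_start + 1] == '.') {
                return URI_DOT_SEGMENT;
            }
            seg_start = i + 1;
        }
    }
    return URI_OK;
}

/* Convenience wrapper for NUL-free C strings. */
enum uri_verdict check_rewrite_target_cstr(const char *uri)
{
    return check_rewrite_target((const unsigned char *) uri, strlen(uri));
}

static const char *verdict_name(enum uri_verdict v)
{
    switch (v) {
    case URI_OK:                return "ok";
    case URI_EMPTY:             return "empty";
    case URI_CONTROL_BYTE:      return "control byte";
    case URI_NOT_ABSOLUTE_PATH: return "not an absolute path";
    case URI_DOT_SEGMENT:       return "dot segment";
    }
    return "?";
}

int main(void)
{
    /* Constructed samples; the decoded form of %00 is a raw NUL, so that
     * one is passed with an explicit length. */
    static const unsigned char with_nul[] = "/\0asdfasdfasdfasdf";
    printf("%-36s -> %s\n", "/secret",
           verdict_name(check_rewrite_target_cstr("/secret")));
    printf("%-36s -> %s\n", "/%00asdfasdfasdfasdf (decoded)",
           verdict_name(check_rewrite_target(with_nul, sizeof(with_nul) - 1)));
    printf("%-36s -> %s\n", "/../../../../../../../etc/passwd",
           verdict_name(check_rewrite_target_cstr("/../../../../../../../etc/passwd")));
    printf("%-36s -> %s\n", "/a<CR><LF>Injected: 1",
           verdict_name(check_rewrite_target_cstr("/a\r\nInjected: 1")));
    return 0;
}
```

Anything that is not URI_OK should fall back to a fixed, configuration-owned target rather than being passed through; rejecting by allow-list is preferable to stripping individual bytes, since the first fix on the page shows how a single-character filter leaves the next injection open.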

Corrections

Following the experience of a previous article, and in the interest of keeping the language pure, the loanwords used above are glossed as follows:

bug bounty - a bug-hunting contest
bug report - a report of an error
redirect - redirection
open source - openly available source code
bugs - working through the mistakes

Source: www.habr.com
