There is a vulnerability in...

About a year ago, on March 21, 2019, a very interesting bug report from maxarr arrived on HackerOne as part of the Mail.Ru bug bounty program. When a zero byte (ASCII 0) was injected into a POST parameter of one of the webmail API requests that answered with an HTTP redirect, fragments of uninitialized memory showed up in the redirect data, and those fragments contained pieces of GET parameters and headers of other requests to the same server.

This is a critical bug, because... requests also carry session cookies. A few hours later a temporary fix was deployed that filtered out the zero byte (as it turned out later, this was not enough, because it was still possible to inject CRLF / ASCII 13, 10, which lets you alter the headers and body of the HTTP response; not very critical, but still unpleasant). At the same time the problem was handed to security analysts and developers to find and remove the root cause of the bug.

Mail.ru Mail is a very complex application; a huge number of different front-end/back-end components, both open source (many thanks to all free software developers) and developed in-house, can take part in generating a response. We managed to rule out every component except nginx and OpenResty and to localize the problem to a call to ngx.req.set_uri() in an OpenResty script, which did not behave as expected (injecting a null byte or a line feed through a GET parameter into a rewrite in ngx_http_rewrite_module, which according to the documentation is what set_uri() uses and should presumably behave the same way, did not work). The possible consequences were assessed, filtering was added wherever possible, and it was verified that the filtering cut off every possible vector. But the mechanism that led to the leak of memory contents remained a mystery. A month later the bug report was closed as resolved, and the investigation of the root cause was postponed until better times.

OpenResty is a popular project that lets you write Lua scripts inside nginx, and it is used in several Mail.ru projects, so the problem was not considered closed. After some time we came back to it to understand the real causes and the possible consequences, and to give recommendations to developers. Denis Denisov and Nikolay Ermishkin took part in digging through the source code. It turned out that:

  • In nginx, when rewrite is used with user-supplied data, directory traversal (and possibly SSRF) is possible in some configurations, but this is a known fact and should be caught by static configuration analyzers in Nginx Amplify and gixy from Yandex (yes, we use it too, thanks). With OpenResty this behaviour is easier to miss, but it did not affect our configuration.

    configuration example:

    location ~ /rewrite {
        rewrite ^.*$ $arg_x;
    }
    
    location / {
        root html;
        index index.html index.htm;
    }

    run:

    curl localhost:8337/rewrite?x=/../../../../../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    ...

  • nginx had a bug that leads to disclosure of memory contents if the rewrite string contains a null byte. When a redirect is issued, nginx allocates a new buffer sized to the full length of the string, but copies the string into it with a string routine that treats the zero byte as the string terminator, so only the part up to the zero byte is copied; the rest of the buffer holds uninitialized data, and the whole buffer is sent in the Location header. A detailed analysis can be found here.

    configuration example (^@ denotes the zero byte):

    location ~ /memleak {
        rewrite ^.*$ "^@asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdasdf";
    }
    
    location / {
        root html;
        index index.html index.htm;
    }

    run:

    curl localhost:8337/secret -vv
    ...
    curl localhost:8337/memleak -vv
    ...
    Location: http://localhost:8337/secret
    ...

  • nginx keeps GET parameters safe from injection of special characters (the $arg_* variables hold the raw, still percent-encoded value) and allows only GET parameters to be used in rewrite. So in nginx itself the bug cannot be triggered through a user-controlled parameter. POST parameters have no such protection. OpenResty lets you work with both GET and POST parameters, so when a POST parameter is passed through OpenResty, injecting special characters becomes possible.

    configuration example:

    location ~ /memleak {
        rewrite_by_lua_block {
            ngx.req.read_body();
            local args, err = ngx.req.get_post_args();
            ngx.req.set_uri( args["url"], true );
        }
    }
    
    location / {
        root html;
        index index.html index.htm;
    }
    

    result:

    curl localhost:8337 -d "url=secret" -vv
    ...
    curl localhost:8337 -d "url=%00asdfasdfasdfasdfasdfasdfasdfasdf" -vv
    ...
    Location: http://localhost:8337/{...may contain "secret"...}
    ...
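The two mechanisms above, the NUL-terminated copy into a buffer sized from the full string length and the input validation that a safe ngx.req.set_uri()-style entry point needs, as an added, self-contained illustration in C. This is not nginx's or OpenResty's code and is not from the original article: the request "pool", its stale contents (a constructed earlier request with a hypothetical cookie name Mrcu), the Location prefix and all function names are assumptions made for the demo. The same block also illustrates the closing recommendation of the article, namely rejecting control characters and traversal segments before user data reaches an external module.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Simulated request-pool memory. nginx hands out unzeroed buffers from a
 * per-request pool, and that memory may previously have held other requests'
 * data. Here the stale contents are constructed deliberately so the demo is
 * deterministic; on a real server what leaks is whatever happened to be there. */
#define POOL_SIZE 512
static unsigned char pool[POOL_SIZE];

void pool_fill_with_stale_request(void)
{
    /* Constructed sample of what an earlier request to the same worker might
     * have left behind (cookie name and value are hypothetical). */
    static const char stale[] =
        "GET /secret?token=abc123 HTTP/1.1\r\nCookie: Mrcu=SESSION-COOKIE\r\n";
    size_t n = sizeof(stale) - 1;
    for (size_t i = 0; i < POOL_SIZE; i++)
        pool[i] = (unsigned char) stale[i % n];
}

static unsigned char *pool_alloc(size_t n)
{
    return n <= POOL_SIZE ? pool : NULL;   /* no zeroing, like a pool allocator */
}

/* Length-bounded copy that nevertheless treats NUL as end of string: the kind
 * of routine the article blames. Bytes after the NUL are never written. */
static unsigned char *copy_cstr_bounded(unsigned char *dst,
                                        const unsigned char *src, size_t n)
{
    while (n-- > 0 && *src != '\0')
        *dst++ = *src++;
    return dst;
}

static const char PREFIX[] = "Location: http://localhost:8337";
#define PREFIX_LEN (sizeof(PREFIX) - 1)

/* Vulnerable: the buffer, and the length later sent on the wire, come from the
 * full rewrite-target length, but the copy stops at the first zero byte. */
size_t build_location_vulnerable(const unsigned char *uri, size_t uri_len,
                                 unsigned char **out)
{
    size_t len = PREFIX_LEN + uri_len;
    unsigned char *buf = pool_alloc(len);
    if (buf == NULL)
        return 0;
    memcpy(buf, PREFIX, PREFIX_LEN);
    copy_cstr_bounded(buf + PREFIX_LEN, uri, uri_len);
    *out = buf;
    return len;   /* everything after the NUL is uninitialized pool memory */
}

/* Checks a user-controlled string before it is handed to rewrite machinery.
 * Returns 0 if acceptable; 1 = NUL/CR/LF present (memory disclosure, header
 * injection); 3 = not a local path (empty, or not starting with '/', which also
 * rejects absolute URLs); 2 = a ".." path segment (directory traversal).
 * Percent-decoding, if the caller does any, must happen before this check. */
int validate_rewrite_target(const unsigned char *uri, size_t uri_len)
{
    for (size_t i = 0; i < uri_len; i++)
        if (uri[i] == '\0' || uri[i] == '\r' || uri[i] == '\n')
            return 1;
    if (uri_len == 0 || uri[0] != '/')
        return 3;
    size_t i = 0;                        /* walk path segments up to '?' */
    while (i < uri_len && uri[i] != '?') {
        size_t start = i;
        while (i < uri_len && uri[i] != '/' && uri[i] != '?')
            i++;
        if (i - start == 2 && uri[start] == '.' && uri[start + 1] == '.')
            return 2;
        if (i < uri_len && uri[i] == '/')
            i++;
    }
    return 0;
}

/* Hardened: reject bad input up front, then copy by length, never by NUL. */
size_t build_location_safe(const unsigned char *uri, size_t uri_len,
                           unsigned char **out)
{
    if (validate_rewrite_target(uri, uri_len) != 0)
        return 0;
    size_t len = PREFIX_LEN + uri_len;
    unsigned char *buf = pool_alloc(len);
    if (buf == NULL)
        return 0;
    memcpy(buf, PREFIX, PREFIX_LEN);
    memcpy(buf + PREFIX_LEN, uri, uri_len);
    *out = buf;
    return len;
}

/* memmem()-style search so a caller can inspect what would go on the wire. */
int header_contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len)
        return n == 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* The payload from the second curl above: a zero byte followed by filler. */
    const unsigned char uri[] = "\0asdfasdfasdfasdfasdfasdfasdfasdf";
    size_t uri_len = sizeof(uri) - 1;
    unsigned char *hdr = NULL;

    pool_fill_with_stale_request();
    size_t n = build_location_vulnerable(uri, uri_len, &hdr);
    printf("vulnerable (%zu bytes): ", n);
    for (size_t i = 0; i < n; i++)
        putchar(hdr[i] >= 0x20 && hdr[i] < 0x7f ? hdr[i] : '.');
    putchar('\n');

    pool_fill_with_stale_request();
    n = build_location_safe(uri, uri_len, &hdr);
    printf("safe: %s\n", n == 0 ? "rejected" : "accepted");
    return 0;
}
```

With the null-byte payload the vulnerable builder returns 64 bytes of which the last 33 are the stale request, cookie included; the length of that tail is exactly the length of the filler after the zero byte, which is the point the article makes against the "only a small chunk of memory" comment. The safe builder refuses the same input, and also refuses the `/../../etc/passwd` target from the first configuration example.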

What happened next

The problem was reported to the nginx and OpenResty developers. The nginx developers do not regard it as a security bug in nginx, because in nginx itself there is no way to reach the bug by injecting special characters; the fix for the memory disclosure was released on December 16. In the four months after the report no changes were made to OpenResty, even though it was understood that a safe version of the ngx.req.set_uri() function was needed. On March 4 we published the information, and on March 18, 2020, OpenResty released version 1.15.8.3, which adds URI validation.

PortSwigger wrote a good article and collected comments from OpenResty and nginx (although the statement that only a small chunk of memory is disclosed is incorrect and misleading: the size is determined by the length of the string after the null byte and, absent explicit limits on that length, is controlled by the attacker).

So what was the bug, and what could have been done to prevent it?

Was there a bug in nginx? Yes, there was, because disclosing memory contents is a bug in any case.

Was there a bug in OpenResty? Yes, at the very least the safety of the functionality OpenResty provides was not analyzed and not documented.

Was there a configuration/usage error with OpenResty? Yes, because in the absence of explicit documentation, an unverified assumption was made about the safety of the functionality being used.

Which of these bugs is the security vulnerability that deserves the $10000 bounty? For us, this question is usually beside the point. In any software, especially at the junction of several components, and especially when they are provided by different projects and developers, nobody can guarantee that every aspect of their behaviour is known and documented and that there are no errors. So any vulnerability that actually affects security counts as a security vulnerability.

In any case, it is good practice to normalize, or to restrict and filter as much as possible, the input data passed to any external module or API, unless there are explicit instructions and a clear understanding that this is not required.

Glossary

Following the comments on the previous article, to keep the language pure:

bug bounty - a bug-hunting competition
bug report - an error notification
redirect - redirection
open source - open source
exploitation - working on a bug

Source: www.habr.com
