I-ProHoster > Блог > Ukuphatha > Ukuhlolwa kokuphepha kwenkundla yefu ye-MCS

Ukuhlolwa kokuphepha kwenkundla yefu ye-MCS

Ukuhlolwa kokuphepha kwenkundla yefu ye-MCS
I-SkyShip Dusk ngu-SeerLight

Ukwakha noma iyiphi insizakalo kuhlanganisa ukusebenza njalo kwezokuphepha. Ukuvikeleka kuyinqubo eqhubekayo ehlanganisa ukuhlaziywa njalo kanye nokwenza ngcono ukuphepha komkhiqizo, ukuqapha izindaba ezimayelana nokuba sengozini nokunye okuningi. Kubandakanya ukucwaninga. Ukucwaningwa kwamabhuku kwenziwa kokubili ngaphakathi endlini kanye nochwepheshe bangaphandle, abangasiza kakhulu ngokuvikeleka ngoba abagxilile kuphrojekthi futhi banomqondo ovulekile.

I-athikili imayelana nalo mbono oqonde kakhulu wochwepheshe bangaphandle abasize ithimba le-Mail.ru Cloud Solutions (MCS) ukuthi lihlole isevisi yefu, kanye nokuthi yini abayitholile. “Njengamandla angaphandle,” i-MCS yakhetha inkampani yeDigital Security, eyaziwa ngobungcweti bayo obuphezulu emibuthanweni yokuvikela ulwazi. Futhi kulesi sihloko sizohlaziya ubungozi obuthile obuthakaselayo obutholakala njengengxenye yocwaningo lwangaphandle - ukuze ugweme ireki efanayo lapho udala eyakho isevisi yefu.

Описание продукта

I-Mail.ru Cloud Solutions (MCS) iyinkundla yokwakha ingqalasizinda ebonakalayo emafini. Ihlanganisa i-IaaS, i-PaaS, kanye nemakethe yezithombe zohlelo lokusebenza ezenziwe ngomumo zonjiniyela. Kucatshangelwa ukwakheka kwe-MCS, bekudingeka ukuthi kubhekwe ukuphepha komkhiqizo kulezi zindawo ezilandelayo:

  • ukuvikela ingqalasizinda yendawo ye-virtualization: ama-hypervisors, umzila, izindonga zomlilo;
  • ukuvikelwa kwengqalasizinda ebonakalayo yamakhasimende: ukuhlukaniswa komunye nomunye, kufaka phakathi inethiwekhi, amanethiwekhi angasese ku-SDN;
  • I-OpenStack kanye nezingxenye zayo ezivulekile;
  • S3 yomklamo wethu;
  • I-IAM: amaphrojekthi aqashisayo amaningi anesibonelo esihle;
  • Umbono (umbono wekhompyutha): Ama-API kanye nokuba sengozini lapho usebenza ngezithombe;
  • isikhombimsebenzisi sewebhu kanye nokuhlaselwa kwewebhu kwakudala;
  • ubungozi bezingxenye ze-PaaS;
  • I-API yazo zonke izingxenye.

Mhlawumbe yilokho kuphela okubalulekile emlandweni owengeziwe.

Hlobo luni lomsebenzi owenziwa futhi kungani wawudingeka?

Ukuhlolwa kokuvikeleka kuhloselwe ukuhlonza ubungozi kanye namaphutha okulungiselela angaholela ekuvuzeni kwedatha yomuntu siqu, ukuguqulwa kolwazi olubucayi, noma ukuphazamiseka kokutholakala kwesevisi.

Phakathi nomsebenzi, othatha isilinganiso sezinyanga ezingu-1-2, abacwaningi mabhuku baphinda izenzo zabangase babe abahlaseli futhi babheke ubungozi ezingxenyeni zeklayenti neseva zesevisi ekhethiwe. Kumongo wokuhlolwa kwenkundla yefu ye-MCS, lezi zinhloso ezilandelayo zikhonjiwe:

  1. Ukuhlaziywa kokuqinisekisa kusevisi. Ukuba sengozini kule ngxenye kungasiza ukungena ngokushesha kuma-akhawunti abanye abantu.
  2. Ifunda imodeli kanye nokulawula ukufinyelela phakathi kwama-akhawunti ahlukene. Kumhlaseli, ikhono lokufinyelela emshinini womunye umuntu liwumgomo ofiselekayo.
  3. Ukuba sengozini kohlangothi lweklayenti. I-XSS/CSRF/CRLF/etc. Kungenzeka yini ukuhlasela abanye abasebenzisi ngezixhumanisi ezinonya?
  4. Ukuba sengozini okuseceleni kweseva: I-RCE nazo zonke izinhlobo zemijovo (SQL/XXE/SSRF njalonjalo). Ukuba sengozini kweseva ngokuvamile kunzima kakhulu ukukuthola, kodwa kuholela ekonakaleni kwabasebenzisi abaningi ngesikhathi esisodwa.
  5. Ukuhlaziywa kokuhlukaniswa kwengxenye yomsebenzisi ezingeni lenethiwekhi. Kumhlaseli, ukushoda kokuzihlukanisa kukhulisa kakhulu indawo yokuhlasela ngokumelene nabanye abasebenzisi.
  6. Ukuhlaziywa kwe-logic yebhizinisi. Kungenzeka yini ukukhohlisa amabhizinisi futhi udale imishini ebonakalayo mahhala?

Kule phrojekthi, umsebenzi wenziwa ngokuya ngemodeli ye-"Grey-box": abacwaningi bamabhuku basebenzisana nesevisi ngamalungelo abasebenzisi abajwayelekile, kodwa babenayo ingxenye yekhodi yomthombo ye-API futhi baba nethuba lokucacisa imininingwane nabathuthukisi. Lokhu ngokuvamile kulula kakhulu, futhi ngesikhathi esifanayo imodeli engokoqobo yomsebenzi: ulwazi lwangaphakathi lusengaqoqwa umhlaseli, kuyindaba yesikhathi kuphela.

Kutholwe ubungozi

Ngaphambi kokuba umcwaningi mabhuku aqale ukuthumela imithwalo ehlukahlukene ekhokhelwayo (umthwalo osetshenziswayo ukuhlasela) ezindaweni ezingahleliwe, kuyadingeka ukuqonda ukuthi izinto zisebenza kanjani nokuthi yikuphi ukusebenza okunikezwayo. Kungase kubonakale sengathi lokhu kuwumsebenzi ongenamsebenzi, ngoba ezindaweni eziningi ezifundwayo ngeke kube khona ukukhubazeka. Kodwa ukuqonda kuphela isakhiwo sohlelo lokusebenza kanye nengqondo yokusebenza kwalo kuzokwenza kube nokwenzeka ukuthola ama-vectors okuhlasela ayinkimbinkimbi kakhulu.

Kubalulekile ukuthola izindawo ezibonakala zisolisa noma ezihluke kakhulu kwezinye ngandlela thize. Futhi ukuba sengozini kokuqala okuyingozi kwatholakala ngale ndlela.

I-IDOR

Ubungozi be-IDOR (I-Insecure Direct Object Reference) bungobunye ubungozi obuvame kakhulu kungqondongqondo yebhizinisi, okuvumela oyedwa noma omunye ukuthi athole ukufinyelela ezintweni lapho ukufinyelela kuzo okungavunyelwe ngempela. Ukuba sengozini kwe-IDOR kudala ithuba lokuthola ulwazi mayelana nomsebenzisi wamazinga ahlukahlukene okubucayi.

Enye yezinketho ze-IDOR ukwenza izenzo ngezinto zesistimu (abasebenzisi, ama-akhawunti asebhange, izinto ezisekalishini lokuthenga) ngokukhohlisa izihlonzi zokufinyelela kulezi zinto. Lokhu kuholela emiphumeleni engalindelekile kakhulu. Isibonelo, ithuba lokushintsha i-akhawunti yomthumeli wezimali, ongawantshontsha kwabanye abasebenzisi.

Esimeni se-MCS, abacwaningi bamabhuku basanda kuthola ukuba sengozini kwe-IDOR okuhlobene nezihlonzi ezingavikelekile. Ku-akhawunti yomuntu siqu yomsebenzisi, izihlonzi ze-UUID zazisetshenziselwa ukufinyelela noma yiziphi izinto, okwakubonakala, njengoba ochwepheshe bezokuphepha besho, bengavikeleki ngendlela emangalisayo (okungukuthi, kuvikelwe ekuhlaselweni ngenkani). Kodwa ezinkampanini ezithile, kutholwe ukuthi izinombolo ezibikezelwa njalo zisetshenziswa ukuze kutholwe ulwazi mayelana nabasebenzisi bohlelo lokusebenza. Ngicabanga ukuthi ungaqagela ukuthi bekungenzeka ukushintsha i-ID yomsebenzisi ngayinye, uthumele isicelo futhi futhi ngaleyo ndlela uthole ulwazi ngokudlula i-ACL (uhlu lokulawula ukufinyelela, imithetho yokufinyelela idatha yezinqubo nabasebenzisi).

I-Server Side Request Forgery (SSRF)

Okuhle ngemikhiqizo ye-OpenSource ukuthi inenombolo enkulu yezinkundla ezinezincazelo eziningiliziwe zobuchwepheshe zezinkinga eziphakamayo futhi, uma unenhlanhla, incazelo yesixazululo. Kodwa lolu hlamvu lwemali lune-flip side: ubungozi obaziwayo bubuye buchazwe ngokuningiliziwe. Isibonelo, kunezincazelo ezimangalisayo zobungozi kuforamu ye-OpenStack [XSS] и [SSRF], okuthi ngesizathu esithile akekho ojahile ukuyilungisa.

Umsebenzi ojwayelekile wezinhlelo zokusebenza yikhono lomsebenzisi lokuthumela isixhumanisi kuseva, iseva esichofoza kuso (isibonelo, ukulanda isithombe emthonjeni othile). Uma amathuluzi okuvikela engazihlungi izixhumanisi ngokwazo noma izimpendulo ezibuyiswe kusuka kuseva kuya kubasebenzisi, ukusebenza okunjalo kungasetshenziswa kalula abahlaseli.

Ukuba sengozini kwe-SSRF kungathuthukisa kakhulu ukuthuthukiswa kokuhlasela. Umhlaseli angathola:

  • ukufinyelela okulinganiselwe kunethiwekhi yendawo ehlaselwe, isibonelo, kuphela ngezigaba ezithile zenethiwekhi nokusebenzisa umthetho olandelwayo othile;
  • ukufinyelela okugcwele kunethiwekhi yendawo, uma ukwehliswa kusuka ezingeni lesicelo kuya ezingeni lokuthutha kungenzeka futhi, ngenxa yalokho, ukuphathwa okugcwele komthwalo ezingeni lesicelo;
  • ukufinyelela ekufundeni amafayela endawo kuseva (uma ifayela:/// uhlelo lusekelwa);
  • nokuningi okuningi.

Ukuba sengozini kwe-SSRF kudala kwaziwa ku-OpenStack, “eyimpumputhe” ngokwemvelo: uma uxhumana neseva, awutholi mpendulo kuyo, kodwa uthola izinhlobo ezahlukene zamaphutha/ukubambezeleka, kuye ngomphumela wesicelo. . Ngokusekelwe kulokhu, ungenza ukuskena kwembobo kubasingathi kunethiwekhi yangaphakathi, ngayo yonke imiphumela elandelayo okungafanele ithathwe kancane. Isibonelo, umkhiqizo ungase ube ne-back-office API efinyeleleka kuphela kunethiwekhi yebhizinisi. Ngamadokhumenti (ungakhohlwa ngabangaphakathi), umhlaseli angasebenzisa i-SSRF ukuze afinyelele izindlela zangaphakathi. Isibonelo, uma ukwazi ngandlela thize ukuthola uhlu olulinganiselwe lwama-URL awusizo, bese usebenzisa i-SSRF ungadlula kuwo futhi wenze isicelo - uma kuqhathaniswa, udlulise imali isuka ku-akhawunti iye ku-akhawunti noma ushintshe imikhawulo.

Akukhona okokuqala ukuthi kube sengozini ye-SSRF kutholwa ku-OpenStack. Esikhathini esidlule, bekungenzeka ukulanda izithombe ze-VM ISO kusuka kusixhumanisi esiqondile, okubuye kwaholela emiphumeleni efanayo. Lesi sici manje sesisusiwe ku-OpenStack. Ngokusobala, umphakathi wawubheka lokhu njengekhambi elilula nelinokwethenjelwa kakhulu kule nkinga.

Futhi ku lokhu umbiko otholakala esidlangalaleni ovela kusevisi ye-HackerOne (h1), ukuxhashazwa kwe-SSRF engasaboni enekhono lokufunda imethadatha yesibonelo kuholela ekufinyeleleni kwe-Root kuyo yonke ingqalasizinda yakwaShopify.

Ku-MCS, ubungozi be-SSRF butholwe ezindaweni ezimbili ezinokusebenza okufanayo, kodwa cishe akunakwenzeka ukuzisebenzisa ngenxa yezicishamlilo nokunye ukuvikela. Ngandlela thize, ithimba le-MCS layilungisa le nkinga noma kunjalo, ngaphandle kokulinda umphakathi.

I-XSS esikhundleni sokulayisha amagobolondo

Ngaphandle kwamakhulu ezifundo ezibhaliwe, unyaka nonyaka ukuhlasela kwe-XSS (cross-site scripting) kuseyikhona kakhulu okuhlangana njalo ubungozi bewebhu (noma ukuhlasela?).

Ukulayisha amafayela kuyindawo eyintandokazi yanoma yimuphi umcwaningi wezokuphepha. Ngokuvamile kuvela ukuthi ungakwazi ukulayisha iskripthi esingenasizathu (i-asp/jsp/php) futhi wenze imiyalo ye-OS, kugama elithi pentesters - “igobolondo lokulayisha”. Kodwa ukuthandwa kobuthakathaka obunjalo busebenza kuzo zombili izinkomba: kuyakhunjulwa futhi kuthuthukiswe amakhambi ngokumelene nabo, kangangokuthi maduzane amathuba "okulayisha igobolondo" avame ukuba zero.

Iqembu elihlaselayo (elimelwe yiDigital Security) libe nenhlanhla. KULUNGILE, ku-MCS ohlangothini lweseva okuqukethwe kwamafayela alandiwe kuye kwahlolwa, izithombe kuphela ezivunyelwe. Kodwa i-SVG nayo iyisithombe. Izithombe ze-SVG zingaba yingozi kanjani? Ngoba ungakwazi ukushumeka amazwibela e-JavaScript kuwo!

Kuvele ukuthi amafayela alandiwe ayatholakala kubo bonke abasebenzisi besevisi ye-MCS, okusho ukuthi kungenzeka ukuhlasela abanye abasebenzisi bamafu, okungukuthi abaphathi.

Ukuhlolwa kokuphepha kwenkundla yefu ye-MCS
Isibonelo sokuhlaselwa kwe-XSS kufomu lokungena ngemvume lobugebengu bokweba imininingwane ebucayi

Izibonelo zokuxhashazwa kokuhlasela kwe-XSS:

  • Kungani uzama ukuntshontsha iseshini (ikakhulukazi njengoba manje amakhukhi e-HTTP-Kuphela akhona yonke indawo, avikelekile ekwebiweni usebenzisa imibhalo ye-js), uma umbhalo olayishiwe ungafinyelela ngokushesha i-API yensiza? Kulokhu, umthwalo okhokhelwayo ungasebenzisa izicelo ze-XHR ukuze uguqule ukucushwa kweseva, isibonelo, engeza ukhiye we-SSH osesidlangalaleni womhlaseli futhi uthole ukufinyelela kwe-SSH kuseva.
  • Uma inqubomgomo ye-CSP (inqubomgomo yokuvikela okuqukethwe) ivimbela i-JavaScript ukuthi ingajovwa, umhlaseli angakwazi ukuphila ngaphandle kwayo. Usebenzisa i-HTML emsulwa, dala ifomu lokungena elingelona iqiniso lesayithi futhi untshontshe iphasiwedi yomlawuli ngalobu bugebengu bokweba imininingwane ebucayi obuthuthukisiwe: ikhasi lobugebengu bokweba imininingwane ebucayi lomsebenzisi ligcina lifinyelele ku-URL efanayo, futhi kuba nzima kakhulu kumsebenzisi ukukubona.
  • Ekugcineni, umhlaseli angahlela iklayenti DoS — setha Amakhukhi amakhulu kuno-4 KB. Umsebenzisi udinga ukuvula isixhumanisi kanye kuphela, futhi isayithi lonke liba lingafinyeleleki kuze kube yilapho umsebenzisi ecabanga ukuhlanza isiphequluli ngokuqondile: ezimweni eziningi, iseva yewebhu izokwenqaba ukwamukela iklayenti elinjalo.

Ake sibheke isibonelo senye i-XSS etholiwe, kulokhu ngokuxhashazwa okuhlakaniphe kakhulu. Isevisi ye-MCS ikuvumela ukuthi uhlanganise izilungiselelo zohlelo lokuvikela ube ngamaqembu. Igama leqembu yilapho i-XSS itholwe khona. Okukhethekile kwakuwukuthi i-vector ayizange iqalwe ngokushesha, hhayi lapho ibuka uhlu lwemithetho, kodwa lapho isusa iqembu:

Ukuhlolwa kokuphepha kwenkundla yefu ye-MCS

Okusho ukuthi, isimo siphenduke lokhu okulandelayo: umhlaseli udala umthetho we-firewall "nomthwalo" egameni, umlawuli uyakubona ngemva kwesikhashana bese eqala inqubo yokususa. Futhi kulapho kusebenza khona i-JS enonya.

Konjiniyela be-MCS, ukuvikela ngokumelene ne-XSS ezithombeni ze-SVG ezilandiwe (uma zingenakushiywa), ithimba Lokuphepha Kwedijithali lincome:

  • Beka amafayela alayishwe abasebenzisi esizindeni esihlukile esingahlanganise lutho “namakhukhi”. Iskripthi sizosetshenziswa kumongo wesizinda esihlukile futhi ngeke sibe usongo ku-MCS.
  • Empendulweni ye-HTTP yeseva, thumela isihloko esithi “Isimo sokuqukethwe: okunamathiselwe”. Bese amafayela azolandwa yisiphequluli futhi angasayinwa.

Ngaphezu kwalokho, manje sekunezindlela eziningi ezitholakalayo konjiniyela zokunciphisa ubungozi bokuxhashazwa kwe-XSS:

  • usebenzisa ifulegi elithi "HTTP Kuphela", ungenza izihloko zeseshini "Amakhukhi" zingafinyeleleki ku-JavaScript enonya;
  • inqubomgomo ye-CSP esetshenziswe ngendlela efanele kuzokwenza kube nzima kakhulu kumhlaseli ukuthi axhaphaze i-XSS;
  • izinjini zezifanekiso zesimanje ezifana ne-Angular noma i-React zihlanza ngokuzenzakalelayo idatha yomsebenzisi ngaphambi kokuyikhiphela esipheqululini somsebenzisi.

Ubungozi bokufakazela ubuqiniso bezinto ezimbili

Ukuze kuthuthukiswe ukuphepha kwe-akhawunti, abasebenzisi bahlale belulekwa ukuthi banike amandla i-2FA (ukuqinisekiswa kwezinto ezimbili). Ngempela, lena indlela esebenzayo yokuvimbela umhlaseli ekutholeni ukufinyelela kusevisi uma izifakazelo zomsebenzisi zonakalisiwe.

Kodwa ingabe ukusebenzisa isici sesibili sokuqinisekisa kuhlala kuqinisekisa ukuphepha kwe-akhawunti? Kunezinkinga zokuphepha ezilandelayo ekusetshenzisweni kwe-2FA:

  • Usesho lwe-Brute-force lwekhodi ye-OTP (amakhodi esikhathi esisodwa). Naphezu kokulula kokusebenza, amaphutha afana nokuntuleka kokuvikelwa ku-OTP brute force aphinde ahlangabezane nezinkampani ezinkulu: Icala elixegayo, Icala le-Facebook.
  • I-algorithm yokukhiqiza ebuthakathaka, isibonelo ikhono lokubikezela ikhodi elandelayo.
  • Amaphutha anengqondo, njengokukwazi ukucela i-OTP yomunye umuntu ocingweni lwakho, kanje kwaba kusuka kwaShopify.

Esimeni se-MCS, i-2FA isetshenziswa ngokususelwe ku-Google Authenticator kanye duo. Iphrothokholi ngokwayo isivele ihlolwe isikhathi, kodwa ukuqaliswa kokuqinisekiswa kwekhodi ohlangothini lwesicelo kufanele kubhekwe.

I-MCS 2FA isetshenziswa ezindaweni eziningana:

  • Lapho uqinisekisa umsebenzisi. Kukhona ukuvikeleka emandleni anonya: umsebenzisi unemizamo embalwa kuphela yokufaka iphasiwedi yesikhathi esisodwa, bese okokufaka kuvalwa isikhashana. Lokhu kuvimbela ukuba nokwenzeka kokukhethwa kwe-OTP ngenkani.
  • Lapho ukhiqiza amakhodi ayisipele angaxhunyiwe ku-inthanethi ukwenza i-2FA, kanye nokuyikhubaza. Lapha, asikho isivikelo se-brute force esisetshenzisiwe, okwenze ukuthi, uma unephasiwedi ye-akhawunti kanye neseshini esebenzayo, ukukhiqiza kabusha amakhodi okulondoloza noma ukukhubaza i-2FA ngokuphelele.

Uma kucatshangelwa ukuthi amakhodi ekhophi yasenqolobaneni abekwe kuhlu olufanayo lwamanani eyunithi yezinhlamvu njengalawo akhiqizwe uhlelo lokusebenza lwe-OTP, ithuba lokuthola ikhodi ngesikhathi esifushane laliphezulu kakhulu.

Ukuhlolwa kokuphepha kwenkundla yefu ye-MCS
Inqubo yokukhetha i-OTP ukuze ukhubaze i-2FA usebenzisa ithuluzi elithi “Burp: Intruder”

Umphumela

Sekukonke, i-MCS ibonakala iphephile njengomkhiqizo. Ngesikhathi socwaningo, ithimba eliphenyayo alikwazanga ukufinyelela kuma-VM eklayenti kanye nedatha yawo, futhi ubungozi obutholakele bulungiswe ngokushesha ithimba le-MCS.

Kodwa lapha kubalulekile ukuqaphela ukuthi ukuphepha kuwumsebenzi oqhubekayo. Izinsizakalo azimi, zishintsha njalo. Futhi akunakwenzeka ukuthuthukisa umkhiqizo ngokuphelele ngaphandle kokuba sengozini. Kodwa ungazithola ngesikhathi futhi unciphise ithuba lokuphindeka kwazo.

Manje bonke ubuthakathaka obaluliwe ku-MCS sebevele bulungisiwe. Futhi ukuze kugcinwe inani labasha libe lincane futhi kuncishiswe ukuphila kwabo, ithimba lenkundla liyaqhubeka nokwenza lokhu:

  • njalo ukwenza ucwaningomabhuku yizinkampani zangaphandle;
  • sekela futhi uthuthukise ukubamba iqhaza ohlelweni lwe-Mail.ru Bug Bounty;
  • zibandakanye ezokuphepha. 🙂

Source: www.habr.com

Engeza amazwana