Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

7 RCE and DoS Vulnerabilities Found in ClickHouse DBMS - 804

Uriya Yavnieli and Or Peles - JFrog. Posted 3 years ago.
  • ClickHouse is a column-oriented Database Management System (DBMS) for online analytical processing (OLAP). It was originally built for web analytics workloads, so it is tuned for fast aggregate queries over very large tables.
  • A client can send its requests to the server compressed. The server decompresses each block according to the header the client sent along with it. That header has a few fields: a checksum (hash), the compression method, the compressed size (excluding the checksum), the decompressed size, and then the compressed bytes themselves. The client supplies the entire structure, so it controls every one of those fields.
  • The output buffer is allocated with the size from the decompressed_size field. When the copy actually happens, that size is not what bounds it! The copy lengths come from inside the compressed data instead, so the decompressor writes as many bytes as the attacker's stream tells it to, into a buffer the attacker also sized. This creates a fairly standard heap buffer overflow.
  • As a proof of concept, they set the decompressed size to 1 and sent a payload much bigger than that. Some care goes into making the size fields inside the data line up properly, but the post does not explain it. Eventually this segfaults with control over an indirect call (a function pointer). Sick! The same bug exists in a similar location that the post does not cover.
  • During decompression, a 16-bit user-supplied offset is read from the compressed_data field and subtracted from the current output pointer. There is NO validation that the offset is smaller than the number of bytes already written, so the resulting pointer can land before the start of the buffer. The copy that follows is then an out-of-bounds read. A similar variant of this bug moves the pointer forward instead of backward.
  • I assume that the offset specified above is for pagination or something similar. Additionally, they found a divide-by-zero bug that simply crashes the application.
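To make the three decompression bugs in the notes above concrete, here is an added example of the checks a decoder needs at each point where it trusts a client-supplied length. It is my own code, not ClickHouse's source and not from the JFrog post: the header layout (one method byte, a 32-bit compressed size counting the header, a 32-bit decompressed size, no checksum), the METHOD_LZ4 value, the MAX_DECOMP cap and the sample payloads are all assumptions made for this example. The payload format is the standard LZ4 block format (token, literals, 16-bit offset, match), which is where the literal lengths, match lengths and backward offsets that the notes describe come from.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ClickHouse's code: a model of the block the notes above
 * describe (method byte, compressed_size, decompressed_size, LZ4 data; the
 * 16-byte checksum is left out) in which every client-supplied length is
 * checked against the buffer it indexes before it is used. */
#define HDR_LEN    9
#define METHOD_LZ4 0x82          /* method byte this model uses for LZ4 (assumed) */
#define MAX_DECOMP (1u << 20)    /* cap on what a single block may allocate      */

enum lz4_status {
    LZ4_OK = 0,
    LZ4_BAD_HEADER,        /* header sizes disagree with the bytes received   */
    LZ4_TRUNCATED_INPUT,   /* a length field reaches past the compressed data */
    LZ4_OUTPUT_OVERFLOW,   /* a copy would write past decompressed_size       */
    LZ4_BAD_OFFSET,        /* match offset is 0 or points before out[0]       */
    LZ4_SIZE_MISMATCH      /* stream ended without filling the buffer         */
};

static uint32_t rd32le(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* LZ4 extended length: keep adding bytes until one is below 255; 0 on truncation. */
static int read_len(const uint8_t **ip, const uint8_t *iend, size_t *len) {
    uint8_t b;
    do { if (*ip >= iend) return 0; b = *(*ip)++; *len += b; } while (b == 255);
    return 1;
}

/* Decode one LZ4 block into out[0..out_cap). The vulnerable decoder trusted the
 * literal lengths, match lengths and offsets embedded in the stream; here each
 * one is checked before any copy is made. */
enum lz4_status lz4_decode_block(const uint8_t *in, size_t in_len,
                                 uint8_t *out, size_t out_cap, size_t *produced)
{
    const uint8_t *ip = in, *iend = in + in_len;
    size_t op = 0;
    while (ip < iend) {
        uint8_t token = *ip++;
        size_t lit = token >> 4, mlen = (size_t)(token & 0x0F) + 4;
        if (lit == 15 && !read_len(&ip, iend, &lit)) return LZ4_TRUNCATED_INPUT;
        if (lit > (size_t)(iend - ip)) return LZ4_TRUNCATED_INPUT;   /* forward OOB read */
        if (lit > out_cap - op)        return LZ4_OUTPUT_OVERFLOW;   /* heap overflow    */
        memcpy(out + op, ip, lit);
        ip += lit; op += lit;
        if (ip == iend) break;                   /* final sequence carries literals only */
        if (iend - ip < 2) return LZ4_TRUNCATED_INPUT;
        size_t offset = (size_t)ip[0] | (size_t)ip[1] << 8;      /* the 16-bit offset */
        ip += 2;
        if (mlen == 19 && !read_len(&ip, iend, &mlen)) return LZ4_TRUNCATED_INPUT;
        if (offset == 0 || offset > op) return LZ4_BAD_OFFSET;       /* backward OOB read */
        if (mlen > out_cap - op)        return LZ4_OUTPUT_OVERFLOW;
        for (size_t i = 0; i < mlen; i++)        /* byte-wise: a match may overlap its output */
            out[op + i] = out[op - offset + i];
        op += mlen;
    }
    *produced = op;
    return LZ4_OK;
}

/* Parse the header, allocate decompressed_size bytes, decode, and reject the
 * block unless the stream produced exactly what the header promised. */
enum lz4_status decompress_block(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len)
{
    if (len < HDR_LEN || buf[0] != METHOD_LZ4) return LZ4_BAD_HEADER;
    uint32_t comp = rd32le(buf + 1), decomp = rd32le(buf + 5);
    if (comp != len || decomp > MAX_DECOMP) return LZ4_BAD_HEADER;  /* the client chose both */
    uint8_t *o = malloc(decomp ? decomp : 1);
    if (!o) return LZ4_BAD_HEADER;
    size_t n = 0;
    enum lz4_status st = lz4_decode_block(buf + HDR_LEN, len - HDR_LEN, o, decomp, &n);
    if (st == LZ4_OK && n != decomp) st = LZ4_SIZE_MISMATCH;
    if (st != LZ4_OK) { free(o); return st; }
    *out = o; *out_len = n;
    return LZ4_OK;
}

/* Constructed LZ4 payloads for this example (not captured ClickHouse traffic). */
const uint8_t SAMPLE_OK[]     = {0x32, 'a','b','c', 0x03,0x00};  /* "abc", then match off 3 len 6 -> "abcabcabc" */
const uint8_t SAMPLE_POC[]    = {0xF0, 0x01, 'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'}; /* 16 literals */
const uint8_t SAMPLE_BADOFF[] = {0x32, 'a','b','c', 0x10,0x00};  /* offset 16 with only 3 bytes produced */
const uint8_t SAMPLE_TRUNC[]  = {0x50, 'a','b'};                 /* token promises 5 literals, 2 present */

/* Wrap a payload in a header whose compressed_size is comp (a client may lie)
 * and decode it; on success the text is copied into text[64] when given. */
enum lz4_status try_payload(uint32_t comp, uint32_t decomp, const uint8_t *payload, size_t plen, char *text)
{
    uint8_t buf[HDR_LEN + 64] = {METHOD_LZ4};
    if (plen > 64) return LZ4_BAD_HEADER;
    for (int i = 0; i < 4; i++) { buf[1 + i] = (uint8_t)(comp >> 8 * i); buf[5 + i] = (uint8_t)(decomp >> 8 * i); }
    memcpy(buf + HDR_LEN, payload, plen);
    uint8_t *out = NULL; size_t n = 0;
    enum lz4_status st = decompress_block(buf, HDR_LEN + plen, &out, &n);
    if (st != LZ4_OK) return st;
    if (text) { size_t k = n < 63 ? n : 63; memcpy(text, out, k); text[k] = 0; }
    free(out);
    return LZ4_OK;
}

/* True when a well-formed block with the given decompressed_size decodes to expected. */
int decodes_to(uint32_t decomp, const uint8_t *payload, size_t plen, const char *expected) {
    char text[64];
    return try_payload(HDR_LEN + (uint32_t)plen, decomp, payload, plen, text) == LZ4_OK && strcmp(text, expected) == 0;
}
```

SAMPLE_POC mirrors the proof of concept in the notes: decompressed_size says 1 byte, the stream carries 16 literals, and the unchecked decoder would write all 16 into a 1-byte allocation. SAMPLE_BADOFF is the backward out-of-bounds read: the offset is larger than the number of bytes written so far, so the source pointer would land before the buffer. SAMPLE_TRUNC is the forward variant, a literal run that reaches past the end of the received data. The decompressed_size cap is the practical extra a server needs, since a client that controls that field can otherwise make the server allocate as much memory as it likes.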