代理错误：/var/run/rpc/xmlrpc.sock（localhost）失败

Question

我发现安全扫描程序（我发现的 Zanshin.TenchiSecurity.com 扫描程序）可能会触发此错误，该扫描程序可能正在测试 CVE-2021-40438，并且实际上也会由此引发问题。我发现 zanshin 测试了类似“POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://EQKk/wsrpc HTTP/1.1”的请求。从跟踪日志中，您可以看到这样的请求会导致代理工作程序重写以使用 unix 域套接字：

[Tue Apr 09 10:05:45.818935 2024] [proxy:trace2] [pid 13231] proxy_util.c(2098): [client 127.0.0.1:44300] *: rewrite of url due to UDS(/var/run/rpc/xmlrpc.sock): http://EQKk/wsrpc (proxy:http://EQKk/wsrpc)
[Tue Apr 09 10:05:45.818937 2024] [proxy:debug] [pid 13231] mod_proxy.c(1264): [client 127.0.0.1:44300] AH01143: Running scheme http handler (attempt 0)
[Tue Apr 09 10:05:45.818941 2024] [proxy_fcgi:debug] [pid 13231] mod_proxy_fcgi.c(1021): [client 127.0.0.1:44300] AH01076: url: http://EQKk/wsrpc proxyname: (null) proxyport: 0
[Tue Apr 09 10:05:45.818944 2024] [proxy_fcgi:debug] [pid 13231] mod_proxy_fcgi.c(1024): [client 127.0.0.1:44300] AH01077: declining URL http://EQKk/wsrpc
[Tue Apr 09 10:05:45.818947 2024] [proxy_wstunnel:debug] [pid 13231] mod_proxy_wstunnel.c(322): [client 127.0.0.1:44300] AH02450: declining URL http://EQKk/wsrpc
[Tue Apr 09 10:05:45.818952 2024] [proxy_http:trace1] [pid 13231] mod_proxy_http.c(1971): [client 127.0.0.1:44300] HTTP: serving URL http://EQKk/wsrpc
[Tue Apr 09 10:05:45.818963 2024] [proxy:debug] [pid 13231] proxy_util.c(2313): AH00942: HTTP: has acquired connection for (127.0.0.1)
[Tue Apr 09 10:05:45.818968 2024] [proxy:debug] [pid 13231] proxy_util.c(2366): [client 127.0.0.1:44300] AH00944: connecting http://EQKk/wsrpc to EQKk:80
[Tue Apr 09 10:05:45.818973 2024] [proxy:debug] [pid 13231] proxy_util.c(2403): [client 127.0.0.1:44300] AH02545: http: has determined UDS as /var/run/rpc/xmlrpc.sock
[Tue Apr 09 10:05:45.819029 2024] [proxy:debug] [pid 13231] proxy_util.c(2575): [client 127.0.0.1:44300] AH00947: connected /wsrpc to httpd-UDS:0
[Tue Apr 09 10:05:45.819088 2024] [proxy:error] [pid 13231] (2)No such file or directory: AH02454: HTTP: attempt to connect to Unix domain socket /var/run/rpc/xmlrpc.sock (127.0.0.1) failed

此子进程上的代理工作程序处于问题状态，因此使用此子进程的其他请求将无法继续尝试该 unix 域套接字：

[Tue Apr 09 10:07:22.634729 2024] [proxy_wstunnel:debug] [pid 13231] mod_proxy_wstunnel.c(322): [client 127.0.0.1:50022] AH02450: declining URL http://127.0.0.1:8080/favicon.ico, referer: http://localhost/test/
[Tue Apr 09 10:07:22.634733 2024] [proxy_http:trace1] [pid 13231] mod_proxy_http.c(1971): [client 127.0.0.1:50022] HTTP: serving URL http://127.0.0.1:8080/favicon.ico, referer: http://localhost/test/
[Tue Apr 09 10:07:22.634736 2024] [proxy:debug] [pid 13231] proxy_util.c(2313): AH00942: HTTP: has acquired connection for (127.0.0.1)
[Tue Apr 09 10:07:22.634740 2024] [proxy:debug] [pid 13231] proxy_util.c(2366): [client 127.0.0.1:50022] AH00944: connecting http://127.0.0.1:8080/favicon.ico to 127.0.0.1:8080, referer: http://localhost/test/
[Tue Apr 09 10:07:22.745178 2024] [proxy:error] [pid 13231] [client 127.0.0.1:50022] AH00898: DNS lookup failure for: httpd-UDS returned by /favicon.ico, referer: http://localhost/test/

因此，我推测您可能拥有一些较旧的 httpd 版本 2.4.48 及更早版本，其中的 mod_proxy 配置易受 CVE-2021-40438 攻击。更新 httpd 很重要，但在易受攻击的版本上，您可能会使用如下所示的重写规则来拒绝可能尝试通过其 uri 或查询字符串注入 unix 域套接字使用的请求：

RewriteEngine On
RewriteRule ^.*unix:.* - [F,L]
RewriteCond %{QUERY_STRING} ^.*unix:.*
RewriteRule .* - [F,L]

Answer 1

我发现安全扫描程序（我发现的 Zanshin.TenchiSecurity.com 扫描程序）可能会触发此错误，该扫描程序可能正在测试 CVE-2021-40438，并且实际上也会由此引发问题。我发现 zanshin 测试了类似“POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://EQKk/wsrpc HTTP/1.1”的请求。从跟踪日志中，您可以看到这样的请求会导致代理工作程序重写以使用 unix 域套接字：

[Tue Apr 09 10:05:45.818935 2024] [proxy:trace2] [pid 13231] proxy_util.c(2098): [client 127.0.0.1:44300] *: rewrite of url due to UDS(/var/run/rpc/xmlrpc.sock): http://EQKk/wsrpc (proxy:http://EQKk/wsrpc)
[Tue Apr 09 10:05:45.818937 2024] [proxy:debug] [pid 13231] mod_proxy.c(1264): [client 127.0.0.1:44300] AH01143: Running scheme http handler (attempt 0)
[Tue Apr 09 10:05:45.818941 2024] [proxy_fcgi:debug] [pid 13231] mod_proxy_fcgi.c(1021): [client 127.0.0.1:44300] AH01076: url: http://EQKk/wsrpc proxyname: (null) proxyport: 0
[Tue Apr 09 10:05:45.818944 2024] [proxy_fcgi:debug] [pid 13231] mod_proxy_fcgi.c(1024): [client 127.0.0.1:44300] AH01077: declining URL http://EQKk/wsrpc
[Tue Apr 09 10:05:45.818947 2024] [proxy_wstunnel:debug] [pid 13231] mod_proxy_wstunnel.c(322): [client 127.0.0.1:44300] AH02450: declining URL http://EQKk/wsrpc
[Tue Apr 09 10:05:45.818952 2024] [proxy_http:trace1] [pid 13231] mod_proxy_http.c(1971): [client 127.0.0.1:44300] HTTP: serving URL http://EQKk/wsrpc
[Tue Apr 09 10:05:45.818963 2024] [proxy:debug] [pid 13231] proxy_util.c(2313): AH00942: HTTP: has acquired connection for (127.0.0.1)
[Tue Apr 09 10:05:45.818968 2024] [proxy:debug] [pid 13231] proxy_util.c(2366): [client 127.0.0.1:44300] AH00944: connecting http://EQKk/wsrpc to EQKk:80
[Tue Apr 09 10:05:45.818973 2024] [proxy:debug] [pid 13231] proxy_util.c(2403): [client 127.0.0.1:44300] AH02545: http: has determined UDS as /var/run/rpc/xmlrpc.sock
[Tue Apr 09 10:05:45.819029 2024] [proxy:debug] [pid 13231] proxy_util.c(2575): [client 127.0.0.1:44300] AH00947: connected /wsrpc to httpd-UDS:0
[Tue Apr 09 10:05:45.819088 2024] [proxy:error] [pid 13231] (2)No such file or directory: AH02454: HTTP: attempt to connect to Unix domain socket /var/run/rpc/xmlrpc.sock (127.0.0.1) failed

此子进程上的代理工作程序处于问题状态，因此使用此子进程的其他请求将无法继续尝试该 unix 域套接字：

[Tue Apr 09 10:07:22.634729 2024] [proxy_wstunnel:debug] [pid 13231] mod_proxy_wstunnel.c(322): [client 127.0.0.1:50022] AH02450: declining URL http://127.0.0.1:8080/favicon.ico, referer: http://localhost/test/
[Tue Apr 09 10:07:22.634733 2024] [proxy_http:trace1] [pid 13231] mod_proxy_http.c(1971): [client 127.0.0.1:50022] HTTP: serving URL http://127.0.0.1:8080/favicon.ico, referer: http://localhost/test/
[Tue Apr 09 10:07:22.634736 2024] [proxy:debug] [pid 13231] proxy_util.c(2313): AH00942: HTTP: has acquired connection for (127.0.0.1)
[Tue Apr 09 10:07:22.634740 2024] [proxy:debug] [pid 13231] proxy_util.c(2366): [client 127.0.0.1:50022] AH00944: connecting http://127.0.0.1:8080/favicon.ico to 127.0.0.1:8080, referer: http://localhost/test/
[Tue Apr 09 10:07:22.745178 2024] [proxy:error] [pid 13231] [client 127.0.0.1:50022] AH00898: DNS lookup failure for: httpd-UDS returned by /favicon.ico, referer: http://localhost/test/

因此，我推测您可能拥有一些较旧的 httpd 版本 2.4.48 及更早版本，其中的 mod_proxy 配置易受 CVE-2021-40438 攻击。更新 httpd 很重要，但在易受攻击的版本上，您可能会使用如下所示的重写规则来拒绝可能尝试通过其 uri 或查询字符串注入 unix 域套接字使用的请求：

RewriteEngine On
RewriteRule ^.*unix:.* - [F,L]
RewriteCond %{QUERY_STRING} ^.*unix:.*
RewriteRule .* - [F,L]

代理错误：/var/run/rpc/xmlrpc.sock（localhost）失败

答案1

相关内容