id: clickhouse-unauth

info:
  name: ClickHouse - Unauthorized Access
  author: lu4nx
  severity: high
  description: ClickHouse was able to be accessed with no required authentication in place.
  tags: network,clickhouse,unauth
  metadata:
    max-request: 2

tcp:
  - inputs:
      # 0011436c69636b486f75736520636c69656e741508b1a9030007 is header
      # 64656661756c74 = default
      - data: 0011436c69636b486f75736520636c69656e741508b1a903000764656661756c7400
        type: hex

    host:
      - "{{Hostname}}"
      - "{{Host}}:9000"

    read-size: 100
    matchers:
      - type: word
        words:
          - "ClickHouse"
          - "UTC"
        condition: and

# Enhanced by mp on 2022/07/20