Unauthorized Access via Redis Memory Space

Nairuz Abulhul
Published in R3d Buck3T
5 min read · Aug 12, 2021

Gain a foothold to unprotected Redis instances

Redis is an in-memory database. Like other NoSQL stores it is organized as key-value pairs, and the values are often JSON objects.

It is generally used to cache data that is accessed frequently or is expensive to compute.

📄$_Key_Contents:

  • Redis Overview
  • Highlighting the Security Issues
  • Demonstration Steps
  • Resources

By default, Redis does not require any authentication: according to the Redis documentation, it was designed to run inside trusted environments and not to be exposed to the internet.

A user can access the instance anonymously and execute commands unless protected mode is on, in which case Redis only replies to queries from the loopback interface and other, untrusted clients receive errors. This feature was introduced in Redis 3.2.0 and above to reduce the security issues caused by unprotected instances.

However, if protected mode is disabled, an attacker can use CONFIG SET to write arbitrary files on the server and compromise it.

In this post, we will learn how to exploit an external Redis service that does not have protected mode enabled and gain a foothold on the server by planting an SSH public key.

The steps are demonstrated on the Postman machine from Hack The Box.

$_Demonstration_Steps

The first thing to check when you see an exposed Redis service is whether it allows anonymous access and, if so, what permissions the guest user has.

On this machine, Redis runs on port 6379. We connect to the service with the redis-cli tool, which sends commands to Redis and reads the server's replies directly from the terminal.

As we can see below, we have access to Redis without authentication.

redis-cli tool

Next, we use a few Redis commands to enumerate the instance, starting with “config get *”, which lists all supported configuration parameters.

In this step, we are looking for the Redis user's home directory path, which we will need later when writing the authorized_keys file for SSH authentication.

📌 The Redis user's home directory, and with it the .ssh directory, is usually found at one of the paths below:

/var/lib/redis
/home/redis/.ssh

Then, we test write permissions in the selected user directory, /var/lib/redis, with the config set dbfilename command to see whether we can create files.

config set dbfilename fileName

As the screenshot below shows, we get an OK reply, which means we have the write permission needed to create new files.

Now that we have verified that we can write files into the redis/.ssh directory, it is time to add our public key.

Adding SSH Public Keys to Redis

Let’s start by generating an SSH public/private key pair on our attacking machine.

Write the public key to a file; we will name it postman.

📌 You will need to pad the key value with new lines to help ensure that the public key is on its own line in the file when it gets read by the sshd process. — 0xdf.gitlab.io

Then, read the content of the postman file and place it in the server’s memory using the “-x set” option of redis-cli together with the key name.

We will name the key postman-ssh.

Connect to the Redis server and verify that the key was set correctly.

Next, we dump the memory content we just added into the Redis .ssh directory, setting the database dump file name to authorized_keys.

To do that, we use config set to switch the working directory to /var/lib/redis/.ssh

config set dir /var/lib/redis/.ssh

and then config set dbfilename to set the dump file name to authorized_keys.

config set dbfilename "authorized_keys"

Naming the dump file authorized_keys instead of the default dump.rdb makes the SSH daemon (sshd) pick it up from the .ssh directory and use it for authentication.

The next time a new SSH connection arrives, sshd reads the authorized_keys file, looks for a public key matching the private key presented by the client, and allows or denies access accordingly.

Lastly, write the dump to disk with the “save” command and test the connection.

Awesome, as we can see, we are able to connect to the server with our SSH private key as the user redis 😈

$_Mitigation

  • Restrict access from outside with firewall rules
  • Allow only trusted local clients to connect to the Redis instance
  • Bind Redis to a single interface:
bind 127.0.0.1
  • Require authentication for all clients connecting to Redis instances
  • Enable protected mode
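As an added example (my own code, not from the post or from the Redis project) that checks for the conditions above: a small Python audit that speaks the RESP framing redis-cli uses, asks an instance for its CONFIG GET output without authenticating, and flags a missing requirepass, protected mode off, a wildcard bind, and the trace this technique leaves behind (dir or dbfilename pointing into .ssh or away from dump.rdb). The function and constant names are my own, and SAMPLE_REPLY is a constructed reply, not captured from any real host.

```python
import io, socket

# Constructed sample of what CONFIG GET returns on a wide-open instance (not captured from a real host).
SAMPLE_REPLY = (b"*6\r\n$4\r\nbind\r\n$7\r\n0.0.0.0\r\n$14\r\nprotected-mode\r\n"
                b"$2\r\nno\r\n$11\r\nrequirepass\r\n$0\r\n\r\n")

def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array, the framing redis-cli puts on the wire."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def parse_reply(f):
    """Parse one RESP reply (status, error, bulk string or array) from bytes or a binary stream."""
    f = io.BytesIO(f) if isinstance(f, bytes) else f
    line = f.readline()
    kind, body = line[:1], line[1:].rstrip(b"\r\n")
    if kind in (b"+", b"-"):  # +OK or -DENIED ...: returned as plain text
        return body.decode()
    if kind == b"$":  # bulk string: length line, payload, trailing CRLF
        n = int(body)
        return None if n < 0 else f.read(n + 2)[:n].decode()
    if kind == b"*":
        return [parse_reply(f) for _ in range(int(body))]
    raise ValueError(f"unexpected RESP type {kind!r}")

def assess(config: dict) -> list:
    """Map CONFIG GET output to the weaknesses the post exploits and the trace the technique leaves."""
    findings = []
    if config.get("requirepass", "") == "":
        findings.append("requirepass unset: anonymous clients can run any command")
    if config.get("protected-mode", "no") != "yes":
        findings.append("protected-mode off: non-loopback clients are answered")
    binds = config.get("bind", "").split()
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "::", "*", "::*") for b in binds):
        findings.append("bind unset or wildcard: listening on every interface")
    if "/.ssh" in config.get("dir", "") or config.get("dbfilename", "dump.rdb") != "dump.rdb":
        findings.append("dir/dbfilename moved off defaults: review for CONFIG SET abuse")
    return findings

def audit(host: str, port: int = 6379, timeout: float = 3.0) -> list:
    """Fetch a live instance's config without authenticating and return findings."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("CONFIG", "GET", "*"))
        reply = parse_reply(sock.makefile("rb"))
    if not isinstance(reply, list):  # error reply: NOAUTH, or DENIED from protected mode
        return [f"server refused unauthenticated CONFIG GET: {reply}"]
    return assess(dict(zip(reply[::2], reply[1::2])))  # flat name,value,... array
```

Run `audit("127.0.0.1")` against your own instance; an empty list means none of the conditions above were found, and an error reply means the server already refuses unauthenticated clients.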

That’s all for today. Thanks for reading!!

🛎️ All used commands can be found at R3d-Buck3T — Notion (Scanning & Enumerating services — Redis)
