Redis service unauthenticated write access to OS file system

Redis is an in-memory key-value database. Given its design, typical use cases include session caching, full-page caching, message queues, leaderboards and counters, among others.

By default, the service runs on port 6379. In my case, redis was running on a range of ports, 7081-7090, so an nmap scan with -p- (or -p1-65535) and -sV should identify the redis service.

In my example, 172.17.0.2 is a server running the redis service on port 6379.

The nmap scan result looks like this:

Nmap scan report for 172.17.0.2
Host is up (0.000045s latency).
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store

Redis is sometimes configured without authentication and listening on all interfaces, so the redis service is reachable over the network by anyone who can connect to the port.

You can run the redis-info NSE script from nmap to verify whether redis is running without authentication. The script runs the 'info' command after connecting to the redis server.
https://nmap.org/nsedoc/scripts/redis-info.html
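The same exposure check can be done without nmap. The script below is an added example written for this page; it is not the post's redis.py and not part of the Redis project. It speaks the RESP wire protocol directly, sends INFO server, and classifies the reply as unauthenticated (a bulk reply came back), auth-required (-NOAUTH, so requirepass is set) or protected-mode (-DENIED). The sample replies are constructed here, and the host and port are whatever the caller passes in.

```python
import socket
import sys

# Added example (not the post's redis.py): a minimal RESP client that checks
# whether a Redis instance answers INFO without authentication, which is the
# same read-only check nmap's redis-info script performs.


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else arg
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def make_bulk(payload):
    """Build a RESP bulk-string reply; used here to construct sample replies."""
    return b"$%d\r\n%s\r\n" % (len(payload), payload)


def read_reply(sock):
    """Read one RESP reply: a single line for errors, or a full bulk string."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    if not buf.startswith(b"$"):
        return buf.split(b"\r\n", 1)[0] + b"\r\n"
    header, _, rest = buf.partition(b"\r\n")
    need = int(header[1:]) + 2          # payload plus trailing CRLF
    while len(rest) < need:
        chunk = sock.recv(4096)
        if not chunk:
            break
        rest += chunk
    return header + b"\r\n" + rest[:need]


def classify_reply(raw):
    """Map the first bytes of a reply to an exposure status."""
    if raw.startswith(b"-NOAUTH"):
        return "auth-required"       # requirepass is set
    if raw.startswith(b"-DENIED"):
        return "protected-mode"      # reachable, but protected mode refused us
    if raw.startswith(b"$"):
        return "unauthenticated"     # INFO answered: anyone can issue commands
    return "unknown"


def parse_info(raw):
    """Turn a bulk INFO reply into a dict of field -> value."""
    header, _, body = raw.partition(b"\r\n")
    length = int(header[1:])
    text = body[:length].decode(errors="replace")
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key] = value
    return fields


def summarize(raw):
    """Produce the audit record for one reply."""
    status = classify_reply(raw)
    report = {"status": status}
    if status == "unauthenticated":
        info = parse_info(raw)
        report["redis_version"] = info.get("redis_version", "?")
        report["config_file"] = info.get("config_file", "")
        report["os"] = info.get("os", "")
    return report


def audit_host(host, port, timeout=3.0):
    """Connect, send INFO server and summarize; host/port are caller-supplied."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("INFO", "server"))
        return summarize(read_reply(sock))


# Constructed sample replies, shaped like real server responses.
SAMPLE_OPEN_REPLY = make_bulk(
    b"# Server\r\nredis_version:5.0.7\r\nos:Linux 5.4.0 x86_64\r\n"
    b"config_file:/etc/redis/redis.conf\r\n"
)
SAMPLE_NOAUTH_REPLY = b"-NOAUTH Authentication required.\r\n"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    print(audit_host(host, port))
```

Run it as `python audit.py 172.17.0.2 6379` against an instance you own. A status of unauthenticated means the file-write exposure described in this post applies; the fix is to set requirepass, bind the listener to a loopback or internal address, keep protected-mode yes (that is what produces the -DENIED reply) and disable the CONFIG command for network clients with rename-command.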

Redis also allows writing to any file on the target server that the account running the redis service has permission to write.

I’ve written a script that automates the task of exploiting unauthenticated write access to the OS file system.

Usage:

1) Write to any path on the file system

python redis.py <RHOST> <PORT> -write <path>

for e.g.: python redis.py 172.17.0.2 6379 -write /tmp/GIStest.txt

2) Generate an ssh key pair, write the public key to the user's authorized_keys file and get ssh access to the server.

python redis.py <RHOST> <PORT> -ssh <user>

for e.g.: python redis.py 172.17.0.2 6379 -ssh root

The script can be found at the following link:
https://github.com/buffered4ever/Exploits/tree/master/redis
