Wednesday, January 18, 2017

DevOoops: In-Memory Databases (Redis) Part 2


Doing part 2 first as the altcoin mining stuff is interesting with the mongoDB/elasticsearch ransomware stuff currently going on.

A redis developer dropped an interesting piece of info here

http://antirez.com/news/96

Namely:
“However, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”

He goes on to show how someone could echo over SSH keys and use the config command to write them to the appropriate place if you have permissions.  He used a key name of "crackit" so I thought I'd see how prevalent it was....I checked a few and saw it a good chunk of them.

go go shodan




I did find something interesting while looking thru some open redis boxes.  I found:



A cron job? running a shell script. Can you do that from Redis???

What's in the shell script?!



alt coin mining! sweeeeeet.

I had no idea what an XMR is but I wanted to see how this person was doing with the money making. Thankfully you can just query the payouts for any XMR address. So I did:






They've made around $20,000 USD in BTC. I guess crime does pay :-)




To satisfy my curiosity started a miner up on a linode and was getting around 60 H/s. This person is cranking out 70 KH/s, so they have a few boxes working for them.


Extending the idea that a good hack yields plenty more I stumbled across this gem. https://phpinfo.me/2016/07/07/1275.html with several different ways to get code exec on redis.

I created some gists from the previous link in case the post disappears.



-CG-


CG

1 comment:

Anonymous said...

Important tip from the site also:

redis-cli set 1 'ringzero'

To avoid having to flushall, makes sure your data is always at the top...