Memcached injections: they exist and work, Ivan...
Transcript of "Memcached injections: they exist and work", Ivan...
Memcached injections: they exist and work
Ivan Novikov (ONsec)
Memcached BIO
• Key-value in-memory database
• Very popular for session storage and for caching data/objects
• Supported by all popular platforms and frameworks
Shodan stats
Command types
How applications use memcached: what data is stored?
• Session storage: serialized data
• Caching data: strings, serialized data
• Commonly used to store code (templates, others)
How applications use memcached: how is data stored?
• Keys typically contain prefixes (namespaces), e.g. “Object\Cache\Templates\”
• The key after the prefix commonly depends on user data, e.g. “…\login”
• Writing arbitrary keys therefore yields an auth bypass by design
Memcached wrappers
• Format the protocol packet (input validation, length calculation, etc.)
• Send/retrieve results (socket operations)
• Process the data (cast to type, unserialize, and others)
Scope of research
Injection types
Memcached wrappers
• Missing validation of command delimiters (0x0a, 0x0d) in keys
• Inject your command after the application’s command
• No other restrictions (no role model for commands)
Memcached wrappers
?key=1%0d%0a1%0d%0aset+injected+0+3600+10%0d%0a1234567890%0d%0a
#1 Command injection
#1 Who is vulnerable
#2 State breaking
• Missing validation of the command format (key name, attribute count)
• The wrapper sends the whole packet and doesn’t read the first response to the first line
• The data will be interpreted as a new command
#2 State breaking
?k=aaa…{251}&v=set+injected+0+3600+10%0a%0d1234567890
#2 State breaking
• Ruby example
• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)
• This wrapper filtered 0x0a and 0x20, but not 0x00 or 0x0d
#2 State breaking
• Ruby example
• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)
#2 State breaking
#2 Who is vulnerable
#3 Argument injection
• Missing validation of argument delimiters (only 0x20)
• Inject your argument to break the length field (argument shifting)
• Part of the value field will be interpreted as a new command
#3 Argument injection
?k=1 0&v=1…{30}%0d%0aset+injected+0+3600+3%0a%0dINJ
#3 Argument injection
#3 Who is vulnerable
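The three wrapper defects above (#1 delimiter bytes in keys, #2 over-long keys, #3 a space in the key shifting the length argument) share one fix: validate the key against the memcached text-protocol rules and compute the byte count from the value actually sent. The following is an added example, not code from the talk or from any memcached gem; the helper names and the sample payloads (reconstructed from the slides) are my own.

```ruby
require 'uri'

# Memcached text protocol limits: a key is at most 250 bytes and may not
# contain control characters (0x00-0x1f, 0x7f) or whitespace (0x20).
MAX_KEY_BYTES = 250
KEY_FORBIDDEN = /[\x00-\x20\x7f]/n

def valid_memcached_key?(key)
  return false unless key.is_a?(String)
  bytes = key.b
  !bytes.empty? && bytes.bytesize <= MAX_KEY_BYTES && !bytes.match?(KEY_FORBIDDEN)
end

# Build one "set" packet. The length field is taken from the value itself, so a
# CRLF inside the value cannot start a new command (#3), and the key is rejected
# before any delimiter or excess length can end the command early (#1, #2).
def build_set_packet(key, value, flags: 0, exptime: 0)
  raise ArgumentError, 'invalid memcached key' unless valid_memcached_key?(key)
  flags = Integer(flags)      # raises on "0 3600"-style argument injection
  exptime = Integer(exptime)
  raise ArgumentError, 'negative flags/exptime' if flags < 0 || exptime < 0
  data = value.to_s.b
  "set #{key.b} #{flags} #{exptime} #{data.bytesize}\r\n#{data}\r\n"
end

# Constructed samples: the key shapes from slides #1, #2 and #3, URL-decoded the
# way a web application receives them from a query string.
PAYLOAD_KEYS = {
  cmd_injection:  URI.decode_www_form_component('1%0d%0a1%0d%0aset+injected+0+3600+10%0d%0a1234567890%0d%0a'),
  state_breaking: 'a' * 251,
  arg_injection:  URI.decode_www_form_component('1+0'), # decodes to "1 0"
}.freeze

# Names of the sample keys the validator refuses (all three, if it works).
def rejected_payloads
  PAYLOAD_KEYS.reject { |_, k| valid_memcached_key?(k) }.keys.sort
end
```

A value containing "\r\n" is still stored intact, because the server reads exactly the announced number of bytes; only the key and the numeric arguments are constrained.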
Post exploitation
Right, we can execute arbitrary memcached commands!
For what?
• Write/rewrite/delete arbitrary keys
• Send retrieve commands, but their output is never read by the driver
Application level
Right, we can execute arbitrary memcached commands!
• To read the data you need an application-level driver
• Value deserialization + injection = CWE-502 (http://cwe.mitre.org/data/definitions/502.html)
Deserialization
Stats
Stats
I’m a champion!
Thx!
@d0znpp
http://wallarm.com