Memcached-инъекции: они существуют и работаютИван Новиков (ONsec)

Memcached BIO• Key-value in-memory database

• Very popular for session storagea and caching data/objects

• Supports by all popular platforms and frameworks

Shodan stats

Commands types

How applications uses memcachedWhat data stored?

• Session storage: serialized data

• Caching data: strings, serialized data

• Commonly to store code (templates, others)

How applications uses memcachedHow data stored?

• Keys typically contains prefixes (namespaces) “Object\Cache\Templates\”

• Key after prefix commonly depends on user’s data “…\login”

• Arbitrary key writing gain auth bypass by design

Memcached wrappers

• Format protocol packet (input validation, length calculation, etc)

• Send/retrieve results (socket operations)

• Process data (cast to type, unserialize and others)

Scope of research

Injection types

Memcached wrappers

• Missed validation of commands delimiters (0x0a, 0x0d) at keys

• Inject your command after application’s command

• No other restrictions (no role model on commands)

Memcached wrappers

?key=1%0d%0a1%0d%0aset+injected+0+3600+10%0d%0a1234567890%0d%0a

#1 Command injection

#1 Who is vulnerable

#2 State breaking

• Missed validation of command format (key name, attributes count)

• Send whole packet, doesn’t read first response to first line

• Data will be interpreted as new command

#2 State breaking

?k=aaa…{251}&v=set+injected+0+3600+10%0a%0d1234567890

#2 State breaking

#2 State breaking

• Ruby example

• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)

• This wrapper filtered 0x0a, 0x20, but not 0x00 and 0x0d

#2 State breaking

• Ruby example

• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)

#2 State breaking

#2 Who is vulnerable

#3 Argument injection

• Missed validation of argument delimiters (only 0x20)

• Inject your argument to break length (argument shifting)

• Part of value field will be interpreted as new command

#3 Argument injection

?k=1 0&v=1…{30}%0d%0aset+injected+0+3600+3%0a%0dINJ

#3 Argument injection

#3 Who is vulnerable

Post exploitation

Right, we can execute arbitrary memcached commands!

For what?

• Write/rewrite/delete arbitrary keys

• Send retrieve commands, but it never been reader by driver

Application level

Right, we can execute arbitrary memcached commands!

• To read data you need application-level driver

• Values deserialize + injection = CWE-502 (http://cwe.mitre.org/data/definitions/502.html)

Deserialization

Stats

StatsI’m a champion!

Thx!

@d0znpp

http://wallarm.com