Presentation by Marco Slaviero at BlackHat USA in 2010.
...
Presentation by Marco Slaviero at BlackHat USA in 2010.
This presentation is about mining information from memchached. The presentation begins with a brief introduction to memcached. go-derper.rb, a tool developed by the presenter for hacking memchaced servers is introduced and a few memchached mining examples are given. The presentation ends with a brief discussion on serialized objects exposed in the chache.
Lauren ETNAS, Digital Project Manager in Paris at Digital Project SA, Paris (Europe)Congratulations !!! This is an excellent work.Thank you for sharing. We have selected your presentation for the reference in our group Slideshare 'BANK OF KNOWLEDGE'. We would be honored by your support through your membership. You are invited to join us ! I wish you a nice day. Greetings from France. Good weekend. Lauren
http://www.slideshare.net/group/bank-of-knowledge2 years ago
Are you sure you want to
SensePost at SensePostOur blog entry about the talk is available at http://www.sensepost.com/blog/4873.html
Note: Gowalla and Bit.Ly were contacted before the presentation and fixed their stuff.2 years ago
Cache on delivery
mining memcached
marco@sensepost.com
The need for caching
• Large percentage of data remains relatively
constant
• Wikipedia page contents
• Youtube video links
• FB Profile data
• Poorly designed solutions regenerate data
on each request
• Don’t regenerate, rather regurgitate
The need for caching
• Large percentage of data remains relatively
constant
• Wikipedia page contents
• Youtube video links
• FB Profile data
• Poorly designed solutions regenerate data
on each request
• Don’t regenerate, rather regurgitate
Memcached
• memcached.org
• Written for LJ (2003) by Brad
Fitzpatrick
• Non-persistent network-based KV
store
• Why do we care? Mom&pop don’t
need the cache.
Memcached
• memcached.org
• Written for LJ (2003) by Brad
Fitzpatrick
• Non-persistent network-based KV
store
• Why do we care? Mom&pop don’t
need the cache.
Basic KV
• Slabs are fixed size • Users don’t care about slabs
• Dstvalue size
by
slab determined • Miners care about slabs
Trivial protocol
• ASCII-based
• Long-lived
• Tiny command set
• set
• get
• stats
• ...
• ????
Binary and UDP protocols also
exist, these were not touched.
Trivial protocol
• ASCII-based
• Long-lived
• Tiny command set
• set
• get
• stats
• ...
• ????
Binary and UDP protocols also
exist, these were not touched.
Trivial protocol
• ASCII-based
• Long-lived
• Tiny command set
• set
• get
• stats
• ...
• ????
Binary and UDP protocols also
exist, these were not touched.
Trivial protocol
• ASCII-based
• Long-lived
• Tiny command set
• set
• get
• stats
• ...
• ????
Binary and UDP protocols also
exist, these were not touched.
Trivial protocol
• ASCII-based
• Long-lived
• Tiny command set
• set
• get
• stats
• ...
• ????
Binary and UDP protocols also
exist, these were not touched.
Goals
• Connect to memcached
• Find all slabs
• Retrieve keynames from each slab
• Retrieve each key
Lies, damn lies, and
stats
stats slabs
STAT 1:chunk_size 80
•
<...>
stats cmd has subcmds STAT 2:chunk_size 104
<...>
STAT 3:chunk_size 136
• items <...>
STAT 4:chunk_size
<...>
176
• slabs
STAT 6:chunk_size
<...>
STAT 8:chunk_size
280
440
•
<...>
... STAT 9:chunk_size 552
<...>
STAT 9:cas_badval 0
STAT active_slabs 7
This gets us the slabs_ids
Retrieving key names
Rely on two
{poorly|un}
documented
features
Retrieving key names
Feature #1:
Remote enabling of
debug mode
Retrieving key names
Feature #2:
“stats cachedump”
Key list
Retrieving key names
Feature #2:
“stats cachedump”
This gets us key names
And this gets us?
• No need for complex hacks. Memcached serves up
all its data for us.
• What to do in an exposed cache?
• Mine
• SQLi is too hard for me
• Overwrite
• Client-side
• Server-side
Mining the cache
• go-derper.rb – memcached miner
• Retrieves up to k keys from each slab and
their contents, store on disk
• Applies regexes and filters matches in a
hits file
• Supports easy overwriting of cache
entries
• [demo]
Two issues
Two issues
• Finding caches
• Again with the
simple approach
• Pick a cloud
network, scan for
memcacheds on
port 11211 with
a mod’ed .nse
Two issues
• Linking apps to
caches
• Who’s %$!#ing
cache is this?
• Cached high scores
suck. Where’s the
good stuff?
• Is it live?
http://www.rhythm.com/~keith/autoStereoGrams/vortexas.gif
Results #1
IPs scanned 2^16
# of caches found 229
Retrieved Items 7.3GB
Average uptime ~50days
Total bandwidth used 9PB
Total entry count 288 million
Total Bytes stored 136TB
Highest bandwidth 247TB
Highest entry count 133 million
Highest Bytes Stored 19.3GB
Sidebar: serialized objs
• Python’s pickle intentionally insecure
• But they’re exposed!
• Pickle shellcode
cos
system
(S'echo hostname'
tR.
• [demo]
Sidebar: serialized objs
• Python’s pickle intentionally insecure
• But they’re exposed!
• Pickle shellcode
cos
system
(S'echo hostname'
tR.
• [demo]
Fixes?
• FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW.
FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW.
FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW.
(VPC)
• Hack code to disable stats facility (but doesn’t prevent
key brute-force)
• Hack code to disable remote enabling of debug features
• Switch to SASL
• Requires binary protocol
• Not supported by a number of memcached libs
• Salt your passwords with a proper scheme (PHK’s MD5
or Bcrypt)
• Also, FW.
Random thoughts
• This can’t be new
• Inject tracker images / strings
• Trace Refers / hit Google
• Key guessing or prediction
• Your data ends up in places you never
expected.
Places to keep looking
• Improve data detection/sifting/filtering
• Spread the search past a single provider
• Caching providers (?!?!)
• Other cache software
• Other infrastructure software
Nastia Shaternik
http://www.slideshare.net/group/bank-of-knowledge 2 years ago
Note: Gowalla and Bit.Ly were contacted before the presentation and fixed their stuff. 2 years ago