Your SlideShare is downloading. ×
0
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Cache on Delivery
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Cache on Delivery

53,163

Published on

Presentation by Marco Slaviero at BlackHat USA in 2010. …

Presentation by Marco Slaviero at BlackHat USA in 2010.

This presentation is about mining information from memchached. The presentation begins with a brief introduction to memcached. go-derper.rb, a tool developed by the presenter for hacking memchaced servers is introduced and a few memchached mining examples are given. The presentation ends with a brief discussion on serialized objects exposed in the chache.

Published in: Technology
3 Comments
52 Likes
Statistics
Notes
  • hi
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Congratulations !!! This is an excellent work.Thank you for sharing. We have selected your presentation for the reference in our group Slideshare 'BANK OF KNOWLEDGE'. We would be honored by your support through your membership. You are invited to join us ! I wish you a nice day. Greetings from France. Good weekend. Lauren

    http://www.slideshare.net/group/bank-of-knowledge
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Our blog entry about the talk is available at http://www.sensepost.com/blog/4873.html

    Note: Gowalla and Bit.Ly were contacted before the presentation and fixed their stuff.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
53,163
On Slideshare
0
From Embeds
0
Number of Embeds
19
Actions
Shares
0
Downloads
467
Comments
3
Likes
52
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Cache on delivery mining memcached marco@sensepost.com
  • 2. The need for caching • Large percentage of data remains relatively constant • Wikipedia page contents • Youtube video links • FB Profile data • Poorly designed solutions regenerate data on each request • Don’t regenerate, rather regurgitate
  • 3. The need for caching • Large percentage of data remains relatively constant • Wikipedia page contents • Youtube video links • FB Profile data • Poorly designed solutions regenerate data on each request • Don’t regenerate, rather regurgitate
  • 4. Memcached • memcached.org • Written for LJ (2003) by Brad Fitzpatrick • Non-persistent network-based KV store • Why do we care? Mom&pop don’t need the cache.
  • 5. Memcached • memcached.org • Written for LJ (2003) by Brad Fitzpatrick • Non-persistent network-based KV store • Why do we care? Mom&pop don’t need the cache.
  • 6. Basic KV • Slabs are fixed size • Users don’t care about slabs • Dstvalue size by slab determined • Miners care about slabs
  • 7. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  • 8. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  • 9. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  • 10. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  • 11. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  • 12. 1998 • Blank ‘sa’ • Anonymous ftp • system/manager
  • 13. Goals • Connect to memcached • Find all slabs • Retrieve keynames from each slab • Retrieve each key
  • 14. Lies, damn lies, and stats stats slabs STAT 1:chunk_size 80 • <...> stats cmd has subcmds STAT 2:chunk_size 104 <...> STAT 3:chunk_size 136 • items <...> STAT 4:chunk_size <...> 176 • slabs STAT 6:chunk_size <...> STAT 8:chunk_size 280 440 • <...> ... STAT 9:chunk_size 552 <...> STAT 9:cas_badval 0 STAT active_slabs 7 This gets us the slabs_ids
  • 15. Retrieving key names Rely on two {poorly|un} documented features
  • 16. Retrieving key names Feature #1: Remote enabling of debug mode
  • 17. Retrieving key names Feature #2: “stats cachedump”
  • 18. Retrieving key names Feature #2: “stats cachedump”
  • 19. Retrieving key names Feature #2: “stats cachedump” Slabs ID
  • 20. Retrieving key names Feature #2: “stats cachedump” Key limit
  • 21. Retrieving key names Feature #2: “stats cachedump” Key list
  • 22. Retrieving key names Feature #2: “stats cachedump” This gets us key names
  • 23. And this gets us? • No need for complex hacks. Memcached serves up all its data for us. • What to do in an exposed cache? • Mine • SQLi is too hard for me • Overwrite • Client-side • Server-side
  • 24. Mining the cache • go-derper.rb – memcached miner • Retrieves up to k keys from each slab and their contents, store on disk • Applies regexes and filters matches in a hits file • Supports easy overwriting of cache entries • [demo]
  • 25. Two issues
  • 26. Two issues • Finding caches • Again with the simple approach • Pick a cloud network, scan for memcacheds on port 11211 with a mod’ed .nse
  • 27. Two issues • Linking apps to caches • Who’s %$!#ing cache is this? • Cached high scores suck. Where’s the good stuff? • Is it live? http://www.rhythm.com/~keith/autoStereoGrams/vortexas.gif
  • 28. Results #1 IPs scanned 2^16 # of caches found 229 Retrieved Items 7.3GB Average uptime ~50days Total bandwidth used 9PB Total entry count 288 million Total Bytes stored 136TB Highest bandwidth 247TB Highest entry count 133 million Highest Bytes Stored 19.3GB
  • 29. Results #2 • HTML • Objects found • JavaScript • Serialized Java • Data • Pickled Python • Email • Ruby ActiveRecord • Passwords • .Net Object (clear-text, crypt’ed, MD5) • JSON
  • 30. Globworld
  • 31. Globworld
  • 32. Globworld
  • 33. Globworld
  • 34. Gowalla
  • 35. Gowalla
  • 36. Gowalla
  • 37. Gowalla
  • 38. Gowalla
  • 39. Gowalla
  • 40. Bit.ly Pro
  • 41. Bit.ly Pro
  • 42. Bit.ly Pro
  • 43. PBS
  • 44. PBS
  • 45. PBS
  • 46. PBS
  • 47. Sidebar: serialized objs • Python’s pickle intentionally insecure • But they’re exposed! • Pickle shellcode cos system (S'echo hostname' tR. • [demo]
  • 48. Sidebar: serialized objs • Python’s pickle intentionally insecure • But they’re exposed! • Pickle shellcode cos system (S'echo hostname' tR. • [demo]
  • 49. Fixes? • FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. (VPC) • Hack code to disable stats facility (but doesn’t prevent key brute-force) • Hack code to disable remote enabling of debug features • Switch to SASL • Requires binary protocol • Not supported by a number of memcached libs • Salt your passwords with a proper scheme (PHK’s MD5 or Bcrypt) • Also, FW.
  • 50. Random thoughts • This can’t be new • Inject tracker images / strings • Trace Refers / hit Google • Key guessing or prediction • Your data ends up in places you never expected.
  • 51. Places to keep looking • Improve data detection/sifting/filtering • Spread the search past a single provider • Caching providers (?!?!) • Other cache software • Other infrastructure software
  • 52. Questions? www.sensepost.com/labs/tools/poc/go-derper

×