• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Cache on Delivery
 

Cache on Delivery

on

  • 53,489 views

Presentation by Marco Slaviero at BlackHat USA in 2010. ...

Presentation by Marco Slaviero at BlackHat USA in 2010.

This presentation is about mining information from memchached. The presentation begins with a brief introduction to memcached. go-derper.rb, a tool developed by the presenter for hacking memchaced servers is introduced and a few memchached mining examples are given. The presentation ends with a brief discussion on serialized objects exposed in the chache.

Statistics

Views

Total Views
53,489
Views on SlideShare
46,706
Embed Views
6,783

Actions

Likes
51
Downloads
463
Comments
3

46 Embeds 6,783

http://www.sensepost.com 3868
http://www.lostinsecurity.com 2064
http://blog.nomadscafe.jp 381
http://axonflux.com 132
http://www.slideshare.net 67
http://research.sensepost.com 49
http://key0.cn 41
http://tedkulp.com 39
http://sensepost.com 31
http://www.lovemikeg.com 28
http://therichwebexperience.com 8
http://www.nosec.org 7
http://webcache.googleusercontent.com 7
http://www.hackrack.com 5
https://introonet.sensepost.com 5
http://translate.googleusercontent.com 4
https://www.sensepost.com 3
http://a0.twimg.com 3
http://paper.li 3
http://localhost:5000 3
https://twitter.com 3
http://www.sensepost.co.za 3
http://127.0.0.1 2
http://springone2gx.com 2
http://cncc.bingj.com 2
http://localhost 2
http://tedkulp.posterous.com 2
http://www.diffbot.com&_=1358287479205 HTTP 1
http://www.diffbot.com&_=1358287476999 HTTP 1
http://www.diffbot.com&_=1358334099108 HTTP 1
http://www.diffbot.com&_=1358334099637 HTTP 1
https://sensepost.com 1
http://test.tedkulp.com 1
http://www.tedkulp.com 1
https://twimg0-a.akamaihd.net 1
https://si0.twimg.com 1
http://www.diffbot.com&_=1357762280485 HTTP 1
http://web.archive.org 1
http://introonet.sensepost.com 1
http://www.ianlewis.org 1
http://www.diffbot.com&_=1357655535419 HTTP 1
http://www.diffbot.com&_=1357655534679 HTTP 1
http://www.diffbot.com&_=1357723427101 HTTP 1
http://www.diffbot.com&_=1357723416838 HTTP 1
http://www.diffbot.com&_=1357762280483 HTTP 1
http://lostinsecurity.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

13 of 3 previous next Post a comment

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • hi
    Are you sure you want to
    Your message goes here
    Processing…
  • Congratulations !!! This is an excellent work.Thank you for sharing. We have selected your presentation for the reference in our group Slideshare 'BANK OF KNOWLEDGE'. We would be honored by your support through your membership. You are invited to join us ! I wish you a nice day. Greetings from France. Good weekend. Lauren

    http://www.slideshare.net/group/bank-of-knowledge
    Are you sure you want to
    Your message goes here
    Processing…
  • Our blog entry about the talk is available at http://www.sensepost.com/blog/4873.html

    Note: Gowalla and Bit.Ly were contacted before the presentation and fixed their stuff.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Cache on Delivery Cache on Delivery Presentation Transcript

    • Cache on delivery mining memcached marco@sensepost.com
    • The need for caching • Large percentage of data remains relatively constant • Wikipedia page contents • Youtube video links • FB Profile data • Poorly designed solutions regenerate data on each request • Don’t regenerate, rather regurgitate
    • The need for caching • Large percentage of data remains relatively constant • Wikipedia page contents • Youtube video links • FB Profile data • Poorly designed solutions regenerate data on each request • Don’t regenerate, rather regurgitate
    • Memcached • memcached.org • Written for LJ (2003) by Brad Fitzpatrick • Non-persistent network-based KV store • Why do we care? Mom&pop don’t need the cache.
    • Memcached • memcached.org • Written for LJ (2003) by Brad Fitzpatrick • Non-persistent network-based KV store • Why do we care? Mom&pop don’t need the cache.
    • Basic KV • Slabs are fixed size • Users don’t care about slabs • Dstvalue size by slab determined • Miners care about slabs
    • Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
    • Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
    • Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
    • Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
    • Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
    • 1998 • Blank ‘sa’ • Anonymous ftp • system/manager
    • Goals • Connect to memcached • Find all slabs • Retrieve keynames from each slab • Retrieve each key
    • Lies, damn lies, and stats stats slabs STAT 1:chunk_size 80 • <...> stats cmd has subcmds STAT 2:chunk_size 104 <...> STAT 3:chunk_size 136 • items <...> STAT 4:chunk_size <...> 176 • slabs STAT 6:chunk_size <...> STAT 8:chunk_size 280 440 • <...> ... STAT 9:chunk_size 552 <...> STAT 9:cas_badval 0 STAT active_slabs 7 This gets us the slabs_ids
    • Retrieving key names Rely on two {poorly|un} documented features
    • Retrieving key names Feature #1: Remote enabling of debug mode
    • Retrieving key names Feature #2: “stats cachedump”
    • Retrieving key names Feature #2: “stats cachedump”
    • Retrieving key names Feature #2: “stats cachedump” Slabs ID
    • Retrieving key names Feature #2: “stats cachedump” Key limit
    • Retrieving key names Feature #2: “stats cachedump” Key list
    • Retrieving key names Feature #2: “stats cachedump” This gets us key names
    • And this gets us? • No need for complex hacks. Memcached serves up all its data for us. • What to do in an exposed cache? • Mine • SQLi is too hard for me • Overwrite • Client-side • Server-side
    • Mining the cache • go-derper.rb – memcached miner • Retrieves up to k keys from each slab and their contents, store on disk • Applies regexes and filters matches in a hits file • Supports easy overwriting of cache entries • [demo]
    • Two issues
    • Two issues • Finding caches • Again with the simple approach • Pick a cloud network, scan for memcacheds on port 11211 with a mod’ed .nse
    • Two issues • Linking apps to caches • Who’s %$!#ing cache is this? • Cached high scores suck. Where’s the good stuff? • Is it live? http://www.rhythm.com/~keith/autoStereoGrams/vortexas.gif
    • Results #1 IPs scanned 2^16 # of caches found 229 Retrieved Items 7.3GB Average uptime ~50days Total bandwidth used 9PB Total entry count 288 million Total Bytes stored 136TB Highest bandwidth 247TB Highest entry count 133 million Highest Bytes Stored 19.3GB
    • Results #2 • HTML • Objects found • JavaScript • Serialized Java • Data • Pickled Python • Email • Ruby ActiveRecord • Passwords • .Net Object (clear-text, crypt’ed, MD5) • JSON
    • Globworld
    • Globworld
    • Globworld
    • Globworld
    • Gowalla
    • Gowalla
    • Gowalla
    • Gowalla
    • Gowalla
    • Gowalla
    • Bit.ly Pro
    • Bit.ly Pro
    • Bit.ly Pro
    • PBS
    • PBS
    • PBS
    • PBS
    • Sidebar: serialized objs • Python’s pickle intentionally insecure • But they’re exposed! • Pickle shellcode cos system (S'echo hostname' tR. • [demo]
    • Sidebar: serialized objs • Python’s pickle intentionally insecure • But they’re exposed! • Pickle shellcode cos system (S'echo hostname' tR. • [demo]
    • Fixes? • FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. (VPC) • Hack code to disable stats facility (but doesn’t prevent key brute-force) • Hack code to disable remote enabling of debug features • Switch to SASL • Requires binary protocol • Not supported by a number of memcached libs • Salt your passwords with a proper scheme (PHK’s MD5 or Bcrypt) • Also, FW.
    • Random thoughts • This can’t be new • Inject tracker images / strings • Trace Refers / hit Google • Key guessing or prediction • Your data ends up in places you never expected.
    • Places to keep looking • Improve data detection/sifting/filtering • Spread the search past a single provider • Caching providers (?!?!) • Other cache software • Other infrastructure software
    • Questions? www.sensepost.com/labs/tools/poc/go-derper