Cache on Delivery

59,793 views
59,020 views

Published on

Presentation by Marco Slaviero at BlackHat USA in 2010.

This presentation is about mining information from memchached. The presentation begins with a brief introduction to memcached. go-derper.rb, a tool developed by the presenter for hacking memchaced servers is introduced and a few memchached mining examples are given. The presentation ends with a brief discussion on serialized objects exposed in the chache.

Published in: Technology
3 Comments
53 Likes
Statistics
Notes
  • hi
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Congratulations !!! This is an excellent work.Thank you for sharing. We have selected your presentation for the reference in our group Slideshare 'BANK OF KNOWLEDGE'. We would be honored by your support through your membership. You are invited to join us ! I wish you a nice day. Greetings from France. Good weekend. Lauren

    http://www.slideshare.net/group/bank-of-knowledge
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Our blog entry about the talk is available at http://www.sensepost.com/blog/4873.html

    Note: Gowalla and Bit.Ly were contacted before the presentation and fixed their stuff.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
59,793
On SlideShare
0
From Embeds
0
Number of Embeds
7,477
Actions
Shares
0
Downloads
470
Comments
3
Likes
53
Embeds 0
No embeds

No notes for slide

Cache on Delivery

  1. Cache on delivery mining memcached marco@sensepost.com
  2. The need for caching • Large percentage of data remains relatively constant • Wikipedia page contents • Youtube video links • FB Profile data • Poorly designed solutions regenerate data on each request • Don’t regenerate, rather regurgitate
  3. The need for caching • Large percentage of data remains relatively constant • Wikipedia page contents • Youtube video links • FB Profile data • Poorly designed solutions regenerate data on each request • Don’t regenerate, rather regurgitate
  4. Memcached • memcached.org • Written for LJ (2003) by Brad Fitzpatrick • Non-persistent network-based KV store • Why do we care? Mom&pop don’t need the cache.
  5. Memcached • memcached.org • Written for LJ (2003) by Brad Fitzpatrick • Non-persistent network-based KV store • Why do we care? Mom&pop don’t need the cache.
  6. Basic KV • Slabs are fixed size • Users don’t care about slabs • Dstvalue size by slab determined • Miners care about slabs
  7. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  8. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  9. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  10. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  11. Trivial protocol • ASCII-based • Long-lived • Tiny command set • set • get • stats • ... • ???? Binary and UDP protocols also exist, these were not touched.
  12. 1998 • Blank ‘sa’ • Anonymous ftp • system/manager
  13. Goals • Connect to memcached • Find all slabs • Retrieve keynames from each slab • Retrieve each key
  14. Lies, damn lies, and stats stats slabs STAT 1:chunk_size 80 • <...> stats cmd has subcmds STAT 2:chunk_size 104 <...> STAT 3:chunk_size 136 • items <...> STAT 4:chunk_size <...> 176 • slabs STAT 6:chunk_size <...> STAT 8:chunk_size 280 440 • <...> ... STAT 9:chunk_size 552 <...> STAT 9:cas_badval 0 STAT active_slabs 7 This gets us the slabs_ids
  15. Retrieving key names Rely on two {poorly|un} documented features
  16. Retrieving key names Feature #1: Remote enabling of debug mode
  17. Retrieving key names Feature #2: “stats cachedump”
  18. Retrieving key names Feature #2: “stats cachedump”
  19. Retrieving key names Feature #2: “stats cachedump” Slabs ID
  20. Retrieving key names Feature #2: “stats cachedump” Key limit
  21. Retrieving key names Feature #2: “stats cachedump” Key list
  22. Retrieving key names Feature #2: “stats cachedump” This gets us key names
  23. And this gets us? • No need for complex hacks. Memcached serves up all its data for us. • What to do in an exposed cache? • Mine • SQLi is too hard for me • Overwrite • Client-side • Server-side
  24. Mining the cache • go-derper.rb – memcached miner • Retrieves up to k keys from each slab and their contents, store on disk • Applies regexes and filters matches in a hits file • Supports easy overwriting of cache entries • [demo]
  25. Two issues
  26. Two issues • Finding caches • Again with the simple approach • Pick a cloud network, scan for memcacheds on port 11211 with a mod’ed .nse
  27. Two issues • Linking apps to caches • Who’s %$!#ing cache is this? • Cached high scores suck. Where’s the good stuff? • Is it live? http://www.rhythm.com/~keith/autoStereoGrams/vortexas.gif
  28. Results #1 IPs scanned 2^16 # of caches found 229 Retrieved Items 7.3GB Average uptime ~50days Total bandwidth used 9PB Total entry count 288 million Total Bytes stored 136TB Highest bandwidth 247TB Highest entry count 133 million Highest Bytes Stored 19.3GB
  29. Results #2 • HTML • Objects found • JavaScript • Serialized Java • Data • Pickled Python • Email • Ruby ActiveRecord • Passwords • .Net Object (clear-text, crypt’ed, MD5) • JSON
  30. Globworld
  31. Globworld
  32. Globworld
  33. Globworld
  34. Gowalla
  35. Gowalla
  36. Gowalla
  37. Gowalla
  38. Gowalla
  39. Gowalla
  40. Bit.ly Pro
  41. Bit.ly Pro
  42. Bit.ly Pro
  43. PBS
  44. PBS
  45. PBS
  46. PBS
  47. Sidebar: serialized objs • Python’s pickle intentionally insecure • But they’re exposed! • Pickle shellcode cos system (S'echo hostname' tR. • [demo]
  48. Sidebar: serialized objs • Python’s pickle intentionally insecure • But they’re exposed! • Pickle shellcode cos system (S'echo hostname' tR. • [demo]
  49. Fixes? • FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. (VPC) • Hack code to disable stats facility (but doesn’t prevent key brute-force) • Hack code to disable remote enabling of debug features • Switch to SASL • Requires binary protocol • Not supported by a number of memcached libs • Salt your passwords with a proper scheme (PHK’s MD5 or Bcrypt) • Also, FW.
  50. Random thoughts • This can’t be new • Inject tracker images / strings • Trace Refers / hit Google • Key guessing or prediction • Your data ends up in places you never expected.
  51. Places to keep looking • Improve data detection/sifting/filtering • Spread the search past a single provider • Caching providers (?!?!) • Other cache software • Other infrastructure software
  52. Questions? www.sensepost.com/labs/tools/poc/go-derper

×