Memcached injections are possible by exploiting vulnerabilities in the way memcached wrappers handle command delimiters and arguments. This allows injecting additional commands when setting or getting data, potentially leading to arbitrary command execution and deserialization attacks. Popular programming languages and frameworks like Ruby and Rails have been affected. The presentation outlines different injection techniques and provides examples to demonstrate how attackers could break state, inject commands, or shift arguments to exploit vulnerable memcached implementations.

1. Memcached-
инъекции: они
существуют и
работают
Иван Новиков (ONsec)

2. Memcached BIO
• Key-value in-memory database
• Very popular for session storagea and caching data/objects
• Supports by all popular platforms and frameworks

3. Shodan stats

4. Commands types

5. How applications uses
memcached
What data stored?
• Session storage: serialized data
• Caching data: strings, serialized data
• Commonly to store code (templates, others)

6. How applications uses
memcached
How data stored?
• Keys typically contains prefixes (namespaces) “ObjectCacheTemplates”
• Key after prefix commonly depends on user’s data “…login”
• Arbitrary key writing gain auth bypass by design

7. Memcached wrappers
• Format protocol packet (input validation, length calculation, etc)
• Send/retrieve results (socket operations)
• Process data (cast to type, unserialize and others)

8. Scope of research

11. Injection types

12. Memcached wrappers
• Missed validation of commands delimiters (0x0a, 0x0d) at keys
• Inject your command after application’s command
• No other restrictions (no role model on commands)

13. Memcached wrappers
?key=1%0d%0a1%0d%0aset+injected+0+3
600+10%0d%0a1234567890%0d%0a

14. #1 Command injection

15. #1 Who is vulnerable

16. #2 State breaking
• Missed validation of command format (key name, attributes count)
• Send whole packet, doesn’t read first response to first line
• Data will be interpreted as new command

17. #2 State breaking
?k=aaa…{251}&v=set+injected+0+3600+10
%0a%0d1234567890

18. #2 State breaking

19. #2 State breaking
• Ruby example
• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)
• This wrapper filtered 0x0a, 0x20, but not 0x00 and 0x0d

20. #2 State breaking
• Ruby example
• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)

21. #2 State breaking

22. #2 Who is vulnerable

23. #3 Argument injection
• Missed validation of argument delimiters (only 0x20)
• Inject your argument to break length (argument shifting)
• Part of value field will be interpreted as new command

24. #3 Argument injection
?k=1
0&v=1…{30}%0d%0aset+injected+0+3600+
3%0a%0dINJ

25. #3 Argument injection

26. #3 Who is vulnerable

27. Post exploitation
Right, we can execute arbitrary memcached commands!
For what?
• Write/rewrite/delete arbitrary keys
• Send retrieve commands, but it never been reader by driver

28. Application level
Right, we can execute arbitrary memcached commands!
• To read data you need application-level driver
• Values deserialize + injection = CWE-502
(http://cwe.mitre.org/data/definitions/502.html)

29. Deserialization

31. Stats

32. Stats
I’m a champion!

33. Thx!
@d0znpp
http://wallarm.com