Memcached injections: they exist and they work, Ivan Novikov (ONsec)
Ivan Novikov's talk at HighLoad++ 2014.

Published in: Internet
  1. Memcached injections: they exist and they work. Ivan Novikov (ONsec)
  2. Memcached BIO
     • Key-value in-memory database
     • Very popular for session storage and for caching data/objects
     • Supported by all popular platforms and frameworks
  3. Shodan stats
  4. Command types
  5. How applications use memcached: what data is stored?
     • Session storage: serialized data
     • Caching data: strings, serialized data
     • Commonly used to store code (templates, others)
  6. How applications use memcached: how is data stored?
     • Keys typically contain prefixes (namespaces), e.g. “ObjectCacheTemplates”
     • The key after the prefix commonly depends on the user’s data, e.g. “…login”
     • Writing an arbitrary key therefore gives auth bypass by design
  7. Memcached wrappers
     • Format the protocol packet (input validation, length calculation, etc.)
     • Send/retrieve results (socket operations)
     • Process data (cast to type, unserialize, and others)
  8. Scope of research
  9. Injection types
  10. Memcached wrappers
     • Missing validation of command delimiters (0x0a, 0x0d) in keys
     • Inject your command after the application’s command
     • No other restrictions (no role model on commands)
  11. Memcached wrappers: ?key=1%0d%0a1%0d%0aset+injected+0+3600+10%0d%0a1234567890%0d%0a
  12. #1 Command injection
  13. #1 Who is vulnerable
  14. #2 State breaking
     • Missing validation of command format (key name, attribute count)
     • The whole packet is sent; the driver doesn’t read the response to the first line
     • Data will be interpreted as a new command
  15. #2 State breaking: ?k=aaa…{251}&v=set+injected+0+3600+10%0a%0d1234567890
  16. #2 State breaking
  17. #2 State breaking
     • Ruby example
     • memcache gem 1.5.1 (https://rubygems.org/gems/memcache)
     • This wrapper filtered 0x0a and 0x20, but not 0x00 and 0x0d
  18. #2 State breaking
     • Ruby example
     • memcache gem 1.5.1 (https://rubygems.org/gems/memcache)
  19. #2 State breaking
  20. #2 Who is vulnerable
  21. #3 Argument injection
     • Missing validation of argument delimiters (only 0x20)
     • Inject your argument to break the length (argument shifting)
     • Part of the value field will be interpreted as a new command
  22. #3 Argument injection: ?k=1 0&v=1…{30}%0d%0aset+injected+0+3600+3%0a%0dINJ
  23. #3 Argument injection
  24. #3 Who is vulnerable
  25. Post exploitation. Right, we can execute arbitrary memcached commands! For what?
     • Write/rewrite/delete arbitrary keys
     • Send retrieve commands, but their output is never read by the driver
  26. Application level. Right, we can execute arbitrary memcached commands!
     • To read data you need an application-level driver
     • Value deserialization + injection = CWE-502 (http://cwe.mitre.org/data/definitions/502.html)
  27. Deserialization
  28. Stats
  29. Stats. I’m a champion!
  30. Thx! @d0znpp http://wallarm.com
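All three injection classes in the slides come from wrappers that build the memcached text-protocol packet without validating keys and arguments (slides 7, 10, 14 and 21). The following Python is an added example, not code from the talk or from any memcached client library: a minimal `set` packet builder that enforces the protocol’s 250-byte key limit, rejects control and whitespace bytes in keys (not only 0x0a and 0x20, as the gem on slide 17 did), requires integer arguments, and derives the `<bytes>` field from the real data, so the slide payloads are either refused or sent as inert data. All function names are assumptions.

```python
"""Hardened memcached text-protocol packet builder (added example, not from the slides)."""
import re
from urllib.parse import unquote_plus

MAX_KEY_LEN = 250  # memcached protocol limit on key length, in bytes
# Bytes memcached treats as key terminators or control characters: NUL..space and DEL.
# Filtering only 0x0a/0x20 (slide 17) leaves 0x0d and 0x00 usable for state breaking.
KEY_BAD_BYTES = re.compile(rb"[\x00-\x20\x7f]")

class MemcachedInjection(ValueError):
    """Raised when user data would be parsed as protocol syntax."""

def from_query(s: str) -> bytes:
    """Decode a URL query value the way the slide payloads are written (+ and %XX)."""
    return unquote_plus(s).encode("latin-1")

def validate_key(key: bytes) -> bytes:
    """Reject keys that could split a packet (#1) or desync the parser (#2, #3)."""
    if not key or len(key) > MAX_KEY_LEN:
        raise MemcachedInjection("key empty or longer than %d bytes" % MAX_KEY_LEN)
    if KEY_BAD_BYTES.search(key):
        raise MemcachedInjection("control or whitespace byte in key")
    return key

def validate_uint(name: str, value) -> int:
    """Numeric arguments must be real integers, never attacker-controlled strings."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise MemcachedInjection("%s must be a non-negative int" % name)
    return value

def build_set(key: bytes, value: bytes, flags: int = 0, exptime: int = 0) -> bytes:
    """Build 'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n' from validated parts."""
    if not isinstance(value, bytes):
        raise MemcachedInjection("value must be bytes")
    header = b"set %s %d %d %d\r\n" % (validate_key(key), validate_uint("flags", flags),
                                        validate_uint("exptime", exptime), len(value))
    # Because <bytes> equals len(value) exactly, any CRLF inside the data is consumed
    # as payload by the server and never reaches the command parser.
    return header + value + b"\r\n"

def rejected(fn, *args) -> bool:
    """True if fn(*args) raises MemcachedInjection; handy for checking inputs."""
    try:
        fn(*args)
    except MemcachedInjection:
        return True
    return False
```

Run `rejected(validate_key, from_query(...))` on the key part of each slide payload to see the #1 and #3 variants refused, and `build_set(b"k", from_query(...))` on the slide 15 value to see it framed as plain data.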
