Доклад Ивана Новикова на HighLoad++ 2014.

1. Memcached-
инъекции: они
существуют и
работают
Иван Новиков (ONsec)

2. Memcached BIO
• Key-value in-memory database
• Very popular for session storagea and caching data/objects
• Supports by all popular platforms and frameworks

3. Shodan stats

4. Commands types

5. How applications uses
memcached
What data stored?
• Session storage: serialized data
• Caching data: strings, serialized data
• Commonly to store code (templates, others)

6. How applications uses
memcached
How data stored?
• Keys typically contains prefixes (namespaces) “ObjectCacheTemplates”
• Key after prefix commonly depends on user’s data “…login”
• Arbitrary key writing gain auth bypass by design

7. Memcached wrappers
• Format protocol packet (input validation, length calculation, etc)
• Send/retrieve results (socket operations)
• Process data (cast to type, unserialize and others)

8. Scope of research

11. Injection types

12. Memcached wrappers
• Missed validation of commands delimiters (0x0a, 0x0d) at keys
• Inject your command after application’s command
• No other restrictions (no role model on commands)

13. Memcached wrappers
?key=1%0d%0a1%0d%0aset+injected+0+3
600+10%0d%0a1234567890%0d%0a

14. #1 Command injection

15. #1 Who is vulnerable

16. #2 State breaking
• Missed validation of command format (key name, attributes count)
• Send whole packet, doesn’t read first response to first line
• Data will be interpreted as new command

17. #2 State breaking
?k=aaa…{251}&v=set+injected+0+3600+10
%0a%0d1234567890

18. #2 State breaking

19. #2 State breaking
• Ruby example
• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)
• This wrapper filtered 0x0a, 0x20, but not 0x00 and 0x0d

20. #2 State breaking
• Ruby example
• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)

21. #2 State breaking

22. #2 Who is vulnerable

23. #3 Argument injection
• Missed validation of argument delimiters (only 0x20)
• Inject your argument to break length (argument shifting)
• Part of value field will be interpreted as new command

24. #3 Argument injection
?k=1
0&v=1…{30}%0d%0aset+injected+0+3600+
3%0a%0dINJ

25. #3 Argument injection

26. #3 Who is vulnerable

27. Post exploitation
Right, we can execute arbitrary memcached commands!
For what?
• Write/rewrite/delete arbitrary keys
• Send retrieve commands, but it never been reader by driver

28. Application level
Right, we can execute arbitrary memcached commands!
• To read data you need application-level driver
• Values deserialize + injection = CWE-502
(http://cwe.mitre.org/data/definitions/502.html)

29. Deserialization

31. Stats

32. Stats
I’m a champion!

33. Thx!
@d0znpp
http://wallarm.com