2. Memcached BIO
• Key-value in-memory database
• Very popular for session storage and caching data/objects
• Supported by all popular platforms and frameworks
5. How applications use memcached
What data is stored?
• Session storage: serialized data
• Caching data: strings, serialized data
• Commonly used to store code (templates, others)
6. How applications use memcached
How is data stored?
• Keys typically contain prefixes (namespaces), e.g. “ObjectCacheTemplates”
• The key after the prefix commonly depends on user data, e.g. “…login”
• Writing arbitrary keys therefore gives an auth bypass by design
7. Memcached wrappers
• Format protocol packet (input validation, length calculation, etc)
• Send/retrieve results (socket operations)
• Process data (cast to type, unserialize and others)
12. Memcached wrappers
• Missing validation of command delimiters (0x0a, 0x0d) in keys
• Inject your command after application’s command
• No other restrictions (no role model on commands)
16. #2 State breaking
• Missing validation of command format (key name, attribute count)
• Sends the whole packet without reading the response to the first line
• Data will be interpreted as a new command
17. #2 State breaking
?k=aaa…{251}&v=set+injected+0+3600+10
%0a%0d1234567890
19. #2 State breaking
• Ruby example
• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)
• This wrapper filtered 0x0a, 0x20, but not 0x00 and 0x0d
20. #2 State breaking
• Ruby example
• memcache gem 1.5.1 (https://rubygems.org/gems/memcache)
23. #3 Argument injection
• Missing validation of argument delimiters (only 0x20)
• Inject your argument to break the length field (argument shifting)
• Part of the value field will be interpreted as a new command
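The three wrapper defects above (command delimiters in keys, state breaking via an over-long key, and argument shifting) all come down to the same missing checks when the text-protocol line is built. The following is an added example, not code from the slides or from the memcache gem or any other wrapper they discuss: a naive framer that behaves like the vulnerable wrappers, a hardened framer that enforces the protocol's key rules (at most 250 bytes, no byte in 0x00–0x20 or 0x7f, so 0x00 and 0x0d are covered as well as 0x0a and 0x20), and a deliberately simplified model of how the server splits a request buffer into commands. The names `validate_key`, `frame_set_naive`, `frame_set_safe` and `count_server_commands` and the server model are assumptions made for this example; the injected payload is constructed in the shape the slides show.

```ruby
require 'stringio'

KEY_MAX_BYTES = 250                                  # limit from the memcached text protocol
STORAGE_CMDS  = %w[set add replace append prepend cas].freeze

class MemcachedKeyError < ArgumentError; end

# Hardened key check: rejects every byte the server treats as a delimiter
# (0x20, 0x0a, 0x0d), NUL, the remaining control characters and DEL, plus
# over-long keys. Returns the key unchanged when it is safe.
def validate_key(key)
  key = key.to_s
  if key.bytesize > KEY_MAX_BYTES
    raise MemcachedKeyError, "key too long (#{key.bytesize} > #{KEY_MAX_BYTES})"
  end
  if key.bytes.any? { |b| b <= 0x20 || b == 0x7f }
    raise MemcachedKeyError, 'key contains a control character or space'
  end
  key
end

# Naive framer, behaving like the vulnerable wrappers in the slides: key, flags
# and exptime are interpolated unchecked; only the length is computed.
def frame_set_naive(key, value, flags: 0, exptime: 0)
  "set #{key} #{flags} #{exptime} #{value.bytesize}\r\n#{value}\r\n"
end

# Hardened framer: validates the key and coerces the numeric arguments, so a
# string such as "0 3600" passed as flags cannot shift the length field.
def frame_set_safe(key, value, flags: 0, exptime: 0)
  key   = validate_key(key)
  value = value.to_s.b
  "set #{key} #{Integer(flags)} #{Integer(exptime)} #{value.bytesize}\r\n#{value}\r\n"
end

# Simplified model (an assumption for this example) of how the server splits a
# request buffer: each command line ends at "\n"; a storage command is followed
# by a data block of exactly <bytes> bytes plus "\r\n"; a storage command whose
# key is over the limit is answered with an error and its data block is NOT
# consumed, so the following bytes are parsed as new commands.
# Returns how many commands the buffer yields.
def count_server_commands(packet)
  io = StringIO.new(packet.b)
  count = 0
  while (line = io.gets("\n"))
    parts = line.chomp.split(' ')
    next if parts.empty?
    count += 1
    next unless STORAGE_CMDS.include?(parts[0]) && parts.size >= 5
    next if parts[1].bytesize > KEY_MAX_BYTES
    io.read(Integer(parts[4], exception: false) || 0)
    io.read(2) if io.string[io.pos, 2] == "\r\n"
  end
  count
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload in the shape the slides show (set injected 0 3600 10 + data).
  injected = "set injected 0 3600 10\r\n1234567890\r\n"
  puts count_server_commands(frame_set_naive('user', 'hello'))      # 1: one command, as intended
  puts count_server_commands(frame_set_naive('a' * 251, injected))  # 2: state breaking
  puts count_server_commands(frame_set_naive('foo 0', 'hello'))     # 2: argument shifting
  begin
    frame_set_safe('a' * 251, injected)
  rescue MemcachedKeyError => e
    puts "rejected: #{e.message}"
  end
end
```

The hardened framer rejects the over-long key, the key carrying a delimiter and the space-containing key before anything reaches the socket, and `Integer()` turns an injected "0 3600" in flags into an exception instead of an extra token. A wrapper that additionally reads and checks the server's reply for every command sent, rather than only the last one, closes the state-breaking path even if a bad key slips through.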
27. Post exploitation
Right, we can execute arbitrary memcached commands!
For what?
• Write/rewrite/delete arbitrary keys
• Send retrieve commands, but their output is never read by the driver
28. Application level
Right, we can execute arbitrary memcached commands!
• To read data you need application-level driver
• Value deserialization + injection = CWE-502 (Deserialization of Untrusted Data)
(http://cwe.mitre.org/data/definitions/502.html)
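The CWE-502 point is that the driver hands whatever bytes sit under a key to a deserializer, so a value planted through command injection becomes an object graph inside the application. The following is an added example, not code from the slides or from any wrapper they discuss: the unsafe read pattern beside a hypothetical hardened wrapper that stores JSON with an HMAC-SHA256 tag under an application secret, so that an unsigned or altered value is rejected before it is parsed. The names `unsafe_read`, `SignedCache` and `secure_equal?`, the use of a plain Hash in place of a memcached connection, and the secret are all constructed for this example.

```ruby
require 'json'
require 'openssl'

class TamperedCacheValue < StandardError; end

# Constant-time byte comparison so a forged tag cannot be confirmed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The CWE-502 pattern the slides describe: whatever bytes sit under the key are
# handed to Marshal.load, so a value written through command injection is
# deserialized into arbitrary objects. `store` stands in for the memcached
# connection (a plain Hash here, constructed for the example).
def unsafe_read(store, key)
  Marshal.load(store[key])
end

# Hardened wrapper (hypothetical, not the memcache gem's API): values are stored
# as JSON with an HMAC-SHA256 tag under an application secret. JSON.parse only
# ever yields strings, numbers, booleans, arrays and hashes, and a value whose
# tag does not verify is rejected before it is parsed.
class SignedCache
  attr_reader :store

  def initialize(secret, store = {})
    @secret = secret
    @store  = store
  end

  def write(key, object)
    payload = JSON.generate(object)
    @store[key] = "#{tag(payload)}:#{payload}"
  end

  def read(key)
    raw = @store[key]
    return nil if raw.nil?
    stored_tag, payload = raw.split(':', 2)
    unless payload && secure_equal?(stored_tag, tag(payload))
      raise TamperedCacheValue, "value under #{key.inspect} failed HMAC check"
    end
    JSON.parse(payload)
  end

  private

  def tag(payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, payload)
  end
end

if __FILE__ == $PROGRAM_NAME
  cache = SignedCache.new('example-secret')          # constructed secret for the example
  cache.write('sess:alice', { 'login' => 'alice', 'admin' => false })
  p cache.read('sess:alice')                           # {"login"=>"alice", "admin"=>false}
  # Simulated tampering: a value placed under the key without a valid tag.
  cache.store['sess:alice'] = 'deadbeef:' + JSON.generate({ 'login' => 'alice', 'admin' => true })
  begin
    cache.read('sess:alice')
  rescue TamperedCacheValue => e
    puts "rejected: #{e.message}"
  end
end
```

The tag does not stop an attacker from writing keys; it stops the application from trusting what it reads back, which is the half of the problem the application-level driver owns. The secret must live in the application, never in the cache itself, and the plain `Marshal.load` path should not exist for cache values at all.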