Memcached is a distributed in-memory caching system. It stores data in memory as key-value pairs and is typically used for data that is read frequently: because reading from memory is far faster than reading from disk, it speeds up access to the application.
Vulnerability Cause:
Because of a security design flaw in memcached, any client that connects to the memcached server can read and modify the cached content without authentication.
Vulnerability Impact:
Besides the direct leakage and malicious modification of the data held in memcached, data read from memcached is processed by the back-end code in the same way as variables submitted by ordinary site users, so defects in that processing code lead once again to security issues of various types.
The difference is that data entered directly by a front-end user usually receives more security checks, whereas data read from memcached is more likely to be trusted by the developer, or assumed to have already been validated, which makes it more likely to cause security problems.
The secondary vulnerabilities that result therefore vary with the location in which the memcached data is used (commonly called the sink in XSS terminology), for example:
(1) Cached data output directly without filtering can lead to XSS;
(2) Cached data concatenated into SQL query statements without filtering can lead to SQL injection;
(3) Cached data containing sensitive information (such as usernames and passwords) can be leaked directly by a read operation;
(4) Cached data passed unfiltered into system(), eval() and similar functions can lead to command execution;
(5) Cached data output directly in the header() function without filtering can result in CRLF vulnerabilities (HTTP response splitting).
...
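The following is an added example, not code from the original article: it treats every value read from memcached as untrusted input and shows the hardened handling at the sinks listed above (HTML output, SQL, command execution, HTTP headers), with the concatenated-SQL pattern kept alongside for contrast. The cache is simulated with a dict, the planted values and the users table are constructed samples, and the function names are assumptions for the example.

```python
import html
import re
import sqlite3

# Simulated memcached contents. Because the server accepts unauthenticated
# writes, an attacker can plant values like these; all are constructed samples.
CACHE = {
    "user:42:name": "<img src=x onerror=alert(1)>",   # sink (1): HTML output
    "user:42:id": "42 OR 1=1",                         # sink (2): SQL query
    "user:7:id": "42",                                 # a legitimate value
    "redirect:home": "/home\r\nSet-Cookie: session=attacker",  # sink (5): header
    "redirect:docs": "/docs",                          # a legitimate value
    "report:type": "daily; id",                        # sink (4): command
    "report:ok": "weekly",                             # a legitimate value
}


def cache_get(key):
    """Read a value from the simulated cache; '' when the key is missing."""
    return CACHE.get(key, "")


def make_db():
    """Constructed in-memory users table for the SQL sink."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (42, "bob")])
    return conn


def lookup_user_unsafe(conn, key):
    """Sink (2) as the article warns: the cached value is concatenated into the
    statement, so a poisoned value changes the query and returns every row."""
    sql = "SELECT id, name FROM users WHERE id = " + cache_get(key)
    return conn.execute(sql).fetchall()


def lookup_user(conn, key):
    """Hardened sink (2): validate the type, then bind it as a parameter."""
    raw = cache_get(key)
    if not raw.isdigit():
        return None
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (int(raw),)).fetchone()


def render_name_html(key):
    """Hardened sink (1): escape the cached value before it reaches the page."""
    return "<span>%s</span>" % html.escape(cache_get(key))


def redirect_header(key):
    """Hardened sink (5): a header value must contain no CR/LF and must be a
    local path, otherwise fall back to a fixed safe location."""
    loc = cache_get(key)
    if re.fullmatch(r"[\x20-\x7e]*", loc) and loc.startswith("/") and not loc.startswith("//"):
        return ("Location", loc)
    return ("Location", "/")


# Hardened sink (4): the cached value selects an entry from a fixed allowlist
# and is never itself passed to a shell. The commands are placeholders.
ALLOWED_REPORTS = {
    "daily": ["gen_report", "--period", "daily"],
    "weekly": ["gen_report", "--period", "weekly"],
}


def report_command(key):
    """Return the argv list for an allowed report type, or None if not allowed."""
    return ALLOWED_REPORTS.get(cache_get(key))


if __name__ == "__main__":
    conn = make_db()
    print("unsafe query rows:", lookup_user_unsafe(conn, "user:42:id"))
    print("safe query:", lookup_user(conn, "user:42:id"), lookup_user(conn, "user:7:id"))
    print(render_name_html("user:42:name"))
    print(redirect_header("redirect:home"), redirect_header("redirect:docs"))
    print(report_command("report:type"), report_command("report:ok"))
```

The point the functions make is the one the article states: the checks are the same ones applied to form input, only applied at the point where the cached value is consumed, so a poisoned cache entry is neutralised no matter who wrote it.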
Vulnerability Exploitation:
Exploitation consists of placing the appropriate payload in the cached variable, chosen according to which secondary vulnerability that variable reaches.
The Go-derper tool can be used to crawl the cached data of memcached servers affected by the unauthorized access vulnerability.
Note: For basic memcached server operations and how to use the Go-derper tool, see the link.
Vulnerability Attack Demo:
http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
Vulnerability Detection:
1. Log in to the machine and run netstat -an | more to view the listening ports. An entry showing 0.0.0.0:11211 indicates that memcached is listening on all network interfaces and the unauthorized access vulnerability exists.
2. Run telnet <target> 11211 or nc -vv <target> 11211; a successful connection indicates the vulnerability exists.
Telnet:
------------------------------------------------------------
local% telnet x.x.x.x 11211
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
NC:
------------------------------------------------------------
local% nc -vv x.x.x.x 11211
found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
        outif en7
        src x.x.x.x port 55001
        dst x.x.x.x port 11211
        rank info not available
        TCP aux info available
Connection to x.x.x.x port 11211 [tcp/*] succeeded!
stats items
memcached agent v0.4
matrix 1 -> x.x.x.x:12000, pool size 1
matrix 2 -> x.x.x.x:12001, pool size 1
END
3. Use the port scanner nmap for a remote scan: nmap -sV -p 11211 --script memcached-info <target>.
11211/tcp open  memcached
| memcached-info:
|   Process ID: 18568
|   Uptime: 6950 seconds
|   Server time: Sat Dec 31 14:16:10 2011
|   Architecture: bit
|   Used CPU (user): 0.172010
|   Used CPU (system): 0.200012
|   Current connections: 10
|   Total connections: 78
|   Maximum connections: 1024
|   TCP Port: 11211
|   UDP Port: 11211
|_  Authentication: No
Vulnerability Fixes:
1. Configure memcached to listen only on the local loopback address 127.0.0.1.
[root@local ~]# vim /etc/sysconfig/memcached
OPTIONS="-l 127.0.0.1"    # listen on localhost only
[root@local ~]# /etc/init.d/memcached restart    # restart the service
2. When memcached must listen on an intranet or public IP address, use a host firewall (iptables, firewalld, etc.) together with the network firewall to filter access to the memcached service port.
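As an added example that is not part of the original article, the script below implements detection step 1 (reading netstat -an output for a memcached listener bound to 0.0.0.0) and verifies fix 1 (the -l 127.0.0.1 setting in the OPTIONS line of /etc/sysconfig/memcached), and it also parses the plain-text reply to the memcached "stats" command that nmap's memcached-info script displays. The netstat text, config files and stats reply are constructed samples so the script runs offline; on a real host you would feed it the actual command output and file contents. Function names are assumptions for the example.

```python
import shlex

MEMCACHED_PORT = 11211
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed netstat -an output: memcached bound to all interfaces (weak)
NETSTAT_WEAK = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Constructed netstat -an output after the fix: bound to loopback only
NETSTAT_FIXED = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
"""

# Constructed /etc/sysconfig/memcached contents, before and after the fix
CONFIG_WEAK = 'PORT="11211"\nUSER="memcached"\nOPTIONS=""\n'
CONFIG_FIXED = 'PORT="11211"\nUSER="memcached"\nOPTIONS="-l 127.0.0.1"\n'

# Constructed reply to the "stats" command (values mirror the nmap output above)
STATS_SAMPLE = (
    "STAT pid 18568\r\nSTAT uptime 6950\r\nSTAT time 1325340970\r\n"
    "STAT curr_connections 10\r\nSTAT total_connections 78\r\n"
    "STAT max_connections 1024\r\nEND\r\n"
)


def memcached_listeners(netstat_text):
    """Return (proto, bind_address) pairs for sockets bound to port 11211."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = parts[3].rpartition(":")
        if port == str(MEMCACHED_PORT):
            found.append((parts[0], addr))
    return found


def exposed_listeners(netstat_text):
    """Listeners reachable from other hosts: anything not bound to loopback."""
    return [(p, a) for p, a in memcached_listeners(netstat_text) if a not in LOOPBACK]


def listen_address_from_config(config_text):
    """Return the -l value from the OPTIONS line, or None when none is set."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("OPTIONS="):
            continue
        value = line[len("OPTIONS="):].split("#", 1)[0].strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]           # drop the surrounding shell quotes
        args = shlex.split(value)
        for i, arg in enumerate(args):
            if arg == "-l" and i + 1 < len(args):
                return args[i + 1]
            if arg.startswith("-l") and len(arg) > 2:
                return arg[2:]            # "-l127.0.0.1" form
        return None
    return None


def config_restricts_to_loopback(config_text):
    """True only when every configured listen address is a loopback address."""
    addr = listen_address_from_config(config_text)
    return addr is not None and all(a.strip() in LOOPBACK for a in addr.split(","))


def parse_stats(response):
    """Parse a memcached 'stats' reply ("STAT name value" lines up to END)."""
    stats = {}
    for line in response.split("\r\n"):
        if line == "END":
            break
        if line.startswith("STAT "):
            _, name, value = line.split(" ", 2)
            stats[name] = value
    return stats


def audit(netstat_text, config_text):
    """Findings for the article's detection step 1 and fix 1; empty means clean."""
    findings = []
    for proto, addr in exposed_listeners(netstat_text):
        findings.append("%s %s:%d is reachable from the network" % (proto, addr, MEMCACHED_PORT))
    if not config_restricts_to_loopback(config_text):
        findings.append("OPTIONS does not restrict memcached to 127.0.0.1")
    return findings


if __name__ == "__main__":
    print("before fix:", audit(NETSTAT_WEAK, CONFIG_WEAK))
    print("after fix: ", audit(NETSTAT_FIXED, CONFIG_FIXED))
    print("stats:", parse_stats(STATS_SAMPLE))
```

The netstat check and the config check are deliberately independent: a correct OPTIONS line that has not been followed by a service restart still leaves the old 0.0.0.0 socket open, and the netstat view catches that.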