Memcache Unauthorized Access Vulnerability

Source: Internet
Author: User



First, Memcache



Vulnerability description: Memcached is a distributed cache system. It stores data in memory as key-value pairs, typically data that the application reads frequently. Because reading from memory is far faster than reading from disk, it can be used to speed up the application's data access. Due to flaws in memcached's security design, a client that connects to the memcached server can read and modify the server's cache content without authentication.



Second, manual verification


Operation instructions:

stats // view the Memcache service status
stats items // view all items
stats cachedump 32 0 // obtain the cache keys


The service generally listens on port 11211.


 
 
Xshell:\> telnet 219.94.193.*** 11211

Connecting to 219.94.193.***:11211...
Connection established.
Escape character is '^@]'.
stats
STAT pid 2259
STAT uptime 20493827
STAT time 1513170227
STAT version 1.2.6
STAT pointer_size 32
STAT rusage_user 501.860705
STAT rusage_system 482.892589
STAT curr_items 3
STAT total_items 4
STAT bytes 1503803
STAT curr_connections 5
STAT total_connections 362
STAT connection_structures 7
STAT cmd_get 1569
STAT cmd_set 4
STAT get_hits 1569
STAT get_misses 0
STAT evictions 0
STAT bytes_read 1515293
STAT bytes_written 1185375980
STAT limit_maxbytes 67108864
STAT threads 4
END





Exploitation

Besides the cached data being directly readable (leaked) and open to malicious modification, the data in memcached is, like variables submitted by ordinary site users, processed by the back-end code; when that processing code is flawed, this leads in turn to different types of security issues.

The difference is that data entered directly by front-end users generally receives more security checks, whereas data read from memcached is more likely to be trusted by the developer, or assumed to have already passed security checks, which makes it more likely to lead to security issues.

It follows that the type of second-order vulnerability that results generally depends on where the memcached data is used (the location that, for XSS, is commonly referred to as the sink), for example:



(1) Cached data that is output directly without filtering can lead to XSS;

(2) Cached data that is concatenated into an SQL query without filtering can lead to SQL injection;

(3) Cached data that stores sensitive information (such as user names and passwords) can be leaked directly through read operations;

(4) Cached data that is passed unfiltered to functions such as system() or eval() can lead to command execution;

(5) Cached data that is output unfiltered through the header() function can cause a CRLF vulnerability (HTTP response splitting).



Repair:



1. Configure memcached to listen on the local loopback address 127.0.0.1.

vim /etc/sysconfig/memcached
OPTIONS="-l 127.0.0.1"    # listen on the local address only
/etc/init.d/memcached restart    # restart the service


2. When memcached is configured to listen on an intranet IP or a public IP, use the host firewall (iptables, firewalld, etc.) and the network firewall to filter access to the memcached service port.



3. Run with minimal privileges.

Run the service under an ordinary, unprivileged account. The following command runs it as the memcached user:

memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11211 -c 1024 -P /tmp/memcached.pid



4. Configure an account and password.
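
The four repair steps can be checked against a memcached argument string (the OPTIONS value or the daemon's command line). The Python audit below is an added example, not part of the original article; its function names are hypothetical, and step 4 is assumed to mean memcached's SASL switch (-S).

```python
import argparse
import ipaddress
import shlex

def parse_memcached_args(argstr):
    """Return (listen addresses, run-as user, SASL enabled); other flags are ignored."""
    p = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    p.add_argument("-l", "--listen", action="append", default=[])
    p.add_argument("-u", "--user")
    p.add_argument("-S", "--enable-sasl", action="store_true")
    opts, _unknown = p.parse_known_args(shlex.split(argstr))
    # -l takes a comma-separated list; each entry may carry a ":port" suffix.
    addrs = [a for item in opts.listen for a in item.split(",") if a]
    return addrs, opts.user, opts.enable_sasl

def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and localhost, with or without a port."""
    for candidate in (addr, addr.rpartition(":")[0]):
        try:
            return ipaddress.ip_address(candidate.strip("[]")).is_loopback
        except ValueError:
            continue
    return "localhost" in (addr, addr.rpartition(":")[0])

def audit(argstr):
    """List the deviations from the four repair steps found in one argument string."""
    addrs, user, sasl = parse_memcached_args(argstr)
    exposed = [a for a in addrs if not is_loopback(a)]
    findings = []
    if not addrs:
        findings.append("no -l option: memcached listens on every interface")
    elif exposed:
        findings.append("listens on non-loopback address: " + ", ".join(exposed))
    if (not addrs or exposed) and not sasl:
        findings.append("bound beyond loopback and SASL (-S) is off")
    if user in (None, "root"):
        findings.append("not pinned to an unprivileged account with -u")
    return findings

if __name__ == "__main__":
    samples = [  # first: the step-3 command line; second: constructed weak case
        "-d -m 1024 -u memcached -l 127.0.0.1 -p 11211 -c 1024 -P /tmp/memcached.pid",
        "-d -m 1024 -u root -l 0.0.0.0 -p 11211",
    ]
    for s in samples:
        print(s, "->", audit(s) or "OK")
```

A non-loopback finding does not by itself mean the port is reachable; the firewall filtering from step 2 has to be verified separately on the host and the network.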





