Memcached is a distributed in-memory cache. It stores data in memory as key-value pairs that the application reads frequently; because reading from memory is far faster than reading from disk, it is used to speed up the application's access to that data.
Causes of vulnerability:
Memcached's design has no authentication: once a client connects to the memcached server, it can read and modify the cached content without any credentials.
Vulnerability impact:
Besides cached data being read directly (an information leak) or maliciously modified, the data stored in memcached is processed by the backend code in the same way as variables submitted by ordinary site users, so when that processing code is defective it leads to a second round of security issues of various types.
The difference is that data entered directly by the front-end user generally goes through more security checks, whereas data read from memcached is more likely to be trusted by the developer, or assumed to have already passed the checks, which makes it more likely to lead to security issues.
So the type of secondary vulnerability that results generally depends on where the memcached data is used (the "sink", as it is commonly called in XSS terminology), for example:
(1) Cached data output directly without filtering can lead to XSS;
(2) Cached data used in an SQL query without filtering can lead to SQL injection;
(3) Cached data that stores sensitive information (such as user names and passwords) can be leaked directly through a read operation;
(4) Cached data passed unfiltered to functions such as system() or eval() can lead to command execution;
(5) Cached data output unfiltered through the header() function can cause a CRLF vulnerability (HTTP response splitting).
...
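The sink types (1) and (2) above, shown as the vulnerable pattern beside its hardened form. This is an added example, not code from the original post; the memcached client is replaced by a plain dict (FAKE_CACHE, constructed) so it runs offline, and the point is that a value read from the cache gets exactly the same escaping or parameter binding as a value read from the request.

```python
"""Cached values must be treated like user input at every sink (added example)."""
import html
import sqlite3

# Constructed stand-in for a memcached client. Anyone who can reach port 11211
# can `set` these keys to anything, so no value read from here may be trusted.
FAKE_CACHE = {
    "user:42:name": "<script>alert(1)</script>",
    "user:42:city": "Springfield' OR '1'='1",
}


def render_greeting_unsafe(cache, uid):
    # Sink type (1): cached value echoed straight into HTML -> XSS.
    return "<p>Hello, %s</p>" % cache["user:%d:name" % uid]


def render_greeting_safe(cache, uid):
    # Hardened: the cached value is escaped like any other untrusted string.
    return "<p>Hello, %s</p>" % html.escape(cache["user:%d:name" % uid], quote=True)


def _demo_db():
    # Constructed in-memory table so the SQL sink can be exercised offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shops (id INTEGER, city TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO shops VALUES (?, ?, ?)",
        [(1, "Springfield", "s1"), (2, "Shelbyville", "s2")],
    )
    return conn


def shops_in_city_unsafe(conn, cache, uid):
    # Sink type (2): cached value concatenated into the query -> SQL injection.
    city = cache["user:%d:city" % uid]
    return conn.execute("SELECT id FROM shops WHERE city = '%s'" % city).fetchall()


def shops_in_city_safe(conn, cache, uid):
    # Hardened: bound parameter; the cached value cannot change the query structure.
    city = cache["user:%d:city" % uid]
    return conn.execute("SELECT id FROM shops WHERE city = ?", (city,)).fetchall()


if __name__ == "__main__":
    print(render_greeting_unsafe(FAKE_CACHE, 42))
    print(render_greeting_safe(FAKE_CACHE, 42))
    print(shops_in_city_unsafe(_demo_db(), FAKE_CACHE, 42))  # every row comes back
    print(shops_in_city_safe(_demo_db(), FAKE_CACHE, 42))    # no match, as intended
```

The safe variants cost nothing extra; the defect in the unsafe ones is purely the assumption that a cache hit is "already clean".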
Exploit:
Exploitation depends on the secondary vulnerability that results: the corresponding payload is placed in the cached variable.
The go-derper tool can be used to fetch the cache data of a memcached server affected by this unauthorized access vulnerability.
Note: for basic memcached server operations and how to use go-derper, see the links.
Vulnerability attack demo:
http://niiconsulting.com/checkmate/2013/05/memcache-exploit/
Vulnerability detection:
1. Log in to the machine and run netstat -an | more to view the listening ports. Output containing 0.0.0.0:11211 means memcached is listening on every network interface, i.e. the unauthorized access vulnerability is present.
2. Run telnet <target> 11211, or nc -vv <target> 11211; a successful connection shows that the vulnerability exists.
Telnet:
------------------------------------------------------------
local% telnet x.x.x.x 11211
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
NC:
------------------------------------------------------------
local% nc -vv x.x.x.x 11211
found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
        outif en7
        src x.x.x.x port 55001
        dst x.x.x.x port 11211
        rank info not available
        TCP aux info available
Connection to x.x.x.x port 11211 [tcp/*] succeeded!
stats items
memcached agent v0.4
Matrix 1, x.x.x.x:12000, poolsize 1
Matrix 2, x.x.x.x:12001, poolsize 1
END
3. Use the port scanning tool nmap to scan remotely: nmap -sV -p 11211 --script memcached-info <target>.
11211/tcp open  memcached
| memcached-info:
|   Process ID           18568
|   Uptime               6950 seconds
|   Server time          Sat Dec 31 14:16:10 2011
|   Architecture         bit
|   Used CPU (user)      0.172010
|   Used CPU (system)    0.200012
|   Current connections  10
|   Total connections    78
|   Maximum connections  1024
|   TCP Port             11211
|   UDP Port             11211
|_  Authentication       No
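Detection step 1 above, as an added example (not part of the original post): a small parser for Linux netstat -an output that lists every socket on port 11211 and reports the ones bound to something other than loopback. It goes slightly beyond the text in that it also flags a bind to a specific intranet or public IP, not just 0.0.0.0, since those are the cases the hardening section says need a firewall. SAMPLE_NETSTAT is constructed; the address format assumed is the Linux one (host:port, IPv6 as :::11211), not BSD's host.port.

```python
"""Flag memcached sockets that are reachable from other hosts (added example)."""

# Constructed sample of Linux `netstat -an` output, not taken from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
tcp6       0      0 :::11211                :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def split_addr(local):
    """Split netstat's 'host:port' field; the port always follows the last colon
    (IPv6 wildcard prints as ':::11211'). Returns (host, port) or (host, None)."""
    host, _, port = local.rpartition(":")
    return (host, int(port)) if port.isdigit() else (local, None)


def memcached_sockets(netstat_text, port=11211):
    """Return (proto, host) for every TCP or UDP socket bound to `port`.
    UDP rows carry no State column, so the row length is not relied on."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        host, p = split_addr(fields[3])
        if p == port:
            found.append((fields[0], host))
    return found


def exposed_binds(sockets):
    """Every bind that other hosts can reach: wildcard (0.0.0.0, ::) or a real
    interface address. Only loopback binds are considered safe without a firewall."""
    return [(proto, host) for proto, host in sockets if host not in LOOPBACK]


if __name__ == "__main__":
    socks = memcached_sockets(SAMPLE_NETSTAT)
    for proto, host in exposed_binds(socks):
        print("memcached exposed on %s %s:11211" % (proto, host))
```

Run it against a live host with netstat -an | python3 check.py (reading stdin instead of SAMPLE_NETSTAT); an empty result from exposed_binds is the state the fix section aims for.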
Fixes:
1. Configure memcached to listen only on the local loopback address 127.0.0.1.
[root@<hostname> ~]# vim /etc/sysconfig/memcached
OPTIONS="-l 127.0.0.1"  # listen on the local address only
[root@<hostname> ~]# /etc/init.d/memcached restart  # restart the service (it may report that port 11211 is occupied; in that case kill the PID that holds port 11211)
2. When memcached has to be configured to listen on an intranet IP or a public IP, use the host firewall (iptables, firewalld, etc.) and the network firewall to filter access to the memcached service port.
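An added example (not from the original post) that audits the fix from step 1 against the contents of /etc/sysconfig/memcached: it reads the OPTIONS line, lists every address memcached will bind (no -l at all means every interface), and also checks for -U 0, which is memcached's real flag for disabling the UDP listener that the nmap output above shows open. WEAK_SYSCONFIG and FIXED_SYSCONFIG are constructed; the -l parsing handles the comma-separated and host:port forms memcached accepts but is not a full reimplementation of its option parser.

```python
"""Audit the memcached sysconfig OPTIONS line for network exposure (added example)."""
import shlex

# Constructed file contents: the weak default beside the hardened setting.
WEAK_SYSCONFIG = 'PORT="11211"\nUSER="memcached"\nOPTIONS=""\n'   # no -l: binds all interfaces
FIXED_SYSCONFIG = 'PORT="11211"\nUSER="memcached"\nOPTIONS="-l 127.0.0.1 -U 0"\n'

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_options(sysconfig_text):
    """Return the value of the OPTIONS= line with shell quoting removed, or ''."""
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if line.startswith("OPTIONS="):
            return " ".join(shlex.split(line[len("OPTIONS="):]))
    return ""


def _flag_values(args, flag):
    """Yield the value for each occurrence of `flag`, in both '-l X' and '-lX' forms."""
    for i, a in enumerate(args):
        if a == flag and i + 1 < len(args):
            yield args[i + 1]
        elif a.startswith(flag) and len(a) > len(flag):
            yield a[len(flag):]


def bind_addresses(options):
    """Addresses memcached will bind: the -l values (comma-separated, optional
    :port suffix), or ['0.0.0.0'] when -l is absent, since the default is all interfaces."""
    addrs = []
    for value in _flag_values(shlex.split(options), "-l"):
        for item in value.split(","):
            # exactly one colon means IPv4 host:port; '::1' has two and is left alone
            addrs.append(item.rsplit(":", 1)[0] if item.count(":") == 1 else item)
    return addrs or ["0.0.0.0"]


def udp_explicitly_disabled(options):
    """True only when -U 0 is present. Older memcached releases served UDP on
    11211 by default, so 'not set' is reported as a finding rather than assumed safe."""
    for value in _flag_values(shlex.split(options), "-U"):
        return value == "0"
    return False


def audit(sysconfig_text):
    """Findings for the given sysconfig contents; an empty list means step 1 is done."""
    opts = parse_options(sysconfig_text)
    findings = []
    for host in bind_addresses(opts):
        if host not in LOOPBACK:
            findings.append("binds non-loopback address %s: firewall it or use -l 127.0.0.1" % host)
    if not udp_explicitly_disabled(opts):
        findings.append("UDP not explicitly disabled: add -U 0")
    return findings


if __name__ == "__main__":
    print("weak: ", audit(WEAK_SYSCONFIG))
    print("fixed:", audit(FIXED_SYSCONFIG))
```

A non-loopback finding is acceptable only together with step 2, i.e. a host firewall rule that admits port 11211 from the application servers and drops everything else (and the same for UDP unless -U 0 is set); the audit reports it so that the decision is made explicitly rather than by omission.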
Memcached unauthorized access vulnerability and hardening