go-derper - memcached漏洞利用工具
AtBlackHat USA last year we spoke about attacking cloud systems, whilethe thinking was broadly applicable, we focused on specific providers (overview).This year, we continued in the same vein except we focused on aparticular piece of software used in numerous large-scale applicationincluding many cloud services. In the realm of "software that enablescloud services", there appears to be a handful of "go to" applicationsthat are consistently re-used, and it's curious that a securitypractitioner's perspective has not as yet been applied to them(disclaimer: I'm not aware of parallel work). We choose to look at memcached, a "Free & open source, high-performance, distributed memory object caching system" 1.It's not outwardly sexy from a security standpoint and it doesn't have alarge and exposed codebase (total LOC is a smidge over 11k). However,what's of interest is the type of applications in which memcached isdeployed. Memcached is most often used in web application to speed uppage loads. Sites are almost2 always dynamic and either havemany clients (i.e. require horizontal scaling) or process piles of data(look to reduce processing time), or oftentimes both. This implies thatthe sites that use memcached contain more interesting info than simplestatic sites, and are an indicator of a potentially interesting site.Prominent users of memcached include LiveJournal (memcached wasoriginally written by Brad Fitzpatrick for LJ), Wikipedia, Flickr,YouTube and Twitter.I won't go into how memcached works, suffice it to say that sincedata tends to be read more often than written in common use cases the >go-derper
We>Fingerprinting memcacheds to determine interesting servers
Extracting a (user-limited) copy of the cache
Writing data into the cache
The tool has minor requirements: a recent Ruby and the memcache-client gem. What follows are basic use cases.Fingerprinting
Let's assume you've scanned a hosting provider and found 239 potentialtargets using a basic .nse that hunts down open memcached instances3.You need to separate the wheat from the chaff and figure out whichservers are potentially interesting; one way to do that is by extractinga bunch of metrics from each cache. Start small against one cache:insurrection:demo
marco$ ruby go-derper.rb -f x.x.x.x Scanning x.x.x.x x.x.x.x:11211
============================== memcached 1.4.5 (1064) up 54:10:01:27,
sys time Wed Aug 04 10:34:36 +0200 2010, utime=369388.17,
stime=520925.98 Mem: Max 1024.00 MB, max item> curr conn 18, bytes read 44.69 TB, bytes written 695.93 GB Cache: get
514, set 93.41b, bytes stored 825.73 MB, curr item count 1.54m, total
items 1.54m, total slabs 3 Stats capabilities: (stat) slabs settings
items (set) (get)
44 terabytes read from the cache in 54 days with 1.5 million itemsstored? This cache is used quite frequently. There's an anomaly here inthat the cache reports only 514 reads with 93 billion writes; howeverit's still worth exploring if only for the> We can run the same fingerprint scan against multiple hosts using
ruby go-derper.rb -f host1,host2,host3,...,hostn
or, if the hosts are in a file (one per line):
ruby go-derper.rb -F file_with_target_hosts
Output is either human-readable multiline (the default), or CSV. Thelatter helps for quickly rearranging and sorting the output to determinepotential targets, and is enabled with the "-c" switch:
ruby go-derper.rb -c csv -f host1,host2,host3,...,hostn
Lastly, the monitor mode (-m) will loop forever while retrievingcertain statistics and keep track of differences between iterations, inorder to determine whether the cache appears to be in active use.
Mining
Once you've>
insurrection:demo
marco$ ruby go-derper.rb -l -s x.x.x.x No output directory
specified, defaulting to ./output No prefix supplied, using "run1"
This will extract data from the cache in the form of a key and itsvalue, and save the value in a file under the "./output" directory bydefault (if this directory doesn't exist then the tool will exit so makesure it's present.) This means a separate file is created for everyretrieved value. Output directories and file prefixes are adjustablewith "-o" and "-r" respectively, however it's usually safe to leavethese alone.
By default, go-derper fetches 10 keys per slab (see the memcacheddocs for a discussion on slabs; basically similar-sized entries aregrouped together.) This default is intentionally low; on an actualassessment this could run into six figures. Use the "-K" switch toadjust:
ruby go-derper.rb -l -K 100 -s x.x.x.x
As mentioned, retrieved data is stored in the "./ouput" directory (orelsewhere if "-o" is used). Within this directory, each new run of thetool produces a set of files prefixed with "runN" in order to keepmultiple runs separate. The files produced are:
[*]runN-index, an index file containing metadata about each entry retrieved
[*]runN-, a file containing the bytestream from a retrieved value
The mapping between key and file in which the value is stored occurs inthe index file, which is useful in that potentially malicious data(keynames) aren't used when interacting with your local filesystem APIs. At this point, there will (hopefully) be a large number of files inyour output directory, which may contain useful info. Start grepping.
What we found with a bit of field experience was that mining largecaches can take some time, and repeating grep gets quite boring. Thetool permits you to supply your own set of regular expressions whichwill be applied to each retrieved value; matches are printed to thescreen and this provides a scroll-by view of bits of data that may piqueyour interest (things like URLs, email addresses, session> ruby go-derper.rb -l -K 100 -R regexs.txt -s x.x.x.x
Over-writing
In this blog entry I don't cover the kinds of data we discovered (it'llbe subject to a separate entry), however it may come to pass that youdiscover an interesting cache entry that you'd like to overwrite. Recallentries were stored in "./output" by default, with a prefix of "runN".If the interesting entry was stored in"output/run1-e94aae85bd3469d929727bee5009dddd", edit the file inwhatever manner you see fit and save it to your local disk. Then, tellgo-derper to write the entry back into the cache with: ruby go-derper.rb -w output/run1-e94aae85bd3469d929727bee5009dddd
This syntax is simple since go-derper will figure out the target server and key from the run's index file.
And so?
Go-derper permits basic manipulations of a memcached instance. Wehaven't covered finding open instances or the kinds of data one may comeacross; these will be the subject of followup posts. Below are theslides from the talk, click through to SlideShare for the downloadablePDF.1 http://www.memcached.org 2 We're hedging here, but we've not come across a static memcached site.
3 If so, you may be as surprised as we were in finding this many open instances.
页:
[1]