设为首页 收藏本站
查看: 869|回复: 0

[经验分享] go-derper - memcached漏洞利用工具

[复制链接]

尚未签到

发表于 2018-12-25 06:18:32 | 显示全部楼层 |阅读模式
  At  BlackHat USA last year we spoke about attacking cloud systems, while  the thinking was broadly applicable, we focused on specific providers (overview).  This year, we continued in the same vein except we focused on a  particular piece of software used in numerous large-scale application  including many cloud services. In the realm of "software that enables  cloud services", there appears to be a handful of "go to" applications  that are consistently re-used, and it's curious that a security  practitioner's perspective has not as yet been applied to them  (disclaimer: I'm not aware of parallel work).  We choose to look at memcached, a "Free & open source, high-performance, distributed memory object caching system" 1.  It's not outwardly sexy from a security standpoint and it doesn't have a  large and exposed codebase (total LOC is a smidge over 11k). However,  what's of interest is the type of applications in which memcached is  deployed. Memcached is most often used in web application to speed up  page loads. Sites are almost2 always dynamic and either have  many clients (i.e. require horizontal scaling) or process piles of data  (look to reduce processing time), or oftentimes both. This implies that  the sites that use memcached contain more interesting info than simple  static sites, and are an indicator of a potentially interesting site.  Prominent users of memcached include LiveJournal (memcached was  originally written by Brad Fitzpatrick for LJ), Wikipedia, Flickr,  YouTube and Twitter.
  I won't go into how memcached works, suffice it to say that since  data tends to be read more often than written in common use cases the >go-derper
We>Fingerprinting memcacheds to determine interesting servers
Extracting a (user-limited) copy of the cache
Writing data into the cache
The tool has minor requirements: a recent Ruby and the memcache-client gem. What follows are basic use cases.Fingerprinting
Let's assume you've scanned a hosting provider and found 239 potential  targets using a basic .nse that hunts down open memcached instances3.  You need to separate the wheat from the chaff and figure out which  servers are potentially interesting; one way to do that is by extracting  a bunch of metrics from each cache. Start small against one cache:insurrection:demo
  marco$ ruby go-derper.rb -f x.x.x.x Scanning x.x.x.x x.x.x.x:11211
  ============================== memcached 1.4.5 (1064) up 54:10:01:27,
  sys time Wed Aug 04 10:34:36 +0200 2010, utime=369388.17,

  stime=520925.98 Mem: Max 1024.00 MB, max item>  curr conn 18, bytes read 44.69 TB, bytes written 695.93 GB Cache: get
  514, set 93.41b, bytes stored 825.73 MB, curr item count 1.54m, total
  items 1.54m, total slabs 3 Stats capabilities: (stat) slabs settings
  items (set) (get)
  44 terabytes read from the cache in 54 days with 1.5 million items  stored? This cache is used quite frequently. There's an anomaly here in  that the cache reports only 514 reads with 93 billion writes; however  it's still worth exploring if only for the>  We can run the same fingerprint scan against multiple hosts using
  ruby go-derper.rb -f host1,host2,host3,...,hostn
  or, if the hosts are in a file (one per line):
  ruby go-derper.rb -F file_with_target_hosts
  Output is either human-readable multiline (the default), or CSV. The  latter helps for quickly rearranging and sorting the output to determine  potential targets, and is enabled with the "-c" switch:
  ruby go-derper.rb -c csv -f host1,host2,host3,...,hostn
  Lastly, the monitor mode (-m) will loop forever while retrieving  certain statistics and keep track of differences between iterations, in  order to determine whether the cache appears to be in active use.
Mining
Once you've>
  insurrection:demo
  marco$ ruby go-derper.rb -l -s x.x.x.x [w] No output directory
  specified, defaulting to ./output [w] No prefix supplied, using "run1"
  This will extract data from the cache in the form of a key and its  value, and save the value in a file under the "./output" directory by  default (if this directory doesn't exist then the tool will exit so make  sure it's present.) This means a separate file is created for every  retrieved value. Output directories and file prefixes are adjustable  with "-o" and "-r" respectively, however it's usually safe to leave  these alone.
  By default, go-derper fetches 10 keys per slab (see the memcached  docs for a discussion on slabs; basically similar-sized entries are  grouped together.) This default is intentionally low; on an actual  assessment this could run into six figures. Use the "-K" switch to  adjust:
  ruby go-derper.rb -l -K 100 -s x.x.x.x
  As mentioned, retrieved data is stored in the "./ouput" directory (or  elsewhere if "-o" is used). Within this directory, each new run of the  tool produces a set of files prefixed with "runN" in order to keep  multiple runs separate. The files produced are:

  • runN-index, an index file containing metadata about each entry retrieved
  • runN-, a file containing the bytestream from a retrieved value
The mapping between key and file in which the value is stored occurs in  the index file, which is useful in that potentially malicious data  (keynames) aren't used when interacting with your local filesystem APIs.  At this point, there will (hopefully) be a large number of files in  your output directory, which may contain useful info. Start grepping.

  What we found with a bit of field experience was that mining large  caches can take some time, and repeating grep gets quite boring. The  tool permits you to supply your own set of regular expressions which  will be applied to each retrieved value; matches are printed to the  screen and this provides a scroll-by view of bits of data that may pique  your interest (things like URLs, email addresses, session>  ruby go-derper.rb -l -K 100 -R regexs.txt -s x.x.x.x
Over-writing
In this blog entry I don't cover the kinds of data we discovered (it'll  be subject to a separate entry), however it may come to pass that you  discover an interesting cache entry that you'd like to overwrite. Recall  entries were stored in "./output" by default, with a prefix of "runN".  If the interesting entry was stored in  "output/run1-e94aae85bd3469d929727bee5009dddd", edit the file in  whatever manner you see fit and save it to your local disk. Then, tell  go-derper to write the entry back into the cache with:  ruby go-derper.rb -w output/run1-e94aae85bd3469d929727bee5009dddd
  This syntax is simple since go-derper will figure out the target server and key from the run's index file.
And so?
Go-derper permits basic manipulations of a memcached instance. We  haven't covered finding open instances or the kinds of data one may come  across; these will be the subject of followup posts. Below are the  slides from the talk, click through to SlideShare for the downloadable  PDF.  1 http://www.memcached.org  2 We're hedging here, but we've not come across a static memcached site.
  3 If so, you may be as surprised as we were in finding this many open instances.


运维网声明 1、欢迎大家加入本站运维交流群:群②:261659950 群⑤:202807635 群⑦870801961 群⑧679858003
2、本站所有主题由该帖子作者发表,该帖子作者与运维网享有帖子相关版权
3、所有作品的著作权均归原作者享有,请您和我们一样尊重他人的著作权等合法权益。如果您对作品感到满意,请购买正版
4、禁止制作、复制、发布和传播具有反动、淫秽、色情、暴力、凶杀等内容的信息,一经发现立即删除。若您因此触犯法律,一切后果自负,我们对此不承担任何责任
5、所有资源均系网友上传或者通过网络收集,我们仅提供一个展示、介绍、观摩学习的平台,我们不对其内容的准确性、可靠性、正当性、安全性、合法性等负责,亦不承担任何法律责任
6、所有作品仅供您个人学习、研究或欣赏,不得用于商业或者其他用途,否则,一切后果均由您自己承担,我们对此不承担任何法律责任
7、如涉及侵犯版权等问题,请您及时通知我们,我们将立即采取措施予以解决
8、联系人Email:admin@iyunv.com 网址:www.yunweiku.com

所有资源均系网友上传或者通过网络收集,我们仅提供一个展示、介绍、观摩学习的平台,我们不对其承担任何法律责任,如涉及侵犯版权等问题,请您及时通知我们,我们将立即处理,联系人Email:kefu@iyunv.com,QQ:1061981298 本贴地址:https://www.yunweiku.com/thread-655403-1-1.html 上篇帖子: 网站运维架构设计及安装过程(linux+nginx+php 下篇帖子: linux下memcached的启动/结束的方式
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

扫码加入运维网微信交流群X

扫码加入运维网微信交流群

扫描二维码加入运维网微信交流群,最新一手资源尽在官方微信交流群!快快加入我们吧...

扫描微信二维码查看详情

客服E-mail:kefu@iyunv.com 客服QQ:1061981298


QQ群⑦:运维网交流群⑦ QQ群⑧:运维网交流群⑧ k8s群:运维网kubernetes交流群


提醒:禁止发布任何违反国家法律、法规的言论与图片等内容;本站内容均来自个人观点与网络等信息,非本站认同之观点.


本站大部分资源是网友从网上搜集分享而来,其版权均归原作者及其网站所有,我们尊重他人的合法权益,如有内容侵犯您的合法权益,请及时与我们联系进行核实删除!



合作伙伴: 青云cloud

快速回复 返回顶部 返回列表