How to steal any developer's local database
Original link: http://bouk.co/blog/hacking-developers/
If you’re reading this and you’re a software developer, you’re probably running some services locally. Redis, Memcached, and Elasticsearch are software products that many rely on. What you might not know is that these locally running services are accessible by any website you visit, making it possible for bad guys to steal the data you have locally!
How it works
While I am not presenting anything new in this post, I have never seen anyone put together this attack as completely as I’ll be showing here. I combined two different attack approaches, namely ‘cross protocol scripting’ and ‘DNS rebinding’.
Talking to Redis, Memcached, and Elasticsearch
The first technique is an old one sometimes called ‘cross protocol scripting’. A paper was published in 2001 detailing this attack, but the gist is that both Redis and Memcached have a simple line-based protocol that ignores any invalid commands. This means that if a browser sends the following HTTP request to localhost:6379 (where Redis usually runs), Redis will happily execute the SET command.

POST / HTTP/1.1
Host: localhost:6379

SET abc 123
QUIT
We can send a request like this by submitting the following form:
<form enctype="text/plain" method="POST" action="http://localhost:6379">
  <textarea name="abc">
SET abc 123
QUIT
</textarea>
  <input type="submit" value="Submit" />
</form>
Elasticsearch’s protocol is fully HTTP-based so there are no tricks needed to communicate with it.
While we can execute any command, we can’t actually retrieve the result. This is because of the browser’s same-origin policy, which ensures that reading data from a request to another domain is not possible. That’s where the second technique comes in!
DNS Rebinding
To get around the origin protection we can use a technique called DNS rebinding. DNS rebinding involves having a server accessible through a public domain with a very low TTL. Once a browser connects to the site, the site will immediately change the DNS record to point to a different IP address (like 127.0.0.1). This leads to a situation where the site runs the attackers’ code in the context of a private IP address. This site can then go ahead and steal any data that is available on a service that was set up with the assumption of only being available to authorized clients.
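One detail of rebinding worth knowing as a defender: after the DNS record flips to 127.0.0.1, the browser still sends every request with the attacker's domain in the Host header, because that is the name the page was loaded from. An HTTP-based service such as Elasticsearch can therefore refuse any request whose Host header is not one of its own names. The following is an added example (not code from the original post or from any of the products it mentions) of that check over raw HTTP request text; the domain rebinder.example and the function names are constructed for this example.

```python
# Added example: server-side Host header validation against DNS rebinding.
# Not from the original post; rebinder.example is a constructed placeholder
# for an attacker-controlled rebinding domain.

ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})


def host_header_value(raw_request: str):
    """Return the single Host header value, or None if it is absent or duplicated."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")   # first ':' ends the header name
        if sep and name.strip().lower() == "host":
            values.append(value.strip())
    # Two Host headers is ambiguous (request smuggling territory): treat as absent.
    return values[0] if len(values) == 1 else None


def host_header_allowed(raw_request: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the request names this service in its Host header."""
    host = host_header_value(raw_request)
    if host is None:
        return False                              # HTTP/1.0 or missing Host: reject
    if host.startswith("["):                      # "[::1]:9200" -> "[::1]"
        host = host[: host.index("]") + 1] if "]" in host else host
    else:                                         # "localhost:9200" -> "localhost"
        host = host.split(":", 1)[0]
    return host.lower() in allowed


# Constructed sample requests, as a browser would send them to 127.0.0.1:9200.
LOCAL_REQUEST = "GET / HTTP/1.1\r\nHost: localhost:9200\r\n\r\n"
REBOUND_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: rebinder.example\r\n"          # the rebinding domain, not the service
    "Origin: http://rebinder.example\r\n"
    "\r\n"
)
NO_HOST_REQUEST = "GET / HTTP/1.0\r\n\r\n"
DOUBLE_HOST_REQUEST = "GET / HTTP/1.1\r\nHost: localhost\r\nHost: rebinder.example\r\n\r\n"
IPV6_REQUEST = "GET / HTTP/1.1\r\nHost: [::1]:9200\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("local", LOCAL_REQUEST), ("rebound", REBOUND_REQUEST),
                       ("no host", NO_HOST_REQUEST), ("double host", DOUBLE_HOST_REQUEST),
                       ("ipv6", IPV6_REQUEST)]:
        print(f"{label:12} allowed={host_header_allowed(req)}")
```

The check rejects missing and duplicated Host headers rather than guessing, since a permissive default is exactly what the attack relies on. It only protects services that speak HTTP; the line-based protocols need the fix discussed under Mitigation.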
PoC
I have created a proof of concept of this attack on extractdata.club. The site will attempt to connect to Redis, Memcached and Elasticsearch running on their default ports on localhost.
After about a minute that link should display something similar to the following:
While my PoC only retrieves the version information of each service, it can’t be hard to imagine building a sort of scraper that goes through the whole database and extracts all of the data. The code is available here.
Mitigation
Unfortunately, there is no easy way for the databases to structurally fix the issues shown here. You could set up your services with passwords, but as long as the default state is vulnerable, lots of people will keep being susceptible. The only thing that I can come up with is for Redis and Memcached to add Host: as an alias to QUIT, so the connection is immediately aborted as soon as it is identified as being an HTTP request.
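To show what that proposal buys, here is an added example (not code from the original post, from Redis or from Memcached) of a toy line-based command loop in the same style: unknown lines are ignored, SET and GET work, and QUIT ends the session. Fed the form-submitted request from earlier, the naive loop executes the smuggled SET, while the hardened variant treats the POST request line and the Host: header as QUIT and never reaches it. The request text is constructed here; handle_session and HTTP_MARKERS are this example's own names.

```python
# Added example: a toy Redis/Memcached-style command loop, naive vs. hardened.
# Not the real servers' code; the sample request is constructed.

# Tokens that never start a legitimate client command but always start or
# appear in a browser's HTTP request. "GET" is deliberately absent: it is a
# real command in both protocols, so it cannot be used as a marker.
HTTP_MARKERS = {"POST", "HOST:"}


def handle_session(request_text, store, abort_on_http):
    """Run newline-delimited commands against `store`; return the replies.

    With abort_on_http=False the loop behaves like the default servers the
    post describes: every unrecognised line is skipped and the smuggled SET
    runs. With abort_on_http=True an HTTP marker closes the session like QUIT.
    """
    replies = []
    for raw in request_text.splitlines():
        parts = raw.split()
        if not parts:                      # blank line between headers and body
            continue
        verb = parts[0].upper()
        if abort_on_http and verb in HTTP_MARKERS:
            replies.append("-ERR request looks like HTTP, closing connection")
            break
        if verb == "QUIT":
            replies.append("+OK")
            break
        if verb == "SET" and len(parts) == 3:
            store[parts[1]] = parts[2]
            replies.append("+OK")
        elif verb == "GET" and len(parts) == 2:
            value = store.get(parts[1])
            replies.append(f"${len(value)}\r\n{value}" if value is not None else "$-1")
        else:
            replies.append(f"-ERR unknown command '{parts[0]}'")
    return replies


# Constructed: what the text/plain form from the post puts on the wire.
SMUGGLED_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: localhost:6379\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "abc=\r\n"             # the form field name, ignored as an unknown command
    "SET abc 123\r\n"
    "QUIT\r\n"
)


def run_both():
    """Return (store after naive loop, store after hardened loop)."""
    naive, hardened = {}, {}
    handle_session(SMUGGLED_REQUEST, naive, abort_on_http=False)
    handle_session(SMUGGLED_REQUEST, hardened, abort_on_http=True)
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = run_both()
    print("naive store:   ", naive)       # the smuggled SET went through
    print("hardened store:", hardened)    # nothing executed
```

Closing on the first HTTP-looking line is what makes this a structural fix for the line-based protocols: the body, where the smuggled commands live, is never parsed.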
The other place this could be fixed is in the browser. Browser vendors could implement a ‘DNS pinning’ of sorts, which makes it ignore DNS changes that are made after the site is done loading.
Alternatively, browser vendors could add the Redis and Memcached ports to their list of blocked ports, which already contains common protocols like SMTP and IRC. This would not be a structural fix, however, and new services could pop up that are vulnerable.
Edit – The Chromium developers are working on removing HTTP/0.9 support, which will make the browser unable to read the response from Redis and Memcached. This is great progress, but still leaves the possibility for any page to execute commands.
Building on this attack
For some people it might not be a big deal to have data stolen from their development database, but read and write access could potentially lead to remote code execution. As an example, an attacker could overwrite anything that looks like Ruby marshalled or Python pickled data with their own payload, leading to a compromise of the developer’s computer.
Conclusion
This proof of concept shows why computer security is incredibly hard to get right. The attack depends on multiple software products all making very reasonable decisions about how they should work, but the way they interact with each other leads to a vulnerability.
References
- Paper on cross-protocol scripting
- Paper on DNS rebinding
- Ben Murphy’s blog on using DNS rebinding to own Rails