Boost _ Shardeum_ Ancillaries 33522 - [Websites and Applications - Insight] Exposed Redis Service Vu

Submitted on Mon Jul 22 2024 09:20:08 GMT-0400 (Atlantic Standard Time) by @Xanzz for Boost | Shardeum: Ancillaries

Report ID: #33522

Report type: Websites and Applications

Report severity: Insight

Target: api.shardeum.org:6380

Impacts:

• Taking down the application/website

• Retrieve sensitive data/files from a running server, such as: /etc/shadow, database passwords, blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)

• Execute arbitrary system commands

• Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as: Changing registration information, Commenting, Voting, Making trades, Withdrawals, etc.

Description

Brief/Intro

An exposed Redis service has been discovered on api.shardeum.org:6380, running without proper authentication or protection. If exploited, this vulnerability could allow attackers to execute arbitrary commands, retrieve sensitive data, and potentially disrupt services.

Vulnerability Details

The Redis service at api.shardeum.org:6380 is accessible without authentication, as evidenced by the ability to connect and execute commands without any password prompt. The configuration shows "protected-mode" set to "no", indicating that the Redis instance is not in protected mode and is accessible from external sources. This exposes the server to various potential attacks, such as data extraction, arbitrary command execution, and configuration changes.

Example of connecting to the Redis server:

Checking the server's INFO:

Checking the server's configuration:

Impact Details

The exposed Redis service can lead to several severe consequences:

• Execute arbitrary system commands: An attacker can use the Redis service to execute arbitrary commands, leading to full system compromise.

• Retrieve sensitive data/files: Critical data such as database passwords, sensitive configuration files, and other confidential information can be retrieved.

• Service disruption: Malicious actors can manipulate the Redis configuration or data, potentially causing downtime and service disruption.

• Data manipulation: Attackers can modify or delete stored data, impacting the integrity and availability of the services relying on Redis.

These impacts align with the program’s in-scope impacts, highlighting the significant risk posed by this vulnerability.

References

• Redis Security Documentation

• Common Redis Exploits and Security Practices

Proof of concept

Proof of Concept (PoC)

This Proof of Concept demonstrates the vulnerability of the exposed Redis service on api.shardeum.org:6380, showing how an attacker can connect to the Redis server and execute commands without authentication.

Step 1: Identify the IP Address of the Target

Use the dig command to find the IP address associated with api.shardeum.org:

Output:

Step 2: Connect to the Redis Server

Use the redis-cli to connect to the exposed Redis server at the identified IP address:

Step 3: Check Redis Server Information

Once connected, check the server information to confirm the connection and gather details about the server:

Step 4: Verify Protected Mode

Check the Redis configuration to verify that the server is not in protected mode:

Step 5: Execute a Command

For demonstration purposes, try setting a key in the Redis database:

Verify that the key has been set:

Step 6: Retrieve Sensitive Information

Attempt to retrieve sensitive configuration details or other data stored in Redis:

This command retrieves the directory path where Redis stores its data.

Step 7: Exploit the Vulnerability

An attacker can potentially use the exposed Redis instance to execute arbitrary system commands. For example, by writing to the Redis configuration file and restarting the server, the attacker could achieve remote code execution:

In this example, a cron job is created to demonstrate the execution of arbitrary commands. The job writes the text "vulnerable" to a file in the /tmp directory every minute. Note that this is a potentially destructive action and should be conducted only in a controlled environment.

Conclusion

This PoC illustrates the potential risks associated with the exposed Redis service. An attacker can connect to the Redis server without authentication, retrieve sensitive information, and execute arbitrary commands, leading to severe security implications. Proper security measures, such as enabling protected mode and requiring authentication, should be implemented to mitigate these risks.