Pentesting Redis (6379): Vulnerabilities, Exploits, and Defense

Redis is a widely-used, open-source, in-memory key-value store, celebrated for its high performance and scalability. It serves various purposes like caching, database operations, and message brokering. However, misconfigurations or unsecured Redis deployments can expose vulnerabilities, making Redis an attractive target for attackers. This guide delves into Redis pentesting techniques, exploring common vulnerabilities, automated and manual exploitation methods, and defense strategies.

1. Redis Basics and Attack Surface

Redis communicates over a plain-text protocol by default and listens on port 6379. Without authentication, misconfigured Redis instances are prone to unauthorized access. Attackers can leverage this simplicity to gain full system control, enabling malicious activities.

Redis's minimal security settings and straightforward configuration make it easy for developers to set up but also expose significant risks if not properly secured.

2. Automated Redis Enumeration

Pentesters often start by automating the enumeration process to identify potential misconfigurations quickly.

Nmap Redis Enumeration

The Nmap redis-info script can gather essential information about the Redis server, including its version, role, connected clients, and more. This is the most straightforward way to identify a Redis instance's configuration:

Metasploit Redis Enumeration

Metasploit includes a Redis scanner that can enumerate configurations and active databases:

This module helps determine the attack surface by revealing databases, user accounts, and other configuration details.

3. Manual Redis Enumeration

Once an instance has been identified, more manual enumeration techniques can uncover vulnerabilities.

Connecting Using nc or redis-cli

You can connect to a Redis instance using either netcat (nc) or the redis-cli client:

Once connected, the INFO command returns detailed information about the Redis server:

If you encounter the following response:

it indicates that the Redis instance is secured with authentication. Otherwise, an open instance can be further exploited.

Authentication Bypass

If authentication is required, brute-forcing the password is a viable attack vector:

Weak or default credentials could allow attackers to gain unauthorized access.

4. Extracting Information with Redis Commands

Once connected, attackers can execute a variety of commands to gather information about the system:

• INFO: Displays server statistics, configuration details, and database metrics.

• CONFIG GET *: Lists the complete configuration settings of the Redis server.

• MONITOR: Captures all client activities in real-time, allowing the attacker to observe user commands.

• CLIENT LIST: Reveals information about currently connected clients, including IP addresses and connection states.

  
  

5. Exploiting Redis Vulnerabilities

Misconfigured Redis instances offer numerous exploitation opportunities for attackers, ranging from remote code execution (RCE) to SSH access.

5.1 Redis Rogue Server for Remote Code Execution

Redis versions ≤ 5.0.5 are vulnerable to a rogue server attack, which can result in an interactive or reverse shell:

This script uploads a payload to the Redis server and achieves code execution on the target.

5.2 PHP Webshell Injection

If the Redis instance has write permissions to a web directory, it’s possible to upload a PHP webshell:

The webshell can be accessed via ‘http://<TARGET_IP>/redis.php.’

5.3 SSH Key Injection

Redis can also be used to inject SSH keys into the authorized_keys file of the target system:

After writing the key to the .ssh directory:

The attacker can then gain SSH access:

Automation scripts, like Avinash-acid's Redis-Server-Exploit, make this attack easier.

5.4 Crontab Exploitation

Attackers can inject a reverse shell into the crontab, gaining persistent access:

Then save the job in the cron directory:

This ensures that the reverse shell executes periodically.

5.5 Redis Modules for Arbitrary Code Execution

Redis supports custom modules, which can be exploited by compiling and loading malicious code:

Once uploaded, the attacker can run system commands through Redis:

Learn more about module-based attacks from this repository.

6. Advanced Techniques: Exploiting SSRF to Attack Redis

Server-Side Request Forgery (SSRF) vulnerabilities in applications like GitLab can be abused to target Redis. Attackers can craft SSRF payloads to issue Redis commands indirectly:

By chaining SSRF with CRLF injection, an attacker can manipulate Redis queues to gain code execution.

7. Defending Redis: Best Practices

Securing Redis against exploitation requires careful configuration and continuous monitoring. Key defensive measures include:

1. Enable Authentication: Always use strong authentication by configuring passwords:

2. Restrict Redis to Localhost: Prevent unauthorized access by binding Redis to the local interface:

3. Enable TLS: Encrypt communication using TLS to prevent data interception.

4. Firewall Rules: Limit Redis access to specific IP ranges by configuring firewall rules.

5. Disable Dangerous Commands: Disable commands that could cause significant damage:

6. Regular Auditing: Perform routine checks on Redis logs and access permissions to ensure security compliance.

   
   

For a deeper dive into Redis security best practices, check out the official Redis security documentation.

Conclusion

While Redis offers high performance and flexibility, its misconfigurations can lead to severe security risks, from unauthorized access to remote code execution. By employing pentesting techniques and adopting robust security measures, organizations can secure their Redis instances against potential threats.

References

1. HackTricks: 6379 Pentesting Redis

2. Nmap Redis Info Script

3. Metasploit Redis Scanner

4. Redis Security Best Practices