This article is more than 1 year old

BIG RED BUTTON exploits Redis flaw to fix Redis flaw

File under 'To save the village, I had to destroy it'

Reckless sys admins rejoice: entrepreneurial security bod Ben Murphy has created a daring quick patch for the popular Redis data structure server.

Murphy (@benmmurphy) created an alluring red Hot Patcher™ button that when pushed will exploit a flaw in Redis in order to patch a Lua sandbox bypass vulnerability he disclosed this month.

The Hot Patcher™ will forgo the boring upgrade fix and instead use cross-site request forgery to disable the loading of bytecode.

Murphy notes side-effects could include crashing Redis servers, data loss, and silent data corruption. Here's his explanation for how his flaw-exploiting flaw-fighter works:

"The Hot Patcher looks for the instruction cmp r15, 0x1b and replaces it with ‘cmpq rsp,0x1b’. This comparison should never be true because the stack typically lives around 0x7fxxxxxxxxxxxxxx and will never reach such a low address. However, looking for this exact instruction makes the patcher quite brittle and it may not work on Redis versions compiled with different compilers."

The fix also needs to be applied each time the server is rebooted providing the Reckless Admin with additional adrenaline injections.

The Hot Patcher™ is best viewed when Redis is run from a terminal so its output is visible.

button screenshot

What could go wrong?

Admins with lower levels of caffeine in their bloodstreams may prefer to set strong passwords for Redis and upgrade to versions 2.8.21 and 3.0.2.

"The best option is to set a strong password on Redis. Systems that are reachable via HTTP without a password are a problem waiting to happen," Murphy says.

"It is also possible to rename the EVAL command. If you are not using EVAL this is a good option but you still might be at risk of someone modifying your Redis data via HTTP SSRF attacks.

"Upgrading to Redis 2.8.21 and 3.0.2 will also fix this issue but I still strongly recommend using password authentication on Redis systems."

Murphy's patch is not the first case of hacker, heal thyself. Anonymous security bods have sent forth worms that seek out public-facing vulnerabilities, exploit it, and apply patches in a process that can break many systems.

That concept known as an anti-worm uses the same mechanisms as malicious worms but with the intention of assisting rather than assaulting.

A famous anti-worm was unleashed in 2004 in response to the Santy worm that was defacing thousands of websites running vulnerable versions of phpBB. Actors unknown crafted the anti-worm to exploit and patch systems saving many and crashing others.

The 2012 Internet Census was conducted in a similar vein by an actor known to only a handful of security bods who wrote scripts to break into insecure routers in order to measure the size of the web.

The census was not malicious in intent and lead to what is known as the Carna Botnet then composed of 420,000 devices. ®

More about

TIP US OFF

Send us news


Other stories you might like