Monday, July 14, 2014

Dumping Data from Memcached Servers

Just a quick update from a recent test. Will probably have some more interesting stuff coming soon but none is ready to go public quite yet.

Memcached servers provide a dynamic, distributed memory object caching system to improve application performance. The security model for Memcache is basically "trust your network", and unfortunately most networks can't be trusted.

You'll find the service listening on port 11211 by default. On a recent test we discovered a memcached server and after some research into extracting the data from it, came up empty. In response, I've developed a python script to dump data from memcached servers:

https://github.com/breenmachine/memcachedumper

This service is interesting because you not only get to read the potentially sensitive data in the cache, but it is also trivial to modify values already in the cache. This can be done simply by accessing the "memcached" server over telnet and using the "set" command as documented here:

https://code.google.com/p/memcached/wiki/NewCommands

One interesting attack vector here would be stored XSS in a web application, or potentially SQL injection if the application is caching SQL queries (which some appear to do).

2 comments:

  1. http://www.sensepost.com/blog/4873.html

    ReplyDelete
    Replies
    1. Nice, much more functional than my ad-hoc script - and from 2010. I bet this gets missed fairly often because it's a weird service on a weird port.

      Delete