oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[ oss-security ] CVE-2016-10517: CSRF in redis < 3.2.7

From: Thomas Calderon <calderon.thomas () gmail com>
Date: Wed, 25 Oct 2017 09:29:09 +0100
Hi all,

I have requested a CVE from MITRE for an issue that was present in Redis <
3.2.7.

They have assigned CVE-2016-10517 for the following:

[Suggested description]
Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a
check for POST and Host: strings, which are not valid in the Redis protocol
(but commonly occur when an attack triggers an HTTP request to the Redis
TCP port).

------------------------------------------

[Additional Information]
Before Redis 3.2.7 the Host: and POST could be used to process the
remaining pipeline if there are pending commands. Therefore it is possible
to perform a "Cross Scripting" attack, that usually involves trying to feed
Redis with HTTP in order to execute commands. Example: a developer is
running a local copy of Redis for development purposes.  She also runs a
web browser in the same computer. The web browser could send an HTTP
request to http://127.0.0.1:6379 in order to access the Redis instance,
since a specially crafted HTTP request may also be partially valid Redis
protocol. However if POST and Host: break the connection, this problem
should be avoided. IMPORTANT: It is important to realise that it is not
impossible that another way will be found to talk with a localhost Redis
using a Cross Protocol attack not involving sending POST or Host: so this
is only a layer of protection but not a definitive fix for this class of
issues.

------------------------------------------

[Vulnerability Type]
Cross Site Request Forgery (CSRF)

------------------------------------------

[Vendor of Product]
Pivotal Software

------------------------------------------

[Affected Product Code Base]
Redis - <3.2.7

------------------------------------------

[Affected Component]
redis_server

[Attack Vectors]
Have a user that has a local redis instance running browse an attacker
controlled website and perform a DNS rebinding attack in order to POST data
to http://127.0.0.1:6379.


------------------------------------------

[Reference]
https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
https://blog.bugreplay.com/2017/05/for-users-of-redis-running-locally-can-be-dangerous.html
https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/

------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: