redis attacks?


Kyle Bragger

Dec 22, 2009, 9:59:55 AM12/22/09
to Redis DB
Hi all,

My apologies if this is a ridiculous question. I was thinking today
about if/how it would be possible to attempt some kind of injection
attack on redis, e.g. if you study the protocol and know how to
construct calls, would it be possible to somehow send a "this is the
end of the current command" string, then send over your own
command(s). I suppose the closest thing would be a simple SQL injection, e.g.
"foo' OR 1=1"

-Kyle

Sergey Shepelev

Dec 22, 2009, 11:08:07 AM12/22/09
to redi...@googlegroups.com

Same as with SQL injection, this has nothing to do with the database
server; it's the application server that's sending malformed requests
(because it doesn't sanitize user requests).

For example, a space in a key breaks the command.


Kyle Bragger

Dec 22, 2009, 11:23:11 AM12/22/09
to Redis DB
Understood; I guess I am asking whether it would be possible for
someone who is familiar with the redis protocol to send a CRLF within
a POST/GET var and then append additional, malicious commands to it.

On Dec 22, 11:08 am, Sergey Shepelev <temo...@gmail.com> wrote:

Salvatore Sanfilippo

Dec 22, 2009, 11:29:14 AM12/22/09
to redi...@googlegroups.com
On Tue, Dec 22, 2009 at 5:23 PM, Kyle Bragger <kyle.b...@gmail.com> wrote:
> Understood; I guess I am asking whether it would be possible for
> someone who is familiar with the redis protocol to send a CRLF within
> a POST/GET var and then append additional, malicious commands to it.

Hello,

If the client controls *the key* and is not using the new multi bulk
request protocol, yes, there is an attack.
If it's just a matter of values, no, injection is not possible.
In the future I would like to switch everything to the new protocol,
which is better from more or less every point of view. The first step
will be to implement a ping benchmark with the new protocol in
redis-benchmark to check whether the performance is more or less the
same. If not, try to optimize it as much as possible, and if the result
is good, switch to the new one.

Cheers,
Salvatore

--
Salvatore 'antirez' Sanfilippo
http://invece.org

"Once you have something that grows faster than education grows,
you’re always going to get a pop culture.", Alan Kay
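The distinction Salvatore draws above, shown as an added example (not code from the thread or from Redis): a key taken from a request is pasted verbatim into an inline request, so a CRLF inside it ends the command and a parser reads a second one, whereas the multi bulk request length-prefixes every argument and the same key stays a single argument. The `key_is_inline_safe` check is an assumed application-side validation, not something Redis itself does.

```python
# Added example: how the inline and multi bulk Redis request encodings treat a
# client-controlled key. Constructed input; no server is contacted.
CRLF = b"\r\n"

def encode_inline(*args: str) -> bytes:
    """Old inline request: space-separated words terminated by CRLF.
    The key is pasted into the command text verbatim."""
    return " ".join(args).encode() + CRLF

def encode_multibulk(*args: str) -> bytes:
    """Multi bulk request: '*<argc>' then each argument as '$<len>' + bytes.
    Argument bytes are never interpreted as command structure."""
    out = b"*%d%s" % (len(args), CRLF)
    for a in args:
        data = a.encode()
        out += b"$%d%s%s%s" % (len(data), CRLF, data, CRLF)
    return out

def count_inline_commands(buf: bytes) -> int:
    """What an inline-protocol parser sees: one command per non-empty line."""
    return sum(1 for line in buf.split(CRLF) if line.strip())

def count_multibulk_commands(buf: bytes) -> int:
    """Walk multi bulk framing and return how many complete commands buf holds."""
    n, i = 0, 0
    while i < len(buf):
        if buf[i:i + 1] != b"*":
            raise ValueError("expected '*' header at offset %d" % i)
        end = buf.index(CRLF, i)
        argc, i = int(buf[i + 1:end]), end + 2
        for _ in range(argc):
            if buf[i:i + 1] != b"$":
                raise ValueError("expected '$' bulk length at offset %d" % i)
            end = buf.index(CRLF, i)
            length = int(buf[i + 1:end])
            i = end + 2 + length + 2          # skip length line, payload, CRLF
        n += 1
    return n

def key_is_inline_safe(key: str) -> bool:
    """Assumed application-server check before using the inline encoding:
    a key must be non-empty and contain no whitespace or line terminators."""
    return key != "" and not any(c.isspace() for c in key)
```

With a constructed key such as `"session:42\r\nPING"`, the inline parser counts two commands while the multi bulk parser counts one; `key_is_inline_safe` rejects that key before it is encoded.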

Jon Watte

Dec 22, 2009, 12:26:55 PM12/22/09
to redi...@googlegroups.com
For someone to be able to "inject" a command that way, they'd have to be able to submit a command in the first place. That means you already gave them authentication to the server. That means you're screwed, no matter what :-)

Remember: always put an application server in front of any data store. Always enforce security on the application server, and use a consistent, procedural way of building queries on the application server, to avoid injection attacks.

Sincerely,

jw


--
Americans might object: there is no way we would sacrifice our living standards for the benefit of people in the rest of the world. Nevertheless, whether we get there willingly or not, we shall soon have lower consumption rates, because our present rates are unsustainable.


