New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential Buffer Overflow from user-controllable Array Index value #4278
Comments
Was this confirmed as a bug that needs to be fixed? |
This issue has been assigned CVE-2017-15047 |
cc @antirez |
FWIW, I don't think this is actually exploitable with a normal configuration of Redis, where IOW, an administrator would have to have changed the default settings, such that this file Anyway, I've opened PR4365 to add some bounds checking with improved diagnostics, |
It's true that this is not really exploitable without otherwise access. Still a good idea to fix it. |
@kirit1193 How did you find this out of interest? |
Added in natoscott@0ba2932 All versions since |
@lamby , I was grepping for some strings and functions in the src folder, looking for these kinds of issues in general. |
@antirez I'd love to get an upstream blessing on the patch so distributions can roll-out updates, even if there is no new latest released version yet. |
@antirez Ping? :) |
Hello, I agree it's worth to fix indeed. I'm fixing it and patching all versions. However this bug will not trigger a new release of Redis because anyway we are going to have new releases soon and the bug is not critical enough, so expect Redis versions with such a fix to actually be deployed in a few weeks. Thanks for reporting, following up soon with the fix. |
Note that there is another similar bug here as well:
|
There was not enough sanity checking in the code loading the slots of Redis Cluster from the nodes.conf file, this resulted into the attacker's ability to write data at random addresses in the process memory, by manipulating the index of the array. The bug seems exploitable using the following techique: the config file may be altered so that one of the nodes gets, as node ID (which is the first field inside the structure) some data that is actually executable: then by writing this address in selected places, this node ID part can be executed after a jump. So it is mostly just a matter of effort in order to exploit the bug. In practice however the issue is not very critical because the bug requires an unprivileged user to be able to modify the Redis cluster nodes configuration, and at the same time this should result in some gain. However Redis normally is unprivileged as well. Yet much better to have this fixed indeed. Fix #4278.
There was not enough sanity checking in the code loading the slots of Redis Cluster from the nodes.conf file, this resulted into the attacker's ability to write data at random addresses in the process memory, by manipulating the index of the array. The bug seems exploitable using the following techique: the config file may be altered so that one of the nodes gets, as node ID (which is the first field inside the structure) some data that is actually executable: then by writing this address in selected places, this node ID part can be executed after a jump. So it is mostly just a matter of effort in order to exploit the bug. In practice however the issue is not very critical because the bug requires an unprivileged user to be able to modify the Redis cluster nodes configuration, and at the same time this should result in some gain. However Redis normally is unprivileged as well. Yet much better to have this fixed indeed. Fix #4278.
Bug fixed in all the branches. I think the bug is exploitable, because you can basically write the address of a Cluster node structure everywhere in the process memory. So the attacker may:
The problem with this approach is that there is the |
This is what I had in mind when I was reporting this as well. Just didn't have a malicious nodes.conf file which would be able to achieve this. |
There was not enough sanity checking in the code loading the slots of Redis Cluster from the nodes.conf file, this resulted into the attacker's ability to write data at random addresses in the process memory, by manipulating the index of the array. The bug seems exploitable using the following techique: the config file may be altered so that one of the nodes gets, as node ID (which is the first field inside the structure) some data that is actually executable: then by writing this address in selected places, this node ID part can be executed after a jump. So it is mostly just a matter of effort in order to exploit the bug. In practice however the issue is not very critical because the bug requires an unprivileged user to be able to modify the Redis cluster nodes configuration, and at the same time this should result in some gain. However Redis normally is unprivileged as well. Yet much better to have this fixed indeed. Fix redis#4278.
There was not enough sanity checking in the code loading the slots of Redis Cluster from the nodes.conf file, this resulted into the attacker's ability to write data at random addresses in the process memory, by manipulating the index of the array. The bug seems exploitable using the following techique: the config file may be altered so that one of the nodes gets, as node ID (which is the first field inside the structure) some data that is actually executable: then by writing this address in selected places, this node ID part can be executed after a jump. So it is mostly just a matter of effort in order to exploit the bug. In practice however the issue is not very critical because the bug requires an unprivileged user to be able to modify the Redis cluster nodes configuration, and at the same time this should result in some gain. However Redis normally is unprivileged as well. Yet much better to have this fixed indeed. Fix redis#4278.
There was not enough sanity checking in the code loading the slots of Redis Cluster from the nodes.conf file, this resulted into the attacker's ability to write data at random addresses in the process memory, by manipulating the index of the array. The bug seems exploitable using the following techique: the config file may be altered so that one of the nodes gets, as node ID (which is the first field inside the structure) some data that is actually executable: then by writing this address in selected places, this node ID part can be executed after a jump. So it is mostly just a matter of effort in order to exploit the bug. In practice however the issue is not very critical because the bug requires an unprivileged user to be able to modify the Redis cluster nodes configuration, and at the same time this should result in some gain. However Redis normally is unprivileged as well. Yet much better to have this fixed indeed. Fix redis#4278.
Where can I download the revised redis Windows version |
Only version 3.2 of redis can be downloaded under Windows |
How to compile redis source code |
Does redis 3.2 Windows version also have this vulnerability? |
There was not enough sanity checking in the code loading the slots of Redis Cluster from the nodes.conf file, this resulted into the attacker's ability to write data at random addresses in the process memory, by manipulating the index of the array. The bug seems exploitable using the following techique: the config file may be altered so that one of the nodes gets, as node ID (which is the first field inside the structure) some data that is actually executable: then by writing this address in selected places, this node ID part can be executed after a jump. So it is mostly just a matter of effort in order to exploit the bug. In practice however the issue is not very critical because the bug requires an unprivileged user to be able to modify the Redis cluster nodes configuration, and at the same time this should result in some gain. However Redis normally is unprivileged as well. Yet much better to have this fixed indeed. Fix redis#4278.
The clusterLoadConfig function within /redis/src/cluster.c seems to allow for a Buffer Overflow vulnerability leading from an array index being set from user-controllable input. The vulnerable code is:
As we can see, the slot variable is receiving the output of atoi being run here:
slot = atoi(argv[j]+1);
Now, argv[j] is basically the arguments of each line (stored in line[]) being put into the array using sdssplitargs for further processing.
The slot value, after being extracted is then used in the if-else block which controls the slot migration, i.e.
server.cluster->migrating_slots_to[slot] = cn;
andserver.cluster->importing_slots_from[slot] = cn;
.It is safe to assume that a user won't try to put in invalid slot numbers in the cluster configuration file. However, an attacker with limited access to the machine would be able to trigger memory corruption issues or even potentially execute code by forcing an Array Index out of Bounds exception from happening due to invalid values of slot. There should be some validation on the value of slot and the maximum length of the migrating_slots_to and migrating_slots_from arrays.
The text was updated successfully, but these errors were encountered: