Friday, September 30, 2016

Vulnerability Spotlight: Redis CONFIG SET client-output-buffer-limit Code Execution Vulnerability

Vulnerability Discovered by Cory Duplantis of Talos

Overview

Talos is disclosing TALOS-2016-0206/CVE-2016-8339, an out-of-bounds write vulnerability in Redis. Redis is a simple in-memory data structure store using a key-value model. Redis has been growing in popularity due to its ability to handle problems that other databases can't solve or are inherently slow at. This particular vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write, potentially resulting in code execution.

Details

An out-of-bounds write vulnerability exists during the modification of the `client-output-buffer-limit` option using the `CONFIG SET` command. The required syntax for setting the `client-output-buffer-limit` option is shown below.

This option sets the output-buffer limits beyond which clients of a given class are disconnected. When `client-output-buffer-limit` is parsed, `getClientTypeByName` is called to resolve the class name to its type, and it returns a value in the range [-1, 3]. Looking at the declaration of the `client_obuf_limits` array, we see that the array has only `3` elements. Although `client-output-buffer-limit` only expects clients of type `normal`, `slave`, and `pubsub`, `master` is also a valid client type. Supplying a client type of `master` therefore indexes past the end of `client_obuf_limits`, and the write overwrites the structure fields that follow the array. This vulnerability can result in remote code execution and should be addressed accordingly. Full details of the vulnerability can be found in the advisory on our website.
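As an added illustration (modelled code, not Redis source or the advisory's code), the following C mirrors the lookup and the three-element array described above, and shows a setter whose bounds check keys on the array size rather than only on the -1 sentinel; the `model_` names, the struct layout and the sentinel field are assumptions for the demonstration.

```c
#include <string.h>
/* Client types as the lookup returns them; only the first three own an
 * output-buffer limit slot, so the array is sized CLIENT_TYPE_OBUF_COUNT. */
#define CLIENT_TYPE_NORMAL     0
#define CLIENT_TYPE_SLAVE      1
#define CLIENT_TYPE_PUBSUB     2
#define CLIENT_TYPE_MASTER     3
#define CLIENT_TYPE_OBUF_COUNT 3

typedef struct { unsigned long long hard, soft; int soft_seconds; } model_obuf_limit;

/* Assumed layout: the limits array is followed by another field, which is
 * what an unchecked index of 3 (master) would overwrite. */
struct model_server {
    model_obuf_limit client_obuf_limits[CLIENT_TYPE_OBUF_COUNT];
    int sentinel_after_array;
};

/* Stand-in for getClientTypeByName: -1 for an unknown name, 0..3 otherwise. */
int model_client_type_by_name(const char *name) {
    if (strcmp(name, "normal") == 0) return CLIENT_TYPE_NORMAL;
    if (strcmp(name, "slave") == 0)  return CLIENT_TYPE_SLAVE;
    if (strcmp(name, "pubsub") == 0) return CLIENT_TYPE_PUBSUB;
    if (strcmp(name, "master") == 0) return CLIENT_TYPE_MASTER;
    return -1;
}

/* Hardened setter. Testing only `type == -1` lets 3 (master) through; comparing
 * against the array size rejects every class without a slot. 0 = ok, -1 = bad class. */
int model_set_obuf_limit(struct model_server *s, const char *class_name,
                         unsigned long long hard, unsigned long long soft, int soft_seconds) {
    int type = model_client_type_by_name(class_name);
    if (type < 0 || type >= CLIENT_TYPE_OBUF_COUNT) return -1;
    s->client_obuf_limits[type].hard = hard;
    s->client_obuf_limits[type].soft = soft;
    s->client_obuf_limits[type].soft_seconds = soft_seconds;
    return 0;
}

/* One CONFIG SET attempt on a fresh model server: 1 = accepted with only
 * the array touched, 0 = rejected, -1 = a field past the array changed. */
int model_try_class(const char *class_name) {
    struct model_server s;
    memset(&s, 0, sizeof s);
    s.sentinel_after_array = 0x5eed;
    int rc = model_set_obuf_limit(&s, class_name, 256ULL << 20, 64ULL << 20, 60);
    if (s.sentinel_after_array != 0x5eed) return -1;
    return rc == 0 ? 1 : 0;
}
```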

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rule: 40301
