Monday, May 1, 2017

For Users of Redis, Running Locally Can Be a Major Security Risk

If you are running Redis locally and, like most people as of this writing, are on a version older than 3.2.7 (released January 31, 2017), I can most likely copy your entire database, drop an ssh key into your authorized_keys file, overwrite arbitrary files on your computer, and lay a trap that will run arbitrary code the next time you open your terminal.
All of this can be triggered just by visiting a malicious web site, or a legitimate site that has had malicious JavaScript loaded onto it.
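The first thing a reader will want to know is whether the Redis on their own machine falls below the version named above. The following script is an added example, not code from the original post: it speaks the Redis wire protocol (RESP) directly so it needs no third-party client, asks the server for `INFO server`, and compares the reported `redis_version` against 3.2.7. It assumes Redis is listening on the default 127.0.0.1:6379, and the `SAMPLE_INFO` payload is a constructed stand-in for what an older instance returns.

```python
"""Report whether a local Redis is older than 3.2.7.

Added example, not code from the original post. Talks RESP over a raw
socket so no client library is required. SAMPLE_INFO is constructed.
"""
import socket

# Version threshold named in the post: instances below this are the ones
# the article is about.
MITIGATED_VERSION = (3, 2, 7)

# Constructed sample of an `INFO server` reply from an older instance.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:3.0.6\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 4.4.0 x86_64\r\n"
    "tcp_port:6379\r\n"
)


def parse_version(version: str) -> tuple:
    """Turn '3.2.7' into (3, 2, 7) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def version_from_info(info_text: str) -> str:
    """Extract the redis_version field from an INFO reply."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def is_older_than_fix(version: str) -> bool:
    """True if this version predates 3.2.7."""
    return parse_version(version) < MITIGATED_VERSION


def fetch_info(host: str = "127.0.0.1", port: int = 6379,
               timeout: float = 2.0) -> str:
    """Send `INFO server` as a RESP array and return the bulk-string body."""
    request = b"*2\r\n$4\r\nINFO\r\n$6\r\nserver\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        # A bulk-string reply looks like "$<length>\r\n<payload>\r\n".
        while b"\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before reply header")
            buf += chunk
        header, _, rest = buf.partition(b"\r\n")
        if not header.startswith(b"$"):
            raise ValueError(f"unexpected reply: {header!r}")
        length = int(header[1:])
        while len(rest) < length + 2:
            chunk = sock.recv(4096)
            if not chunk:
                break
            rest += chunk
        return rest[:length].decode("utf-8", errors="replace")


if __name__ == "__main__":
    try:
        version = version_from_info(fetch_info())
    except OSError as exc:
        print(f"no Redis reachable on 127.0.0.1:6379 ({exc})")
    else:
        state = "OLDER than 3.2.7" if is_older_than_fix(version) else "3.2.7 or newer"
        print(f"local Redis reports {version}: {state}")
```

Run it on the machine that hosts the Redis instance; the version comparison is done on the parsed tuple rather than on the string, so 3.10.0 sorts correctly after 3.2.7.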

Background

I read "How to steal any developer's local database" a while back on Hacker News and thought it might be a fun project to try out with BugReplay. In the process I’ve learned how powerful DNS rebinding can be as an attack technique and the kind of damage that can be done with it. This article is an attempt to build on that previous work and demonstrate the techniques involved.
When you look at typical authorization mechanisms,