Redis (Remote Dictionary Server) is a BSD-licensed open-source key-value store created by Salvatore Sanfilippo in 2009; data is retrieved by key. Because Redis keeps its data set in memory, it runs faster than conventional disk-based databases. It is often preferred over alternatives because it supports several data types, such as Hashes, Lists, and Sets. It is typically used as a result cache and as a data store in systems that must process large volumes of messages in real time, such as Facebook, Instagram and Tumblr, and as a repository for small services that need fast response times.

Data Breach Possibility From Exposed Redis Commander

Redis Commander is a Node.js web application for managing the databases held on Redis servers. It is a GUI tool that adds conveniences such as auto-completion and document import/export, and every Redis data type can be edited through the browser. That same convenience, however, turns an exposed Redis Commander into a remote data-retrieval tool for anyone who finds it, especially when it faces the public internet without any authentication.

This follows from the nature of Redis and its commander: whoever reaches the interface gains full control of the underlying databases, so an exposed instance can lead directly to a serious data breach.

How to Find Redis Commander Servers Through the Favicon Filter

Criminal IP’s favicon filter lets users search for IP addresses by the hash of the favicon a site serves. Searching for the favicon hash of Redis Commander this way returned 211 IP addresses in total.

favicon: -32e1326

Results shown for favicon: -32e1326 on Criminal IP Asset Search

Opening one of these Redis Commander results connects the user to the live management page of that service. Some of these servers reveal sensitive data, such as user token values and login cookies, that can be queried without any authentication.

Key data in the Redis database exposed to the unprotected internet

How to Find Redis Commander Servers Through the Title Filter

It is also possible to find Redis Commander server IPs with the title filter. Criminal IP’s title filter returns IP addresses whose page title tag matches the keywords entered.

Searching for “title: Redis Commander” in Criminal IP Asset Search returns a total of 384 IP addresses running Redis Commander servers.

title: Redis Commander

Search results for title: Redis Commander on Asset Search

This site also includes a page where users can view data updates stored as hash values, again without any authentication.

Data storage servers exposed on the unprotected internet without means of authentication

When Redis Commander servers are left unattended and unprotected, the databases behind them can be controlled by unauthorized users. Among the Redis data types seen in these cases, page cookies and user login credentials are the most frequently leaked. If a malicious actor obtains an administrator’s cookie from such a server, it can be reused to gain administrator access to that Redis Commander page.
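As an added defender-side example (not code from the article, Criminal IP, or the Redis Commander project), the script below checks whether a Redis Commander instance you operate serves its management UI to an anonymous client, keying on the same “Redis Commander” page title the title filter above relies on. The target URL is an assumption, and the sample responses are constructed.

```python
"""Self-check: does a Redis Commander instance serve its UI without credentials?"""
import re
import urllib.error
import urllib.request

# Same page title the article's "title: Redis Commander" filter keys on.
TITLE_RE = re.compile(r"<title>\s*([^<]*?)\s*</title>", re.IGNORECASE)


def classify_response(status: int, headers: dict, body: str) -> str:
    """Map one HTTP response from the root URL to an exposure verdict.

    EXPOSED             - the management UI loads with no credentials at all
    PROTECTED           - the server demands HTTP Basic auth before serving it
    NOT_REDIS_COMMANDER - something else answered (proxy, other app, error page)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "basic" in lower.get("www-authenticate", "").lower():
        return "PROTECTED"
    match = TITLE_RE.search(body)
    title = match.group(1) if match else ""
    if status == 200 and "redis commander" in title.lower():
        return "EXPOSED"
    return "NOT_REDIS_COMMANDER"


def check_url(url: str, timeout: float = 5.0) -> str:
    """Fetch the root page anonymously (no cookies, no credentials) and classify it."""
    req = urllib.request.Request(url, headers={"User-Agent": "rc-selfcheck/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:  # 401/403/etc. still carry headers
        return classify_response(err.code, dict(err.headers), "")


# Constructed sample responses (not captured from any real host) showing the
# three outcomes as they look on the wire.
SAMPLES = {
    "no auth": (200, {"Content-Type": "text/html"},
                "<html><head><title>Redis Commander</title></head><body>...</body></html>"),
    "basic auth": (401, {"WWW-Authenticate": 'Basic realm="Redis Commander"'}, ""),
    "other app": (200, {"Content-Type": "text/html"}, "<title>Welcome to nginx!</title>"),
}

if __name__ == "__main__":
    for name, (status, hdrs, body) in SAMPLES.items():
        print(f"{name:>10}: {classify_response(status, hdrs, body)}")
```

Run `check_url("http://<your-redis-commander-host>:8081/")` against your own deployment; anything other than PROTECTED means the interface is reachable without credentials and should be placed behind authentication or a private network.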

Neglected Redis Commander servers can therefore be the root cause of serious data leaks and hacking incidents. For more on this issue, see API Key, a Key to Credential Leakage & Manipulation.

Open-source services are popular because they are cheap and easy to adopt. That openness is also their weakness: without proper management and regular inspection, such deployments are easy targets for attackers. Redis Commander servers therefore require special attention from server administrators, as well as periodic security checks of the corporate attack surface.

Read more in our related, in-depth coverage of Vulnerable Jenkins Servers.

Source : Criminal IP (https://www.criminalip.io)

Related Article(s) : https://blog.criminalip.io/2022/07/20/api-key-leak/