memcached remote exploits are easy
"The memcached threat model is pretty simple since the software has a tiny interface. Zero authentication by default helps, and once connected you can read and write all parts of the cache due to the lack of authorisation."
Excellent article. Amazing to see that many large sites allow overwriting memcached data so that malware can be inserted. If this were done there would, of course, be no way to remove the malware from the site code since it does not reside there.
James
5 Replies
(p.s. 192.168.128.0/17 is public, from a security standpoint)
@hoopycat:
…no one here would have their memcached listening to the world, right?
I think that is unlikely if a single web server and single memcached instance are running on the same server. If separate multiple memcached servers are being used, there might be a temptation to do this for the lazier and the less experienced.
If you would like to find out if any linodes are vulnerable to this problem, the article discusses how to obtain and use a scanning tool made for just such a purpose. My interest in this subject is theoretical, not practical.
James
@zunzun:
there might be a temptation to do this for the lazier and the less experienced.
Wouldn't one also have to be a complete moron?
@Xan:
@zunzun:there might be a temptation to do this for the lazier and the less experienced.
Wouldn't one also have to be a complete moron?
Or just have no clue about security and server admin…I recently audited a server which had mysql open to the public with remote logins enabled and a root password of something like 'password123'…yeah that's just about as bad as an open memcached.