What is a Memcached server?
Memcached servers are used to store and retrieve data in the form of key-value pairs. When client requests for data from server, its checks for the data stored in the cache. If the data is available, it is loaded into the memory. If the data is not present, the server fetches it from the backend storage and stores it in its cache for future requests. So, it is used to speedup the web application by reducing the database load.
Today we will be discussing on my recent bounty i got for key dumping from an open memcached server.
I got an ip from censys search which is targets ip. So as an initial recon i used nmap for scanning the ip.
nmap IPADDRESS -Pn
from initial scan i was able to find a port 11211 which is Memcached!! So i started pentesting on the server to retrieve data if it has no authentication. For confirmation i tried to connect the Memcached server via Telnet.
telnet IPADDRESS 11211
Wow! I was able to connect to the server without authentication. Great!. Now i tried command to check the version.
Now i checked the server statistics with stats command,
the command “stats items” is used to display detailed statistics about each item that is currently stored in the cache. When the command is executed, the Memcached server responds with a list of all the slabs (memory pools) and the items that are currently stored in them. A slab is a pre-allocated block of memory that is divided into smaller chunks of fixed size.
The command provides information about the following:
- The slab ID: unique identifier for the memory pool in which the item is stored.
- The item key: This is the unique identifier for the cached item.
- The item’s size: size of the cached item in bytes.
- The item’s age: length of time (in seconds) since the item was last accessed.
- The item’s expiration time: time (in seconds) after which the item will expire and be automatically removed from the cache.
- The number of times the item has been accessed: number of times the item has been requested from the cache.
- The number of times the item has been evicted: number of times the item has been removed from the cache due to memory constraints.
After that I tried to list all the items in the Slab with ID 1 and 808 indicates items ,
stats cachedump 1 808
Here you can see the data listed!.
Now we are going to retrieve the data stored using keys,
Here KEY should be replaced with the Item Key. Now we get the data and dump the data with item keys!!
About the report
This issue was reported on march 1st 2023 and was fixed and rewarded by march 3rd 2023. The issue triaged as High 7.5 cause i was able to retrieve the item keys and data from the Memcached server.
Hope you enjoyed the write-up. Like and Subscribe! Thanks.
Suppott here :- https://bmc.link/r0074g3n7
NB: This writeup is already posted by me on https://aswinthambi.blogspot.com/2023/03/hunting-on-memcached-servers-dumping.html