Talos Vulnerability Report

TALOS-2016-0206

Redis CONFIG SET client-output-buffer-limit command Code Execution Vulnerability

September 30, 2016
CVE Number

CVE-2016-8339

Summary

An out of bounds write vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write potentially resulting in code execution.

Tested Versions

Redis - 3.2.3

Product URLs

http://redis.io/

CVSSv3 Score

6.6 - CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

Redis is a simple in-memory data structure store using a key-value model. Redis has been growing in popularity due to its ability to handle problems that other databases can't solve or are inherently slow at.

An out of bounds write vulnerability exists during the modification of the client-output-buffer-limit option using the CONFIG SET command. The required syntax for setting the client-output-buffer-limit option is shown below.

CONFIG SET client-output-buffer-limit <class> <hard limit> <soft limit> <soft seconds>

This option sets the limits for disconnecting clients of a certain class. This option is set using the following code:

src/config.c
849    /* Finally set the new config */
850    for (j = 0; j < vlen; j += 4) {
851        int class;
852        unsigned long long hard, soft;
853        int soft_seconds;
854
855        class = getClientTypeByName(v[j]);
856        hard = strtoll(v[j+1],NULL,10);
857        soft = strtoll(v[j+2],NULL,10);
858        soft_seconds = strtoll(v[j+3],NULL,10);
859
860        server.client_obuf_limits[class].hard_limit_bytes = hard;
861        server.client_obuf_limits[class].soft_limit_bytes = soft;
862        server.client_obuf_limits[class].soft_limit_seconds = soft_seconds;
863    }

src/networking.c
1747    int getClientTypeByName(char *name) {
1748        if (!strcasecmp(name,"normal")) return CLIENT_TYPE_NORMAL;      // 0
1749        else if (!strcasecmp(name,"slave")) return CLIENT_TYPE_SLAVE;   // 1
1750        else if (!strcasecmp(name,"pubsub")) return CLIENT_TYPE_PUBSUB; // 2
1751        else if (!strcasecmp(name,"master")) return CLIENT_TYPE_MASTER; // 3
1752        else return -1;
1753    }

In the parsing of client-output-buffer-limit a call to getClientTypeByName is used to retrieve the corresponding class's type. In this case, getClientTypeByName returns a value in the set of [-1, 3]. Looking at the declaration of the client_obuf_limits array, we see that the size of the array is 3.

src/server.h

704    struct redisServer {
...
796    clientBufferLimitsConfig client_obuf_limits[CLIENT_TYPE_OBUF_COUNT];
...
980    }

src/server.h
292    #define CLIENT_TYPE_OBUF_COUNT 3 /* Number of clients to expose to output

Although client-output-buffer-limit is only expecting clients of types normal, slave, and pubsub, master is also a valid client. By providing a client type of master, the client_obuf_limit array is overflown and subsequent structure variables are overwritten.

A sample command exercising this vulnerability is below:

CONFIG SET client-output-buffer-limit "master 3735928559 3405691582 373529054"

Timeline

2016-09-22 - Vendor Disclosure
2016—09-26 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.