
Remote buffer overflow DOS 0-day in Memcached 1.6.0 and 1.6.1 (latest)

 4 years ago
source link: https://github.com/memcached/memcached/issues/629

Hi, Memcached team,

Recently, I revealed a buffer overflow vulnerability which may cause a DOS attack. The exploit details can be found as follows.

Affected Versions

memcached-1.6.0

memcached-1.6.1

Root cause

file location: memcached.c:6156-6187


Code Audit

```c
6178   char extbuf[sizeof(c->binary_header) + BIN_MAX_EXTLEN];
6179   memcpy(extbuf + sizeof(c->binary_header), c->rcurr + sizeof(c->binary_header), extlen);
```

In line 6179, since there is no mechanism to verify the parameter's length, in this case the length of `extlen`, when calling the memcpy function, it will cause a buffer overflow if a large value is assigned to the extlen variable.

POC

```text
0x80 0x01 [0x00 0x00] keylen
[0x30] extlen 0x00 0x00 0x00
```

For the POC snippet, first, I assign a large value to the variable extlen; on the other hand, in order to bypass the validation of the data packet in the following code snippet,

```c
6156 if (c->rbytes < keylen + extlen + sizeof(c->binary_header))
```

we can construct a very large data packet and send it to the server running memcached 1.6.0 or 1.6.1 anonymously. After that, the program will crash because of the issue mentioned above.

Note: Please confirm this issue ASAP. Besides, just letting you know, I am gonna submit this issue to CVE mitre.

Please let me know if you have any questions.

Sincerely,

Icejl
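As an added example, not part of the issue or of memcached's own code, a hardened form of the extras copy from lines 6156-6179: it bounds `extlen` by `BIN_MAX_EXTLEN` before the existing `rbytes` check and before the `memcpy`, so an extras length like the POC's 0x30 is rejected instead of overflowing `extbuf`. The 24-byte binary header layout and `BIN_MAX_EXTLEN == 20` are assumptions about memcached's definitions, and the request bytes are constructed in memory.

```c
#include <stdint.h>
#include <string.h>

#define BIN_HEADER_LEN 24   /* memcached binary request header: magic..cas */
#define BIN_MAX_EXTLEN 20   /* assumed value of memcached's BIN_MAX_EXTLEN */

enum ext_result { EXT_OK = 0, EXT_BAD_HEADER, EXT_TOO_LONG, EXT_SHORT_PACKET };

/* Hardened equivalent of the copy at memcached.c:6179: bound extlen by the
 * destination buffer before the rbytes check at 6156 and before memcpy. */
static enum ext_result check_and_copy_extras(const uint8_t *rcurr, size_t rbytes,
                                             uint8_t *extbuf, size_t extbuf_len)
{
    if (rbytes < BIN_HEADER_LEN || rcurr[0] != 0x80)   /* request magic */
        return EXT_BAD_HEADER;
    uint16_t keylen = (uint16_t)((rcurr[2] << 8) | rcurr[3]); /* big-endian */
    uint8_t extlen = rcurr[4];
    /* The missing check: extras must fit the fixed-size stack buffer. */
    if (extlen > BIN_MAX_EXTLEN || extbuf_len < BIN_HEADER_LEN + (size_t)extlen)
        return EXT_TOO_LONG;
    /* The original check from line 6156, done in size_t. */
    if (rbytes < (size_t)keylen + extlen + BIN_HEADER_LEN)
        return EXT_SHORT_PACKET;
    memcpy(extbuf + BIN_HEADER_LEN, rcurr + BIN_HEADER_LEN, extlen);
    return EXT_OK;
}

/* Constructed SET request: 24-byte header, extlen zeroed extras, keylen key.
 * Returns bytes written, or 0 if buf is too small. */
static size_t build_request(uint8_t *buf, size_t buflen, uint16_t keylen, uint8_t extlen)
{
    size_t total = BIN_HEADER_LEN + keylen + extlen;
    if (buflen < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x80; buf[1] = 0x01;                  /* magic, opcode SET */
    buf[2] = (uint8_t)(keylen >> 8); buf[3] = (uint8_t)keylen;
    buf[4] = extlen;
    uint32_t body = (uint32_t)keylen + extlen;     /* total body length */
    buf[8] = (uint8_t)(body >> 24); buf[9] = (uint8_t)(body >> 16);
    buf[10] = (uint8_t)(body >> 8); buf[11] = (uint8_t)body;
    return total;
}

/* Run the hardened check on a constructed request with the given extlen. */
static int try_extlen(uint8_t extlen)
{
    uint8_t pkt[512], extbuf[BIN_HEADER_LEN + BIN_MAX_EXTLEN];
    size_t n = build_request(pkt, sizeof pkt, 0, extlen);
    return (int)check_and_copy_extras(pkt, n, extbuf, sizeof extbuf);
}
```

With these assumptions `try_extlen(8)` returns `EXT_OK` and `try_extlen(0x30)`, the POC's value, returns `EXT_TOO_LONG`.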

