Lucene search
This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.MEMCACHED_ASLR_BYPASS.NASLHistoryApr 29, 2009 - 12:00 a.m.
Memcached / MemcacheDB ASLR Bypass Weakness
2009-04-2900:00:00
This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
www.tenable.com
36
The version of memcached / MemcacheDB running on the remote host reveals information about the stack, heap, and shared library memory locations it uses. An unauthenticated remote attacker may be able to leverage this weakness to defeat any address space layout randomization (ASLR) protection on the remote host, thereby making buffer overflows easier to exploit.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(38207);
script_version("1.10");
script_cve_id("CVE-2009-1255");
script_bugtraq_id(34756);
script_xref(name:"Secunia", value:"34915");
script_xref(name:"Secunia", value:"34932");
script_name(english:"Memcached / MemcacheDB ASLR Bypass Weakness");
script_summary(english:"Sends a 'stats maps' command");
script_set_attribute( attribute:"synopsis", value:
"The remote object store suffers from a weakness that may make buffer
overflows easier to exploit." );
script_set_attribute( attribute:"description", value:
"The version of memcached / MemcacheDB running on the remote host
reveals information about the stack, heap, and shared library memory
locations it uses. An unauthenticated remote attacker may be able to
leverage this weakness to defeat any address space layout
randomization (ASLR) protection on the remote host, thereby making
buffer overflows easier to exploit." );
script_set_attribute(
attribute:"see_also",
value:"https://www.positronsecurity.com/advisories/2009-001.html"
);
script_set_attribute(
attribute:"see_also",
value:"https://seclists.org/fulldisclosure/2009/Apr/281"
);
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?97546674"
);
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?24b11223"
);
script_set_attribute( attribute:"solution", value:
"If using memcached, upgrade to version 1.2.8.
If using MemcacheDB, upgrade to revision r98 or later from the code
repository." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(200);
script_set_attribute(attribute:"plugin_publication_date", value: "2009/04/29");
script_cvs_date("Date: 2018/11/15 20:50:23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
script_dependencies("memcached_detect.nasl");
script_require_ports("Services/memcached", 11211, 21201);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
ports = add_port_in_list(list:get_kb_list("Services/memcached"), port:11211);
ports = add_port_in_list(list:ports, port:21201);
foreach port (ports)
{
if (!get_port_state(port)) continue;
soc = open_sock_tcp(port);
if (soc)
{
req = "stats maps";
send(socket:soc, data:string(req, "\r\n"));
res = recv(socket:soc, length:8192);
# There's a problem if...
if (
# we get a response and...
!isnull(res) &&
(
# either there's an error or...
stridx(res, 'SERVER_ERROR ') == 0 ||
# we see a map
egrep(pattern:"^[0-9a-f]+-[0-9a-f]+[ ][-r][-w][-x]p[ ]", string:res)
)
)
{
if (report_verbosity > 0)
{
max_lines = 10;
n = 0;
output = "";
foreach line (split(res, keep:TRUE))
{
output += line;
if (n++ > max_lines) break;
}
report = string(
"\n",
"Here is the output of sending a '", req, "' command to the remote\n",
"service :\n",
"\n",
crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
output,
crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
);
if (n < max_index(split(res)))
{
report = string(
report,
"\n",
"Note that only the first ", max_lines, " lines of output are reported.\n"
);
}
if (stridx(res, 'SERVER_ERROR ') == 0)
{
report = string(
report,
"\n",
"Note that while the server responded with an error, the error itself\n",
"indicates the weakness in the code is still present.\n"
);
}
security_warning(port:port, extra:report);
}
else security_warning(port);
}
close(soc);
}
}
Related
securityvulns
securityvulns
Positron Security Advisory #2009-001: Memcached and MemcacheDB ASLR Bypass Weakness
2009-05-01 00:00:00
Memcached / MemcacheDB information leak
2009-05-01 00:00:00
openvas
openvas
Fedora Core 10 FEDORA-2009-4199 (memcached)
2009-05-25 00:00:00
Fedora Core 11 FEDORA-2009-4542 (memcached)
2009-06-05 00:00:00
FreeBSD Ports: memcached
2009-09-02 00:00:00
fedora
fedora
[SECURITY] Fedora 11 Update: memcached-1.2.8-1.fc11
2009-05-26 07:55:38
[SECURITY] Fedora 10 Update: memcached-1.2.8-1.fc10
2009-05-20 00:51:28
[SECURITY] Fedora 11 Update: memcached-1.2.8-2.fc11
2009-12-11 18:27:21
nessus
nessus
FreeBSD : memcached -- memcached stats maps Information Disclosure Weakness (86ada694-8b30-11de-b9d0-000c6e274733)
2009-08-20 00:00:00
Fedora 10 : memcached-1.2.8-1.fc10 (2009-4199)
2009-05-20 00:00:00
Fedora 11 : memcached-1.2.8-1.fc11 (2009-4542)
2009-05-27 00:00:00
debiancve
debiancve
CVE-2009-1255
2009-04-30 20:30:00
cve
cve
CVE-2009-1255
2009-04-30 20:30:00
seebug
seebug
Memcached stats mapsๅฝไปคไฟกๆฏๆณ้ฒๆผๆด
2009-05-01 00:00:00
prion
prion
Command injection
2009-04-30 20:30:00
freebsd
freebsd
memcached -- memcached stats maps Information Disclosure Weakness
2009-04-29 00:00:00
ubuntucve
ubuntucve
CVE-2009-1255
2009-04-30 00:00:00
Related for MEMCACHED_ASLR_BYPASS.NASL