Vulners
Lucene search
Memcached Stats Amplification Scanner
🗓️ 31 Aug 2024 00:00:00Reported by Jon Hart, xistence, Marek Majkowski, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 170 Views
| Reporter | Title | Published | Views | Family All 108 |
|---|---|---|---|---|
 | Security fix for the ALT Linux 8 package memcached version 1.5.6-alt1.M80P.1 | 6 Mar 201800:00 | – | altlinux |
 | Amazon Linux 2 : memcached (ALAS-2018-964) | 18 Apr 201800:00 | – | nessus |
| Amazon Linux AMI : memcached (ALAS-2018-964) | 9 Mar 201800:00 | – | nessus |
| Debian DSA-4218-1 : memcached - security update | 7 Jun 201800:00 | – | nessus |
| EulerOS 2.0 SP5 : memcached (EulerOS-SA-2019-2213) | 8 Nov 201900:00 | – | nessus |
| EulerOS 2.0 SP2 : memcached (EulerOS-SA-2019-2391) | 10 Dec 201900:00 | – | nessus |
| EulerOS 2.0 SP3 : memcached (EulerOS-SA-2019-2631) | 18 Dec 201900:00 | – | nessus |
| EulerOS Virtualization 3.0.6.0 : memcached (EulerOS-SA-2020-1784) | 1 Jul 202000:00 | – | nessus |
| EulerOS Virtualization 3.0.2.2 : memcached (EulerOS-SA-2020-2208) | 21 Oct 202000:00 | – | nessus |
| openSUSE Security Update : memcached (openSUSE-2018-373) | 18 Apr 201800:00 | – | nessus |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Capture
include Msf::Auxiliary::UDPScanner
include Msf::Auxiliary::DRDoS
def initialize
super(
'Name' => 'Memcached Stats Amplification Scanner',
'Description' => %q(
This module can be used to discover Memcached servers which expose the
unrestricted UDP port 11211. A basic "stats" request is executed to check
if an amplification attack is possible against a third party.
),
'Author' =>
[
'Marek Majkowski', # Cloudflare blog and base payload
'xistence <xistence[at]0x90.nl>', # Metasploit scanner module
'Jon Hart <[email protected]>', # Metasploit scanner module
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Feb 27 2018',
'References' =>
[
['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],
['CVE', '2018-1000115']
]
)
register_options([
Opt::RPORT(11211)
])
end
def build_probe
# Memcached stats probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt
@memcached_probe ||= [
rand(2**16), # random request ID
0, # sequence number
1, # number of datagrams in this sequence
0, # reserved; must be 0
"stats\r\n"
].pack("nnnna*")
end
def scanner_process(data, shost, sport)
# Check the response data for a "STAT" response
if data =~ /\x0d\x0aSTAT\x20/
@results[shost] ||= []
@results[shost] << data
end
end
# Called after the scan block
def scanner_postscan(batch)
@results.keys.each do |host|
response_map = { @memcached_probe => @results[host] }
report_service(
host: host,
proto: 'udp',
port: rport,
name: 'memcached'
)
peer = "#{host}:#{rport}"
vulnerable, proof = prove_amplification(response_map)
what = 'memcached stats amplification'
if vulnerable
print_good("#{peer} - Vulnerable to #{what}: #{proof}")
report_vuln(
host: host,
port: rport,
proto: 'udp',
name: what,
refs: references
)
else
vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
end
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 25
CVSS 37.5
EPSS0.86753