Hi there,
My name is Daniel and I am a security researcher @Twistlock.
As part of my job I am looking into various open source projects that have
container images, and this is how I stumbled upon memcached.
In memcached I've found a few weak points by reviewing the code; in
particular there are a few signed-unsigned comparisons...
The heap overflow occurs in try_read_command in memcached.c.
This is a READ overflow and it does not lead to code execution, nor does it
lead to memory disclosure, but it does crash the handling thread and
potentially may crash the whole application.
MITRE assigned CVE-2017-9951.
AddressSanitizer output:
#########
==30088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000dc68 at pc 0x000000440dbc bp 0x7ffff2ffdb30 sp 0x7ffff2ffdb20
READ of size 24 at 0x61d00000dc68 thread T2
    #0 0x440dbb in try_read_command /home/da5h/Downloads/memcached-1.4.37/memcached.c:4312
    #1 0x440dbb in drive_machine /home/da5h/Downloads/memcached-1.4.37/memcached.c:4820
    #2 0x7ffff6c36841 in event_persist_closure /home/da5h/Desktop/libevent-2.1.8-stable/event.c:1580
    #3 0x7ffff6c36841 in event_process_active_single_queue /home/da5h/Desktop/libevent-2.1.8-stable/event.c:1639
    #4 0x7ffff6c373ae in event_process_active /home/da5h/Desktop/libevent-2.1.8-stable/event.c:1738
    #5 0x7ffff6c373ae in event_base_loop /home/da5h/Desktop/libevent-2.1.8-stable/event.c:1961
    #6 0x4814eb in worker_libevent /home/da5h/Downloads/memcached-1.4.37/thread.c:356
    #7 0x7ffff69fe6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #8 0x7ffff67343dc in clone (/lib/x86_64-linux-gnu/libc.so.6+0x1073dc)

0x61d00000dc68 is located 24 bytes to the left of 2048-byte region [0x61d00000dc80,0x61d00000e480)
allocated by thread T2 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x442ec1 in conn_new /home/da5h/Downloads/memcached-1.4.37/memcached.c:504

Thread T2 created by T0 here:
    #0 0x7ffff6ea0253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x487057 in create_worker /home/da5h/Downloads/memcached-1.4.37/thread.c:282
    #2 0x487057 in memcached_thread_init /home/da5h/Downloads/memcached-1.4.37/thread.c:772

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/da5h/Downloads/memcached-1.4.37/memcached.c:4312 try_read_command
Shadow bytes around the buggy address:
0x0c3a7fff9b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff9b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3a7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
0x0c3a7fff9b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff9bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
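The class of mistake the report points at, as an added illustration that is not memcached's code: a request length parsed into a signed integer passes a signed bounds check and only turns into a huge or negative offset where it is used. The sizes mirror the report (2048-byte buffer, 24-byte read); all function names and the request token are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes chosen to mirror the ASan report above. */
#define RBUF_SIZE 2048
#define FIELD_LEN 24

/* Hypothetical helper: parse a length token from a request line.
 * A token such as "-24" parses without error, so the sign must be
 * checked by the caller. Returns -1 on a malformed token. */
static long parse_len_token(const char *tok) {
    char *end = NULL;
    long v = strtol(tok, &end, 10);
    return (end == tok || *end != '\0') ? -1 : v;
}

/* Flawed check: both operands are int, so -24 <= 2048 passes. Where the
 * value is later converted to size_t for memcpy(), or used as a pointer
 * index, it becomes an out-of-bounds read (here 24 bytes before the buffer). */
static int accepts_len_unsafe(int len, int avail) {
    return len <= avail;
}

/* Hardened check: reject negatives before any unsigned comparison.
 * gcc's -Wsign-compare (enabled by -Wextra) flags the mixed comparisons
 * that hide this bug. */
static int accepts_len_safe(long len, size_t avail) {
    if (len < 0)
        return 0;
    return (size_t)len <= avail;
}

/* Copy the 'len'-byte field at offset 'off' of rbuf into out, refusing any
 * negative or out-of-range value without overflowing the arithmetic.
 * Returns 0 on success, -1 otherwise. */
static int copy_field_safe(const char *rbuf, size_t rsize, long off, long len,
                           char *out, size_t outsz) {
    if (off < 0 || len < 0)
        return -1;
    if ((size_t)off > rsize || rsize - (size_t)off < (size_t)len)
        return -1;
    if ((size_t)len > outsz)
        return -1;
    memcpy(out, rbuf + off, (size_t)len);
    return 0;
}
```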