Hey, Thanks for the notice! I see you also sent one to me privately (I wasn't online much yesterday). Would've been nice to get a couple days heads up before a wide notice :)
Looks like it's yet another binary protocol problem. I'm almost to the point where I'll be rewriting a lot of the frontend code. Can't get through the TODO fast enough :( Will put out a patch as soon as I can.

thanks,
-Dormando

On Tue, 27 Jun 2017, [email protected] wrote:

> Hi there,
>
> My name is Daniel and I am a security researcher @Twistlock
>
> As part of my job I am looking into various open source projects that have
> container images and this is how I stumbled upon memcached.
>
> In memcached I've found a few weak points by reviewing the code; in particular
> there are a few signed-unsigned comparisons...
>
> The heap overflow occurs in try_read_command in memcached.c.
> This is a READ overflow and it does not lead to code execution, nor does it lead
> to memory disclosure, but it does crash the handling thread and
> potentially may crash the whole application.
> MITRE assigned CVE-2017-9951
>
> AddressSanitizer output:
>
> #########
>
> ==30088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000dc68 at pc 0x000000440dbc bp 0x7ffff2ffdb30 sp 0x7ffff2ffdb20
> READ of size 24 at 0x61d00000dc68 thread T2
>     #0 0x440dbb in try_read_command /home/da5h/Downloads/memcached-1.4.37/memcached.c:4312
>     #1 0x440dbb in drive_machine /home/da5h/Downloads/memcached-1.4.37/memcached.c:4820
>     #2 0x7ffff6c36841 in event_persist_closure /home/da5h/Desktop/libevent-2.1.8-stable/event.c:1580
>     #3 0x7ffff6c36841 in event_process_active_single_queue /home/da5h/Desktop/libevent-2.1.8-stable/event.c:1639
>     #4 0x7ffff6c373ae in event_process_active /home/da5h/Desktop/libevent-2.1.8-stable/event.c:1738
>     #5 0x7ffff6c373ae in event_base_loop /home/da5h/Desktop/libevent-2.1.8-stable/event.c:1961
>     #6 0x4814eb in worker_libevent /home/da5h/Downloads/memcached-1.4.37/thread.c:356
>     #7 0x7ffff69fe6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
>     #8 0x7ffff67343dc in clone (/lib/x86_64-linux-gnu/libc.so.6+0x1073dc)
>
> 0x61d00000dc68 is located 24 bytes to the left of 2048-byte region [0x61d00000dc80,0x61d00000e480)
> allocated by thread T2 here:
>     #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
>     #1 0x442ec1 in conn_new /home/da5h/Downloads/memcached-1.4.37/memcached.c:504
>
> Thread T2 created by T0 here:
>     #0 0x7ffff6ea0253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
>     #1 0x487057 in create_worker /home/da5h/Downloads/memcached-1.4.37/thread.c:282
>     #2 0x487057 in memcached_thread_init /home/da5h/Downloads/memcached-1.4.37/thread.c:772
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/da5h/Downloads/memcached-1.4.37/memcached.c:4312 try_read_command
> Shadow bytes around the buggy address:
>   0x0c3a7fff9b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a7fff9b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a7fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c3a7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c3a7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c3a7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
>   0x0c3a7fff9b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a7fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a7fff9bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a7fff9bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a7fff9bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "memcached" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
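The signed/unsigned comparison class Daniel points at, as an added illustration that is not memcached's code: a hypothetical length check done in `int` lets a length field with its top bit set through as a negative value, so the computed body end lands before the buffer (a read to the left of the region, as in the ASan report); doing the comparison in unsigned arithmetic rejects it. `check_signed`, `check_unsigned` and the sample values are assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Result of a bounds check on a wire-supplied body length.
 * body_end is the byte offset at which the body would end relative to the
 * start of the read buffer; returning it instead of touching memory keeps
 * the demonstration free of undefined behaviour. */
typedef struct {
    bool accepted;
    ptrdiff_t body_end;
} check_result;

/* Vulnerable variant (hypothetical, not memcached's code): the 32-bit
 * length field is held in a signed int and compared with a signed copy of
 * the available byte count. A field such as 0xFFFFFFE8 becomes -24 on
 * two's-complement targets and passes "body_len <= remaining". */
static check_result check_signed(uint32_t length_field, size_t avail) {
    check_result r = { false, 0 };
    int body_len = (int)length_field;   /* 0xFFFFFFE8 -> -24 */
    int remaining = (int)avail;
    if (body_len <= remaining) {        /* -24 <= 2048: accepted */
        r.accepted = true;
        r.body_end = body_len;          /* negative: before the buffer */
    }
    return r;
}

/* Hardened variant: keep the field unsigned and compare against size_t.
 * 0xFFFFFFE8 is now simply a huge length and fails the check; a genuine
 * oversize length (4096 against 2048 bytes) fails the same way. */
static check_result check_unsigned(uint32_t length_field, size_t avail) {
    check_result r = { false, 0 };
    if ((size_t)length_field <= avail) {
        r.accepted = true;
        r.body_end = (ptrdiff_t)length_field;
    }
    return r;
}
```

Compiling with `-Wsign-compare` (or `-Wextra`) flags mixed signed/unsigned comparisons of this kind at build time, which is the cheap check to run over a codebase before a fuzzer or ASan finds the crash.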
