Memcache injection

Memcached is a free and open high-performance distributed system, which was introduced for caching objects in memory. This distributed system is storage of “key-value” type located in the operating memory and designed for small “portions” of arbitrary data. These data include string values, numerical values, and many more. Memcached is fully open development and is assembled and operated under UNIX, Windows, OS X and distributed under an open license.

Memcached is a general-purpose memory caching system. This is used to speed up dynamic-driven websites by caching data in RAM. Memcached is a free and open source software that runs on Unix based operating systems. There are many servers running Memcached. These websites are prone to multiple Buffer Overflow Vulnerabilities. A successful exploitation will let the attacker execute arbitrary code on the affected system via readily available network utilities.

The common Memcache commands as:-

  • Storage - set, add, replace
  • Read - get, gets
  • Delete - delete
  • Increment/Decrement - incr, decr

Example

The below code is an example of this vulnerability:-

        <?php
            $m = new Memcached();
            $m->addServer('example.beaglesecurity.com', 11211);
            $m->set("key1 0 0 1\r\n1\r\nset injected 0 3600 10\r\n1234567890\r\n","1234567890",30);
        ?>

    

The above code can be exploited as below.

        $m->set(“prefix_”.$_GET[‘key’],”data”

    

The following is the data exchanged between the server and the client.

        &gt; set key 0 0 1
        &gt; 1
        &gt; STORED
        &gt; set injected 0 3600 10
        &gt; 1234567890
        &gt; STORED
        &gt; 0 30 10
        &gt; ERROR
        &gt; 1234567890
        &gt; ERROR

    

Impact

The impact include:-

  • An attacker can run malicious code to this system

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Use binary protocol for client-server interaction.
  • Try to bind the Memcache server to specific IPs only.
  • Don’t expose Memcache to DMZ env or on to the internet.
  • Protect Memcache using a powerful firewall.

Latest Articles