Memcached Stats Amplification Scanner

2024-08-3100:00:00

Jon Hart, xistence, Marek Majkowski, metasploit.com

packetstormsecurity.com

memcached

udp port

amplification attack

discovery

vulnerability

proof

cloudflare

metasploit

scanner

cve-2018-1000115

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

Low

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Report  
include Msf::Exploit::Capture  
include Msf::Auxiliary::UDPScanner  
include Msf::Auxiliary::DRDoS  
  
def initialize  
super(  
'Name' => 'Memcached Stats Amplification Scanner',  
'Description' => %q(  
This module can be used to discover Memcached servers which expose the  
unrestricted UDP port 11211. A basic "stats" request is executed to check  
if an amplification attack is possible against a third party.  
),  
'Author' =>  
[  
'Marek Majkowski', # Cloudflare blog and base payload  
'xistence <xistence[at]0x90.nl>', # Metasploit scanner module  
'Jon Hart <[email protected]>', # Metasploit scanner module  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => 'Feb 27 2018',  
'References' =>  
[  
['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],  
['CVE', '2018-1000115']  
]  
)  
  
register_options([  
Opt::RPORT(11211)  
])  
end  
  
def build_probe  
# Memcached stats probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt  
@memcached_probe ||= [  
rand(2**16), # random request ID  
0, # sequence number  
1, # number of datagrams in this sequence  
0, # reserved; must be 0  
"stats\r\n"  
].pack("nnnna*")  
end  
  
def scanner_process(data, shost, sport)  
# Check the response data for a "STAT" response  
if data =~ /\x0d\x0aSTAT\x20/  
@results[shost] ||= []  
@results[shost] << data  
end  
end  
  
# Called after the scan block  
def scanner_postscan(batch)  
@results.keys.each do |host|  
response_map = { @memcached_probe => @results[host] }  
report_service(  
host: host,  
proto: 'udp',  
port: rport,  
name: 'memcached'  
)  
  
peer = "#{host}:#{rport}"  
vulnerable, proof = prove_amplification(response_map)  
what = 'memcached stats amplification'  
if vulnerable  
print_good("#{peer} - Vulnerable to #{what}: #{proof}")  
report_vuln(  
host: host,  
port: rport,  
proto: 'udp',  
name: what,  
refs: references  
)  
else  
vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")  
end  
end  
end  
end  
`