To whom it may concern,

I really appreciate your cooperation and the time you have dedicated to my report. The PoC is attached to this email.
# ./memcached --auth-file=input/a.txt -u root -m 1024 -p 11211
=================================================================
==1061115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000009e at pc 0x7fae5a305f9d bp 0x7ffee16f4fd0 sp 0x7ffee16f4778
WRITE of size 15 at 0x60200000009e thread T0
    #0 0x7fae5a305f9c  (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c)
    #1 0x55bca5ccaf23 in fgets /usr/include/x86_64-linux-gnu/bits/stdio2.h:265
    #2 0x55bca5ccaf23 in authfile_load /home/constantine/test/memcached/authfile.c:50
    #3 0x55bca5c3ffb5 in main /home/constantine/test/memcached/memcached.c:5639
    #4 0x7fae597010b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x55bca5c45d9d in _start (/home/constantine/test/memcached/memcached+0x26d9d)

0x60200000009e is located 0 bytes to the right of 14-byte region [0x602000000090,0x60200000009e)
allocated by thread T0 here:
    #0 0x7fae5a3bfdc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    #1 0x55bca5ccaedd in authfile_load /home/constantine/test/memcached/authfile.c:44

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c)
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1061115==ABORTING

I am looking forward to hearing from you at your earliest convenience.

Sincerely,
Mohammad Hosein Askari

--
You received this message because you are subscribed to the Google Groups "memcached" group.
To unsubscribe from this group and stop receiving emails from it, send an email to memcached+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/memcached/3af99054-6bd5-4ec7-adb9-e963cdb37c79n%40googlegroups.com.
\0\0\0:````\n