This is an easy and trivial issue to fix. The patch was committed and pushed to the mainline. Probably no one will ever notice this issue again. Well, that is, until it is discovered that the same commit introduced a new type confusion vulnerability in the same code path. The patch was then modified to fix the type confusion vulnerability, but the memory leak was left unpatched. Eventually the patch was pushed to the mainline, and now this unpatched memory leak is being actively exploited. As demonstrated by the Trend Micro security researchers, it is possible to trigger the unpatched memory leak repeatedly in order to continuously leak memory. This can be done by repeatedly parsing the /etc/passwd file with the memcached daemon. This can be done by repeatedly parsing the /etc/passwd file with the memcached daemon.
The Trend Micro memcached attack
The Trend Micro security researchers were able to make the unpatched memory leak repeatedly triggered in order to continuously leak memory. This was done by repeatedly parsing the /etc/passwd file with the memcached daemon. For example, they could run this command:
$ echo "test" | nc localhost 11211
This will send a string of characters through to the memcached server where they can be parsed as follows:
# curl -X POST --data-binary '{"name":"test","hosts":["localhost"]}' http://localhost:11211/json.htm
Now when the 120th byte is sent to the memcached server, the /bin/sh command will be invoked and it will attempt to execute it's arguments. The attack could also be made more effective by using a web shell that executes commands upon request such as wget or telnet. With these tools, you can completely bypass all authentication and exploit any system without a single exploit being required.
Memory corruption vulnerability found in memcached
A memory corruption vulnerability was found in memcached, a popular open source distributed memory object caching system. The vulnerability is caused by a memory leak that can be triggered repeatedly to continually leak memory. Trend Micro security researchers were able to trigger this unpatched memory leak by repeatedly parsing the /etc/passwd file with the memcached daemon.
The Unpatched Memory Leak
A memory leak is a resource that is not used by your code, but as time goes on, it can consume more and more computing resources. For example, if you are programming a web server and you do not close a file handle after reading from it, the system will keep trying to read from the file handle until it is closed. If the system cannot allocate more memory because there is none available, the program will crash. This type of issue is often triggered by shared libraries that use memory leaks in order to implement their functionality.
A lot of time has already been spent on this issue by others who have investigated and fixed this problem in other Linux distributions. There are many different possible solutions for this type of problem:
1) Re-implementing functions that no longer exist
2) Patching shared libraries
3) Using dynamic memory allocation
4) Use transactional memory
5) Disabling or disabling unused features
Timeline
Published on: 09/21/2022 00:15:00 UTC
Last modified on: 09/22/2022 13:12:00 UTC