PHPMemcachedAdmin RCE — CVE-2014-8731

Mon, 05 Dec 2022 00:00:00 +0000

CVE-2014-8731 is an unauthenticated RCE in PHPMemcachedAdmin ≤ 1.2.2. The CVE is from 2014. I wrote a PoC in 2022 - git.sbani.net.

Root cause

stats.php derives a file path from two user-controlled inputs and writes to it:

$hash = md5($_REQUEST['cluster']);

if (!isset($_COOKIE['live_stats_id' . $hash])) {
 // generate new id
} else {
 $live_stats_id = $_COOKIE['live_stats_id' . $hash];
}

$file_path = rtrim($_ini->get('file_path'), '/')
 . DIRECTORY_SEPARATOR
 . 'live_stats.' . $live_stats_id;

$live_stats_id is read from a cookie. No validation, no normalisation.
file_path defaults to a directory inside the web root.
The cluster name later gets serialised into the dump file as part of the stats payload.

Result: arbitrary file write, attacker-controlled name and content, inside the document root.

netw0rk | Cybersecurity & Software Engineering on netw0rk.io

PHPMemcachedAdmin RCE — CVE-2014-8731

Root cause