CVE-2018-6340

HIGH 8.1 / 10.0
Published: December 31, 2018 at 10:29 PM
Modified: May 6, 2025 at 07:15 PM
Source: cve-assign@fb.com

Vulnerability Description

The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).

CVSS Metrics

Base Score: 8.1
Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: cve-assign@fb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

HHVM (HipHop Virtual Machine) is vulnerable to an out-of-bounds read via the Memcache::getextendedstats function, allowing attackers to potentially leak sensitive information or cause a denial-of-service. Exploiting this requires control over the memcached server hostnames and/or ports, making it a targeted attack vector. Successful exploitation could lead to data breaches or system instability.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies running HHVM instances and determines the memcached server configuration used by the HHVM application.

Step 2: Memcached Server Control: The attacker gains control over a memcached server or configures a malicious memcached server with specific hostnames and/or ports that will be used by the HHVM application.

Step 3: Payload Delivery: The attacker crafts a request to the HHVM application that calls the Memcache::getextendedstats function, passing the attacker-controlled memcached server details as arguments.

Step 4: Vulnerability Trigger: The Memcache::getextendedstats function attempts to retrieve extended statistics from the attacker-controlled memcached server.

Step 5: Out-of-Bounds Read: Due to the lack of proper input validation, the function reads beyond the allocated memory buffer when processing the response from the malicious memcached server.

Step 6: Information Disclosure/DoS: The out-of-bounds read either leaks sensitive information from memory or causes the HHVM process to crash, resulting in a denial-of-service.

03 // Deep Technical Analysis

The vulnerability lies within the Memcache::getextendedstats function in HHVM. This function, when provided with crafted input related to memcached server hostnames and ports, can trigger an out-of-bounds read. The root cause is likely a lack of proper input validation or bounds checking when processing the responses from the memcached servers. Specifically, the function fails to correctly handle the size or format of the data returned by the memcached servers, leading to reading beyond the allocated memory buffer. This could be due to an integer overflow or an incorrect calculation of the memory offset when accessing the data. The attacker leverages this flaw by providing malicious memcached server details, causing the function to read from an invalid memory location, potentially revealing sensitive data or crashing the HHVM process.
