|
| Critical Samba Vulnerability Allows Remote Code Execution |
Introduction :
Recently, a critical out-of-bounds vulnerability, assigned to CVE-2021-44142, was disclosed in Samba versions prior to 4.13.17. The Samba vulnerability carries a critical CVSS of 9.9 and allows attackers to remotely execute code on machines running a Samba server with a vulnerable configuration. The vulnerability was disclosed as part of the Pwn2Own Austin competition where researchers are challenged to exploit widely-used software and devices with unknown vulnerabilities. This year researchers from STAR Labs won $45,000 for exploiting this bug on the Western Digital My Cloud Home Personal Cloud NAS.
Samba is an implementation of SMB protocol that provides file and printer interoperability for Windows platforms over the network. It does not ship with Ubuntu or Debian distributions by default but it is a widely installed software package and many Linux-based IoT and network devices include publicly open SMB services by default.
The disclosure consists of three vulnerabilities that reside in adouble.c – a heap out-of-bounds read, a heap out-of-bounds write, and a heap-based buffer overflow. These vulnerabilities can be triggered when the fruit VFS module is enabled in the Samba configuration.
The vfs_fruit module provides enhanced compatibility with Apple SMB clients and interoperability with Netatalk. Netatalk is a free open-source implementation of Apple Filing Protocol (AFP) that allows a Unix-like OS to operate as a file server for macOS. The module enables communication between Samba and Netatalk file servers, as well as visibility of shared files for Apple clients.
CVE-2021-44142 technical summary
The vfs_fruit module enables the use of alternate data streams (ADS) for a share, and handles all access to the streams :AFP_AfpInfo and AFP_Resource, which are used by Apple’s AppleDouble file format. Accessing a file’s :AFP_AfpInfo stream allows an attacker to read and write its Netatalk’s metadata, which is stored in a adouble structure, and is initialized by the ad_get and ad_fget functions.
The disclosure points out 3 distinct vulnerabilities. In the pwn2own competition, unauthenticated remote code execution was achieved with a combination of two of them. The first vulnerability is a heap out-of-bounds read in the fruit_pread_meta_adouble function, which is called by the function fruit_pread_meta when reading a file’s metadata stored in the AFP_AfpInfo data stream of an adouble file. More specifically, it is caused due to lack of validation of the Finder information stored by the AppleDouble file format, stored in the ADEID_FINDERI metadata structure entry, which can be controlled by the attacker.
static ssize_t fruit_pread_meta_adouble(vfs_handle_struct *handle,
files_struct *fsp, void *data,
size_t n, off_t offset)
{
…
ad = ad_fget(talloc_tos(), handle, fsp, ADOUBLE_META);
if (ad == NULL) {
nread = -1;
goto fail;
}
p = ad_get_entry(ad, ADEID_FINDERI);
if (p == NULL) {
DBG_ERR("No ADEID_FINDERI for [%s]\n", fsp_str_dbg(fsp));
nread = -1;
goto fail;
}
memcpy(&ai->afpi_FinderInfo[0], p, ADEDLEN_FINDERI);
nread = afpinfo_pack(ai, afpinfo_buf);
if (nread != AFP_INFO_SIZE) {
nread = -1;
goto fail;
}
memcpy(data, afpinfo_buf, n);
nread = n;
fail:
TALLOC_FREE(ai);
return nread;
}
The second vulnerability that was used is a heap-based buffer overflow in the ad_setdate function, caused due to lack of validation of a file’s date information entry.
int ad_setdate(struct adouble *ad, unsigned int dateoff, uint32_t date)
{
bool xlate = (dateoff & AD_DATE_UNIX);
char *p = NULL;
p = ad_get_entry(ad, ADEID_FILEDATESI);
if (p == NULL) {
return -1;
}
dateoff &= AD_DATE_MASK;
if (xlate) {
date = AD_DATE_FROM_UNIX(date);
}
if (dateoff > AD_DATE_ACCESS) {
return -1;
}
memcpy(p + dateoff, &date, sizeof(date));
return 0;
}
The patch released for CVE-2021-44142 by Samba introduces the function ad_entry_check_size, which is used to validate the sizes of the entries in the AppleDouble file format. In addition to this function, an extended file attribute called AFPINFO_EA_NETATALK was introduced in order to prevent attackers from setting extended Netatalk file attributes, a required step for triggering the mechanism in which these vulnerabilities were found.
How exploitable is CVE-2021-44142?
To trigger this vulnerability, an attacker needs to upload a new file to the Samba share, which requires write permissions for that share. Depending on the configuration of the Samba server, this may be allowed for either unauthenticated or authenticated users (or even not at all). One way to allow unauthenticated exploitation of this issue is by specifying both the writable and guest ok settings in the Samba configuration on a specific directory.
The other requirement, perhaps the more substantial one, is the inclusion of the vfs_fruit module in the Samba configuration. Despite this module being disabled by default, there are NAS vendors that intend to support Apple clients and enable this module by default.
How can you remediate CVE-2021-44142?
The recommended solution for resolving the vulnerability is a software upgrade.
Many major Linux distributions have released patched Samba versions. See the relevant upgrade instructions for Ubuntu, Red Hat, and Debian (at the time of writing, no fix is available in Debian yet).
Conclusion
While Samba’s CVE-2021-44142 introduces a critical out-of-bounds vulnerability with a CVSS score of 9.9, there are several nontrivial preconditions that need to be met for successful exploitation. This includes the configuration of a shared resource with write-access enabled and the inclusion of the vulnerable vfs_fruit module. Since the module is not loaded by default in common Linux distros or in a default configuration of Samba, we do not expect widespread exploitation of this issue outside of vulnerable-by-default NAS devices.