CVE-2021-44142: Details on a Samba Code Execution Bug Demonstrated at Pwn2Own Austin
February 01, 2022 | The ZDI Research TeamRecently, Samba released a patch to address an Out-of-Bounds (OOB) Heap Read/Write vulnerability found in Samba versions prior to 4.13.17. This vulnerability was disclosed at Pwn2Own Austin 2021 by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) of STAR Labs. After the event, Lucas Leong of Trend Micro Zero Day Initiative discovered additional variants of the vulnerability which were disclosed to Samba as part of this fix. This bug was also independently reported to Samba by Orange Tsai of DEVCORE.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samba. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of EA metadata in the Samba server daemon (smbd) when opening a file. An attacker can leverage this vulnerability to execute code in the context of root.
Now that the patch has been made available, let’s take a more detailed look at the bugs involved and the patch released to fix them. Much of this information was derived from the white paper submitted by STARLabs as a part of their Pwn2Own entry.
Background
Within Samba, the server daemon that provides the file sharing service is known as smbd
. This analysis was conducted on smbd
version 4.9.5, which can be downloaded here. While this isn’t the latest version of Samba, there are still quite a few vendors that incorporate this version or prior versions in their products. This was the case during Pwn2Own Austin 2021. Since Samba provides file sharing between devices, it is often enabled by default. The configuration of smbd
is found in /etc/samba/smb.conf
. Here’s a portion of an smb.conf
file showing how Samba would be configured to support a Time Machine share for Apple devices:
In this section, you can see that guest ok = yes
is declared, which allows guest authentication. The vfs objects
list contains three modules: catia
, fruit
, and streams_xattr
. The bugs we’re concerned with reside in the fruit
module, which provides enhanced compatibility with Apple SMB clients. As stated by the vendor advisory, “The problem in vfs_fruit
exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk
or fruit:resource=file
. If both options are set to different settings than [sic] the default values, the system is not affected by the security issue.”
The Vulnerability
The fruit
module that ships with Samba is designed to provide interoperability between Samba and Netatalk. Netatalk is an open-source implementation of the Apple Filing Protocol (AFP). It allows Unix-like systems to serve as file servers for Apple devices. Once a session is established, smbd
allows an unauthenticated user to set extended file attributes of a file via SMB2_SET_INFO
. This is done by the set_ea function
found in “source3/smbd/trans2.c”. The name of the attribute must not be within the private Samba attribute name list, which includes user.SAMBA_PAI
, user.DOSATTRIB
, user.SAMBA_STREAMS
, and security.NACL
. With the exception of these attributes, an attacker can set arbitrary extended attributes.
The fruit
module handles requests that access a file with the stream name :AFP_AfpInfo
or :AFP_Resource
. If using the stream name :AFP_AfpInfo
, an attacker can open, read, and write Netatalk metadata of a file. Netatalk metadata is stored in a adouble
structure, which is initialized by the ad_get
/ad_fget
functions.
The Netatalk metadata of a file is stored in the value of the extended attribute identified by the name org.netatalk.Metadata
. The metadata will be parsed to fill the adouble
(AppleDouble) structure. Since org.netatalk.Metadata
isn't in the private Samba attribute name list discussed above, an attacker can set an arbitrary value for this attribute. Therefore, it's possible for an attacker to inject malformed metadata values. This can lead to multiple out-of-bounds memory accesses when the adouble
structure is later used.
Let’s take a more detailed look at the bugs used to exploit this vulnerability during the Pwn2Own competition.
ZDI-22-245: Heap Out-Of-Bounds Read
The fruit_pread
function reads metadata of a file. Since our file stream is named :AFP_AfpInfo
and the file type is ADOUBLE_META
, the function chain fruit_pread_meta
-> fruit_pread_meta_adouble
will be executed.
Consider the following source code:
At line 4279, the ad_fget
function creates an adouble
structure containing attacker-controlled data.
At line 4285, the call to ad_get_entry
returns the pointer to the ADEID_FINDERI
entry. Since this is controllable by the attacker, they can make p
point to the last byte of the ad->data
buffer. This will cause the memcpy
call at line 4300 to read past the end of the allocated buffer and dump up to thirty-one bytes of memory from the heap.
ZDI-22-246: Heap Out-Of-Bounds Write
The fruit_pwrite
function is used to write metadata to a file. Since we can already control an ADEID_FINDERI
entry, we can leverage that to control a memcpy
call, which allows us to write up to thirty-one bytes of data to the heap.
Consider the following source code:
At line 4657, the ad_fget
function creates the ad
adouble
structure from metadata. As mentioned before, an attacker could inject malformed metadata here and control the values within.
Later at line 4664, the ad_get_entry
returns the pointer to the ADEID_FINDERI
entry. Since this is controllable by the attacker, they can set p
to point to the last byte of the ad->data
buffer. This allows the memcpy
call at line 4671 to write past the end of the ad->ad_data
buffer. Since ad->ad_data
is allocated from heap memory, the attacker can leverage this vulnerability to write up to 31 bytes of data past the end of the heap buffer.
ZDI-22-244: Heap-based Buffer Overflow
When analyzing the bugs used during Pwn2Own, ZDI Vulnerability Researcher Lucas Leong noticed a variant of the vulnerability used at the contest.
In the case of the bugs used during Pwn2Own, Samba fails to validate the ADEID_FINDERI
function, which leads to an OOB read and OOB write. Further analysis from Lucas found that Samba does not validate the ADEID_FILEDATESI
entry either. This leads to OOB read in ad_getdate
and an OOB write in ad_setdate
. This leads to an overflow of three bytes, as seen in the code below:
An attacker can possibly leverage this vulnerability to execute code in the context of the smbd
daemon.
Patch details
The source code of the patch for CVE-2021-44142 can be found here. The primary change from the vendor was an update to two areas to mitigate this vulnerability.
First, Samba added the function ad_entry_check_size()
, which validates the size of each entry when parsing the AppleDouble format.
Second, Samba added the Netatalk extended attribute AFPINFO_EA_NETATALK
to the list of the private attribute name list. Since an attacker needs to set the malformed extended attribute on a file at the beginning stage of this exploit, this change effectively blocks any user attempting to set any Netatalk extended attribute. This is a generic mitigation for this attack vector.
Conclusion
Samba patched this and other bugs on January 31, 2022. They assigned CVE-2021-44142 to cover the bugs discussed in this report. In addition to 4.13.17, Samba 4.14.12 and 4.15.5 have been released to address this vulnerability. The vendor does list removing the fruit VFS module from the list of configured VFS in “smb.conf” as a workaround. However, this will severely impact the functionality of any macOS systems attempting to access the Samba server. Because of this, you should focus on testing and deploying the patch to remediate this vulnerability. It’s also recommended to reach out to any third-party vendors with devices on your enterprise to ensure they have consumed the patch and provided updates to their devices as well. It is expected that many different vendors will need to update the version of Samba they ship with their devices, so expect lots of additional patches to address these bugs.
Thanks again to Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) of STAR Labs for participating in Pwn2Own Austin 2021 and demonstrating this bug. At the contest, they won $45,000 from this exploit alone, and a total of $113,500 for the entire event. We certainly hope to see them at future competitions. Until then, follow the team for the latest in exploit techniques and security patches.