Zero Day Initiative — CVE-2023-24941: Microsoft Network File System Remote Code Execution

June 01, 2023 | Trend Micro Research Team

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Quinton Crist, Guy Lederfein, and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Network File System (NFS) server. This bug was originally discovered by Wei in Kunlun Lab with Cyber KunLun. The vulnerability is triggered when handling incoming NFSv4.1 calls containing utf8strings while the server is low on memory. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted call to an affected server. The following is a portion of their write-up covering CVE-2023-24941, with a few minimal modifications.


A remote code execution vulnerability has been reported in Microsoft Network File System (NFS). The vulnerability is triggered when handling incoming NFSv4.1 calls.

The Vulnerability

Microsoft Windows ships with several network features, some of which can be used to communicate with non-Windows file shares. One of these modules is NFS.

Network File System (NFS) is a network file system protocol originally developed by Sun Microsystems in 1984. Version 2 is documented in RFC 1094 and version 3 in RFC 1813. Version 4 was developed by the IETF and is documented in RFC 3010 (released December 2000) and RFC 3530 (released April 2003); the NFSv4.1 minor version relevant here is specified in RFC 5661. NFS allows users to access remote file shares in the same way that the local file system is accessed. Different access levels and permissions can be set on a share, such as read-write and read-only, and access can additionally be restricted by IP address, UID/GID, or Kerberos. NFS uses Open Network Computing (ONC) Remote Procedure Call (RPC) to exchange control messages. ONC RPC was also originally developed by Sun Microsystems and is also referred to as Sun RPC.

When ONC RPC messages are transferred over TCP, they are prepended with a Fragment header structure (record marking, illustrated in the following table) that specifies the length of the message. This allows the receiver to distinguish multiple messages sent over a single TCP session. Other transports such as UDP do not use this field. Note that all multi-byte values are encoded in big-endian byte order.

Offset Size Description
--------- ----- ----------------------------------
0x0000 4 Fragment header: bit 31 is set on the last fragment of a record; bits 0-30 hold the fragment length LEN
0x0004 LEN RPC message data

In the NFS4 protocol, a utf8string is transferred in the following format (XDR variable-length data: the string data is followed by zero to three padding bytes so that the next field starts on a 4-byte boundary):

Offset Size Description
--------- ----- ----------------------------------
0x0000 4 LEN
0x0004 LEN String data

A remote code execution vulnerability has been reported in Microsoft Network File System. The vulnerability is triggered when handling incoming NFSv4.1 calls containing utf8strings while the server is low on memory. When the server parses a received string, a buffer is allocated to hold the string data, and the buffer pointer is passed together with the string length to the decoding routine. The code does not properly handle the allocation failing: the decoding routine still writes the null termination byte at offset LEN from whatever pointer it was given, so the write lands relative to an invalid buffer.

A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted call to the victim Network File System service. Successful exploitation of this vulnerability can result in remote code execution.
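As an added example (not code from the Trend Micro report or from nfssvr.sys), the C program below models the flaw just described next to a hardened version. Kernel memory is simulated by a flat byte array in which offset 0 plays the role of NULL, a toy allocator with a configurable budget stands in for the pool, and decode_STRING_vuln and decode_STRING_fixed are hypothetical stand-ins for the caller that allocates the buffer and hands it to the string decoder; the model's layout offsets, the 0xAA "flag" byte, and the MAX_NAME_LEN bound are assumptions for the demonstration. The point it makes is that when the allocation fails, the unconditional terminator store becomes a zero-byte write at an attacker-chosen offset from NULL (the declared string length), not merely a null-pointer dereference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulation only: a flat byte array stands in for kernel memory. "Pointers" are
 * offsets into it and offset 0 plays the role of NULL. */
#define MEM_SIZE 0x200
static uint8_t mem[MEM_SIZE];
static size_t heap_next, heap_budget;        /* toy allocator state */
static void model_reset(size_t budget) {
    memset(mem, 0, sizeof mem);
    heap_next = 0x100;                       /* heap occupies the upper half of the model */
    heap_budget = budget;                    /* a small budget models a server low on memory */
}
static size_t kalloc(size_t n) {             /* returns an offset, or 0 (NULL) on failure */
    if (n > heap_budget || heap_next + n > MEM_SIZE) return 0;
    size_t p = heap_next; heap_next += n; heap_budget -= n; return p;
}

/* XDR cursor over a received message: big-endian, 4-byte aligned fields. */
typedef struct { const uint8_t *buf; size_t len, pos; } xdr_t;
static int xdr_u32(xdr_t *x, uint32_t *out) {
    if (x->len - x->pos < 4) return -1;
    const uint8_t *p = x->buf + x->pos;
    *out = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    x->pos += 4;
    return 0;
}
/* Copy n opaque bytes to mem[dst] and skip the pad to the next 4-byte boundary, as the
 * memcpy and the AND EAX,0x3 round-up do in XdrDecodeString's fast path. */
static int xdr_opaque(xdr_t *x, uint32_t n, size_t dst) {
    if (x->len - x->pos < n || dst + n > MEM_SIZE) return -1;
    memcpy(mem + dst, x->buf + x->pos, n);
    x->pos += n + ((4 - (n & 3)) & 3);
    return 0;
}

/* Vulnerable shape: the terminator store depends on nothing before it (LAB_1c001e09e). */
static void xdr_decode_string_vuln(xdr_t *x, uint32_t len, size_t dst) {
    if (dst != 0)                            /* model choice: the data copy is not the point */
        xdr_opaque(x, len, dst);
    if (dst + len < MEM_SIZE)                /* model bound only; the real store has no check */
        mem[dst + len] = 0;                  /* dst == NULL: a zero byte lands at mem[len] */
}
static int decode_STRING_vuln(xdr_t *x, size_t *out) {
    uint32_t len;
    if (xdr_u32(x, &len)) return -1;
    size_t dst = kalloc((size_t)len + 1);    /* 0 (NULL) under memory pressure ... */
    xdr_decode_string_vuln(x, len, dst);     /* ... but the decoder is called regardless */
    *out = dst;
    return 0;
}

/* Hardened shape: bound the length, check the allocation, check the copy. */
#define MAX_NAME_LEN 0x1000
static int decode_STRING_fixed(xdr_t *x, size_t *out) {
    uint32_t len;
    if (xdr_u32(x, &len)) return -1;
    if (len > MAX_NAME_LEN) return -1;       /* reject before allocating */
    size_t dst = kalloc((size_t)len + 1);
    if (dst == 0) return -1;                 /* allocation failed: write nothing at all */
    if (xdr_opaque(x, len, dst)) return -1;
    mem[dst + len] = 0;
    *out = dst;
    return 0;
}

/* Constructed utf8string field: big-endian LEN, LEN bytes of data, pad to 4. */
static size_t build_utf8string(uint8_t *out, size_t cap, uint32_t len, uint8_t fill) {
    size_t pad = (4 - (len & 3)) & 3;
    if (cap < 4 + len + pad) return 0;
    out[0] = (uint8_t)(len >> 24); out[1] = (uint8_t)(len >> 16); out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    memset(out + 4, fill, len);
    memset(out + 4 + len, 0, pad);
    return 4 + len + pad;
}
/* Decode a string of LEN == TARGET with the given heap budget; LEN is chosen so that a
 * NULL-based terminator store lands on a "sensitive" byte at mem[TARGET]. Returns that
 * byte afterwards and leaves the decoder's return value in last_status. */
#define TARGET 0x40
static int last_status;
static int run_decode(int (*decode)(xdr_t *, size_t *), size_t budget) {
    uint8_t msg[0x80];
    size_t n = build_utf8string(msg, sizeof msg, TARGET, 'A');
    model_reset(budget);
    mem[TARGET] = 0xAA;                      /* constructed stand-in for a kernel flag */
    xdr_t x = { msg, n, 0 };
    size_t dst;
    last_status = decode(&x, &dst);
    return mem[TARGET];
}

int main(void) {
    int v = run_decode(decode_STRING_vuln, 0x10), vs = last_status;   /* low memory */
    int f = run_decode(decode_STRING_fixed, 0x10);
    printf("low memory: vulnerable status %d, mem[0x40]=0x%02x; fixed status %d, mem[0x40]=0x%02x\n", vs, v, last_status, f);
    return 0;
}
```

Running it shows the status and the value of the sensitive byte for both decoders under memory pressure: the vulnerable path reports success while mem[0x40] has been zeroed, and the hardened path fails closed with the byte untouched. Raising the budget passed to run_decode makes both paths behave identically, which is why the bug only surfaces when the server is low on memory.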

Source Code Walkthrough

The following code snippet was taken from nfssvr.sys version 10.0.17763.4252. Comments added by Trend Micro follow a semicolon at the end of the instruction.

**************************************************************
* FUNCTION *
**************************************************************
undefined __fastcall XdrDecodeString(longlong param_1, uint param_2, void * param_3)
undefined AL:1 <RETURN>
longlong RCX:8 param_1
uint EDX:4 param_2
void * R8:8 param_3
XdrDecodeString
1c001dfec MOV qword ptr [RSP + 0x8],RBX
1c001dff1 MOV qword ptr [RSP + 0x10],RSI
1c001dff6 PUSH RDI
1c001dff7 SUB RSP,0x20
1c001dffb CMP dword ptr [RCX + 0x108],0x0
1c001e002 MOV RSI,R8
1c001e005 MOV EDI,EDX
1c001e007 MOV RBX,RCX
1c001e00a JL LAB_1c001e091
1c001e010 MOV R9,qword ptr [RCX + 0x48]
1c001e014 TEST R9,R9
1c001e017 JNZ LAB_1c001e01d
1c001e019 XOR EAX,EAX
1c001e01b JMP LAB_1c001e040
LAB_1c001e01d
1c001e01d MOV EDX,dword ptr [R9 + 0x40]
1c001e021 SUB EDX,dword ptr [R9 + 0x38]
1c001e025 MOV R8D,dword ptr [R9 + 0x4c]
1c001e029 CMP R8D,EDX
1c001e02c JC LAB_1c001e035
1c001e02e MOV ECX,R8D
1c001e031 SUB ECX,EDX
1c001e033 JMP LAB_1c001e038
LAB_1c001e035
1c001e035 OR ECX,0xffffffff
LAB_1c001e038
1c001e038 XOR EAX,EAX
1c001e03a CMP R8D,EDX
1c001e03d CMOVNC EAX,ECX
LAB_1c001e040
1c001e040 CMP EAX,EDI
1c001e042 JC LAB_1c001e091
1c001e044 TEST R9,R9
1c001e047 JNZ LAB_1c001e04d
1c001e049 XOR EDX,EDX
1c001e04b JMP LAB_1c001e051
LAB_1c001e04d
1c001e04d MOV RDX,qword ptr [R9 + 0x40]
LAB_1c001e051
1c001e051 MOV R8,RDI
1c001e054 MOV RCX,RSI
1c001e057 CALL memcpy
1c001e05c MOV RAX,qword ptr [RBX + 0x48]
1c001e060 ADD qword ptr [RAX + 0x40],RDI
1c001e064 MOV RCX,qword ptr [RBX + 0x48]
1c001e068 TEST RCX,RCX
1c001e06b JNZ LAB_1c001e077
1c001e06d MOV R8,qword ptr [RCX + 0x40]
1c001e071 XOR EAX,EAX
1c001e073 XOR EDX,EDX
1c001e075 JMP LAB_1c001e082
LAB_1c001e077
1c001e077 MOV RDX,qword ptr [RCX + 0x40]
1c001e07b MOV RAX,qword ptr [RCX + 0x38]
1c001e07f MOV R8,RDX
LAB_1c001e082
1c001e082 SUB RAX,RDX
1c001e085 AND EAX,0x3
1c001e088 ADD RAX,R8
1c001e08b MOV qword ptr [RCX + 0x40],RAX
1c001e08f JMP LAB_1c001e09e
LAB_1c001e091
1c001e091 MOV R8,RSI
1c001e094 MOV EDX,EDI
1c001e096 MOV RCX,RBX
1c001e099 CALL XdrDecodeOpaqueSlow
LAB_1c001e09e
1c001e09e MOV byte ptr [RDI + RSI*0x1],0x0 ;Always writes null terminator: param_3[param_2] = 0, reached from both the fast path and the XdrDecodeOpaqueSlow path with no check on the buffer pointer or on the decode result
1c001e0a2 MOV RBX,qword ptr [RSP + 0x30]
1c001e0a7 MOV RSI,qword ptr [RSP + 0x38]
1c001e0ac ADD RSP,0x20
1c001e0b0 POP RDI
1c001e0b1 RET

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on ports 2049/TCP and 2049/UDP. NFSv4.1 itself is carried over TCP (RFC 5661 requires a congestion-controlled transport), so the UDP port matters only because the same service also accepts NFSv2 and NFSv3 traffic.

As described above, ONC RPC messages carried over TCP are prefixed with a Fragment header giving the message length, which the detection device must use to delimit consecutive messages on a single TCP session; UDP messages carry no such header. The vulnerable method XdrDecodeString can only trigger this vulnerability when called from Nfs4SvrXdrpDecode_STRING.

The following fields are parsed using Nfs4SvrXdrpDecode_STRING and are defined in RFC 3530 (NFSv4.0) and, for EXCHANGE_ID, RFC 5661 (NFSv4.1):

OPEN4args.claim.file
OPEN4args.claim.delegate_cur_info.file
OPEN4args.claim.file_delegate_prev
EXCHANGE_ID4args.eia_client_impl_id.nii_domain
EXCHANGE_ID4args.eia_client_impl_id.nii_name
RENAME4args.oldname
RENAME4args.newname
SECINFO4args.name
CREATE4args.objname
CREATE4args.linkdata

The detection device should monitor the above fields in all NFS4 messages. Any valid field value can reach the vulnerable code, but an attacker would declare a large string length so that the server requests a large buffer, increasing the probability that the allocation fails during string processing. String lengths greater than 0x1000 should therefore be considered suspicious; if one is found, an attack exploiting this vulnerability is likely underway.

Note that the detection of strings larger than 0x1000 is based on the typical allowed limit of file path strings and can be adjusted higher or lower to account for various server configurations.
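As an added example of the detection logic (not code from the report or from any product), the C program below shows the checks in the order a detection device would apply them: it reads the TCP fragment header, walks the ONC RPC call header and the COMPOUND4args header, and applies the 0x1000 length threshold to monitored utf8string fields. Only RENAME4args and SECINFO4args are decoded; OPEN, CREATE and EXCHANGE_ID arguments require their full XDR definitions and simply end the walk here. The sample record is constructed inline, not captured traffic, and the threshold name, the field labels printed and the return-code convention are choices of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SUSPICIOUS_LEN 0x1000   /* threshold from the guidance above; tune per deployment */
enum { OP_PUTROOTFH = 24, OP_RENAME = 29, OP_SECINFO = 33 };  /* nfs_opnum4 values */
typedef struct { const uint8_t *p; size_t len, pos; } xdr_t;
static int xdr_u32(xdr_t *x, uint32_t *v) {
    if (x->len - x->pos < 4) return -1;
    const uint8_t *b = x->p + x->pos;
    *v = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    x->pos += 4;
    return 0;
}
static int xdr_skip_body(xdr_t *x, uint32_t n) {           /* n data bytes plus pad to 4 */
    size_t padded = (size_t)n + ((4 - (n & 3)) & 3);
    if (x->len - x->pos < padded) return -1;
    x->pos += padded;
    return 0;
}
static int xdr_skip_var(xdr_t *x) {                         /* opaque<> or string<> not inspected */
    uint32_t n;
    return xdr_u32(x, &n) ? -1 : xdr_skip_body(x, n);
}
/* Monitored utf8string field: alert on the declared LEN before touching the data, so a
 * truncated packet that claims a huge string is still flagged. */
static int check_string(xdr_t *x, const char *field, int *alerts) {
    uint32_t n;
    if (xdr_u32(x, &n)) return -1;
    if (n > SUSPICIOUS_LEN) { printf("ALERT %s LEN=0x%x\n", field, n); (*alerts)++; }
    return xdr_skip_body(x, n);
}
#define TRY(e) do { if (e) { bad = 1; goto done; } } while (0)
/* Walk an ONC RPC CALL carrying an NFSv4 COMPOUND (fragment header already removed). Returns
 * the alert count, or -1 if the message was malformed before anything was flagged. */
static int scan_compound(const uint8_t *msg, size_t len) {
    xdr_t x = { msg, len, 0 };
    uint32_t v, prog, vers, proc, numops, op;
    int alerts = 0, bad = 0;
    TRY(xdr_u32(&x, &v));                                   /* xid */
    TRY(xdr_u32(&x, &v) || v != 0);                         /* msg_type: CALL */
    TRY(xdr_u32(&x, &v) || v != 2);                         /* rpcvers */
    TRY(xdr_u32(&x, &prog) || xdr_u32(&x, &vers) || xdr_u32(&x, &proc));
    if (prog != 100003 || vers != 4 || proc != 1) return 0; /* not an NFSv4 COMPOUND */
    TRY(xdr_u32(&x, &v) || xdr_skip_var(&x));               /* cred: flavor, body */
    TRY(xdr_u32(&x, &v) || xdr_skip_var(&x));               /* verf: flavor, body */
    TRY(xdr_skip_var(&x) || xdr_u32(&x, &v) || xdr_u32(&x, &numops)); /* tag, minorversion, numops */
    for (uint32_t i = 0; i < numops; i++) {
        TRY(xdr_u32(&x, &op));
        switch (op) {
        case OP_PUTROOTFH: break;                           /* void args */
        case OP_SECINFO: TRY(check_string(&x, "SECINFO4args.name", &alerts)); break;
        case OP_RENAME:
            TRY(check_string(&x, "RENAME4args.oldname", &alerts));
            TRY(check_string(&x, "RENAME4args.newname", &alerts));
            break;
        default: goto done;   /* OPEN, CREATE, EXCHANGE_ID, ...: XDR not decoded here; stop */
        }
    }
done:
    return (bad && !alerts) ? -1 : alerts;
}
/* TCP record marking: 4-byte header, bit 31 = last fragment, bits 0-30 = fragment length.
 * Single-fragment records only; multi-fragment records need reassembly first. */
static int scan_record(const uint8_t *rec, size_t len) {
    xdr_t x = { rec, len, 0 };
    uint32_t hdr;
    if (xdr_u32(&x, &hdr) || !(hdr & 0x80000000u)) return -1;
    size_t flen = hdr & 0x7fffffffu;
    return flen > len - 4 ? -1 : scan_compound(rec + 4, flen);
}
/* Constructed sample traffic (not captured data). */
typedef struct { uint8_t b[0x80]; size_t n; } buf_t;
static void put_u32(buf_t *o, uint32_t v) {
    for (int i = 0; i < 4; i++) o->b[o->n++] = (uint8_t)(v >> (24 - 8 * i));
}
static void put_str(buf_t *o, uint32_t claim, const char *s) {   /* LEN may exceed the data */
    put_u32(o, claim);
    memcpy(o->b + o->n, s, strlen(s)); o->n += strlen(s);
    while (o->n & 3) o->b[o->n++] = 0;
}
/* One TCP record: RPC CALL, NFSv4 COMPOUND (minorversion 1) with PUTROOTFH and RENAME.
 * With malicious != 0 the newname declares LEN 0x2000 while carrying three bytes. */
static int scan_sample(int malicious) {
    buf_t o = { {0}, 4 };                                   /* room for the fragment header */
    uint32_t rpc[] = { 0x1234, 0, 2, 100003, 4, 1, 0, 0, 0, 0 }; /* xid..proc, AUTH_NULL cred, verf */
    for (size_t i = 0; i < sizeof rpc / sizeof *rpc; i++) put_u32(&o, rpc[i]);
    put_u32(&o, 0); put_u32(&o, 1); put_u32(&o, 2);         /* empty tag, minorversion, numops */
    put_u32(&o, OP_PUTROOTFH); put_u32(&o, OP_RENAME);
    put_str(&o, 3, "old");
    put_str(&o, malicious ? 0x2000 : 3, "new");
    uint32_t rm = 0x80000000u | (uint32_t)(o.n - 4);        /* last fragment, body length */
    for (int i = 0; i < 4; i++) o.b[i] = (uint8_t)(rm >> (24 - 8 * i));
    return scan_record(o.b, o.n);
}
int main(void) {
    printf("benign: %d alert(s); malicious: %d alert(s)\n", scan_sample(0), scan_sample(1)); return 0;
}
```

Because the alert is raised on the declared LEN before the data is consumed, a record that claims a 0x2000-byte name but carries only three bytes is still flagged; that matters because an exploit attempt has no reason to be a well-formed request, and a detector that first insists on a complete string would miss it.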

Conclusion

Microsoft patched this bug in May 2023 as CVE-2023-24941. In their advisory, they note that disabling NFSv4.1 and falling back to NFSv2 or NFSv3 can be used as a temporary mitigation. However, they also note that you should not employ this mitigation unless you have already installed the May 2022 Windows security update for CVE-2022-26937, an earlier remote code execution bug in the NFSv2/NFSv3 code paths; otherwise the downgrade trades one remotely exploitable bug for another. The better option is to test and deploy the latest patch, which addresses the vulnerability in NFSv4.1 directly.

Special thanks to Quinton Crist, Guy Lederfein, and Lucas Miller of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.