An Overview of the CVE-2021-44142 Samba Out-of-Bounds Read/Write
During Pwn2Own Austin 2021, a new vulnerability was discovered in Samba. The CVE associated with this vulnerability is CVE-2021-44142, and it is rated with a CVSSv3 score of 9.9 out of 10. It is a heap-based buffer overflow that allows remote attackers to execute arbitrary code in the context of the root user on affected systems. A server is vulnerable to CVE-2021-44142 if it is running a Samba version before 4.13.17 and has the fruit VFS module installed. Apart from the server configuration, the remote attacker also requires write access to a file's extended attributes in Samba. To exploit this vulnerability, the attacker needs to send some custom SMB packets.
For some background, here is an overview of SMB. SMB is one of the most popular network protocols: it allows files and printers to be shared, and other protocols, such as MSRPC, to be implemented on top of it. When it comes to file and printer sharing, SMB is one of the most preferred protocols, being directly implemented in Microsoft Windows and Apple macOS. SMB is used not only on personal computers but also on networking devices such as NAS appliances. As most of these network devices run Linux-based operating systems, an SMB implementation is required for them, and one of the most popular open-source implementations of the SMB protocol is Samba.
SMB works as a request-response protocol: the client sends a request, and the server sends a response to that request. Depending on the operation that the client wants to perform, a specific request needs to be sent, and the server needs to answer with the response specific to that request type; in other words, each request type and each response type has its own structure. For a client to connect to an SMB file server and perform file operations, it first needs to negotiate the protocol version, then set up a session based on some credentials, connect to the required share point/tree, and finally open the file and perform the required operation. Each of the enumerated steps requires one or more request/response messages to be exchanged.
An overview of the network packets that are sent by the attacker to exploit CVE-2021-44142 is presented in the following image:
The most relevant request sent by the attacker to exploit this vulnerability is the SetInfo Request. In the following image, we can see the data associated with the SetInfo Request.
The relevant field from the request is the EA Data field, which contains file metadata in the AppleDouble format. Wireshark does not understand this format; however, Kaitai Struct can parse most of the structure. In the following image, we can see the structure of our AppleDouble file as presented by the Kaitai Web IDE.
The most relevant entry in the preceding image is the one that carries the FINDER_INFO type. The C structure describing FINDER_INFO is presented in the following:
(snippet extracted from https://github.com/apple-oss-distributions/ntfs/blob/73053c238e3c281f105a437a91a2f2cc1c65faa5/kext/ntfs_sfm.h#L191)
The entry that describes the FINDER_INFO structure is particularly interesting because of its offset and length. The entire AppleDouble file is 0x192 bytes long, and the entry claims that the FINDER_INFO structure is stored in the last byte of the file with a length of 1; however, the structure should always be 32 bytes.
If we look at the Samba code before it was patched, we can see that the structure is copied directly, without first checking the entry's length field. Because the entry is the last one in the file and only one byte is available for the structure, reading the full 32-byte structure performs an out-of-bounds read of 31 bytes past the end of the buffer.
(snippet extracted from https://github.com/samba-team/samba/blob/ae3229e76d04e79addb2fa03319365a2f7675a82/source3/modules/vfs_fruit.c#L2185)
Similarly, there is an out-of-bounds write when the structure is written back, as shown in the following image:
(snippet extracted from https://github.com/samba-team/samba/blob/ae3229e76d04e79addb2fa03319365a2f7675a82/source3/modules/vfs_fruit.c#L2565)
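To make the two defects concrete, here is an added example (not Samba's code and not the code from the linked snippets) that parses the AppleDouble header described above and locates the FINDER_INFO entry. It covers both the read and the write side: the entry's offset and length are validated against the blob size and against the fixed 32-byte size of FINDER_INFO before any copy in either direction takes place, which is the kind of check the unpatched code lacked. The constants follow the AppleDouble header layout (magic 0x00051607, version 0x00020000, 16 filler bytes, a 16-bit entry count, 12-byte entries with id/offset/length, all big-endian; FINDER_INFO has entry id 9). The `ad_build_sample` helper and the 0x192-byte blob it constructs are assumptions made for this example; the error codes and function names are likewise this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* AppleDouble header layout (all fields big-endian):
 *   uint32 magic, uint32 version, uint8 filler[16], uint16 num_entries,
 *   then num_entries x { uint32 id; uint32 offset; uint32 length; } */
#define AD_MAGIC        0x00051607u
#define AD_VERSION      0x00020000u
#define AD_HEADER_LEN   26u
#define AD_ENTRY_LEN    12u
#define ADEID_FINDERI   9u   /* entry id of FINDER_INFO */
#define ADEDLEN_FINDERI 32u  /* FINDER_INFO is always 32 bytes */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk the entry table and return the byte offset of a FINDER_INFO entry
 * that really covers 32 bytes inside the blob. Returns -1 for a malformed
 * header, -2 if no FINDER_INFO entry exists, -3 if the entry's length is
 * not 32 or its [offset, offset+length) range does not fit in the blob. */
long ad_find_finderinfo(const uint8_t *blob, size_t blob_len)
{
    if (blob_len < AD_HEADER_LEN) return -1;
    if (be32(blob) != AD_MAGIC || be32(blob + 4) != AD_VERSION) return -1;

    uint16_t n = (uint16_t)((blob[24] << 8) | blob[25]);
    /* the entry table itself must fit inside the blob */
    if ((size_t)n * AD_ENTRY_LEN > blob_len - AD_HEADER_LEN) return -1;

    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = blob + AD_HEADER_LEN + (size_t)i * AD_ENTRY_LEN;
        uint32_t id = be32(e), off = be32(e + 4), len = be32(e + 8);
        if (id != ADEID_FINDERI) continue;
        /* The unpatched code copied 32 bytes regardless of len; a length of
         * 1 pointing at the last byte of the blob is rejected here. */
        if (len != ADEDLEN_FINDERI) return -3;
        /* overflow-safe bound check: off + len <= blob_len */
        if (off > blob_len || len > blob_len - off) return -3;
        return (long)off;
    }
    return -2;
}

/* Read side: copy FINDER_INFO out only after the entry has been validated. */
int ad_get_finderinfo(const uint8_t *blob, size_t blob_len, uint8_t out[ADEDLEN_FINDERI])
{
    long off = ad_find_finderinfo(blob, blob_len);
    if (off < 0) return (int)off;
    memcpy(out, blob + off, ADEDLEN_FINDERI);
    return 0;
}

/* Write side: store a new FINDER_INFO only into a validated 32-byte entry. */
int ad_set_finderinfo(uint8_t *blob, size_t blob_len, const uint8_t in[ADEDLEN_FINDERI])
{
    long off = ad_find_finderinfo(blob, blob_len);
    if (off < 0) return (int)off;
    memcpy(blob + off, in, ADEDLEN_FINDERI);
    return 0;
}

/* Constructed sample (assumption for this example): a 0x192-byte AppleDouble
 * blob with a single FINDER_INFO entry at the caller-chosen offset/length.
 * Bytes after the entry table are filled with their own index so that a
 * successful read can be recognised. Returns the blob length, 0 if cap is small. */
size_t ad_build_sample(uint8_t *buf, size_t cap, uint32_t fi_off, uint32_t fi_len)
{
    const size_t total = 0x192;
    if (cap < total) return 0;
    memset(buf, 0, total);
    put32(buf, AD_MAGIC);
    put32(buf + 4, AD_VERSION);
    buf[24] = 0; buf[25] = 1;                      /* one entry */
    put32(buf + AD_HEADER_LEN, ADEID_FINDERI);
    put32(buf + AD_HEADER_LEN + 4, fi_off);
    put32(buf + AD_HEADER_LEN + 8, fi_len);
    for (size_t i = AD_HEADER_LEN + AD_ENTRY_LEN; i < total; i++)
        buf[i] = (uint8_t)i;
    return total;
}

/* Demo: the layout from the write-up (entry at the last byte, length 1)
 * must be rejected; a well-formed 32-byte entry must round-trip. */
int demo_truncated_entry_rejected(void)
{
    uint8_t blob[0x200], fi[ADEDLEN_FINDERI];
    size_t n = ad_build_sample(blob, sizeof blob, 0x191, 1);
    return ad_get_finderinfo(blob, n, fi);       /* -3 */
}

int demo_valid_entry_roundtrips(void)
{
    uint8_t blob[0x200], fi[ADEDLEN_FINDERI], newfi[ADEDLEN_FINDERI];
    size_t n = ad_build_sample(blob, sizeof blob, 0x40, ADEDLEN_FINDERI);
    if (ad_get_finderinfo(blob, n, fi) != 0 || fi[0] != 0x40 || fi[31] != 0x5f) return 0;
    memset(newfi, 0xAB, sizeof newfi);
    if (ad_set_finderinfo(blob, n, newfi) != 0 || blob[0x40] != 0xAB) return 0;
    return 1;
}
```

The bound check `off > blob_len || len > blob_len - off` is written this way deliberately: computing `off + len` first could wrap on 32-bit inputs and slip past a naive `<= blob_len` comparison, which is exactly the class of mistake a parser for attacker-supplied extended-attribute data has to avoid.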
A simulation of the vulnerability has been implemented as a STRIKE for Breaking Point. The strike can be found under StrikeId E22-3g3e1 and is present in the ATI-2022-04 release.