CVE-2021-44142: Details on a Samba Code Execution Bug Demonstrated at Pwn2Own Austin

Within Samba, the server daemon that provides the file sharing service is known as smbd. This analysis was conducted on smbd version 4.9.5, which can be downloaded here. While this isn’t the latest version of Samba, there are still quite a few vendors that incorporate this version or prior versions in their products. This was the case during Pwn2Own Austin 2021. Since Samba provides file sharing between devices, it is often enabled by default. The configuration of smbd is found in /etc/samba/smb.conf. Here’s a portion of an smb.conf file showing how Samba would be configured to support a Time Machine share for Apple devices:

In this section, you can see that guest ok = yes is declared, which allows guest authentication. The vfs objects list contains three modules: catia, fruit, and streams_xattr. The bugs we’re concerned with reside in the fruit module, which provides enhanced compatibility with Apple SMB clients. As stated by the vendor advisory, “The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than [sic] the default values, the system is not affected by the security issue.”

The Vulnerability

The fruit module that ships with Samba is designed to provide interoperability between Samba and Netatalk. Netatalk is an open-source implementation of the Apple Filing Protocol (AFP). It allows Unix-like systems to serve as file servers for Apple devices. Once a session is established, smbd allows an unauthenticated user to set extended file attributes of a file via SMB2_SET_INFO. This is done by the set_ea function found in “source3/smbd/trans2.c”. The name of the attribute must not be within the private Samba attribute name list, which includes user.SAMBA_PAI, user.DOSATTRIB, user.SAMBA_STREAMS, and security.NACL. With the exception of these attributes, an attacker can set arbitrary extended attributes.

The fruit module handles requests that access a file with the stream name :AFP_AfpInfo or :AFP_Resource. If using the stream name :AFP_AfpInfo, an attacker can open, read, and write Netatalk metadata of a file. Netatalk metadata is stored in a adouble structure, which is initialized by the ad_get/ad_fget functions.

The Netatalk metadata of a file is stored in the value of the extended attribute identified by the name org.netatalk.Metadata. The metadata will be parsed to fill the adouble (AppleDouble) structure. Since org.netatalk.Metadata isn't in the private Samba attribute name list discussed above, an attacker can set an arbitrary value for this attribute. Therefore, it's possible for an attacker to inject malformed metadata values. This can lead to multiple out-of-bounds memory accesses when the adouble structure is later used.

Let’s take a more detailed look at the bugs used to exploit this vulnerability during the Pwn2Own competition.

ZDI-22-245: Heap Out-Of-Bounds Read

The fruit_pread function reads metadata of a file. Since our file stream is named :AFP_AfpInfo and the file type is ADOUBLE_META, the function chain fruit_pread_meta -> fruit_pread_meta_adouble will be executed.

Consider the following source code:

At line 4279, the ad_fget function creates an adouble structure containing attacker-controlled data.

At line 4285, the call to ad_get_entry returns the pointer to the ADEID_FINDERI entry. Since this is controllable by the attacker, they can make p point to the last byte of the ad->data buffer. This will cause the memcpy call at line 4300 to read past the end of the allocated buffer and dump up to thirty-one bytes of memory from the heap.

ZDI-22-246: Heap Out-Of-Bounds Write

The fruit_pwrite function is used to write metadata to a file. Since we can already control an ADEID_FINDERI entry, we can leverage that to control a memcpy call, which allows us to write up to thirty-one bytes of data to the heap.

Consider the following source code:

At line 4657, the ad_fget function creates the ad adouble structure from metadata. As mentioned before, an attacker could inject malformed metadata here and control the values within.

Later at line 4664, the ad_get_entry returns the pointer to the ADEID_FINDERI entry. Since this is controllable by the attacker, they can set p to point to the last byte of the ad->data buffer. This allows the memcpy call at line 4671 to write past the end of the ad->ad_data buffer. Since ad->ad_data is allocated from heap memory, the attacker can leverage this vulnerability to write up to 31 bytes of data past the end of the heap buffer.

ZDI-22-244: Heap-based Buffer Overflow

When analyzing the bugs used during Pwn2Own, ZDI Vulnerability Researcher Lucas Leong noticed a variant of the vulnerability used at the contest.

In the case of the bugs used during Pwn2Own, Samba fails to validate the ADEID_FINDERI function, which leads to an OOB read and OOB write. Further analysis from Lucas found that Samba does not validate the ADEID_FILEDATESI entry either. This leads to OOB read in ad_getdate and an OOB write in ad_setdate. This leads to an overflow of three bytes, as seen in the code below:

An attacker can possibly leverage this vulnerability to execute code in the context of the smbd daemon.

Patch details

The source code of the patch for CVE-2021-44142 can be found here. The primary change from the vendor was an update to two areas to mitigate this vulnerability.

First, Samba added the function ad_entry_check_size(), which validates the size of each entry when parsing the AppleDouble format.

Second, Samba added the Netatalk extended attribute AFPINFO_EA_NETATALK to the list of the private attribute name list. Since an attacker needs to set the malformed extended attribute on a file at the beginning stage of this exploit, this change effectively blocks any user attempting to set any Netatalk extended attribute. This is a generic mitigation for this attack vector.