Bug 14040 (CVE-2019-14847) - [SECURITY] CVE-2019-14847 dirsync / ranged_results crash
Summary: [SECURITY] CVE-2019-14847 dirsync / ranged_results crash
Status: RESOLVED FIXED
Alias: CVE-2019-14847
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/m...
Keywords:
Depends on:
Blocks: 14162
  Show dependency treegraph
 
Reported: 2019-07-13 19:46 UTC by Douglas Bagnall
Modified: 2019-11-05 08:47 UTC (History)
8 users (show)

See Also:


Attachments
panic-action file (1.79 KB, application/x-shellscript)
2019-08-15 00:55 UTC, Adam Xu
no flags Details
patch for master and v4.11 (to fix behaviour only) v1 (6.53 KB, patch)
2019-10-15 04:21 UTC, Andrew Bartlett
no flags Details
patch for Samba 4.9 (cherry-picked of security fix from master plus correctness) v1 (7.52 KB, patch)
2019-10-15 04:24 UTC, Andrew Bartlett
dbagnall: review+
abartlet: review+
abartlet: ci-passed+
Details
patch for Samba 4.10 (cherry-picked of security fix from master plus correctness) v1 (7.52 KB, patch)
2019-10-15 04:25 UTC, Andrew Bartlett
dbagnall: review+
abartlet: review+
abartlet: ci-passed+
Details
advisory with CVE (v1) (2.23 KB, text/plain)
2019-10-15 21:21 UTC, Andrew Bartlett
no flags Details
revised CVE text with 4.11 mentioned (v2) (2.38 KB, text/plain)
2019-10-15 21:40 UTC, Douglas Bagnall
no flags Details
CVE text with 4.11 and -M single (v3) (2.39 KB, text/plain)
2019-10-15 21:46 UTC, Douglas Bagnall
abartlet: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2019-07-13 19:46:51 UTC
Reported on the Samba list by Adam Xu, a reliable spontaneous crash affecting 4.9 and 4.10:

--------------------------8<-----------------------------

 I'm using sernet samba for several years. I found that there's error in the log.samba file like this:

[2019/07/10 14:55:25.892988,  0] ../../lib/util/fault.c:79(fault_report)
  ===============================================================
[2019/07/10 14:55:25.893187,  0] ../../lib/util/fault.c:80(fault_report)
  INTERNAL ERROR: Signal 11 in pid 9906 (4.10.6-SerNet-RedHat-5.el7)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2019/07/10 14:55:25.893241,  0] ../../lib/util/fault.c:82(fault_report)
  ===============================================================
[2019/07/10 14:55:25.893272,  0] ../../lib/util/fault.c:128(smb_panic_default)
  smb_panic_default: PANIC (pid 9906): internal error
[2019/07/10 14:55:25.894560,  0] ../../lib/util/fault.c:261(log_stack_trace)
  BACKTRACE: 58 stack frames:
   #0 /usr/lib64/samba/libsamba-util.so.0(log_stack_trace+0x2f) [0x7f3dfe3ce32d]
   #1 /usr/lib64/samba/libsamba-util.so.0(smb_panic+0xa2) [0x7f3dfe3ce492]
   #2 /usr/lib64/samba/libsamba-util.so.0(+0x13771) [0x7f3dfe3ce771]
   #3 /lib64/libpthread.so.0(+0xf5d0) [0x7f3df0a2e5d0]
   #4 /usr/lib64/samba/ldb/dirsync.so(+0x3dbd) [0x7f3de37c3dbd]
   #5 /usr/lib64/samba/ldb/dirsync.so(+0x4b4e) [0x7f3de37c4b4e]
   #6 /usr/lib64/samba/libldb.so.1(ldb_module_send_entry+0x144) [0x7f3dfd9497dc]
   #7 /usr/lib64/samba/ldb/ranged_results.so(+0x15dc) [0x7f3ddfab65dc]
   #8 /usr/lib64/samba/libldb.so.1(ldb_module_send_entry+0x144) [0x7f3dfd9497dc]
   #9 /usr/lib64/samba/ldb/acl.so(+0x74ed) [0x7f3de43f14ed]
   #10 /usr/lib64/samba/libldb.so.1(ldb_module_send_entry+0x144) [0x7f3dfd9497dc]
   #11 /usr/lib64/samba/ldb/encrypted_secrets.so(+0x3cc6) [0x7f3de31aacc6]
   #12 /usr/lib64/samba/libldb.so.1(ldb_module_send_entry+0x144) [0x7f3dfd9497dc]
   #13 /usr/lib64/samba/ldb/operational.so(+0x3a5b) [0x7f3de092aa5b]
   #14 /usr/lib64/samba/libldb.so.1(ldb_module_send_entry+0x144) [0x7f3dfd9497dc]
   #15 /usr/lib64/samba/ldb/extended_dn_out.so(+0x2cee) [0x7f3de2d9ccee]
   #16 /usr/lib64/samba/ldb/extended_dn_out.so(+0x354d) [0x7f3de2d9d54d]
   #17 /usr/lib64/samba/libldb.so.1(ldb_module_send_entry+0x144) [0x7f3dfd9497dc]
   #18 /usr/lib64/samba/libdsdb-module-samba4.so(dsdb_next_callback+0x6d) [0x7f3de8f24ca7]
   #19 /usr/lib64/samba/libldb.so.1(ldb_module_send_entry+0x144) [0x7f3dfd9497dc]
   #20 /usr/lib64/samba/ldb/partition.so(+0x56e8) [0x7f3de03146e8]
   #21 /usr/lib64/samba/libldb.so.1(ldb_module_send_entry+0x144) [0x7f3dfd9497dc]
   #22 /usr/lib64/samba/libldb-key-value-samba4.so(ldb_kv_search_indexed+0x6f3) [0x7f3de1f72518]
   #23 /usr/lib64/samba/libldb-key-value-samba4.so(ldb_kv_search+0x368) [0x7f3de1f6ee2e]
   #24 /usr/lib64/samba/libldb-key-value-samba4.so(+0x56a3) [0x7f3de1f6d6a3]
   #25 /usr/lib64/samba/libtevent.so.0(tevent_common_invoke_timer_handler+0x172) [0x7f3dfc8b5bbc]
   #26 /usr/lib64/samba/libtevent.so.0(tevent_common_loop_timer_delay+0xa6) [0x7f3dfc8b5d22]
   #27 /usr/lib64/samba/libtevent.so.0(+0xc180) [0x7f3dfc8b7180]
   #28 /usr/lib64/samba/libtevent.so.0(+0xa167) [0x7f3dfc8b5167]
   #29 /usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7f3dfc8b0880]
   #30 /usr/lib64/samba/libldb.so.1(ldb_wait+0x143) [0x7f3dfd946542]
   #31 /usr/lib64/samba/service/ldap.so(ldapsrv_do_call+0x81f) [0x7f3de564f53e]
   #32 /usr/lib64/samba/service/ldap.so(+0x558f) [0x7f3de564c58f]
   #33 /usr/lib64/samba/libtevent.so.0(+0x67a4) [0x7f3dfc8b17a4]
   #34 /usr/lib64/samba/libtevent.so.0(tevent_common_invoke_immediate_handler+0x125) [0x7f3dfc8b147c]
   #35 /usr/lib64/samba/libtevent.so.0(tevent_common_loop_immediate+0x1c) [0x7f3dfc8b14ae]
   #36 /usr/lib64/samba/libtevent.so.0(+0xc16b) [0x7f3dfc8b716b]
   #37 /usr/lib64/samba/libtevent.so.0(+0xa167) [0x7f3dfc8b5167]
   #38 /usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7f3dfc8b0880]
   #39 /usr/lib64/samba/libtevent.so.0(tevent_common_loop_wait+0x17) [0x7f3dfc8b0a6e]
   #40 /usr/lib64/samba/libtevent.so.0(+0xa117) [0x7f3dfc8b5117]
   #41 /usr/lib64/samba/libtevent.so.0(_tevent_loop_wait+0xa) [0x7f3dfc8b0ad6]
   #42 /usr/lib64/samba/process_model/standard.so(+0x2e16) [0x7f3de99ffe16]
   #43 /usr/lib64/samba/libservice-samba4.so(+0x38b3) [0x7f3dfdd908b3]
   #44 /usr/lib64/samba/libtevent.so.0(tevent_common_invoke_fd_handler+0x82) [0x7f3dfc8b105f]
   #45 /usr/lib64/samba/libtevent.so.0(+0xc415) [0x7f3dfc8b7415]
   #46 /usr/lib64/samba/libtevent.so.0(+0xa167) [0x7f3dfc8b5167]
   #47 /usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7f3dfc8b0880]
   #48 /usr/lib64/samba/libtevent.so.0(tevent_common_loop_wait+0x17) [0x7f3dfc8b0a6e]
   #49 /usr/lib64/samba/libtevent.so.0(+0xa117) [0x7f3dfc8b5117]
   #50 /usr/lib64/samba/libtevent.so.0(_tevent_loop_wait+0xa) [0x7f3dfc8b0ad6]
   #51 /usr/lib64/samba/process_model/standard.so(+0x2630) [0x7f3de99ff630]
   #52 /usr/lib64/samba/libservice-samba4.so(task_server_startup+0x61) [0x7f3dfdd91d6d]
   #53 /usr/lib64/samba/libservice-samba4.so(server_service_startup+0x15c) [0x7f3dfdd907b3]
   #54 /usr/sbin/samba(+0x5e4d) [0x5654cae0de4d]
   #55 /usr/sbin/samba(main+0x2b) [0x5654cae0e165]
   #56 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f3deffa6495]
   #57 /usr/sbin/samba(+0x4299) [0x5654cae0c299]
[2019/07/10 14:55:25.898651,  0] ../../source4/smbd/process_standard.c:160(standard_child_pipe_handler)
  standard_child_pipe_handler: Child 9906 () terminated with signal 6

This error usually occurs after 30 minutes of restarting samba. but it seems that the AD DC function  is not affected. Does this  bug exist in all samba or only in sernet samba?
my OS:centos 7.6
samba version: sernet 4.9.11 or 4.10.6


-----------------------8<-------------------------

c.f. bug 13556.

The crash appears to be in either dirsync_filter_entry() or dirsync_filter_entry(), but that doesn't help much.
Comment 1 Douglas Bagnall 2019-07-13 19:49:35 UTC
Are there sernet packages with debug symbols?
Comment 2 Douglas Bagnall 2019-07-14 21:15:51 UTC
Could be already fixed by 23f72c4d712f8d1fec3d67a66d477709d5b0abe2 or 2852dce541e7d923b1a2807f9ba29b62b043d219.
Comment 3 Stefan Metzmacher 2019-07-15 09:17:02 UTC
(In reply to Douglas Bagnall from comment #1)

On debian/ubuntu we have sernet-samba-dbg.
On rhel/centos/oracle 6/7 we have sernet-samba-debuginfo
On rhel/centos/oracle 8 each sernet-samba* packages
has its sernet-samba*-debuginfo packages and there's
a sernet-samba-debugsource package.

I'd have to research why suse/sles packages don't have debuginfo packages.
Comment 4 Douglas Bagnall 2019-08-06 23:29:33 UTC
Adam, can we use this one for the bug for the moment, not #14075, because there may be security implications if people can trigger the crash remotely, and this bug is restricted to you and the Samba developers. It will be made public later.

Are you able to install the debug packages for samba? They should be called something like sernet-samba-debuginfo. Installing those will provide a traceback with more detail.
Comment 5 Adam Xu 2019-08-07 07:16:03 UTC
I have install sernet-samba-debuginfo. and what shoud I do next?
Comment 6 Björn Jacke 2019-08-08 10:28:22 UTC
you will have a script like /usr/share/samba/panic-action on your system. You can add

panic action = "/usr/share/samba/panic-action %d"

to your smb.conf. This will trigger a mail to root with a helpful set of debuggin information when a samba process crashes.
Comment 7 Björn Jacke 2019-08-08 10:29:43 UTC
PS: you should have /usr/bin/gdb and a "mail" binary installed also.
Comment 8 Adam Xu 2019-08-09 01:22:10 UTC
(In reply to Björn Jacke from comment #6)
seems no panic-action script in sernet-samba-debuginfo rpm package. there are just a lot .c and .h file in /usr/src/debug/samba-4.10.6.

How cloud I get panic-action script?
Comment 9 Karolin Seeger 2019-08-09 06:55:59 UTC
(In reply to Adam Xu from comment #8)
Hi Adam,

it's /usr/share/samba/panic-action and comes with sernet-samba-common package.

Hope that helps.

Karolin
Comment 10 Adam Xu 2019-08-15 00:55:25 UTC
Created attachment 15394 [details]
panic-action file
Comment 11 Adam Xu 2019-08-15 00:56:36 UTC
there's no panic-action in sernet-samba-common rpm package also.
someone send me a panic-action file from mail. but it didn't work.
I have installed gdb and samba debug package. I have added configration like:
[global]
......
        panic action = "/usr/local/bin/panic-action %d"

the error occurs but nothing logs to my system mail.
I have uploaded panic-action to the attachement. please help.
Comment 12 Andrew Bartlett 2019-08-15 01:02:15 UTC
Remember you can debug a panic action by sending signal 11 to the target process, rather than inducing the crash. 

This may assist you in getting us the backtrace we need.

Or just set 'panic action = /bin/sleep 9999999' and attach with gdb -p $PID manually.

We need, one way or the other, a 'bt full' from the crashing process.
Comment 13 Björn Jacke 2019-09-24 14:16:29 UTC
you need to remove the " " from the panic action. This is inconsistent from smbd and samba ad. The man page example got the " " removed already now. Does it give you a debug info mail in case of a crash if you change that?
Comment 14 Adam Xu 2019-09-25 09:02:13 UTC
(In reply to Björn Jacke from comment #13)
thank you. I got some debug info after I removed the "" from smb.conf. I will upload the system mail file to attachment.
Comment 15 Adam Xu 2019-09-25 09:04:06 UTC
Created attachment 15488 [details]
debug info file via mail
Comment 16 Andrew Bartlett 2019-09-25 09:12:46 UTC
This is the block where the NULL de-reference happens. 

		attr = dsdb_attribute_by_lDAPDisplayName(dsc->schema,
				el->name);
		keep = false;

		if (attr->linkID & 1) {
			/*
			 * Attribute is a backlink so let's remove it
			 */
			continue;
		}

The implication is that this happens in conjunction with ranged_results, because we have 

ldapattrname =3D 0x55f7b5186a00 "member;range=3D1-1"

which is why attr is NULL and so we fault.
Comment 17 Andrew Bartlett 2019-09-25 09:14:52 UTC
(In reply to Andrew Bartlett from comment #16)
Now we understand it it is pretty clear for me that we will need a CVE for this.

I've asked Red Hat for one.
Comment 18 Andrew Bartlett 2019-09-25 09:17:57 UTC
(In reply to Douglas Bagnall from comment #2)
Yes, almost certainly already fixed by 23f72c4d712f8d1fec3d67a66d477709d5b0abe2.

Yay for proactive fixes from static analysis, this means that Samba 4.11 is not impacted.
Comment 19 Andrew Bartlett 2019-09-25 18:15:11 UTC
 CVSS v3.1 Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

This is on the basis that we can crash the prefork and single-mode LDAP server, and prefork is now a well supported option in Samba 4.10. 

Samba 4.8 and installations of Samba 4.9 and 4.10 using the default 'standard' process model are not impacted (this is a self-DoS of the attackers own connection).  Samba 4.11 is not impacted as the bug was already fixed.

However, versions of Samba earlier than Samba 4.7 are, as they always ran the LDAP server in single process mode.
Comment 20 Andrew Bartlett 2019-09-26 02:36:10 UTC
Fixing the crash is simple, and the patch in master does that.  It essentially neuters ranged_results for that attribute however, any attribute not found (due to the ;) will just not be reported.

We can just do that for the security fix, but for master and supported releases we should try and fix the server to match the MS Windows behaviour.
Comment 21 Andrew Bartlett 2019-10-14 22:38:11 UTC
I've confirmed that 23f72c4d712f8d1fec3d67a66d477709d5b0abe2 fixes it, when backported to Samba 4.10.

Steps to reproduce:

make testenv

 bin/ldbsearch -H ldb://`pwd`/st/ad_dc/private/sam.ldb --controls="dirsync:1:0:0" -U$USERNAME%$PASSWORD
(for a local crash)

 bin/ldbsearch -H ldap://$SERVER --controls="dirsync:1:0:0" -U$USERNAME%$PASSWORD cn=administrators 'member;range=1-1'
(for a 'remote' crash against the running LDAP server).
Comment 22 Andrew Bartlett 2019-10-14 23:05:24 UTC
Testing against windows 1703 shows that the ;range=1-1 part is lost when dirsync is in use, the full result is returned.
Comment 23 Andrew Bartlett 2019-10-15 04:21:14 UTC
Created attachment 15539 [details]
patch for master and v4.11 (to fix behaviour only) v1
Comment 24 Andrew Bartlett 2019-10-15 04:24:14 UTC
Created attachment 15540 [details]
patch for Samba 4.9 (cherry-picked of security fix from master plus correctness) v1
Comment 25 Andrew Bartlett 2019-10-15 04:25:19 UTC
Created attachment 15541 [details]
patch for Samba 4.10 (cherry-picked of security fix from master plus correctness) v1
Comment 26 Andrew Bartlett 2019-10-15 04:27:04 UTC
While this will likely still require a CVE, it requires some unusual privilege to exploit, as the user doing the dirsync must have GET_CHANGES privilege, eg the permissions normally given to an RODC.  

Default users will not have this right.
Comment 27 Andrew Bartlett 2019-10-15 19:48:20 UTC
I've scored it as: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.9)
Comment 28 Andrew Bartlett 2019-10-15 20:05:10 UTC
Adam,

I'm writing up the CVE advisory text.  Can I credit you as the original reporter?

Is there an affiliation you would like to list? (typically a company you found it while working for).

Thanks!
Comment 29 Andrew Bartlett 2019-10-15 21:21:12 UTC
Created attachment 15543 [details]
advisory with CVE (v1)
Comment 30 Douglas Bagnall 2019-10-15 21:40:19 UTC
Created attachment 15544 [details]
revised CVE text with 4.11 mentioned (v2)
Comment 31 Douglas Bagnall 2019-10-15 21:46:27 UTC
Created attachment 15545 [details]
CVE text with 4.11 and -M single (v3)
Comment 32 Adam Xu 2019-10-16 00:18:34 UTC
(In reply to Andrew Bartlett from comment #28)
of course you can.
Comment 33 Andrew Bartlett 2019-10-17 18:52:27 UTC
Just as a status update:

I'm happy with this except I'm having trouble getting the 4.9 branch to pass CI on the private GitLab CI due to unrelated failures.  

If someone (else?) can get a good CI on 4.9 it I'm hoping we can include it in this or the next the security release.
Comment 34 Andrew Bartlett 2019-10-19 06:20:58 UTC
Comment on attachment 15540 [details]
patch for Samba 4.9 (cherry-picked of security fix from master plus correctness) v1

CI of the Samba 4.9 patch passed on sn-devel for the 'samba' task and Gitlab CI for the rest.
Comment 35 Andrew Bartlett 2019-10-19 06:21:43 UTC
Assigning to Karolin for the next available security release.

The version numbers in the advisory may need to be updated.
Comment 36 Karolin Seeger 2019-10-21 09:24:48 UTC
Planned release date: Tuesday, October 29
Opening bug report for vendors.
Comment 37 Karolin Seeger 2019-10-29 10:04:46 UTC
Samba 4.11.2, 4.10.10 and 4.9.15 have been shipped to address this defect.
Comment 38 Karolin Seeger 2019-10-29 10:05:32 UTC
Patch does not apply on current master:

Wende an: CVE-2019-14847 dsdb: Demonstrate the correct interaction of ranged_results style attributes and dirsync
Wende an: CVE-2019-14847 dsdb: Correct behaviour of ranged_results when combined with dirsync
error: Anwendung des Patches fehlgeschlagen: source4/dsdb/samdb/ldb_modules/dirsync.c:1014
error: source4/dsdb/samdb/ldb_modules/dirsync.c: Patch konnte nicht angewendet werden
Anwendung des Patches fehlgeschlagen bei 0002 CVE-2019-14847 dsdb: Correct behaviour of ranged_results when combined with dirsync
Comment 39 Karolin Seeger 2019-10-30 09:48:49 UTC
Pushed to v4-{11,10,9}-test.
Master still missing, patch does not apply.
Comment 40 Andrew Bartlett 2019-10-30 21:08:04 UTC
(In reply to Karolin Seeger from comment #39)
Looks like intermediate changes created trouble.

I've rebased the patches and created a merge request.
Comment 41 Andrew Bartlett 2019-10-30 21:09:29 UTC
As the release is now public I've marked the bug public also after checking the attachments and comments.  I've made the full backtrace private, we don't need that to be public.
Comment 42 Andrew Bartlett 2019-10-30 21:16:57 UTC
Removing vendor alias now this is public.  If you (as a vendor) wish to still track this, please CC individually.

Thanks!
Comment 43 Andrew Bartlett 2019-11-03 21:21:15 UTC
Patch for master landed as 03205663b3e5939896c1aad93c4a45cd769b06b4