Bug 15340 (CVE-2023-34966) - [SECURITY] CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2023-34966
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.17.4
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 15396
Reported: 2023-03-23 09:29 UTC by Ralph Böhme
Modified: 2023-07-28 12:17 UTC
CC: 4 users

See Also:


Attachments
Possible patch for master (6.12 KB, patch)
    2023-05-31 15:02 UTC, Ralph Böhme
    flags: none
Advisory v1 (2.00 KB, text/plain)
    2023-06-07 17:19 UTC, Ralph Böhme
    flags: slow: review? (metze); jra: review+
Patch for master (6.53 KB, patch)
    2023-06-14 16:54 UTC, Ralph Böhme
    flags: jra: review+; metze: review+; slow: ci-passed+
Patch for 4.18 (6.53 KB, patch)
    2023-06-23 14:14 UTC, Ralph Böhme
    flags: metze: review+; slow: review? (jra); slow: ci-passed+
Patch for 4.17 (6.53 KB, patch)
    2023-06-23 14:15 UTC, Ralph Böhme
    flags: metze: review+; slow: review? (jra); slow: ci-passed+
Patch for 4.16 (6.53 KB, patch)
    2023-06-23 16:46 UTC, Ralph Böhme
    flags: metze: review+; slow: review? (jra); slow: ci-passed+

Description Ralph Böhme 2023-03-23 09:29:17 UTC
Created attachment 17839 [details]
PoC

ZDI-CAN-20229

-- CVSS -----------------------------------------

5.9: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Samba - Samba

-- VULNERABILITY DETAILS ------------------------
* Version tested: 4.16.8
* Installer file: -
* Platform tested: ubuntu 22.10 desktop edition

---

### Analysis

An infinite loop bug exists in mdssvc, which runs as an RPC service in Samba.
An authenticated attacker can trigger the bug by issuing a malformed RPC request argument for any Spotlight RPC command.
The `sl_unpack_loop` function in Samba implements the unpacking of the request argument.
When a NULL type argument is parsed and its `tag.count` and `tag.size` fields are set to `0`, it will trigger an infinite loop within the `sl_unpack_loop()` function.
The process rpcd_mdssvc will run with 100% CPU, and it runs as root.

here is the process command line
`/usr/libexec/samba/rpcd_mdssvc --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=0 --debuglevel=0`

here is the smb.conf on the victim machine
```
[sambashare]
    comment = Samba on KUDU
    path = /home/user/sambashare
    read only = no
    browsable = yes
    guest ok = yes
    spotlight = yes
```

However, the default `spotlight` configuration is `no`.
It seems some NAS vendors configure `spotlight` as `yes`:
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

```c
static ssize_t sl_unpack_loop(DALLOC_CTX *query,
                              const char *buf,
                              ssize_t offset,
                              size_t bufsize,
                              int count,                /* (1) count is set to 1 by `sl_unpack()` */
                              ssize_t toc_offset,
                              int encoding)
{
        int i, toc_index, subcount;
        uint64_t result;

        while (count > 0) {
                struct sl_tag tag;

                if (offset >= toc_offset) {
                        return -1;
                }

                result = sl_unpack_tag(buf, offset, bufsize, encoding, &tag);
                if (result == -1) {
                        return -1;
                }

                switch (tag.type) {                     /* (2) tag.type == SQ_TYPE_NULL */
...
                case SQ_TYPE_NULL: {
                        sl_nil_t nil = 0;

                        subcount = tag.count;           /* (3) tag.count == 0 */
                        if (subcount > count) {
                                return -1;
                        }
                        for (i = 0; i < subcount; i++) {
                                result = dalloc_add_copy(query, &nil, sl_nil_t);
                                if (result != 0) {
                                        return -1;
                                }
                        }
                        offset += tag.size;             /* (4) tag.size == 0, offset remains the same */
                        count -= subcount;              /* (5) subcount == 0, count is not decremented, so the parse loops infinitely */
                        break;
                }
...
                }
        }

        return offset;
}
```

gdb output
```
(gdb) bt
#0  0x0000559df58d0763 in sl_unpack_tag (buf=buf@entry=0x559df6f821c0 "\001", offset=offset@entry=88, bufsize=bufsize@entry=252, encoding=encoding@entry=1, tag=tag@entry=0x7fff10ddc470)
    at ../../source3/rpc_server/mdssvc/marshalling.c:659
#1  0x0000559df58d242a in sl_unpack_loop (query=query@entry=0x559df6f899a0, buf=buf@entry=0x559df6f821c0 "\001", offset=88, offset@entry=8, bufsize=bufsize@entry=252, count=2, count@entry=3, toc_offset=toc_offset@entry=176, encoding=1)
    at ../../source3/rpc_server/mdssvc/marshalling.c:1078
#2  0x0000559df58d254d in sl_unpack_cpx (encoding=1, toc_offset=176, cpx_query_count=3, cpx_query_type=<optimized out>, bufsize=252, offset=8, buf=0x559df6f821c0 "\001", query=0x559df6f66860)
    at ../../source3/rpc_server/mdssvc/marshalling.c:942
#3  sl_unpack_loop (query=<optimized out>, buf=0x559df6f821c0 "\001", offset=<optimized out>, bufsize=252, count=1, toc_offset=176, encoding=1) at ../../source3/rpc_server/mdssvc/marshalling.c:1104
#4  0x0000559df58d35bd in sl_unpack (query=0x559df6f66860, buf=<optimized out>, bufsize=<optimized out>) at ../../source3/rpc_server/mdssvc/marshalling.c:1372
#5  0x0000559df58d16af in mds_dispatch (mds_ctx=mds_ctx@entry=0x559df6efb130, request_blob=request_blob@entry=0x559df6f898f0, response_blob=0x559df6ef59b0) at ../../source3/rpc_server/mdssvc/mdssvc.c:1783
#6  0x0000559df58d1cfb in _mdssvc_cmd (p=p@entry=0x559df6ef5a48, r=r@entry=0x559df6f898d0) at ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:235
#7  0x0000559df58d2307 in mdssvc__op_dispatch_internal (dce_call=0x559df6ef6660, mem_ctx=<optimized out>, r=0x559df6f898d0, dispatch=<optimized out>) at ./librpc/gen_ndr/ndr_mdssvc_scompat.c:166
#8  0x00007f435f77145c in dcesrv_request (call=0x559df6ef6660) at ../../librpc/rpc/dcesrv_core.c:1957
#9  dcesrv_process_ncacn_packet (blob=..., pkt=<optimized out>, dce_conn=0x559df6ee5ba0) at ../../librpc/rpc/dcesrv_core.c:2381
#10 dcesrv_loop_next_packet (dce_conn=0x559df6ee5ba0, pkt=<optimized out>, buffer=...) at ../../librpc/rpc/dcesrv_core.c:2923
#11 0x00007f435f7722a0 in dcesrv_read_fragment_done (subreq=<optimized out>) at ../../librpc/rpc/dcesrv_core.c:2901
#12 0x00007f435f3989ff in dcerpc_read_ncacn_packet_done (subreq=<optimized out>) at ../../librpc/rpc/dcerpc_util.c:630
#13 0x00007f435f299226 in tstream_readv_pdu_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket_helpers.c:320
#14 0x00007f435f29138f in tstream_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket.c:604
#15 0x00007f435f31f0a2 in tevent_common_invoke_immediate_handler (im=0x559df6f89b40, removed=removed@entry=0x0) at ../../tevent_immediate.c:190
#16 0x00007f435f31f0ce in tevent_common_loop_immediate (ev=ev@entry=0x559df6ece160) at ../../tevent_immediate.c:236
#17 0x00007f435f322990 in epoll_event_loop_once (ev=0x559df6ece160, location=<optimized out>) at ../../tevent_epoll.c:918
#18 0x00007f435f31aecb in std_event_loop_once (ev=0x559df6ece160, location=0x7f435fa0b480 "../../source3/rpc_server/rpc_worker.c:1199") at ../../tevent_standard.c:110
#19 0x00007f435f31d368 in _tevent_loop_once (ev=ev@entry=0x559df6ece160, location=location@entry=0x7f435fa0b480 "../../source3/rpc_server/rpc_worker.c:1199") at ../../tevent.c:790
#20 0x00007f435fa07772 in rpc_worker_main (argc=<optimized out>, argv=<optimized out>, daemon_config_name=daemon_config_name@entry=0x559df58d7e44 "rpcd_mdssvc", num_workers=num_workers@entry=5, idle_seconds=idle_seconds@entry=60,
    get_interfaces=get_interfaces@entry=0x559df58c5530 <mdssvc_interfaces>, get_servers=0x559df58c5810 <mdssvc_servers>, private_data=0x0) at ../../source3/rpc_server/rpc_worker.c:1199
#21 0x0000559df58c5430 in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/rpc_server/rpcd_mdssvc.c:52
(gdb)
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Florent Saudel (@thalium_team) working with Trend Micro Zero Day Initiative
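The report's analysis boils down to one property of the loop: a tag that advances neither `offset` (size 0) nor `count` (count 0) is re-read forever. The following is an added, self-contained model of that control flow, written for this page and not taken from Samba or from the ZDI report. The `toy_*` names, the 8-byte tag layout (type, count, 16-bit size, padding) and the iteration budget are constructed for the example and are not Samba's real Spotlight marshalling; the `hardened` progress check is likewise this example's own illustration, not the patch that was committed for this bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for struct sl_tag; not Samba's real wire layout. */
struct toy_tag {
	uint8_t type;
	uint8_t count;
	uint16_t size;		/* bytes covered by this tag, header included */
};

enum { TOY_TYPE_NULL = 0x00 };
enum { TOY_TAG_LEN = 8 };
enum { TOY_LOOP_BUDGET = 1000 };	/* cap so the vulnerable variant returns */

/* Decode one 8-byte tag at offset; -1 if the header does not fit. */
static int toy_unpack_tag(const uint8_t *buf, size_t offset, size_t bufsize,
			  struct toy_tag *tag)
{
	if (offset > bufsize || bufsize - offset < TOY_TAG_LEN) {
		return -1;
	}
	tag->type = buf[offset];
	tag->count = buf[offset + 1];
	tag->size = (uint16_t)(buf[offset + 2] | (buf[offset + 3] << 8));
	return 0;
}

/*
 * Same control flow as the sl_unpack_loop() excerpt: consume tags until
 * `count` elements are unpacked. Returns the final offset, -1 for
 * malformed input, or -2 when the iteration budget runs out (where the
 * real code would spin forever). `hardened` enables a progress check
 * that is this example's own, not Samba's actual fix.
 */
static long toy_unpack_loop(const uint8_t *buf, size_t bufsize, int count,
			    int hardened, int *nils_added)
{
	size_t offset = 0;
	int iterations = 0;

	*nils_added = 0;
	while (count > 0) {
		struct toy_tag tag;

		if (++iterations > TOY_LOOP_BUDGET) {
			return -2;
		}
		if (toy_unpack_tag(buf, offset, bufsize, &tag) == -1) {
			return -1;
		}
		/* A tag header occupies TOY_TAG_LEN bytes, so a smaller size can
		 * never be well-formed; rejecting it guarantees offset moves. */
		if (hardened && tag.size < TOY_TAG_LEN) {
			return -1;
		}

		switch (tag.type) {
		case TOY_TYPE_NULL: {
			int subcount = tag.count;	/* 0 in the reported request */

			if (subcount > count) {
				return -1;
			}
			*nils_added += subcount;
			offset += tag.size;		/* size 0: offset stays put */
			count -= subcount;		/* count 0: count stays put */
			break;
		}
		default:
			return -1;
		}
	}
	return (long)offset;
}

/* Constructed well-formed request: two NULL tags, count=1 and size=8 each. */
static long run_benign(int hardened)
{
	static const uint8_t buf[16] = {
		TOY_TYPE_NULL, 1, 8, 0, 0, 0, 0, 0,
		TOY_TYPE_NULL, 1, 8, 0, 0, 0, 0, 0,
	};
	int nils;

	return toy_unpack_loop(buf, sizeof(buf), 2, hardened, &nils);
}

/* Constructed trigger shape from the report: one NULL tag, count=0, size=0. */
static long run_zero_progress(int hardened)
{
	static const uint8_t buf[8] = { TOY_TYPE_NULL, 0, 0, 0, 0, 0, 0, 0 };
	int nils;

	return toy_unpack_loop(buf, sizeof(buf), 1, hardened, &nils);
}

int main(void)
{
	printf("benign:        vulnerable=%ld hardened=%ld\n",
	       run_benign(0), run_benign(1));
	printf("zero-progress: vulnerable=%ld hardened=%ld\n",
	       run_zero_progress(0), run_zero_progress(1));
	return 0;
}
```

The benign input returns offset 16 in both variants; the zero-progress input exhausts the budget (-2) in the vulnerable variant, which is the 100% CPU condition in the report, and is rejected (-1) once the loop refuses any tag that cannot move `offset` forward. From a detection standpoint, a worker pinned at full CPU with no I/O, as in the backtrace above, is the observable symptom.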
Comment 1 Ralph Böhme 2023-03-23 09:32:09 UTC
Created attachment 17840 [details]
Patch for reproducer
Comment 2 Ralph Böhme 2023-05-31 15:02:43 UTC
Created attachment 17902 [details]
Possible patch for master
Comment 3 Ralph Böhme 2023-06-05 15:23:56 UTC
Calculating CVE score as 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Comment 4 Ralph Böhme 2023-06-07 17:19:22 UTC
Created attachment 17910 [details]
Advisory v1
Comment 5 Jeremy Allison 2023-06-07 21:28:34 UTC
Comment on attachment 17910 [details]
Advisory v1

LGTM.
Comment 6 Ralph Böhme 2023-06-14 16:54:45 UTC
Created attachment 17919 [details]
Patch for master
Comment 7 Jeremy Allison 2023-06-16 16:19:44 UTC
Comment on attachment 17919 [details]
Patch for master

LGTM.
Comment 8 Ralph Böhme 2023-06-23 14:14:44 UTC
Created attachment 17941 [details]
Patch for 4.18
Comment 9 Ralph Böhme 2023-06-23 14:15:37 UTC
Created attachment 17942 [details]
Patch for 4.17
Comment 10 Ralph Böhme 2023-06-23 16:46:39 UTC
Created attachment 17950 [details]
Patch for 4.16
Comment 11 Ralph Böhme 2023-07-07 14:24:43 UTC
Proposed release date for this CVE is the 19th of July.
Comment 12 Jule Anger 2023-07-19 14:23:43 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 13 Samba QA Contact 2023-07-19 14:29:36 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.11):

01cf3cf7a83f0f3fcdf1f4026327c84e4c17f853
cb6f3e2202473eeccf81e34ebcdb4bc4f726548a
Comment 14 Samba QA Contact 2023-07-19 14:30:48 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.10):

6e5e5c7f64eef80e10473e860a1662ce66491e8e
c77b31f1bcb8778007cfa584e15f3bb2f7135752
Comment 15 Samba QA Contact 2023-07-19 14:31:26 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.5):

1a208f258aa80ddbfb135e54d3d5c5d07dc0fdea
207489b6b922cddf945227b20ae8543a4e01b686
Comment 16 Samba QA Contact 2023-07-19 14:56:02 UTC
This bug was referenced in samba v4-16-test:

01cf3cf7a83f0f3fcdf1f4026327c84e4c17f853
cb6f3e2202473eeccf81e34ebcdb4bc4f726548a
Comment 17 Samba QA Contact 2023-07-19 14:59:46 UTC
This bug was referenced in samba v4-17-test:

6e5e5c7f64eef80e10473e860a1662ce66491e8e
c77b31f1bcb8778007cfa584e15f3bb2f7135752
Comment 18 Samba QA Contact 2023-07-19 15:07:58 UTC
This bug was referenced in samba v4-18-test:

1a208f258aa80ddbfb135e54d3d5c5d07dc0fdea
207489b6b922cddf945227b20ae8543a4e01b686
Comment 19 Samba QA Contact 2023-07-21 13:04:05 UTC
This bug was referenced in samba master:

10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9
38664163fcac985d87e4274d198568e0fe88595e
Comment 20 Jule Anger 2023-07-21 15:00:13 UTC
Pushed to all branches.
Closing out bug report.
Thanks!
Comment 21 Samba QA Contact 2023-07-28 12:14:25 UTC
This bug was referenced in samba v4-19-test:

10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9
38664163fcac985d87e4274d198568e0fe88595e
Comment 22 Samba QA Contact 2023-07-28 12:17:38 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1):

10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9
38664163fcac985d87e4274d198568e0fe88595e