Bug 15340 (CVE-2023-34966) - [SECURITY] CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability
Summary: [SECURITY] CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop D...
Alias: CVE-2023-34966
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.17.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
Depends on:
Blocks: 15396
Reported: 2023-03-23 09:29 UTC by Ralph Böhme
Modified: 2023-07-28 12:17 UTC

See Also:

Possible patch for master (6.12 KB, patch)
2023-05-31 15:02 UTC, Ralph Böhme
no flags Details
Advisory v1 (2.00 KB, text/plain)
2023-06-07 17:19 UTC, Ralph Böhme
slow: review? (metze)
jra: review+
Patch for master (6.53 KB, patch)
2023-06-14 16:54 UTC, Ralph Böhme
jra: review+
metze: review+
slow: ci-passed+
Patch for 4.18 (6.53 KB, patch)
2023-06-23 14:14 UTC, Ralph Böhme
metze: review+
slow: review? (jra)
slow: ci-passed+
Patch for 4.17 (6.53 KB, patch)
2023-06-23 14:15 UTC, Ralph Böhme
metze: review+
slow: review? (jra)
slow: ci-passed+
Patch for 4.16 (6.53 KB, patch)
2023-06-23 16:46 UTC, Ralph Böhme
metze: review+
slow: review? (jra)
slow: ci-passed+

Description Ralph Böhme 2023-03-23 09:29:17 UTC
Created attachment 17839


-- CVSS -----------------------------------------

5.9: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Samba - Samba

-- VULNERABILITY DETAILS ------------------------
* Version tested: 4.16.8
* Installer file: -
* Platform tested: Ubuntu 22.10 desktop edition


### Analysis

An infinite loop bug exists in mdssvc, which runs as an RPC service in Samba. An authenticated attacker can trigger the bug by issuing a malformed RPC request argument for any Spotlight RPC command. The `sl_unpack_loop` function in Samba implements the unpacking of the request argument. When a NULL type argument is parsed and its `tag.count` and `tag.size` fields are set to `0`, it will trigger an infinite loop within the `sl_unpack_loop()` function. The process rpcd_mdssvc will run at 100% CPU, and it runs as root.

Here is the process command line:
`/usr/libexec/samba/rpcd_mdssvc --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=0 --debuglevel=0`

Here is the smb.conf share definition on the victim machine:

```ini
    comment = Samba on KUDU
    path = /home/user/sambashare
    read only = no
    browsable = yes
    guest ok = yes
    spotlight = yes
```

However, the default `spotlight` configuration is set to `no`.
It seems some NAS vendors have configured `spotlight` as `yes`.

The affected function (the closing braces of the excerpt are restored here; tag types other than `SQ_TYPE_NULL` are omitted from the excerpt):

```c
static ssize_t sl_unpack_loop(DALLOC_CTX *query,
                              const char *buf,
                              ssize_t offset,
                              size_t bufsize,
                              int count,                                // (1) count is set to 1 by `sl_unpack()`
                              ssize_t toc_offset,
                              int encoding)
{
        int i, toc_index, subcount;
        uint64_t result;

        while (count > 0) {
                struct sl_tag tag;

                if (offset >= toc_offset) {
                        return -1;
                }

                result = sl_unpack_tag(buf, offset, bufsize, encoding, &tag);
                if (result == -1) {
                        return -1;
                }

                switch (tag.type) {                                     // (2) tag.type == SQ_TYPE_NULL
                case SQ_TYPE_NULL: {
                        sl_nil_t nil = 0;

                        subcount = tag.count;                           // (3) tag.count == 0
                        if (subcount > count) {
                                return -1;
                        }
                        for (i = 0; i < subcount; i++) {
                                result = dalloc_add_copy(query, &nil, sl_nil_t);
                                if (result != 0) {
                                        return -1;
                                }
                        }
                        offset += tag.size;                             // (4) tag.size == 0, offset remains the same
                        count -= subcount;                              // (5) subcount = 0, count is not decremented, then the parse will loop infinitely
                        break;
                }
                /* other tag types omitted from this excerpt */
                }
        }

        return offset;
}
```

gdb output:

```
(gdb) bt
#0  0x0000559df58d0763 in sl_unpack_tag (buf=buf@entry=0x559df6f821c0 "\001", offset=offset@entry=88, bufsize=bufsize@entry=252, encoding=encoding@entry=1, tag=tag@entry=0x7fff10ddc470)
    at ../../source3/rpc_server/mdssvc/marshalling.c:659
#1  0x0000559df58d242a in sl_unpack_loop (query=query@entry=0x559df6f899a0, buf=buf@entry=0x559df6f821c0 "\001", offset=88, offset@entry=8, bufsize=bufsize@entry=252, count=2, count@entry=3, toc_offset=toc_offset@entry=176, encoding=1)
    at ../../source3/rpc_server/mdssvc/marshalling.c:1078
#2  0x0000559df58d254d in sl_unpack_cpx (encoding=1, toc_offset=176, cpx_query_count=3, cpx_query_type=<optimized out>, bufsize=252, offset=8, buf=0x559df6f821c0 "\001", query=0x559df6f66860)
    at ../../source3/rpc_server/mdssvc/marshalling.c:942
#3  sl_unpack_loop (query=<optimized out>, buf=0x559df6f821c0 "\001", offset=<optimized out>, bufsize=252, count=1, toc_offset=176, encoding=1) at ../../source3/rpc_server/mdssvc/marshalling.c:1104
#4  0x0000559df58d35bd in sl_unpack (query=0x559df6f66860, buf=<optimized out>, bufsize=<optimized out>) at ../../source3/rpc_server/mdssvc/marshalling.c:1372
#5  0x0000559df58d16af in mds_dispatch (mds_ctx=mds_ctx@entry=0x559df6efb130, request_blob=request_blob@entry=0x559df6f898f0, response_blob=0x559df6ef59b0) at ../../source3/rpc_server/mdssvc/mdssvc.c:1783
#6  0x0000559df58d1cfb in _mdssvc_cmd (p=p@entry=0x559df6ef5a48, r=r@entry=0x559df6f898d0) at ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:235
#7  0x0000559df58d2307 in mdssvc__op_dispatch_internal (dce_call=0x559df6ef6660, mem_ctx=<optimized out>, r=0x559df6f898d0, dispatch=<optimized out>) at ./librpc/gen_ndr/ndr_mdssvc_scompat.c:166
#8  0x00007f435f77145c in dcesrv_request (call=0x559df6ef6660) at ../../librpc/rpc/dcesrv_core.c:1957
#9  dcesrv_process_ncacn_packet (blob=..., pkt=<optimized out>, dce_conn=0x559df6ee5ba0) at ../../librpc/rpc/dcesrv_core.c:2381
#10 dcesrv_loop_next_packet (dce_conn=0x559df6ee5ba0, pkt=<optimized out>, buffer=...) at ../../librpc/rpc/dcesrv_core.c:2923
#11 0x00007f435f7722a0 in dcesrv_read_fragment_done (subreq=<optimized out>) at ../../librpc/rpc/dcesrv_core.c:2901
#12 0x00007f435f3989ff in dcerpc_read_ncacn_packet_done (subreq=<optimized out>) at ../../librpc/rpc/dcerpc_util.c:630
#13 0x00007f435f299226 in tstream_readv_pdu_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket_helpers.c:320
#14 0x00007f435f29138f in tstream_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket.c:604
#15 0x00007f435f31f0a2 in tevent_common_invoke_immediate_handler (im=0x559df6f89b40, removed=removed@entry=0x0) at ../../tevent_immediate.c:190
#16 0x00007f435f31f0ce in tevent_common_loop_immediate (ev=ev@entry=0x559df6ece160) at ../../tevent_immediate.c:236
#17 0x00007f435f322990 in epoll_event_loop_once (ev=0x559df6ece160, location=<optimized out>) at ../../tevent_epoll.c:918
#18 0x00007f435f31aecb in std_event_loop_once (ev=0x559df6ece160, location=0x7f435fa0b480 "../../source3/rpc_server/rpc_worker.c:1199") at ../../tevent_standard.c:110
#19 0x00007f435f31d368 in _tevent_loop_once (ev=ev@entry=0x559df6ece160, location=location@entry=0x7f435fa0b480 "../../source3/rpc_server/rpc_worker.c:1199") at ../../tevent.c:790
#20 0x00007f435fa07772 in rpc_worker_main (argc=<optimized out>, argv=<optimized out>, daemon_config_name=daemon_config_name@entry=0x559df58d7e44 "rpcd_mdssvc", num_workers=num_workers@entry=5, idle_seconds=idle_seconds@entry=60,
    get_interfaces=get_interfaces@entry=0x559df58c5530 <mdssvc_interfaces>, get_servers=0x559df58c5810 <mdssvc_servers>, private_data=0x0) at ../../source3/rpc_server/rpc_worker.c:1199
#21 0x0000559df58c5430 in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/rpc_server/rpcd_mdssvc.c:52
```

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Florent Saudel (@thalium_team) working with Trend Micro Zero Day Initiative
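The termination failure described in the report, modelled as an added example (this is not Samba's code and does not use Samba's real Spotlight wire format): a constructed 12-byte tag header (type, count, size as little-endian u32 words) is unpacked by a loop with the same control flow as the `sl_unpack_loop()` excerpt above, where `count` only shrinks by `tag.count` and `offset` only grows by `tag.size`. With `hardened == 0` a NULL tag carrying `count == 0` and `size == 0` never makes progress (the example caps the spin at a fixed number of passes so it can return). With `hardened != 0` two forward-progress guards reject such a tag. The guards, and every name here (`toy_unpack_loop`, `demo_unpack`, `SQ_TYPE_INT` as a second tag type), are assumptions of this example, not necessarily the exact checks in the attached patches.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Constructed toy encoding (NOT Samba's marshalling): each tag is a
 * 12-byte header of three little-endian u32 words: type, count (elements
 * in the tag) and size (bytes the tag spans, header included). */
enum { SQ_TYPE_NULL = 0, SQ_TYPE_INT = 1 };
#define TAG_HDR 12u

struct sl_tag { uint32_t type; uint32_t count; uint32_t size; };

static uint32_t get_u32le(const uint8_t *p)
{
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
               (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_u32le(uint8_t *p, uint32_t v)
{
        p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
        p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static int toy_unpack_tag(const uint8_t *buf, size_t offset, size_t bufsize,
                          struct sl_tag *tag)
{
        if (offset > bufsize || bufsize - offset < TAG_HDR) {
                return -1;
        }
        tag->type = get_u32le(buf + offset);
        tag->count = get_u32le(buf + offset + 4);
        tag->size = get_u32le(buf + offset + 8);
        return 0;
}

static unsigned last_iterations;   /* loop passes made by the last call */
unsigned toy_last_iterations(void) { return last_iterations; }

/* Same shape as the reported loop; returns the end offset, -1 on a
 * rejected input, or -2 when max_iter passes ran without progress
 * (standing in for "never returns" in the real service). */
static ssize_t toy_unpack_loop(const uint8_t *buf, size_t bufsize,
                               size_t offset, size_t toc_offset, int count,
                               int hardened, unsigned max_iter)
{
        last_iterations = 0;
        while (count > 0) {
                struct sl_tag tag;

                if (++last_iterations > max_iter) {
                        return -2;
                }
                if (offset >= toc_offset) {
                        return -1;
                }
                if (toy_unpack_tag(buf, offset, bufsize, &tag) == -1) {
                        return -1;
                }
                /* Assumed guard 1: a tag must at least cover its own header
                 * and stay inside the buffer, so offset always advances. */
                if (hardened && (tag.size < TAG_HDR || tag.size > bufsize - offset)) {
                        return -1;
                }
                switch (tag.type) {
                case SQ_TYPE_NULL: {
                        int subcount = (int)tag.count;

                        if (subcount > count) {
                                return -1;
                        }
                        /* Assumed guard 2: an empty NULL run would leave
                         * count unchanged, so it is rejected. */
                        if (hardened && subcount < 1) {
                                return -1;
                        }
                        /* the real code appends subcount nil values here */
                        offset += tag.size;
                        count -= subcount;
                        break;
                }
                case SQ_TYPE_INT:       /* one element per tag in this toy */
                        offset += tag.size;
                        count -= 1;
                        break;
                default:
                        return -1;
                }
        }
        return (ssize_t)offset;
}

/* Build one constructed tag and unpack it with count == 1 and the table
 * of contents immediately after it, the way sl_unpack() would start. */
ssize_t demo_unpack(int hardened, uint32_t type, uint32_t count, uint32_t size)
{
        uint8_t buf[TAG_HDR];

        put_u32le(buf, type);
        put_u32le(buf + 4, count);
        put_u32le(buf + 8, size);
        return toy_unpack_loop(buf, sizeof(buf), 0, sizeof(buf), 1, hardened, 1000);
}
```

`demo_unpack(0, SQ_TYPE_NULL, 0, 0)` exhausts the iteration cap and returns -2, which is the 100% CPU condition in miniature; `demo_unpack(1, SQ_TYPE_NULL, 0, 0)` is rejected on the first pass, while a well-formed tag (`demo_unpack(1, SQ_TYPE_INT, 1, 12)`) still unpacks to offset 12. The general lesson for any length-prefixed decoder is that every loop pass must provably consume input or decrement the remaining count, and the parser should enforce that rather than trust the peer's counts.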
Comment 1 Ralph Böhme 2023-03-23 09:32:09 UTC
Created attachment 17840
Patch for reproducer
Comment 2 Ralph Böhme 2023-05-31 15:02:43 UTC
Created attachment 17902
Possible patch for master
Comment 3 Ralph Böhme 2023-06-05 15:23:56 UTC
Calculating CVE score as 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Comment 4 Ralph Böhme 2023-06-07 17:19:22 UTC
Created attachment 17910
Advisory v1
Comment 5 Jeremy Allison 2023-06-07 21:28:34 UTC
Comment on attachment 17910
Advisory v1

Comment 6 Ralph Böhme 2023-06-14 16:54:45 UTC
Created attachment 17919
Patch for master
Comment 7 Jeremy Allison 2023-06-16 16:19:44 UTC
Comment on attachment 17919
Patch for master

Comment 8 Ralph Böhme 2023-06-23 14:14:44 UTC
Created attachment 17941
Patch for 4.18
Comment 9 Ralph Böhme 2023-06-23 14:15:37 UTC
Created attachment 17942
Patch for 4.17
Comment 10 Ralph Böhme 2023-06-23 16:46:39 UTC
Created attachment 17950
Patch for 4.16
Comment 11 Ralph Böhme 2023-07-07 14:24:43 UTC
Proposed release date for this CVE is the 19th of July.
Comment 12 Jule Anger 2023-07-19 14:23:43 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 13 Samba QA Contact 2023-07-19 14:29:36 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.11):

Comment 14 Samba QA Contact 2023-07-19 14:30:48 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.10):

Comment 15 Samba QA Contact 2023-07-19 14:31:26 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.5):

Comment 16 Samba QA Contact 2023-07-19 14:56:02 UTC
This bug was referenced in samba v4-16-test:

Comment 17 Samba QA Contact 2023-07-19 14:59:46 UTC
This bug was referenced in samba v4-17-test:

Comment 18 Samba QA Contact 2023-07-19 15:07:58 UTC
This bug was referenced in samba v4-18-test:

Comment 19 Samba QA Contact 2023-07-21 13:04:05 UTC
This bug was referenced in samba master:

Comment 20 Jule Anger 2023-07-21 15:00:13 UTC
Pushed to all branches.
Closing out bug report.
Comment 21 Samba QA Contact 2023-07-28 12:14:25 UTC
This bug was referenced in samba v4-19-test:

Comment 22 Samba QA Contact 2023-07-28 12:17:38 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1):