Bug 15341 (CVE-2023-34967) - [SECURITY] CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability
Summary: [SECURITY] CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion ...
Status: RESOLVED FIXED
Alias: CVE-2023-34967
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 4.17.4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 15396
  Show dependency treegraph
 
Reported: 2023-03-23 09:40 UTC by Ralph Böhme
Modified: 2023-07-28 12:17 UTC (History)
4 users (show)

See Also:


Attachments
PoC Description (2.71 KB, text/plain)
2023-03-23 09:40 UTC, Ralph Böhme
no flags Details
Possible patch for master (7.95 KB, patch)
2023-05-31 15:03 UTC, Ralph Böhme
no flags Details
Advisory v1 (2.08 KB, text/plain)
2023-06-07 17:20 UTC, Ralph Böhme
jra: review-
Details
Advisory v2 (2.27 KB, text/plain)
2023-06-14 15:13 UTC, Ralph Böhme
jra: review+
Details
Patch for master (8.55 KB, patch)
2023-06-14 16:55 UTC, Ralph Böhme
metze: review+
jra: review+
slow: ci-passed+
Details
Patch for 4.18 (8.55 KB, patch)
2023-06-23 14:18 UTC, Ralph Böhme
metze: review+
slow: review? (jra)
slow: ci-passed+
Details
Patch for 4.17 (8.55 KB, patch)
2023-06-23 14:18 UTC, Ralph Böhme
metze: review+
slow: review? (jra)
slow: ci-passed+
Details
Patch for 4.16 (8.55 KB, patch)
2023-06-23 16:47 UTC, Ralph Böhme
metze: review+
slow: review? (jra)
slow: ci-passed+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Böhme 2023-03-23 09:40:26 UTC
Created attachment 17841 [details]
PoC Description

ZDI-CAN-20228

-- CVSS -----------------------------------------

6.5: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Samba - Samba

-- VULNERABILITY DETAILS ------------------------
* Version tested:4.16.8
* Installer file:-
* Platform tested:ubuntu 22.10 desktop edition

---

### Analysis

```
a type confusion bug exists in mdssvc, which runs as rpc service in samba
an authenticated attacker can trigger the type confusion by issuing the malformed RPC request argument for the Spotlight RPC command, `openQueryWithParams:forContext:`
the `sl_rpc_open_query` function in Samba implements the stub for the `openQueryWithParams:forContext:` Spotlight RPC.
the crash is under the process rpcd_mdssvc, which runs as root
```

here is the process command line
`/usr/libexec/samba/rpcd_mdssvc --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=0 --debuglevel=0`

here is the smb.conf on the victim machine
```
[sambashare]
    comment = Samba on KUDU
    path = /home/user/sambashare
    read only = no
    browsable = yes
    guest ok = yes
    spotlight = yes
```

```
However, the default spotlight configuration set as `no`.
It seems some NAS vendor configured the spotlight as `yes`
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
```

here is the dump of the malformed argument from the POC's RPC request
```
DALLOC_CTX(#1): {
        sl_array_t(#2): {
                sl_array_t(#3): {
                        string: openQueryWithParams:forContext:
                        uint64_t: 0xdeadbeef
                        uint64_t: 0xcafebabe
                }
                sl_dict_t(#4): {
                        string: kMDQueryString
                        string: *
                        string: kMDScopeArray  # key
                        string: AAAABBBB       # value for path_scope
                }
        }
}
```

~~~C++
static bool slrpc_open_query(struct mds_ctx *mds_ctx,
                             const DALLOC_CTX *query, DALLOC_CTX *reply)                // (1) all the RPC request argument is unpacked and stored in the `query` with the `DALLOC_CTX` structure
                                                                                                                                                                //     each entry in the `DALLOC_CTX` is allocated with a label equals to its dynamic type to preserve the type information
{
...
        sl_array_t *array, *path_scope;
...

        path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,                               // (2) However, the unpacking process of the `sl_dict_t` type is different, because it discards the genuine type of the value.
                                                                                                                                                                //     Instead, the label is used to store the name of the key.
                                                                                                                                                                //     the dalloc_value_for_key() function is used to fetch value by key and it can't do type checking since the label didn't store the type information
                                                                                                                                                                //     so, all the dalloc_value_for_key() function in slrpc_open_query() are vulnerable, and their return value can be any type
                                                                                                                                                                //     POC takes this one and it return a char string "AAAABBBB"
                                          "DALLOC_CTX", 1, "kMDScopeArray");
        if (path_scope == NULL) {
                goto error;
        }

        scope = dalloc_get(path_scope, "char *", 0);                                                    // (3) however, the `path_scope` is `sl_arrray_t*`, but not `char*`
...
}

void *dalloc_get(const DALLOC_CTX *d, ...)
{
...
        elem = va_arg(args, int);
        if (elem >= talloc_array_length(d->dd_talloc_array)) {                                  // (4)
                result = -1;
                goto done;
        }

        p = talloc_check_name(d->dd_talloc_array[elem], type);
        if (p == NULL) {
                result = -1;
                goto done;
        }

done:
        va_end(args);
        if (result != 0) {
                p = NULL;
        }
        return p;
}


#define talloc_array_length(ctx) (talloc_get_size(ctx)/sizeof(*ctx))

_PUBLIC_ size_t talloc_get_size(const void *context)
{
        struct talloc_chunk *tc;

        if (context == NULL) {
                return 0;
        }

        tc = talloc_chunk_from_ptr(context);                                                                    // (5) CRASH due to derefereceing 0x4242424241414141 address

        return tc->size;
}

~~~

gdb output
```
Core was generated by `/usr/libexec/samba/rpcd_mdssvc --configfile=/etc/samba/smb.conf --worker-group='.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
Download failed: Invalid argument.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
44      ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007fdbca43bc46 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007fdbca4227fc in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007fdbca97dc24 in dump_core () at ../../source3/lib/dumpcore.c:338
#6  0x00007fdbca98a3d0 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:704
#7  0x00007fdbcad86fae in smb_panic (why=why@entry=0x7fff0a50a210 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:197
#8  0x00007fdbcad87035 in fault_report (sig=11) at ../../lib/util/fault.c:81
#9  sig_fault (sig=11) at ../../lib/util/fault.c:92
#10 <signal handler called>
#11 talloc_chunk_from_ptr (ptr=0x4242424241414141) at ../../talloc.c:527
#12 talloc_get_size (context=0x4242424241414141) at ../../talloc.c:2827
#13 talloc_get_size (context=0x4242424241414141) at ../../talloc.c:2819
#14 0x00005557410b06ee in dalloc_get (d=0x555742387e20) at ../../source3/rpc_server/mdssvc/dalloc.c:138
#15 0x00005557410b3e83 in slrpc_open_query (mds_ctx=0x555742388130, query=0x5557423f3860, reply=0x5557423835f0) at ../../source3/rpc_server/mdssvc/mdssvc.c:933
#16 0x00005557410b5814 in mds_dispatch (mds_ctx=mds_ctx@entry=0x555742388130, request_blob=request_blob@entry=0x555742385c10, response_blob=0x5557423829b0) at ../../source3/rpc_server/mdssvc/mdssvc.c:1818
#17 0x00005557410b5cfb in _mdssvc_cmd (p=p@entry=0x555742382a48, r=r@entry=0x555742385bf0) at ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:235
#18 0x00005557410b6307 in mdssvc__op_dispatch_internal (dce_call=0x555742385a00, mem_ctx=<optimized out>, r=0x555742385bf0, dispatch=<optimized out>) at ./librpc/gen_ndr/ndr_mdssvc_scompat.c:166
#19 0x00007fdbcab7c45c in dcesrv_request (call=0x555742385a00) at ../../librpc/rpc/dcesrv_core.c:1957
#20 dcesrv_process_ncacn_packet (blob=..., pkt=<optimized out>, dce_conn=0x555742372ba0) at ../../librpc/rpc/dcesrv_core.c:2381
#21 dcesrv_loop_next_packet (dce_conn=0x555742372ba0, pkt=<optimized out>, buffer=...) at ../../librpc/rpc/dcesrv_core.c:2923
#22 0x00007fdbcab7d2a0 in dcesrv_read_fragment_done (subreq=<optimized out>) at ../../librpc/rpc/dcesrv_core.c:2901
#23 0x00007fdbca7a39ff in dcerpc_read_ncacn_packet_done (subreq=<optimized out>) at ../../librpc/rpc/dcerpc_util.c:630
#24 0x00007fdbca6a4226 in tstream_readv_pdu_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket_helpers.c:320
#25 0x00007fdbca69c38f in tstream_readv_done (subreq=<optimized out>) at ../../lib/tsocket/tsocket.c:604
#26 0x00007fdbca72a0a2 in tevent_common_invoke_immediate_handler (im=0x555742416b40, removed=removed@entry=0x0) at ../../tevent_immediate.c:190
#27 0x00007fdbca72a0ce in tevent_common_loop_immediate (ev=ev@entry=0x55574235b160) at ../../tevent_immediate.c:236
#28 0x00007fdbca72d990 in epoll_event_loop_once (ev=0x55574235b160, location=<optimized out>) at ../../tevent_epoll.c:918
#29 0x00007fdbca725ecb in std_event_loop_once (ev=0x55574235b160, location=0x7fdbcae16480 "../../source3/rpc_server/rpc_worker.c:1199") at ../../tevent_standard.c:110
#30 0x00007fdbca728368 in _tevent_loop_once (ev=ev@entry=0x55574235b160, location=location@entry=0x7fdbcae16480 "../../source3/rpc_server/rpc_worker.c:1199") at ../../tevent.c:790
#31 0x00007fdbcae12772 in rpc_worker_main (argc=<optimized out>, argv=<optimized out>, daemon_config_name=daemon_config_name@entry=0x5557410bbe44 "rpcd_mdssvc", num_workers=num_workers@entry=5, idle_seconds=idle_seconds@entry=60,
    get_interfaces=get_interfaces@entry=0x5557410a9530 <mdssvc_interfaces>, get_servers=0x5557410a9810 <mdssvc_servers>, private_data=0x0) at ../../source3/rpc_server/rpc_worker.c:1199
#32 0x00005557410a9430 in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/rpc_server/rpcd_mdssvc.c:52
(gdb) f 11
#11 talloc_chunk_from_ptr (ptr=0x4242424241414141) at ../../talloc.c:527
(gdb) i r
rax            0x7fff0a50a890      140733366446224
rbx            0x0                 0
rcx            0x44                68
rdx            0x0                 0
rsi            0x5557410bbe50      93833241804368
rdi            0x4242424241414141  4774451407296217409
rbp            0x555742387e20      0x555742387e20
rsp            0x7fff0a50a858      0x7fff0a50a858
r8             0x1                 1
r9             0x5557410bc7ae      93833241806766
r10            0x555742415b62      93833262095202
r11            0x2                 2
r12            0x5557410bbe50      93833241804368
r13            0x5557410bc289      93833241805449
r14            0x5557410bbe50      93833241804368
r15            0x5557410bc1b0      93833241805232
rip            0x7fdbca73d619      0x7fdbca73d619 <talloc_get_size+9>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) x/10i $pc-0x10
   0x7fdbca73d609:      (bad)
   0x7fdbca73d60a:      test   BYTE PTR [rax],al
   0x7fdbca73d60c:      add    BYTE PTR [rax],al
   0x7fdbca73d60e:      add    BYTE PTR [rax],al
   0x7fdbca73d610 <talloc_get_size>:    endbr64
   0x7fdbca73d614 <talloc_get_size+4>:  test   rdi,rdi
   0x7fdbca73d617 <talloc_get_size+7>:  je     0x7fdbca73d630 <talloc_get_size+32>
=> 0x7fdbca73d619 <talloc_get_size+9>:  mov    eax,DWORD PTR [rdi-0x60]
   0x7fdbca73d61c <talloc_get_size+12>: and    eax,0xfffffff1
   0x7fdbca73d61f <talloc_get_size+15>: cmp    eax,DWORD PTR [rip+0x39e3]        # 0x7fdbca741008 <talloc_magic>
(gdb)
```



-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Florent Saudel, Arnaud Gatignol (@thalium_team) working with Trend Micro Zero Day Initiative
Comment 1 Ralph Böhme 2023-03-23 09:41:06 UTC
Created attachment 17842 [details]
Patch for PoC Part 1
Comment 2 Ralph Böhme 2023-03-23 09:41:27 UTC
Created attachment 17843 [details]
Patch for PoC Part 2
Comment 3 Ralph Böhme 2023-05-31 15:03:00 UTC
Created attachment 17903 [details]
Possible patch for master
Comment 4 Ralph Böhme 2023-06-05 15:10:24 UTC
Reasessed CVE score as 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.
Comment 5 Ralph Böhme 2023-06-05 15:28:03 UTC
(In reply to Ralph Böhme from comment #4)
With PR:N instead of L (which is probably correct as anonymous access works, cf mdsearch -U% ...):

5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Comment 6 Ralph Böhme 2023-06-07 17:20:16 UTC
Created attachment 17911 [details]
Advisory v1
Comment 7 Jeremy Allison 2023-06-07 21:30:38 UTC
Comment on attachment 17911 [details]
Advisory v1

Quick request - can you explain why this is more than a self-DOS. It's hinted at by the "shared RPC mdssvc daemon process" but I think you could make it more explicit in the "Description" section.

Thanks !

Jeremy.
Comment 8 Ralph Böhme 2023-06-14 15:13:43 UTC
Created attachment 17917 [details]
Advisory v2

Updated advisory with changes as requested.
Comment 9 Jeremy Allison 2023-06-14 15:30:03 UTC
Comment on attachment 17917 [details]
Advisory v2

LGTM. Thanks !
Comment 10 Ralph Böhme 2023-06-14 16:55:40 UTC
Created attachment 17920 [details]
Patch for master
Comment 11 Jeremy Allison 2023-06-16 16:24:03 UTC
Comment on attachment 17920 [details]
Patch for master

Patch doesn't apply to current master. Needs a rebase I think, sorry.
Comment 12 Ralph Böhme 2023-06-16 16:41:39 UTC
(In reply to Jeremy Allison from comment #11)
Sorry, should have mentioned it as to be applied in order *after* 15340. Does it work that way?
Comment 13 Jeremy Allison 2023-06-16 17:05:58 UTC
Ah, I'll try that. I stripped out the earlier patch as I'm paranoid about pushing accidently :-).
Comment 14 Ralph Böhme 2023-06-21 09:30:36 UTC
(In reply to Jeremy Allison from comment #13)
ping :) Just checked, cherry-picking the patches in this order from my security branch to master works just fine, so an in order git am should work just fine.

Thanks!
Comment 15 Jeremy Allison 2023-06-21 22:57:34 UTC
Comment on attachment 17920 [details]
Patch for master

Sorry, my mistake. Now applied on top of #15340 and all works. LGTM.
Comment 16 Ralph Böhme 2023-06-23 14:18:06 UTC
Created attachment 17943 [details]
Patch for 4.18
Comment 17 Ralph Böhme 2023-06-23 14:18:53 UTC
Created attachment 17944 [details]
Patch for 4.17
Comment 18 Ralph Böhme 2023-06-23 16:47:20 UTC
Created attachment 17951 [details]
Patch for 4.16
Comment 19 Stefan Metzmacher 2023-06-25 17:18:51 UTC
The patches look good, but I guess the comment on the dalloc_value_for_key
prototype should be modified as well.

In addition I'm wondering if we should have the type specified before
the keyname.

Both is just cosmetic that can be changed in master later if desired.
Comment 20 Ralph Böhme 2023-07-07 14:25:16 UTC
Proposed release date for this CVE is the 19th of July.
Comment 21 Jule Anger 2023-07-19 14:24:40 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 22 Samba QA Contact 2023-07-19 14:28:56 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.11):

92d014bc44b32478aa597f38bf11687f1fc95ff1
5b4353cc60b75610f0aa12b1cced36d35a4d04d4
Comment 23 Samba QA Contact 2023-07-19 14:31:18 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.5):

4cb781242274f95e9a56e7e80599d6beaf8ca36a
f4aa21471254ff47a87ed1f3ea9cbc82d64d549b
Comment 24 Samba QA Contact 2023-07-19 14:32:08 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.10):

7812c56d4cb44a59a49c68d05a9c38c1d2ebeb19
049c13245649fab412b61a5b55e5a7dea72d7c72
Comment 25 Samba QA Contact 2023-07-19 14:56:19 UTC
This bug was referenced in samba v4-16-test:

92d014bc44b32478aa597f38bf11687f1fc95ff1
5b4353cc60b75610f0aa12b1cced36d35a4d04d4
Comment 26 Samba QA Contact 2023-07-19 14:59:54 UTC
This bug was referenced in samba v4-17-test:

7812c56d4cb44a59a49c68d05a9c38c1d2ebeb19
049c13245649fab412b61a5b55e5a7dea72d7c72
Comment 27 Samba QA Contact 2023-07-19 15:07:34 UTC
This bug was referenced in samba v4-18-test:

4cb781242274f95e9a56e7e80599d6beaf8ca36a
f4aa21471254ff47a87ed1f3ea9cbc82d64d549b
Comment 28 Samba QA Contact 2023-07-21 13:04:29 UTC
This bug was referenced in samba master:

3b3c30e2acfb00d04c4013e32343bc277d5b1aa8
4c60e35add4a1abd04334012a8d6edf1c3f396ba
Comment 29 Jule Anger 2023-07-21 15:00:30 UTC
Pushed to all branches.
Closing out bug report.
Thanks!
Comment 30 Samba QA Contact 2023-07-28 12:14:34 UTC
This bug was referenced in samba v4-19-test:

3b3c30e2acfb00d04c4013e32343bc277d5b1aa8
4c60e35add4a1abd04334012a8d6edf1c3f396ba
Comment 31 Samba QA Contact 2023-07-28 12:17:00 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1):

3b3c30e2acfb00d04c4013e32343bc277d5b1aa8
4c60e35add4a1abd04334012a8d6edf1c3f396ba