
Heap out-of-bounds write in directory.c

High
rdmark published GHSA-mj6v-cr68-mj9q Jun 29, 2024

Package

netatalk

Affected versions

< 3.2.1

Patched versions

3.2.1

Description

Impact

Netatalk 3.2.0 (the current release when the bug was reported) and earlier versions in the affected range do not validate the length field parsed from a client-supplied FPMapName request before using it as an index: afp_mapname() in directory.c stores a terminating '\0' at ibuf[len], where len comes straight from the request and is never compared with the size of the received data. A large len turns that store into a one-byte heap write past the end of the request buffer. Under specific configurations the stray byte lands on the metadata of the next heap block, which an attacker can build on to execute code in the root context. The request is reachable without credentials when guest access is enabled, hence the workaround below.
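The pattern behind the bug, written out as an added example in C. This is not Netatalk's code: the request layout is a simplified stand-in for FPMapName (one function byte, a two-byte big-endian length, then the name), the names mapname_unchecked, mapname_checked and the demo helpers are this example's own, and the AFPERR_PARAM value is assumed to match Netatalk's headers. The first parser stores the terminator at ibuf[len] with len taken straight from the request, as the directory.c line quoted in the bug report does; the second bounds len by the bytes actually received and terminates a copy it owns instead of the input. The two adjacent heap chunks are modelled as one array so the run stays within defined behaviour while showing the stray NUL landing on the byte where the next chunk's header would start.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define AFP_OK        0
#define AFPERR_PARAM  (-5019)   /* assumed to match netatalk's afp.h */

/* Simplified request (example only, not the exact AFP encoding):
 * byte 0 = map function, bytes 1..2 = big-endian name length, then the name. */
#define MAPNAME_HDR 3

static size_t read_len_field(const char *ibuf)
{
    const unsigned char *u = (const unsigned char *)ibuf;
    return ((size_t)u[1] << 8) | u[2];
}

/* Vulnerable pattern: ibuflen is received but never compared with len,
 * so the terminator can be stored up to 64 KiB past the name. */
static int mapname_unchecked(char *ibuf, size_t ibuflen, const char **name)
{
    unsigned char sfunc = (unsigned char)ibuf[0];
    size_t len = read_len_field(ibuf);
    char *p = ibuf + MAPNAME_HDR;

    (void)ibuflen;                       /* the missing check */
    if (sfunc < 1 || sfunc > 6)
        return AFPERR_PARAM;
    p[len] = '\0';                       /* out-of-bounds write when len is large */
    if (len == 0)
        return AFPERR_PARAM;
    *name = p;
    return AFP_OK;
}

/* Hardened form: the name must lie inside the received bytes, and the
 * terminator goes into a caller-owned buffer, never into the input. */
static int mapname_checked(const char *ibuf, size_t ibuflen, char *out, size_t outsz)
{
    unsigned char sfunc;
    size_t len;

    if (ibuflen < MAPNAME_HDR)
        return AFPERR_PARAM;
    sfunc = (unsigned char)ibuf[0];
    len = read_len_field(ibuf);
    if (sfunc < 1 || sfunc > 6)
        return AFPERR_PARAM;
    if (len == 0 || len > ibuflen - MAPNAME_HDR)   /* name within the request */
        return AFPERR_PARAM;
    if (len >= outsz)                              /* room for our own NUL */
        return AFPERR_PARAM;
    memcpy(out, ibuf + MAPNAME_HDR, len);
    out[len] = '\0';
    return AFP_OK;
}

/* Model of two adjacent chunks: a 16-byte request buffer followed by the
 * bytes a neighbouring chunk header would occupy, filled with a canary. */
#define REQ_SIZE   16
#define MODEL_SIZE 24
#define CANARY     0x41

/* Constructed request: function 2, the given length field, name_bytes of 'a'. */
static void build_request(unsigned char *block, uint16_t len_field, size_t name_bytes)
{
    memset(block, CANARY, MODEL_SIZE);
    block[0] = 2;
    block[1] = (unsigned char)(len_field >> 8);
    block[2] = (unsigned char)(len_field & 0xff);
    memset(block + MAPNAME_HDR, 'a', name_bytes);
}

/* A 13-byte name exactly fills the buffer; returns the byte just past it
 * after parsing: 0 means the terminator hit the "next chunk". */
static int demo_unchecked_clobbers_neighbour(void)
{
    unsigned char block[MODEL_SIZE];
    const char *name;
    build_request(block, 13, 13);
    if (mapname_unchecked((char *)block, REQ_SIZE, &name) != AFP_OK)
        return -1;
    return block[REQ_SIZE];
}

static int demo_checked_same_request(void)
{
    unsigned char block[MODEL_SIZE];
    char out[32];
    build_request(block, 13, 13);
    return mapname_checked((const char *)block, REQ_SIZE, out, sizeof out);
}

static int demo_checked_preserves_neighbour(void)
{
    unsigned char block[MODEL_SIZE];
    char out[32];
    build_request(block, 13, 13);
    (void)mapname_checked((const char *)block, REQ_SIZE, out, sizeof out);
    return block[REQ_SIZE];
}

/* The length the crash dump on this page shows (0xffff) is refused outright. */
static int demo_checked_rejects_huge_len(void)
{
    unsigned char block[MODEL_SIZE];
    char out[32];
    build_request(block, 0xffff, 13);
    return mapname_checked((const char *)block, REQ_SIZE, out, sizeof out);
}

int main(void)
{
    printf("unchecked: byte after buffer = 0x%02x (was 0x41)\n", demo_unchecked_clobbers_neighbour());
    printf("checked: rc=%d, byte after buffer = 0x%02x\n",
           demo_checked_same_request(), demo_checked_preserves_neighbour());
    printf("checked with len 0xffff: rc=%d\n", demo_checked_rejects_huge_len());
    return 0;
}
```

Compile with cc -Wall and run. The register dump further down the page is the same store with the length field set to 0xffff: rdi (the store target) is ibuf + 0xffff and r15d, tested for zero right after the write, holds len. Note that the unchecked parser overwrites the neighbouring byte even for a request whose name legitimately fills the buffer, because the terminator itself needs a byte the client never sent; copying into a buffer the server owns removes that trap as well as the large-length case.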

Patches

Users should upgrade their systems to Netatalk 3.2.1 as soon as possible.

Workarounds

Disable the uams_guest.so authentication module: remove uams_guest.so from the "uam list" entry in the [Global] section of afp.conf (the proof-of-concept configuration below has uam list = uams_guest.so,uams_clrtxt.so,uams_dhx2.so; drop the first module) and restart the netatalk service. This only closes the unauthenticated path; the vulnerable handler is still reachable by any account that can log in, so treat it as a stopgap until 3.2.1 is deployed.

References

https://netatalk.io/support

Original bug report

The body of the issue ticket filed by @flysoar follows below.

Describe the bug
The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in an out-of-bounds write to the metadata of the next heap block, allowing an attacker to execute code in the root context.

The vulnerability is located in the FPMapName operation of Netatalk, in the afp_mapname function found in /etc/afp/directory.c.
directory.c
ibuf[ len ] = '\0';

To Reproduce
Compile the Netatalk with ASAN enabled.
The afp.conf file content is the following.

[ Global ]
uam list = uams_guest.so,uams_clrtxt.so,uams_dhx2.so
save password = no
unix charset = UTF8
use sendfile = yes
zeroconf = no
guest account = nobody
server quantum = 33000

[ Public ]
path = /tmp/afp_tmp/Public
ea = auto
convert appledouble = no
stat vol = no
file perm = 777
directory perm = 777
veto files = '/Network Trash Folder/.!@#$recycle/.systemfile/lost+found/Nas_Prog/.!@$mmc/'
rwlist = "admin","nobody","@allaccount"
valid users = "admin","nobody","@allaccount"
invalid users =

[ test ]
path = /tmp/afp_tmp/test
ea = auto
convert appledouble = no
stat vol = no
file perm = 777
directory perm = 777
veto files = '/Network Trash Folder/.!@#$recycle/.systemfile/lost+found/Nas_Prog/.!@$mmc/'
rwlist = "admin","nobody","@allaccount"
valid users = "admin","nobody","@allaccount"
invalid users =

Expected behavior
Crash.

Environment

  • Server OS: Ubuntu2204
  • Client OS [e.g. macOS Sonoma]
  • Netatalk Version 3.2.0

Logs
Attach syslogs from the malfunctioning process, maxdebug log level

Additional context

──────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x2               
$rcx   : 0x1               
$rdx   : 0x3               
$rsp   : 0x00007fffffffe200  →  0x0000631000010f10  →  0x0000000600000003  →  0x0000000000000000
$rbp   : 0x000062d000000400  →  0x312e3350ffff0216
$rsi   : 0x1               
$rdi   : 0x000062d000010403  →  0x0000000000000000
$rip   : 0x000055555559b796  →  <afp_mapname+929> mov BYTE PTR [rdi], 0x0
$r8    : 0x0000631000010ef0  →  0x0000000000000000
$r9    : 0x0               
$r10   : 0x0               
$r11   : 0x246             
$r12   : 0x0000631000010ef0  →  0x0000000000000000
$r13   : 0x000062d000000404  →  0x206f4e0f312e3350
$r14   : 0x0000631000000ef0  →  0x0000000000000000
$r15   : 0xffff            
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────── stack ────
0x00007fffffffe200│+0x0000: 0x0000631000010f10  →  0x0000000600000003  →  0x0000000000000000    ← $rsp
0x00007fffffffe208│+0x0008: 0x0000000000000003
0x00007fffffffe210│+0x0010: 0x0000000000000016
0x00007fffffffe218│+0x0018: 0x0000631000000ee6  →  0x62d0000004000003
0x00007fffffffe220│+0x0020: 0x0000631000010f10  →  0x0000000600000003  →  0x0000000000000000
0x00007fffffffe228│+0x0028: 0x0000631000010ef0  →  0x0000000000000000
0x00007fffffffe230│+0x0030: 0x00005555555fdcb8  →  0x0000000000000000
0x00007fffffffe238│+0x0038: 0x0000555555576696  →  <afp_over_dsi+4191> mov r14d, eax
────────────────────────────────────────────── code:x86:64 ────
   0x55555559b790 <afp_mapname+923> jg     0x55555559b796 <afp_mapname+929>
   0x55555559b792 <afp_mapname+925> test   al, al
   0x55555559b794 <afp_mapname+927> jne    0x55555559b7d8 <afp_mapname+995>
 → 0x55555559b796 <afp_mapname+929> mov    BYTE PTR [rdi], 0x0
   0x55555559b799 <afp_mapname+932> test   r15d, r15d
   0x55555559b79c <afp_mapname+935> je     0x55555559bc7d <afp_mapname+2184>
   0x55555559b7a2 <afp_mapname+941> cmp    bl, 0x6
   0x55555559b7a5 <afp_mapname+944> ja     0x55555559bc84 <afp_mapname+2191>
   0x55555559b7ab <afp_mapname+950> movzx  ebx, bl
────────────────────────────────── source:directory.c+2333 ────
   2328          break;
   2329      default :
   2330          return( AFPERR_PARAM );
   2331      }
   2332  
 → 2333      ibuf[ len ] = '\0';
   2334  
   2335      if ( len == 0 )
   2336          return AFPERR_PARAM;
   2337      else {
   2338          switch ( sfunc ) {
────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "afpd", stopped 0x55555559b796 in afp_mapname (), reason: SIGSEGV
──────────────────────────────────────────────────── trace ────
[#0] 0x55555559b796 → afp_mapname(obj=<optimized out>, ibuf=0x62d000000404 "P3.1\017No User Authent", '\276' <repeats 4072 times>, ibuflen=<optimized out>, rbuf=0x631000000ef0 "", rbuflen=0x631000010ef0)
[#1] 0x555555576696 → afp_over_dsi(obj=0x5555556154c0 <obj>)
[#2] 0x5555555c0468 → dsi_start(server_children=<optimized out>, dsi=0x631000000800, obj=0x5555556154c0 <obj>)
[#3] 0x5555555c0468 → main(ac=<optimized out>, av=<optimized out>)

pocm.zip

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-38441

Weaknesses

No CWEs

Credits