
Heap out-of-bounds write in uams_dhx_pam.c

High
rdmark published GHSA-mxx4-9fhm-r3w5 Jun 29, 2024

Package

netatalk

Affected versions

< 3.2.1

Patched versions

3.2.1

Description

Impact

Netatalk 3.2.0 and earlier contain a heap out-of-bounds write in the DHX PAM user authentication module (uams_dhx_pam.c). While handling an FPLoginExt request, the module takes a length field from client-supplied data and, without validating it against the size of the buffer that was actually received, writes a single NUL byte (\0) at the resulting offset. That byte can land outside the heap allocation holding the request and overwrite part of the adjacent heap block's metadata; depending on the heap layout, or immediately when afpd is built with ASAN, this crashes the server and results in a Denial of Service. FPLoginExt is the login request itself, so the faulty code is reached before any credentials have been checked.
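
The defect class described above, a client-controlled length used to place a NUL terminator without reference to how many bytes were actually received, is shown in the following C program. This is an added illustration, not netatalk's code: the packet layout (a one-byte tag, a 16-bit big-endian length, then the name bytes), the LOGIN_TAG and NAME_MAX constants and all function names are assumptions made for the example. The vulnerable parser is placed next to a checked one that bounds the length by the received size and writes the terminator into a caller-owned buffer rather than into the request buffer.

```c
/* Added example, not netatalk code. A constructed FPLoginExt-style user-name
 * field (tag byte, big-endian 16-bit length, name bytes; layout, LOGIN_TAG and
 * NAME_MAX are assumptions) parsed two ways: parse_name_vulnerable() trusts the
 * client-supplied length and writes a NUL at that offset, the bug class in the
 * advisory; parse_name_checked() bounds it by the bytes actually received. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGIN_TAG 3     /* assumed: type tag that precedes the name field */
#define NAME_MAX  64    /* assumed: longest user name the server accepts */

/* Vulnerable: ibuflen is never consulted, so a client claiming len = N while
 * sending fewer bytes makes the server write '\0' at ibuf[3 + N]. */
static int parse_name_vulnerable(char *ibuf, size_t ibuflen, const char **name_out)
{
    unsigned char *p = (unsigned char *)ibuf;
    size_t len;
    (void)ibuflen;                       /* the missing check */
    if (p[0] != LOGIN_TAG)
        return -1;
    len = ((size_t)p[1] << 8) | p[2];    /* big-endian length after the tag */
    ibuf[3 + len] = '\0';                /* out of bounds whenever 3 + len >= ibuflen */
    *name_out = ibuf + 3;
    return (int)len;
}

/* Hardened: offsets are checked against ibuflen before use and the terminator
 * goes into out[], so the receive buffer is never written. -1 if malformed. */
static int parse_name_checked(const char *ibuf, size_t ibuflen, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)ibuf;
    size_t len;
    if (ibuflen < 3 || p[0] != LOGIN_TAG)
        return -1;
    len = ((size_t)p[1] << 8) | p[2];
    if (len == 0 || len > ibuflen - 3)   /* name must fit in what was received */
        return -1;
    if (len >= outlen)                   /* and leave room for the NUL in out[] */
        return -1;
    memcpy(out, ibuf + 3, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed input: a 64-byte backing array holds a 16-byte "packet" whose
 * length field claims 37 name bytes; a canary at offset 40 (= 3 + 37) shows
 * where the stray NUL lands. */
#define BACKING_LEN 64
#define PACKET_LEN  16
#define CANARY_OFF  40
#define CANARY_VAL  0xAA

static void build_bad_packet(unsigned char *backing)
{
    memset(backing, CANARY_VAL, BACKING_LEN);
    backing[0] = LOGIN_TAG;
    backing[1] = 0x00;                   /* len = 0x0025 = 37, only 13 bytes follow */
    backing[2] = 0x25;
    memset(backing + 3, 'A', PACKET_LEN - 3);
}

/* 1 when the vulnerable parser accepted the field and zeroed the canary. */
static int demo_vulnerable_clobbers_canary(void)
{
    unsigned char backing[BACKING_LEN];
    const char *name;
    build_bad_packet(backing);
    int n = parse_name_vulnerable((char *)backing, PACKET_LEN, &name);
    return n == 37 && backing[CANARY_OFF] == 0x00;
}

/* 1 when the checked parser rejected the field and left the canary intact. */
static int demo_checked_rejects(void)
{
    unsigned char backing[BACKING_LEN];
    char out[NAME_MAX + 1];
    build_bad_packet(backing);
    int n = parse_name_checked((const char *)backing, PACKET_LEN, out, sizeof out);
    return n == -1 && backing[CANARY_OFF] == CANARY_VAL;
}

/* 1 when a well-formed field (len = 5, "alice") parses correctly. */
static int demo_checked_accepts_valid(void)
{
    unsigned char pkt[] = { LOGIN_TAG, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e' };
    char out[NAME_MAX + 1];
    int n = parse_name_checked((const char *)pkt, sizeof pkt, out, sizeof out);
    return n == 5 && strcmp(out, "alice") == 0;
}

int main(void)
{
    printf("vulnerable parser zeroed the canary: %d\n", demo_vulnerable_clobbers_canary());
    printf("checked parser rejected the field:   %d\n", demo_checked_rejects());
    printf("checked parser accepted 'alice':     %d\n", demo_checked_accepts_valid());
    return 0;
}
```

Each demo_* function returns 1, and main() prints the three results. The canary lives inside the same backing array, so the stray write of the vulnerable parser stays within that array and the program does not corrupt its own heap; against a real allocation the same write is what ASAN aborts on in the report's gdb session. Note that the check is only as good as ibuflen: the backtrace in the bug report shows afp_login_ext entered with ibuflen=0xffffffffffff0015, so the total request length must itself be validated where the frame is read off the socket, before any field-level check can help.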

Patches

Users should upgrade their systems to Netatalk 3.2.1 as soon as possible.

Workarounds

Disable the uams_dhx.so authentication module by removing it from the uam list option in the [Global] section of afp.conf (on PAM builds uams_dhx.so is the DHX module built from uams_dhx_pam.c), then restart afpd.
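
The setting in question, shown here as an added illustration rather than text from the advisory; the other UAM names in the list are assumed for the example, and the list should keep whichever modules your clients actually use:

```ini
[Global]
; vulnerable: uams_dhx.so is offered, so the uams_dhx_pam.c login path is reachable
; uam list = uams_guest.so,uams_dhx.so,uams_dhx2.so

; workaround: DHX removed; clients authenticate with one of the remaining UAMs
uam list = uams_guest.so,uams_dhx2.so
```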

References

https://netatalk.io/support

Original bug report

The body of the issue ticket filed by @flysoar follows below.

Describe the bug
The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled.

The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c.
uams_dhx_pam.c
if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) {

To Reproduce
Compile Netatalk with ASAN enabled.
The afp.conf file content is the following.

[ Global ]
uam list = uams_guest.so,uams_dhx2.so,uams_pam.so
save password = no
set password = yes
unix charset = UTF8
use sendfile = yes
zeroconf = no
guest account = nobody
server quantum = 33000

[ Public ]
path = /tmp/afp_tmp/Public
ea = auto
convert appledouble = no
stat vol = no
file perm = 777
directory perm = 777
veto files = '/Network Trash Folder/.!@#$recycle/.systemfile/lost+found/Nas_Prog/.!@$mmc/'
rwlist = "admin","nobody","@allaccount"
valid users = "admin","nobody","@allaccount"
invalid users =

[ test ]
path = /tmp/afp_tmp/test
ea = auto
convert appledouble = no
stat vol = no
file perm = 777
directory perm = 777
veto files = '/Network Trash Folder/.!@#$recycle/.systemfile/lost+found/Nas_Prog/.!@$mmc/'
rwlist = "admin","nobody","@allaccount"
valid users = "admin","nobody","@allaccount"
invalid users =


Environment

  • Server OS: Ubuntu2204
  • Netatalk 3.2.0


Additional context

──────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x3               
$rcx   : 0x000055555561cd80  →  "localhost.lan"
$rdx   : 0x00000ffffe86100f  →  0x0000000000000000
$rsp   : 0x00007fffffffe0d0  →  0x0000000000460002
$rbp   : 0x00007fffffffe1c0  →  0x0000000000000000
$rsi   : 0xe               
$rdi   : 0x000055555561cd80  →  "localhost.lan"
$rip   : 0x00007ffff4304e58  →   mov BYTE PTR [r14+0x8], 0x0
$r8    : 0x1               
$r9    : 0x0               
$r10   : 0x0               
$r11   : 0x0               
$r12   : 0x00005555556156c8  →  0x0000000000414141 ("AAA"?)
$r13   : 0x00005555556154c0  →  0x0000603000000040  →  "/netatalk/fploginext/afp.conf"
$r14   : 0x000062d000010424  →  0x0000000000000000
$r15   : 0xff              
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────── stack ────
0x00007fffffffe0d0│+0x0000: 0x0000000000460002   ← $rsp
0x00007fffffffe0d8│+0x0008: 0x0000000000000003
0x00007fffffffe0e0│+0x0010: 0x000062d00000041c  →  0xff03414141030003
0x00007fffffffe0e8│+0x0018: 0x00007fffffffe1c0  →  0x0000000000000000
0x00007fffffffe0f0│+0x0020: 0x000062d000010424  →  0x0000000000000000
0x00007fffffffe0f8│+0x0028: 0x00005555556154c0  →  0x0000603000000040  →  "/netatalk/fploginext/afp.conf"
0x00007fffffffe100│+0x0030: 0x00007fffffffe200  →  0x00005555555fd5c4  →  0x0000000000000004
0x00007fffffffe108│+0x0038: 0x00007ffff430522c  →   mov rdx, QWORD PTR [rsp+0x18]
────────────────────────────────────────────── code:x86:64 ────
   0x7ffff4304e4b                  call   0x7ffff4304240 <uam_afpserver_option@plt>
   0x7ffff4304e50                  test   eax, eax
   0x7ffff4304e52                  js     0x7ffff4304f48
 → 0x7ffff4304e58                  mov    BYTE PTR [r14+0x8], 0x0
   0x7ffff4304e5d                  mov    edx, r15d
   0x7ffff4304e60                  mov    rsi, r12
   0x7ffff4304e63                  mov    rdi, r13
   0x7ffff4304e66                  call   0x7ffff4304310 <uam_getname@plt>
   0x7ffff4304e6b                  mov    rbx, rax
────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV
──────────────────────────────────────────────────── trace ────
[#0] 0x7ffff4304e58 → mov BYTE PTR [r14+0x8], 0x0
[#1] 0x7ffff430522c → mov rdx, QWORD PTR [rsp+0x18]
[#2] 0x55555557f2f7 → afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>)
[#3] 0x555555576696 → afp_over_dsi(obj=0x5555556154c0 <obj>)
[#4] 0x5555555c0468 → dsi_start(server_children=<optimized out>, dsi=0x631000000800, obj=0x5555556154c0 <obj>)
[#5] 0x5555555c0468 → main(ac=<optimized out>, av=<optimized out>)
───────────────────────────────────────────────────────────────

pocr.zip

Severity

High

CVSS overall score

7.3 / 10

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-38440

Weaknesses

No CWEs

Credits