Shift
Mar 28, 16 tweets, 4 min read
I don't often tweet about patched bugs, but here's one that looks interesting - let's discuss ZDI-24-195 or kernel commit 38d20c62903d669693a1869aa68c4dd5674e2544, in a short 🧵
A researcher named fffvr (I couldn't find their Twitter handle) recently burned a `ksmbd` vulnerability. If you manage to find an infoleak in the ksmbd path, you could reach a full RCE with it.
Fortunately, there were a few other commits that fixed out-of-bounds read vulnerabilities in ksmbd. fffvr did not need to find additional vulnerabilities (ZDI-24-194, 227, 228) to achieve a full RCE.
Although some of these CVEs are in a post-auth scenario, we can assume that anonymous access is enabled and at least one share is available, therefore allowing a full remote code execution on any ksmbd instance.
To clarify, ksmbd is a relatively new attack surface. It has only existed for a few years in the Linux kernel, so it is not enabled by default in many places. ksmbd is not the traditional SMB file sharing implementation that Linux has had for years.
Why would anyone use ksmbd instead of the traditional SMB implementation?
One of the main reasons to use ksmbd instead of the traditional SMB implementation is that ksmbd supports concurrency. However, due to improper locking, that concurrency also introduces potential vulnerabilities.
Spotting the vuln is pretty easy.
ksmbd_tcp_new_connection is spawned from smbd_kthread_fn, a kernel thread that handles any new tcp connection. Every physical interface gets its own kthread to listen and spawn a new tcp thread whenever a connection occurs.
The race occurs when opening and closing a tcp connection fast enough.
Once you close a tcp connection in the ksmbd path, the disconnect method will be triggered, eventually leading to a teardown of the whole structure.
tcp_transport is a pretty small structure itself, but it has a few interesting fields that one might think about using when weaponizing this CVE.
If you open many tcp connections and manage to close them fast enough, you'd race against the close operation and eventually win.
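As an added illustration (not code from the thread, from ksmbd, or from the fix commit), here is a deterministic model of the setup-versus-teardown race described above: the new-connection path still writes into the transport after the disconnect path has torn it down. The object layout and the mitigation shown (the creator holding its own reference across setup) are assumptions used to illustrate the bug class, not the kernel's actual fix.

```c
#include <string.h>
/* Stand-in for the transport object (not ksmbd's struct): 'alive'
 * replaces a real kfree() so a stale access is counted, not a crash. */
struct transport {
    int refs;          /* one reference per party that may touch it */
    int alive;
    int handler_set;   /* written by the new-connection path */
    int stale_writes;  /* writes that landed on a torn-down object */
};

static void transport_put(struct transport *t)
{
    if (--t->refs == 0)
        t->alive = 0;            /* models freeing the transport */
}

/* Disconnect path in the worst-case interleaving: the peer closes at
 * once, so the handler tears the object down before the creator resumes. */
static void handler_closes_immediately(struct transport *t)
{
    transport_put(t);            /* drop the handler's own reference */
}

/* New-connection path.  hold_ref=0 models the vulnerable ordering: the
 * handler is started, and may tear the object down, before the creator
 * has finished writing into it.  hold_ref=1 models the assumed fix:
 * the creator keeps its own reference until setup is complete. */
static int new_connection(struct transport *t, int hold_ref,
                          void (*run_handler)(struct transport *))
{
    memset(t, 0, sizeof(*t));
    t->refs = hold_ref ? 2 : 1;  /* handler's ref (+ creator's ref) */
    t->alive = 1;
    run_handler(t);              /* scheduler runs the handler first */
    if (t->alive)
        t->handler_set = 1;
    else
        t->stale_writes++;       /* on the real heap: use-after-free */
    if (hold_ref)
        transport_put(t);        /* setup done: drop creator's ref */
    return t->stale_writes;
}

/* Returns 1 stale write for the racy ordering, 0 with the held reference. */
int race_model(int hold_ref)
{
    struct transport t;
    return new_connection(&t, hold_ref, handler_closes_immediately);
}
```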
The smart reader will be able to spot a few locations where it is possible to hijack control flow by carefully following the structures that are freed.
While some people dislike spraying, I think this race is pretty tight and requires a few slowdown operations in order to reliably exploit it. The careful reader will be able to spot them when opening a ksmbd connection and hanging it for a while.
The only thing that is needed is a feedback mechanism to leak data back to the user.

ZDI-24-227, 195 and 228 are out-of-bounds reads that might allow that; I did not look into them or verify that.

Thanks to fffvr for reporting such a nice vuln, we don't see such things often.
