Headline
CVE-2022-23123: ZDI-22-528
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15830.
March 23rd, 2022
(Pwn2Own) Netatalk getdirparams Out-Of-Bounds Read Information Disclosure Vulnerability****ZDI-22-528
ZDI-CAN-15830
CVE ID
CVE-2022-23123
CVSS SCORE
5.3, (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
AFFECTED VENDORS
Netatalk
AFFECTED PRODUCTS
Netatalk
VULNERABILITY DETAILS
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.
ADDITIONAL DETAILS
Netatalk has issued an update to correct this vulnerability. More details can be found at:
https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
DISCLOSURE TIMELINE
- 2021-12-03 - Vulnerability reported to vendor
- 2022-03-23 - Coordinated public release of advisory
CREDIT
Orange Tsai (@orange_8361) from DEVCORE Research Team
BACK TO ADVISORIES
Related news
Gentoo Linux Security Advisory 202311-2 - Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution Versions greater than or equal to 3.1.18 are affected.
Debian Linux Security Advisory 5503-1 - Multiple security issues were discovered in Netatalk, an implementation of the Apple Filing Protocol (AFP) for offering file service (mainly) to macOS clients, which may result in the execution of arbitrary code or information disclosure.
Ubuntu Security Notice 6146-1 - It was discovered that Netatalk did not properly validate the length of user-supplied data in the DSI structures. A remote attacker could possibly use this issue to execute arbitrary code with the privileges of the user invoking the programs. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Netatalk did not properly validate the length of user-supplied data in the ad_addcomment function. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.