CVE-2022-23125 - Remote Code Execution Vulnerability in Netatalk (ZDI-CAN-15869) – Deep Dive

Netatalk, the open-source AFP (Apple Filing Protocol) file server that helps macOS and Unix systems share files, was found to have a critical vulnerability in its copyapplfile function. This weakness (tracked as CVE-2022-23125, formerly known as ZDI-CAN-15869) may allow remote attackers to execute arbitrary code as root, *without any need for authentication*. Let’s break down what this means, how it works, and how you can protect yourself.

Vulnerability location: copyapplfile function

- CVE: CVE-2022-23125
- Discovered by: Trend Micro's Zero Day Initiative (ZDI-CAN-15869)

Technical Details: What Went Wrong

Netatalk’s copyapplfile function handles file copying and, as part of this process, parses a user-supplied length (len). The function does not properly check if this length fits into a fixed-size stack buffer before copying, opening the door to a classic stack buffer overflow.

Vulnerable Source Code

Let’s look at a simplified version of the vulnerable function (based on open-source Netatalk 3.1.12):

#include <string.h>

void copyapplfile(char *src, char *dst, int len) {
    char buffer[256];  // Fixed-length stack-based buffer

    // Vulnerable: len is supplied by the attacker over the network!
    memcpy(buffer, src, len);  // No check that len <= 256!
    // ... further processing involving buffer ...
}


*Attackers can set len to any value, including values far larger than 256, overflowing buffer.*
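As an added example (not code from the article or from Netatalk itself), here is a hardened counterpart of the simplified copyapplfile above. It works on the article's illustrative request layout (an 8-byte "AFP_COPY" tag, a 4-byte big-endian len, then the payload; this is assumed for demonstration and is not the real AFP wire format) and validates len against both the 256-byte buffer and the bytes actually received before the memcpy runs.

```c
#include <stdint.h>
#include <string.h>

#define COPY_BUF_SIZE 256   /* same fixed stack buffer as the article's snippet */
#define TAG_LEN 8           /* "AFP_COPY" tag of the article's pseudo-packet */
#define LEN_FIELD 4         /* 4-byte big-endian len field (illustrative, not real AFP) */

enum copy_result { COPY_OK = 0, COPY_ERR_SHORT, COPY_ERR_TOOBIG, COPY_ERR_TRUNC };

/* Hardened counterpart of copyapplfile: the attacker-controlled len is checked against
 * the fixed buffer and against the bytes actually received before the memcpy runs. */
enum copy_result copyapplfile_safe(const unsigned char *msg, size_t msg_len)
{
    char buffer[COPY_BUF_SIZE];
    if (msg_len < TAG_LEN + LEN_FIELD) return COPY_ERR_SHORT;  /* tag + len field missing */
    uint32_t len = ((uint32_t)msg[8] << 24) | ((uint32_t)msg[9] << 16) |
                   ((uint32_t)msg[10] << 8) | (uint32_t)msg[11];
    if (len > sizeof buffer) return COPY_ERR_TOOBIG;           /* the missing check: len > 256 */
    if (len > msg_len - TAG_LEN - LEN_FIELD) return COPY_ERR_TRUNC; /* len exceeds bytes received */
    memcpy(buffer, msg + TAG_LEN + LEN_FIELD, len);            /* now provably in bounds */
    return COPY_OK;
}

/* Build a constructed request: tag, big-endian claimed_len, payload_len bytes of 'A'.
 * Returns the total size, or 0 if dst cannot hold it. */
size_t build_request(unsigned char *dst, size_t cap, uint32_t claimed_len, size_t payload_len)
{
    size_t total = TAG_LEN + LEN_FIELD + payload_len;
    if (cap < total) return 0;
    memcpy(dst, "AFP_COPY", TAG_LEN);
    dst[8] = (unsigned char)(claimed_len >> 24); dst[9]  = (unsigned char)(claimed_len >> 16);
    dst[10] = (unsigned char)(claimed_len >> 8); dst[11] = (unsigned char)claimed_len;
    memset(dst + TAG_LEN + LEN_FIELD, 'A', payload_len);
    return total;
}

/* The article's scenario (len 0x400 against a 256-byte buffer), a valid request, one whose
 * len overstates the payload, and a short one. Returns 0 if all behave as expected. */
int self_check(void)
{
    unsigned char req[2048]; size_t n = build_request(req, sizeof req, 0x400, 0x400);
    if (copyapplfile_safe(req, n) != COPY_ERR_TOOBIG) return 1;
    n = build_request(req, sizeof req, 100, 100);
    if (copyapplfile_safe(req, n) != COPY_OK) return 2;
    n = build_request(req, sizeof req, 200, 50);
    if (copyapplfile_safe(req, n) != COPY_ERR_TRUNC) return 3;
    return copyapplfile_safe(req, 5) == COPY_ERR_SHORT ? 0 : 4;
}
```

The second check matters as much as the first: a len that fits the buffer but exceeds the bytes actually read would otherwise copy uninitialised or stale memory.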

In Practice

If an attacker sends a network request to the affected Netatalk instance, and sets the len field in the request to a value bigger than the buffer, they can overwrite critical parts of the stack, including the instruction pointer (return address). This lets them inject and execute code of their choosing as the privileged root user.

Exploitability

No authentication required: Anyone on the network can exploit this, whether or not they have access to a shared folder.

How an Attack Works

1. The attacker crafts a malicious network packet requesting an AFP copy operation that reaches the vulnerable code path.
2. The packet carries a “len” value much bigger than the 256-byte stack buffer (the snippet below uses 1024).
3. Netatalk blindly copies that many bytes, overflowing the buffer.
4. The attacker overwrites the return address on the stack, redirecting Netatalk to execute their malicious code.

Example Exploit Snippet

NOTE: The following code is for educational purposes only! Do not use for illegal activity.

This is a pseudo-Python example of what an initial exploit could look like – in reality, crafting a working exploit would need more protocol specifics:

import socket

# Target IP and port (default AFP port is 548)
TARGET_IP = "192.168.1.100"
TARGET_PORT = 548

# Set 'len' bigger than 256 to cause the overflow
malicious_len = 0x400  # 1024 bytes

# Shellcode or payload to gain root (in a real scenario)
payload = b"\x90" * 600 + b"\xcc" * 100  # NOP sled + INT3 breakpoints (just as an example)
packet = b"AFP_COPY" + malicious_len.to_bytes(4, 'big') + payload

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((TARGET_IP, TARGET_PORT))
    s.sendall(packet)
    print("Malicious packet sent!")


*This snippet cannot exploit the bug directly but shows the concept – sending a large, crafted AFP packet.*

Real-World Impact

- Any exposed Netatalk server (e.g., in NAS devices, home servers, corporate environments) is at risk of full compromise.

How to Protect Yourself

Upgrade to Netatalk version 3.1.13 or later:

- Download Netatalk 3.1.13
- Check with your NAS vendor (QNAP, Synology, etc.) for firmware/software updates.

If you can’t patch:

- Disable Netatalk/AFP wherever possible.

Official References and Further Reading

- CVE-2022-23125 NVD Entry
- Zero Day Initiative Advisory ZDI-22-218
- Netatalk Security Announcements
- Netatalk 3.1.13 Release Notes

Final Words

CVE-2022-23125 is a serious pre-auth remote code execution flaw in a protocol still found in many storage and file-share appliances. The bug is easy to exploit with basic network access and can lead to total system takeover as root. If you run Netatalk, patch *now*, and check your systems for suspicious activity.

Stay safe, patch early, patch often!

*This article is an exclusive, simplified breakdown for security beginners and professionals alike. Reach out to your IT team or device vendor with urgency if you suspect you’re running vulnerable Netatalk servers.*

Timeline

Published on: 03/28/2023 19:15:00 UTC
Last modified on: 04/03/2023 18:19:00 UTC