A critical vulnerability, tracked as CVE-2022-45188, has been discovered in Netatalk, an open-source implementation of the Apple Filing Protocol (AFP). The vulnerability, present in Netatalk versions up to and including 3.1.13, is a heap-based buffer overflow in the afp_getappl function. An attacker can exploit it by crafting a malicious .appl file, which can lead to remote code execution. This is particularly serious on platforms such as FreeBSD, which TrueNAS is built on, where successful exploitation provides remote root access.

The following code snippet shows the vulnerable function, afp_getappl, in Netatalk:

int afp_getappl(AFPObj *obj, char *ibuf, size_t ibuflen,
                  char *rbuf, size_t *rbuflen)
{
    ...
    memcpy(cur->de_name, from, size); // Vulnerable memcpy call
    ...
}


As shown, the vulnerability stems from the improper handling of user-controlled input in the memcpy call: the size argument is derived from data the client supplies and is not validated against the capacity of the destination heap buffer, so an oversized value writes past the end of it, producing a heap-based buffer overflow.
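The unchecked-length pattern described above, placed beside a hardened version that validates the length before copying, as an added illustration that is not Netatalk's code. The struct layout, the NAME_CAP capacity, the one-byte-length record format and every function name below are assumptions constructed for this example; they are not the real .appl format or Netatalk's data structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the per-entry record that afp_getappl fills in.
 * NAME_CAP is an assumed capacity chosen for the example, not Netatalk's layout. */
#define NAME_CAP 32

struct appl_entry {
    char de_name[NAME_CAP];   /* fixed-size destination on the heap in the real code */
    uint32_t de_len;          /* sits right after de_name, so an overflow clobbers it */
};

/* Unchecked pattern (the shape of the vulnerable call): the length is trusted
 * as-is, so any value above NAME_CAP writes past de_name into adjacent memory.
 * Included for contrast only; it is never invoked with an untrusted length here. */
void copy_name_unchecked(struct appl_entry *cur, const unsigned char *from, size_t size)
{
    memcpy(cur->de_name, from, size);
    cur->de_len = (uint32_t)size;
}

/* Hardened pattern: bound the client-supplied length by the destination
 * capacity before copying. Returns 0 on success, -1 if the entry is rejected. */
int copy_name_checked(struct appl_entry *cur, const unsigned char *from, size_t size)
{
    if (from == NULL || size > NAME_CAP)
        return -1;
    memcpy(cur->de_name, from, size);
    cur->de_len = (uint32_t)size;
    return 0;
}

/* Parse one constructed record: a 1-byte claimed length followed by that many
 * name bytes. This simplified format is an assumption for the example.
 * Returns 0 and fills *out on success, -1 on a truncated or oversized record. */
int parse_appl_record(const unsigned char *buf, size_t buflen, struct appl_entry *out)
{
    if (buf == NULL || out == NULL || buflen < 1)
        return -1;
    size_t size = buf[0];
    if (size > buflen - 1)            /* claimed length exceeds the bytes present */
        return -1;
    memset(out, 0, sizeof *out);
    return copy_name_checked(out, buf + 1, size);   /* capacity check lives here */
}

/* Build a 256-byte record whose header claims `claimed` name bytes and parse it.
 * Returns the accepted name length, or -1 if the parser rejected the record. */
int parse_claimed_len(unsigned char claimed)
{
    unsigned char buf[256];
    struct appl_entry e;
    buf[0] = claimed;
    memset(buf + 1, 'A', sizeof buf - 1);
    if (parse_appl_record(buf, sizeof buf, &e) != 0)
        return -1;
    return (int)e.de_len;
}

int main(void)
{
    /* A length within capacity is accepted; one above it is refused instead of
     * overflowing de_name the way the unchecked pattern would. */
    printf("claimed 8   -> %d\n", parse_claimed_len(8));
    printf("claimed 200 -> %d\n", parse_claimed_len(200));
    return 0;
}
```

The point of the contrast is that the only difference between the two copy routines is the comparison of the untrusted size against the destination capacity; that single check turns memory corruption into a rejected request, which is also the kind of condition a server can log and which an intrusion detection rule can alert on.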

Exploit Details

An attacker can exploit this vulnerability by crafting a malicious .appl file and sending it to a host running a vulnerable version of Netatalk. Since the vulnerability allows for remote code execution, a successful attack can enable the attacker to gain full control over the affected system, including root access on some platforms such as FreeBSD.

To exploit this vulnerability, an attacker needs to:

1. Craft a malicious .appl file with a carefully crafted payload, designed to overflow the vulnerable heap buffer.

2. Transfer the malicious .appl file to the target system running a vulnerable version of Netatalk.

3. Access the .appl file on the target system using AFP, triggering the vulnerability and executing the attacker's payload.

Original References

The vulnerability was initially reported to the Netatalk project by a security researcher. The official details and patch for the vulnerability can be found on the Netatalk project's GitHub page:

- Netatalk GitHub Repository: https://github.com/Netatalk/Netatalk
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45188
- NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2022-45188

Mitigation and Patch

The Netatalk project has released a patch for this vulnerability in version 3.1.14. Administrators are strongly advised to update Netatalk to the latest stable release to protect against this critical vulnerability.

To update Netatalk on affected systems, perform the following steps:

1. Download the latest stable release (3.1.14 or later) from the Netatalk GitHub repository: https://github.com/Netatalk/Netatalk/releases
2. Follow the installation instructions provided in the README file to install the updated version of Netatalk, replacing the vulnerable version.

Conclusion

The CVE-2022-45188 vulnerability is a critical issue in Netatalk, allowing attackers to gain remote code execution by exploiting a heap-based buffer overflow in the afp_getappl function. It is crucial for users and administrators to update affected Netatalk installations to the latest stable release (3.1.14 or later) to safeguard their systems against potential attacks.

Timeline

Published on: 11/12/2022 05:15:00 UTC
Last modified on: 05/17/2023 01:15:00 UTC