An arbitrary file access vulnerability exists in the SMB Server Apple macOS 11.2. A specially crafted SMB request can leak metadata of arbitrary files. This vulnerability can be triggered by sending a malicious packet to the vulnerable server.
Apple macOS 11.2
4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
macOS is a series of proprietary operating systems developed by Apple with macOS 11.2, with Big Sur being the latest.
Server Message Block (SMB) is a network file sharing protocol widely used in Windows network environments and macOS contains a proprietary implementation of both server and client components. SMB is often used in office and enterprise environments for file and printer sharing.
Three distinct versions and multiple dialects of SMB protocol are supported by macOS’ SMB server. This vulnerability is present in SMB2 and newer versions of the protocol, more specifically in the
QUERY_DIRECTORY processing which is used to enumerate directory information and contents. Protocol specifications show that
QUERY_DIRECTORY structure can contain a unicode buffer that represents a search string to be run on a queried directory. This search string is meant to contain a file name or a wildcard string to filter results of the query.
Normally, an authenticated user only permitted to access and query directories and files that fall under the share that is being accessed. A file open query, for example, on a file outside the share will fail with insufficient access right error if attempted as proper checks are made. When
QUERY_DIRECTORY is being processed in
darwin::darwin_directory::query_directory gets called which basically treats the input string in two ways. First, if the query string contains special characters, it treats it as a special regex and then iterates over results which it passes to
darwin::query_relative_name function. Second, if no special characters are present in the string, query string is passed to
darwin::query_relative_name almost directly. The vulnerability lies in the fact that the query string can contain a regular UNIX path that beings with
/ which would allow an attacker to access any file on the file system , presuming the underlying user has access right to it. Metadata about the file or directory is returned to the user which can include access timestamps, sizes and other information. Following example shows
QUERY_DIRECTORY response that reveals metadata of
Find Response (0x0e) [Info Level: SMB2_FIND_ID_FULL_DIRECTORY_INFO (38)] StructureSize: 0x0009 Blob Offset: 0x00000048 Blob Length: 102 Info: 000000000000000000c316529052d601dc01e99d3a77d601… FileIdBothDirectoryInfo: etcpasswd Next Offset: 0 File Index: 0x00000000 Create: Jul 4, 2020 22:51:26.000000000 PDT Last Access: Aug 20, 2020 14:41:09.511010800 PDT Last Write: Jul 4, 2020 22:51:26.000000000 PDT Last Change: Aug 20, 2020 14:41:09.512743300 PDT End Of File: 6946 Allocation Size: 8192 File Attributes: 0x00000020 Filename Length: 22 EA Size: 0 Reserved: 00000000 File Id: 0x000000030004305a Filename: etcpasswd
Additionally, if the file or directory does not exist, an error is sent in reply. This can be used to enumerate existing files and directories, especially user home directories which would reveal usernames which could be useful in further attacks.
2021-03-15 - Vendor Disclosure
2021-05-25 - Vendor Patched
2021-06-02 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.