Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2021-44142: Details on a Samba Code Execution Bug Demonstrated at Pwn2Own Austin - 775

Lucas Leong - Zero Day Initiative (ZDI) Posted 4 Years Ago
  • Samba is the open source implementation of the SMB protocol. It runs on Linux and macOS, and it is enabled by default on many devices. On Apple devices, the Time Machine service uses Samba with Guest authentication allowed.
  • The fruit module in Samba is an added enhancement that lets the Apple SMB client interoperate with the Apple Filing Protocol (AFP). Using the open source implementation of AFP (Netatalk), Unix-like systems can communicate with Apple devices. Once a session is established, smbd allows users to set extended file attributes on a file via an SMB2_SET_INFO request. Besides a few select attributes on a denylist, all attributes can be set.
  • The Netatalk metadata of a file is stored in the extended attribute named org.netatalk.Metadata. Since this attribute is not in the denylist mentioned above, an attacker can set it arbitrarily. The Netatalk code assumes that the Metadata contents are benign, which has catastrophic consequences.
  • The function fruit_pread reads the metadata of a file. When reading from a buffer, the attacker controls the value of the ADEID_FINDERI entry offset, which is used as an index into the buffer. Although there is a bounds check to make sure the starting index is within the buffer, the length being read is fixed at 32 bytes. As a result, if the index points at the last possible byte of the buffer, we get an out-of-bounds read of 31 bytes.
  • The function fruit_pwrite writes metadata to a file. The same bug affects the write path: it allows a memcpy with attacker-controlled data to write 31 bytes past the end of a heap buffer. It is interesting that both the read and write versions of this code path suffer from the same vulnerability.
  • The vulnerabilities above are enough to get code execution. However, the author of the post found a variant of them while writing this up. The bug above occurs because the index used in a memcpy is badly validated. The variant has the same problem when handling dates. Since those entries are much smaller, it leads to only a 3-byte OOB read and OOB write.
  • The vulnerability was exploited by Nguyen Hoang Thac and Billy Jheng Bing-Jhong from STAR Labs at Pwn2Own in 2021. Additionally, Orange Tsai independently found this vulnerability. The ability to set the file attributes of the metadata seems like a round-about way of exploiting this. I'm personally curious how they found this. To me, after finding the bad sink (memcpy) they could trace it back to the inputs. Or they noticed that the file attributes being written arbitrarily was weird (the source) and then traced all paths to eventually find this vulnerability.
  • To patch this vulnerability, the application now validates the index being used together with the fixed length. Additionally, the AFPINFO_EA_NETATALK file attribute is now a denylisted attribute for writes. Overall, great primitives leading to code execution in an obscure part of the Apple ecosystem.
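As an added illustration (my own C model, not code from the ZDI post or from Samba), here is the shape of the offset check behind the bug and the corrected form: the pre-patch check only bounds the start of the attacker-supplied FinderInfo offset, while the fixed 32-byte copy also needs the end to fit. The buffer size and all names here are assumptions.

```c
/* Added example, not Samba's code: models the ADEID_FINDERI offset check behind
 * CVE-2021-44142. FinderInfo is copied with a fixed 32-byte memcpy from an offset
 * that attacker-controlled org.netatalk.Metadata supplies. Sizes/names are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AD_DATASZ        402  /* assumed size of the parsed metadata buffer */
#define ADEDLEN_FINDERI  32   /* fixed FinderInfo entry length (the memcpy size) */

/* Pre-patch shape of the check: only the start offset is bounded. Offset 401 passes,
 * and a 32-byte copy from there reads (or writes) 31 bytes past the buffer. */
bool finderi_offset_ok_prepatch(size_t off)
{
    return off < AD_DATASZ;
}

/* Patched shape of the check: the whole entry [off, off + 32) must fit. */
bool finderi_offset_ok_patched(size_t off)
{
    return off <= AD_DATASZ - ADEDLEN_FINDERI;
}

/* Copy FinderInfo out of the metadata buffer using the corrected check.
 * Returns the number of bytes copied, or 0 when the entry would overrun the buffer. */
size_t read_finderinfo(uint8_t *dst, const uint8_t *ad, size_t off)
{
    if (!finderi_offset_ok_patched(off)) {
        return 0;
    }
    memcpy(dst, ad + off, ADEDLEN_FINDERI);
    return ADEDLEN_FINDERI;
}

/* The two offsets the post discusses: the last byte of the buffer (accepted by the
 * old check, rejected by the new one) and the last offset a full entry fits at. */
size_t demo_last_byte_offset(void)  { return AD_DATASZ - 1; }
size_t demo_last_valid_offset(void) { return AD_DATASZ - ADEDLEN_FINDERI; }

/* Constructed input: a zeroed buffer whose final 32 bytes are 0xAB, so a successful
 * read from demo_last_valid_offset() returns exactly that marker. */
size_t demo_read(size_t off, uint8_t *dst)
{
    uint8_t ad[AD_DATASZ];
    memset(ad, 0, sizeof ad);
    memset(ad + AD_DATASZ - ADEDLEN_FINDERI, 0xAB, ADEDLEN_FINDERI);
    return read_finderinfo(dst, ad, off);
}
```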