Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)

Alex Plaskett - NCC Group. Posted 3 years ago.
  • The Apple Filing Protocol (AFP) is an alternative to the SMB protocol for sharing files over the network, and Netatalk is an implementation of AFP for Unix platforms. The authors were attacking the Western Digital NAS for Pwn2Own and exploited a known vulnerability in the project, labeled as CVE-2018-1160.
  • The AppleDouble file format stores file metadata so that it can be shared between file systems. When parsing the format, the code checks the number of entries in the header against the maximum allowed. If there are too many entries, the header should be treated as invalid and parsing should stop; for some reason, the code ONLY logs an error message and carries on. The same mistake appears in three different places.
  • When this functionality is reached, the header contains an offset that can point out of bounds. The result is out-of-bounds reads and writes through calls to memmove: the attacker has some control over the source and destination and full control over the size of the copy. The binary has most modern protections (NX, PIE and ASLR set to 2), so this cannot be a one-shot exploit; an information leak followed by code execution is required.
  • It should be noted that the service's configuration lets anybody (anon) create, read or modify files in the public share without any authentication. So, to get the information leak, they forced the memmove() source to lie outside the stack buffer so that memory beyond it was copied into a file. By reading that file back, they obtained their leak at known offsets.
  • While testing the info leak, they came to an interesting realization: if the file being written is larger than 0x1000 bytes, it is mmapped at a high address next to the other libraries. Of interest, the library ld-2.28.so was always 0xC000 bytes after the beginning of the file. So, how to get code execution?
  • memmove is a more optimized version of memcpy, but it has specific alignment requirements. If the alignment is not met, a function pointer called _dl_rtld_lock_recursive is reached. By overwriting this variable in the loader with a badly aligned memmove, the authors controlled a function pointer that is called with a single parameter. Using the earlier leak, they could call system and knew where their payload data was located.
  • For Pwn2Own, they got this to work on the third try! The main difference between their setup and the Pwn2Own setup was that they needed to extend the sleeps so that all of the shenanigans happened in a timely manner. Good write up!
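The two bugs summarized above (an entry-count check that only logs, and a header-supplied offset and size fed to memmove) are a useful pattern to study on the defensive side. The following is an added example, not code from the NCC write-up or from Netatalk: a simplified, constructed AppleDouble-style header parser in which every failed check rejects the file, and nothing from the header reaches memmove until it has been bounds-checked against both source and destination. The layout, constants and sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed, simplified AppleDouble-style layout (NOT Netatalk's real struct):
 * magic(4) | entry count(2) | entries of id(4) off(4) len(4) | payload bytes. */
#define AD_MAGIC       0x00051607u
#define AD_MAX_ENTRIES 16
#define AD_HDR_FIXED   6
#define AD_ENTRY_LEN   12
typedef struct { uint32_t id, off, len; } ad_entry;
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* Parse the entry table. Every failed check rejects the file (returns -1)
 * instead of logging and continuing; on success returns the entry count. */
int ad_parse(const uint8_t *buf, size_t buflen, ad_entry *out, size_t outcap) {
    if (buflen < AD_HDR_FIXED || be32(buf) != AD_MAGIC) return -1;
    uint16_t n = be16(buf + 4);
    if (n > AD_MAX_ENTRIES || n > outcap) return -1;                 /* too many entries */
    if ((size_t)n * AD_ENTRY_LEN > buflen - AD_HDR_FIXED) return -1; /* table must fit */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + AD_HDR_FIXED + (size_t)i * AD_ENTRY_LEN;
        ad_entry ent = { be32(e), be32(e + 4), be32(e + 8) };
        /* off + len must stay inside buf; written so the addition cannot wrap */
        if (ent.off > buflen || ent.len > buflen - ent.off) return -1;
        out[i] = ent;
    }
    return n;
}

/* Copy one entry's payload. The header-supplied offset and size never reach
 * memmove until they have been checked against both source and destination. */
int ad_copy_entry(const uint8_t *buf, size_t buflen, const ad_entry *e, uint8_t *dst, size_t dstlen) {
    if (e->off > buflen || e->len > buflen - e->off || e->len > dstlen) return -1;
    memmove(dst, buf + e->off, e->len);
    return (int)e->len;
}

/* Constructed samples: one well-formed file, two malformed headers. */
static const uint8_t AD_OK[] = { 0,5,0x16,7, 0,1, 0,0,0,2, 0,0,0,18, 0,0,0,4, 'A','B','C','D' };
static const uint8_t AD_TOO_MANY[] = { 0,5,0x16,7, 0,100 };
static const uint8_t AD_BAD_OFF[] = { 0,5,0x16,7, 0,1, 0,0,0,2, 0,0,0x10,0, 0,0,0,8 };

/* Returns 1 only if the valid file parses and copies and both bad headers are rejected. */
int ad_selftest(void) {
    ad_entry ents[AD_MAX_ENTRIES]; uint8_t dst[8];
    return ad_parse(AD_OK, sizeof AD_OK, ents, AD_MAX_ENTRIES) == 1
        && ad_copy_entry(AD_OK, sizeof AD_OK, &ents[0], dst, sizeof dst) == 4
        && memcmp(dst, "ABCD", 4) == 0
        && ad_parse(AD_TOO_MANY, sizeof AD_TOO_MANY, ents, AD_MAX_ENTRIES) == -1
        && ad_parse(AD_BAD_OFF, sizeof AD_BAD_OFF, ents, AD_MAX_ENTRIES) == -1;
}
```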