CVE-2023-24941: What is the Microsoft Network File System Vulnerability?
CVE-2023-24941 is a Remote Code Execution (RCE) vulnerability in the Microsoft Network File System (NFS) server component of Windows.
It is a critical flaw affecting supported Windows Server versions and carries a CVSSv3 base score of 9.8.
It is reported that the vulnerability allows an unauthenticated remote attacker to execute code on an affected server; since the vulnerable code runs in the kernel-mode driver nfssvr.sys, successful exploitation yields system-level privileges.
Let's Examine the Security Vulnerability
Microsoft Windows comes with various network features that can be used to communicate with non-Windows file shares. One of these modules is NFS.
Network File System (NFS) is a network file system protocol initially developed by Sun Microsystems in 1984. Version 2 was documented in RFC 1094 and version 3 in RFC 1813. Version 4 was developed by the IETF and documented in RFC 3010 (published in December 2000) and RFC 3530 (published in April 2003). NFS allows users to access remote file shares just as if they were part of the local file system. Different levels of access, such as read-write and read-only, can be set per share, and access can further be restricted by client IP address, by UNIX UID/GID (AUTH_SYS credentials) or with Kerberos (RPCSEC_GSS). NFS uses the Open Network Computing (ONC) Remote Procedure Call (RPC) protocol for exchanging its messages. ONC RPC was originally developed by Sun Microsystems and is also referred to as Sun RPC.
When ONC RPC messages are transmitted over TCP, a 4-byte record-marking (fragment) header is prepended to each fragment to specify its length (RFC 5531, section 11): the high-order bit is set on the last fragment of a record and the remaining 31 bits give the fragment length in bytes. This lets the recipient separate multiple messages sent over a single TCP session. UDP does not use this field, because each datagram carries exactly one message. Note that all multi-byte values are encoded in big-endian byte order.
Code:
Offset Size Description
--------- ----- ----------------------------------
0x0000 4 Fragment header: bit 31 = last fragment, bits 0-30 = fragment length (LEN)
0x0004 LEN Fragment data (the RPC message)
In the NFSv4 protocol, a utf8string is transmitted as an XDR opaque: a 4-byte big-endian length followed by the string bytes, which are padded to a 4-byte boundary on the wire:
Code:
Offset Size Description
--------- ----- ----------------------------------
0x0000 4 LEN
0x0004 LEN String data
Protocol references:
RFC 1094: NFS: Network File System Protocol Specification (NFSv2) - https://datatracker.ietf.org/doc/html/rfc1094
RFC 3010: NFS version 4 Protocol - https://datatracker.ietf.org/doc/html/rfc3010
RFC 5531: RPC: Remote Procedure Call Protocol Specification Version 2 (obsoletes RFC 1831) - https://datatracker.ietf.org/doc/html/rfc5531
The vulnerability is triggered when the server decodes an incoming NFSv4.1 call containing a utf8string while the server is under memory pressure. When the server parses a received string, a buffer is allocated to hold the string data. The decoder does not handle a failed parse correctly: even when the buffer is invalid (the allocation or the decode failed), the NUL terminator is still written at the end of where the string would have been, that is, at buffer + LEN.
An unauthenticated remote attacker can trigger this by sending a crafted call to the victim's NFS service. Successful exploitation can lead to remote code execution.
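To make the pattern concrete, here is an added C model, not code from the page and not the nfssvr.sys source (which is not public): the xdr_ctx layout, the helper names and the caller's buffer handling are assumptions for illustration. It places the vulnerable XdrDecodeString pattern, which writes the terminator after both the fast and the slow path regardless of the result, beside a hardened version that validates the destination and the decode result first, and shows the resulting one-byte out-of-bounds NUL write against a canary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical XDR read context (an assumption, not the real nfssvr.sys
 * layout): base/cur/end stand in for the buffer base, current position and
 * length that the driver keeps in its buffer descriptor. */
typedef struct {
    const uint8_t *base;
    const uint8_t *cur;
    const uint8_t *end;
} xdr_ctx;

/* Stand-in for XdrDecodeOpaqueSlow. The real routine gathers data across
 * fragment boundaries; this model simply fails when the record is short. */
static bool xdr_decode_opaque_slow(xdr_ctx *x, uint32_t len, uint8_t *out)
{
    if ((size_t)(x->end - x->cur) < len)
        return false;                     /* parse failure: nothing copied */
    memcpy(out, x->cur, len);
    x->cur += len;
    return true;
}

/* Fast path: copy LEN bytes if they are all present in the current buffer,
 * then advance past the XDR padding to the next 4-byte boundary. */
static bool xdr_decode_opaque(xdr_ctx *x, uint32_t len, uint8_t *out)
{
    size_t avail = (size_t)(x->end - x->cur);
    if (avail < len)
        return xdr_decode_opaque_slow(x, len, out);
    memcpy(out, x->cur, len);
    x->cur += len;
    size_t consumed = (size_t)(x->cur - x->base);
    size_t pad = (4 - (consumed & 3)) & 3;     /* same as (base - cur) & 3 */
    if (pad > (size_t)(x->end - x->cur))
        pad = (size_t)(x->end - x->cur);       /* model-only bound */
    x->cur += pad;
    return true;
}

/* Vulnerable pattern: out[len] = 0 runs after BOTH paths, so a failed decode
 * still produces a one-byte write at an attacker-chosen offset. */
static bool decode_string_vuln(xdr_ctx *x, uint32_t len, uint8_t *out)
{
    bool ok = xdr_decode_opaque(x, len, out);
    out[len] = 0;                /* unconditional terminator write */
    return ok;
}

/* Hardened pattern: validate the destination against the wire length first,
 * and terminate only after a successful decode. */
static bool decode_string_fixed(xdr_ctx *x, uint32_t len, uint8_t *out, size_t out_cap)
{
    if (out == NULL || len >= out_cap)
        return false;                 /* reject before touching memory */
    if (!xdr_decode_opaque(x, len, out))
        return false;                 /* failed parse: no terminator write */
    out[len] = 0;
    return true;
}

enum { LOGICAL_CAP = 16, CLAIMED_LEN = 32 };

/* Demonstration: the destination is a 16-byte logical buffer at the start of
 * a larger arena filled with 0xAA canaries, and the attacker declares a
 * 32-byte string of which only 8 bytes are on the wire. Returns 1 if the
 * canary at arena[CLAIMED_LEN] was overwritten with the NUL, 0 otherwise. */
static int demo_terminator_write(bool use_fixed)
{
    static const uint8_t record[] = "abcdefgh";   /* constructed: 8 data bytes */
    xdr_ctx x = { record, record, record + sizeof record - 1 };
    uint8_t arena[64];
    memset(arena, 0xAA, sizeof arena);
    if (use_fixed)
        decode_string_fixed(&x, CLAIMED_LEN, arena, LOGICAL_CAP);
    else
        decode_string_vuln(&x, CLAIMED_LEN, arena);
    return arena[CLAIMED_LEN] == 0x00;
}

/* Well-formed case: "abc" plus one XDR pad byte. Returns the cursor offset
 * after decoding (4, because of padding) or -1 if the decode went wrong. */
static int demo_fast_path(void)
{
    static const uint8_t record[] = { 'a', 'b', 'c', 0 };   /* constructed */
    xdr_ctx x = { record, record, record + sizeof record };
    uint8_t out[8];
    if (!decode_string_fixed(&x, 3, out, sizeof out))
        return -1;
    if (memcmp(out, "abc", 4) != 0)
        return -1;
    return (int)(x.cur - x.base);
}

int main(void)
{
    printf("vulnerable decoder clobbered canary: %d\n", demo_terminator_write(false));
    printf("hardened decoder clobbered canary:   %d\n", demo_terminator_write(true));
    printf("cursor offset after decoding \"abc\": %d\n", demo_fast_path());
    return 0;
}
```

The canary sits inside the same arena so the demonstration stays within defined behaviour; in the driver the write lands past the end of the real allocation (or relative to an invalid pointer), which is what makes it exploitable.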
Analysis of the Vulnerable Function
The following disassembly of XdrDecodeString is taken from version 10.0.17763.4252 of nfssvr.sys (the April 2023 build, predating the May 2023 fix). Under the __fastcall convention used here, RCX is the XDR decoding context, EDX the string length taken from the wire and R8 the destination buffer.
Code:
**************************************************************
* FUNCTION *
**************************************************************
undefined __fastcall XdrDecodeString(longlong param_1, uint param_2, void * param_3)
undefined AL:1 <RETURN>
longlong RCX:8 param_1
uint EDX:4 param_2
void * R8:8 param_3
XdrDecodeString
1c001dfec MOV qword ptr [RSP + 0x8],RBX
1c001dff1 MOV qword ptr [RSP + 0x10],RSI
1c001dff6 PUSH RDI
1c001dff7 SUB RSP,0x20
1c001dffb CMP dword ptr [RCX + 0x108],0x0 ;context field at +0x108 negative => skip the fast path
1c001e002 MOV RSI,R8 ;RSI = destination buffer (param_3)
1c001e005 MOV EDI,EDX ;EDI = string length from the wire (param_2)
1c001e007 MOV RBX,RCX ;RBX = XDR decoding context (param_1)
1c001e00a JL LAB_1c001e091
1c001e010 MOV R9,qword ptr [RCX + 0x48] ;R9 = current input buffer descriptor; NULL => 0 bytes available
1c001e014 TEST R9,R9
1c001e017 JNZ LAB_1c001e01d
1c001e019 XOR EAX,EAX
1c001e01b JMP LAB_1c001e040
LAB_1c001e01d
1c001e01d MOV EDX,dword ptr [R9 + 0x40] ;cur
1c001e021 SUB EDX,dword ptr [R9 + 0x38] ;EDX = cur - base = bytes consumed
1c001e025 MOV R8D,dword ptr [R9 + 0x4c] ;R8D = buffer length
1c001e029 CMP R8D,EDX
1c001e02c JC LAB_1c001e035
1c001e02e MOV ECX,R8D
1c001e031 SUB ECX,EDX
1c001e033 JMP LAB_1c001e038
LAB_1c001e035
1c001e035 OR ECX,0xffffffff
LAB_1c001e038
1c001e038 XOR EAX,EAX
1c001e03a CMP R8D,EDX
1c001e03d CMOVNC EAX,ECX ;EAX = length - consumed = bytes available (0 on underflow)
LAB_1c001e040
1c001e040 CMP EAX,EDI
1c001e042 JC LAB_1c001e091 ;available < requested length => slow path
1c001e044 TEST R9,R9
1c001e047 JNZ LAB_1c001e04d
1c001e049 XOR EDX,EDX
1c001e04b JMP LAB_1c001e051
LAB_1c001e04d
1c001e04d MOV RDX,qword ptr [R9 + 0x40]
LAB_1c001e051
1c001e051 MOV R8,RDI
1c001e054 MOV RCX,RSI
1c001e057 CALL memcpy ;memcpy(buf, cur, len)
1c001e05c MOV RAX,qword ptr [RBX + 0x48]
1c001e060 ADD qword ptr [RAX + 0x40],RDI ;cur += len
1c001e064 MOV RCX,qword ptr [RBX + 0x48]
1c001e068 TEST RCX,RCX
1c001e06b JNZ LAB_1c001e077
1c001e06d MOV R8,qword ptr [RCX + 0x40]
1c001e071 XOR EAX,EAX
1c001e073 XOR EDX,EDX
1c001e075 JMP LAB_1c001e082
LAB_1c001e077
1c001e077 MOV RDX,qword ptr [RCX + 0x40]
1c001e07b MOV RAX,qword ptr [RCX + 0x38]
1c001e07f MOV R8,RDX
LAB_1c001e082
1c001e082 SUB RAX,RDX
1c001e085 AND EAX,0x3
1c001e088 ADD RAX,R8
1c001e08b MOV qword ptr [RCX + 0x40],RAX ;cur += (base - cur) & 3: skip XDR padding to a 4-byte boundary
1c001e08f JMP LAB_1c001e09e
LAB_1c001e091
1c001e091 MOV R8,RSI
1c001e094 MOV EDX,EDI
1c001e096 MOV RCX,RBX
1c001e099 CALL XdrDecodeOpaqueSlow ;slow path; its return value is not checked before the write below
LAB_1c001e09e
1c001e09e MOV byte ptr [RDI + RSI*0x1],0x0 ;buf[len] = 0 on both paths, even after a failed decode
1c001e0a2 MOV RBX,qword ptr [RSP + 0x30]
1c001e0a7 MOV RSI,qword ptr [RSP + 0x38]
1c001e0ac ADD RSP,0x20
1c001e0b0 POP RDI
1c001e0b1 RET
To detect an attack exploiting this vulnerability, an IDS/IPS should monitor and analyze traffic on ports 2049/TCP and 2049/UDP.
The vulnerable method, XdrDecodeString, can trigger this vulnerability only when it is called from Nfs4SvrXdrpDecode_STRING. Nfs4SvrXdrpDecode_STRING decodes the following fields, which are defined in RFC 3530 (EXCHANGE_ID is an NFSv4.1 operation and is defined in RFC 5661):
Code:
OPEN4args.claim.file
OPEN4args.claim.delegate_cur_info.file
OPEN4args.claim.file_delegate_prev
EXCHANGE_ID4args.eia_client_impl_id.nii_domain
EXCHANGE_ID4args.eia_client_impl_id.nii_name
RENAME4args.oldname
RENAME4args.newname
SECINFO4args.name
CREATE4args.objname
CREATE4args.objtype.linkdata
Detection logic should inspect the fields listed above in NFSv4 messages. Any valid value can trigger the vulnerability under memory pressure, but an attacker will request a large buffer during string processing to raise the odds of a failed allocation. Declared string lengths greater than 0x1000 bytes should therefore be treated as suspicious; if one is seen, an attempt to exploit this vulnerability is likely.
Keep in mind that the 0x1000 threshold is based on the typical maximum length of a file path string and can be tuned up or down to account for different server configurations.
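As an added example (not part of the original post and not any vendor's detector), the following C code implements the two checks described above: parsing the RFC 5531 record-marking header on a TCP stream and flagging utf8string fields whose declared length exceeds 0x1000 or exceeds the bytes actually present in the fragment (the short-data condition that sends the decoder down the slow path). The sample stream is constructed for the example and, as a simplification, places the string at offset 0 of each fragment; in real traffic the offset must be found by decoding the RPC call header and the COMPOUND operation list, and records spanning several fragments need reassembly, neither of which is shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 32-bit read: ONC RPC / XDR put multi-byte values on the wire MSB first. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* RFC 5531 section 11 record marking: bit 31 = last fragment of the record,
 * bits 0-30 = fragment length in bytes. */
static bool parse_record_mark(const uint8_t *p, size_t n, uint32_t *len, bool *last)
{
    if (n < 4)
        return false;
    uint32_t hdr = be32(p);
    *last = (hdr & 0x80000000u) != 0;
    *len  = hdr & 0x7fffffffu;
    return true;
}

typedef enum { STR_OK, STR_OVERSIZE, STR_TRUNCATED, STR_NOHEADER } str_verdict;

/* Inspect one XDR utf8string (4-byte LEN, then LEN bytes, padded to 4) that
 * starts at OFF inside a fragment of FRAG_LEN bytes. */
static str_verdict check_utf8string(const uint8_t *frag, size_t frag_len,
                                    size_t off, uint32_t threshold)
{
    if (off + 4 > frag_len)
        return STR_NOHEADER;
    uint32_t len = be32(frag + off);
    if (len > threshold)
        return STR_OVERSIZE;            /* larger than any sane path component */
    if (len > frag_len - off - 4)
        return STR_TRUNCATED;           /* declared length exceeds bytes present */
    return STR_OK;
}

/* Walk a TCP byte stream fragment by fragment and count fragments whose string
 * field is oversize or truncated. STR_OFF is the offset of the utf8string
 * inside the fragment; a full detector derives it from the RPC call header
 * and the COMPOUND operation list (out of scope here). Records split across
 * fragments (last == false) would need reassembly, also omitted. */
static int scan_stream(const uint8_t *s, size_t n, size_t str_off,
                       uint32_t threshold, int *fragments)
{
    size_t pos = 0;
    int hits = 0, count = 0;
    uint32_t flen;
    bool last;
    while (parse_record_mark(s + pos, n - pos, &flen, &last)) {
        pos += 4;
        if (flen > n - pos)
            break;                      /* incomplete fragment: wait for more bytes */
        str_verdict v = check_utf8string(s + pos, flen, str_off, threshold);
        if (v == STR_OVERSIZE || v == STR_TRUNCATED)
            hits++;
        count++;
        pos += flen;
    }
    if (fragments)
        *fragments = count;
    return hits;
}

/* Constructed sample stream of three single-fragment records, each carrying a
 * utf8string at offset 0 of the fragment (a simplification; see scan_stream). */
static const uint8_t sample_stream[] = {
    /* fragment 1: last, 12 bytes: LEN=5 "hello" + 3 pad bytes -> STR_OK */
    0x80, 0x00, 0x00, 0x0c,  0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o', 0, 0, 0,
    /* fragment 2: last, 8 bytes: LEN=0x10000 with 4 data bytes -> STR_OVERSIZE */
    0x80, 0x00, 0x00, 0x08,  0x00, 0x01, 0x00, 0x00, 'A', 'A', 'A', 'A',
    /* fragment 3: last, 8 bytes: LEN=32 with 4 data bytes -> STR_TRUNCATED */
    0x80, 0x00, 0x00, 0x08,  0x00, 0x00, 0x00, 0x20, 'B', 'B', 'B', 'B',
};

#define PATH_LEN_THRESHOLD 0x1000u   /* the 0x1000 limit suggested in the text */

/* Runs the scan over the constructed stream; returns the number of suspicious fragments. */
static int demo_scan(void)
{
    return scan_stream(sample_stream, sizeof sample_stream, 0, PATH_LEN_THRESHOLD, NULL);
}

int main(void)
{
    int frags = 0;
    int hits = scan_stream(sample_stream, sizeof sample_stream, 0, PATH_LEN_THRESHOLD, &frags);
    printf("%d fragments scanned, %d suspicious utf8string(s)\n", frags, hits);
    return 0;
}
```

The truncated case is worth keeping alongside the oversize one: a length that is below the 0x1000 threshold but larger than the data the client actually sent still forces the server onto the slow decode path, and the threshold should be adjusted per deployment as noted above.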
CVE-2023-24941 Resolution
Microsoft addressed this issue in the May 2023 security updates as CVE-2023-24941. In their write-up they mention that, as a temporary mitigation, NFSv4.1 can be disabled so that clients fall back to NFSv2 or NFSv3 (in PowerShell: Set-NfsServerConfiguration -EnableNFSV4 $false, followed by a restart of the NFS server). However, they also warn that this mitigation should not be used unless the May 2022 security update for CVE-2022-26937 (an RCE in the NFSv2/NFSv3 code path) has already been installed, since downgrading would otherwise expose the server to that flaw. The better option is to test and deploy the May 2023 patch, which removes the NFSv4.1 vulnerability entirely.
Security Update Guide - Microsoft Security Response Center (CVE-2023-24941): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24941
Security Update Guide - Microsoft Security Response Center (CVE-2022-26937): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937
Source : https://www.turkhackteam.org/konular/cve-2023-24941-microsoft-ag-dosya-sistem-acigi-nedir.2045933/