In a recent deep-dive analysis, security researcher BitsByWill examined two critical Linux kernel vulnerabilities—CVE-2023-52440 and CVE-2023-4130—both impacting ksmbd, the in-kernel SMB server. His work not only unpacks the technical details but also demonstrates how these flaws could be chained together into a powerful exploit.
CVE-2023-52440: A Controlled SLUB Overflow
The first vulnerability, CVE-2023-52440, was disclosed by Pumpkin of DEVCORE and resides in the function ksmbd_decode_ntlmssp_auth_blob(). As BitsByWill explains, “since sess_key_len is user controlled, we can cause an overflow of the fixed size sess_key buffer when executing cifs_arc4_crypt. This is actually quite an easy bug to trigger and gives us a controlled SLUB overflow.”
By modifying a single line in Impacket’s ntlm.py, an attacker can craft malicious NTLM authentication messages, resulting in an unauthenticated heap overflow during SMB session setup. BitsByWill notes the severity: “Honestly, this is an awesome primitive: unauthenticated remote controlled heap overflow of content and size.”
CVE-2023-4130: An Out-of-Bounds Read
The second vulnerability, CVE-2023-4130, again discovered by Pumpkin, lies in smb2_set_ea(). This flaw arises from improper validation of extended attribute (EA) buffers, allowing an attacker with write access to SMB shares to trick ksmbd into misinterpreting crafted structures.
As the analysis explains, “we can trick ksmbd into thinking there are additional smb2_ea_info entries by setting NextEntryOffset to a malicious value, as long as we do not exceed our buffer bounds… This will allow the subsequent ksmbd_vfs_setxattr to store OOB read data of adjacent heap chunks into xattr, which we can fetch with SMB3.queryInfo.”
This vulnerability provides a leak primitive, allowing attackers to extract kernel memory contents—a crucial step in bypassing mitigations like KASLR.
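The two fields the article names, a user-controlled sess_key_len in the NTLMSSP auth blob and a client-chosen NextEntryOffset in the EA buffer, are both instances of one defensive rule: a length or offset taken from the wire must be checked against the destination size and the received buffer before it drives a copy or a pointer step. The C below is an added illustration written for this summary, not ksmbd's source and not BitsByWill's code. SESS_KEY_SIZE, the function names and the sample buffers are assumptions; the 8-byte EA header layout follows the SMB2 FILE_FULL_EA_INFORMATION structure.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the two checks; not ksmbd's own source. */

#define SESS_KEY_SIZE 16   /* assumed size of the fixed session-key buffer */

/* Copy a client-supplied session key into a fixed-size buffer.
 * sess_key_off and sess_key_len both come from the wire, so each is
 * validated against the blob size and the destination size before memcpy.
 * Returns 0 on success, -EINVAL on any inconsistency. */
int copy_session_key(const uint8_t *blob, size_t blob_len,
                     size_t sess_key_off, size_t sess_key_len,
                     uint8_t sess_key[SESS_KEY_SIZE])
{
    /* The check whose absence turns a fixed buffer into an overflow: bound the length by the destination. */
    if (sess_key_len > SESS_KEY_SIZE)
        return -EINVAL;
    /* Offset and length must also stay inside the received blob; written so size_t cannot wrap. */
    if (sess_key_off > blob_len || sess_key_len > blob_len - sess_key_off)
        return -EINVAL;
    memset(sess_key, 0, SESS_KEY_SIZE);
    memcpy(sess_key, blob + sess_key_off, sess_key_len);
    return 0;
}

/* FILE_FULL_EA_INFORMATION header as carried by SMB2 SET_INFO:
 * NextEntryOffset(4) Flags(1) EaNameLength(1) EaValueLength(2), then name, NUL, value. */
#define EA_HDR_SIZE 8

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk an EA chain, insisting that every header and body lie inside buf and that
 * NextEntryOffset advances past the current entry. Returns the entry count or -EINVAL. */
int count_ea_entries(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    int count = 0;
    for (;;) {
        if (buf_len - pos < EA_HDR_SIZE)
            return -EINVAL;                       /* header would be read out of bounds */
        uint32_t next = rd32le(buf + pos);
        size_t body = (size_t)buf[pos + 5] + 1 + rd16le(buf + pos + 6); /* name + NUL + value */
        if (body > buf_len - pos - EA_HDR_SIZE)
            return -EINVAL;                       /* body would be read out of bounds */
        count++;
        if (next == 0)
            return count;                         /* last entry */
        if (next < EA_HDR_SIZE + body || next > buf_len - pos)
            return -EINVAL;                       /* must advance, must not leave the buffer */
        pos += next;
    }
}

/* Constructed sample: entry "a"=0x1122 padded to 16 bytes, then "bb"=0x33 as the last entry. */
const uint8_t sample_ea_ok[28] = {
    16,0,0,0, 0, 1, 2,0, 'a',0, 0x11,0x22, 0,0,0,0,
     0,0,0,0, 0, 2, 1,0, 'b','b',0, 0x33 };
/* Same bytes, but the first NextEntryOffset claims a header at offset 24, where only 4 bytes remain. */
const uint8_t sample_ea_bad[28] = {
    24,0,0,0, 0, 1, 2,0, 'a',0, 0x11,0x22, 0,0,0,0,
     0,0,0,0, 0, 2, 1,0, 'b','b',0, 0x33 };

int main(void)
{
    uint8_t blob[32] = {0}, key[SESS_KEY_SIZE];
    printf("key len 16 -> %d\n", copy_session_key(blob, sizeof blob, 0, 16, key));
    printf("key len 17 -> %d\n", copy_session_key(blob, sizeof blob, 0, 17, key));
    printf("EA chain ok -> %d\n", count_ea_entries(sample_ea_ok, sizeof sample_ea_ok));
    printf("EA chain bad -> %d\n", count_ea_entries(sample_ea_bad, sizeof sample_ea_bad));
    return 0;
}
```

Both validators reject the input before any memory is touched, which is the property a reviewer should look for in any parser of client-controlled length and offset fields: the failing case returns an error rather than being detected after the copy.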
Combining the Bugs: From Overflow to Exploitation
What makes this analysis particularly compelling is the exploit chain. By pairing the overflow primitive (CVE-2023-52440) with the leak primitive (CVE-2023-4130), attackers gain both write and read capabilities over kernel memory.
BitsByWill highlights the real-world implications: “To summarize, on Linux 6.1.45 (as the leak bug was backported by 6.1.46), we can pwn ksmbd through users with write access to a share. I consider this an authenticated 0-click as you would need user credentials, but I am sure that there is at least one sysadmin out there who allows anonymously writeable shares.”
The final proof-of-concept exploit demonstrated ROP chain execution within the Linux kernel, granting a reverse shell.
The chaining of CVE-2023-52440 and CVE-2023-4130 shows how SMB vulnerabilities in Linux can be escalated into full kernel compromises. While patches have been issued, the research serves as a reminder that misconfigurations and outdated systems leave dangerous opportunities for attackers.