libsmb2 Buffer Overflow Vulnerability in Chained PDU Processing
Vulnerability
A heap buffer overflow has been identified in libsmb2 versions prior to 6.2. The issue arises when the library processes SMB2 chained Protocol Data Units (PDUs), that is, compound responses linked through the NextCommand field of the SMB2 header. For every PDU in the chain libsmb2 calls smb2_add_iovector() to append another entry to a fixed-size I/O vector array, but it never checks that the vector count is still below the array's capacity. A malicious or compromised server can therefore send a response containing more chained PDUs than the array can hold; the entries appended past the end are written beyond the array into adjacent heap memory. The resulting memory corruption crashes the client (a denial of service) and may allow arbitrary code execution in the client process. The issue is exacerbated by the fact that the SMB2_OPLOCK_BREAK path bypasses message ID validation: oplock break notifications are server-initiated, so the attacker does not have to match an outstanding client request and can deliver the crafted chain unsolicited.
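The following is an added example, not libsmb2's code, that models the bug class described above: a vector array with a fixed capacity, an append routine that does not test the count against that capacity, and the hardened form that does. MAX_VECTORS, struct io_vectors, add_iovector_unchecked() and add_iovector_checked() are hypothetical stand-ins for the real array and smb2_add_iovector(); the chained response is constructed in-process (header-only PDUs linked through NextCommand) to play the malicious server. To keep the demonstration defined behaviour, the slots that follow the logical array are part of the same allocation and act as tripwires; in the real library those writes would land in whatever the heap holds next.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMB2_HEADER_SIZE     64   /* fixed SMB2 header length (MS-SMB2) */
#define NEXT_COMMAND_OFFSET  20   /* NextCommand field inside the header */
#define MAX_VECTORS           8   /* logical capacity of the (hypothetical) vector array */
#define NEIGHBOUR_SLOTS       8   /* stands in for heap memory that follows the array */
#define TRIPWIRE_LEN 0xDEADBEEFu  /* sentinel written into every neighbour slot */

static const uint8_t SMB2_MAGIC[4] = { 0xFE, 'S', 'M', 'B' };

struct iovec_entry { const uint8_t *buf; size_t len; };

struct io_vectors {
    int niov;
    /* slots[0 .. MAX_VECTORS-1] is the vector array; the rest model the heap
     * after it. One real array keeps the demo's overrun defined behaviour. */
    struct iovec_entry slots[MAX_VECTORS + NEIGHBOUR_SLOTS];
};

static void io_vectors_init(struct io_vectors *v)
{
    v->niov = 0;
    for (size_t i = 0; i < MAX_VECTORS + NEIGHBOUR_SLOTS; i++) {
        v->slots[i].buf = NULL;
        v->slots[i].len = TRIPWIRE_LEN;
    }
}

/* Number of neighbour slots whose tripwire was overwritten (0 = no overflow). */
static int neighbour_slots_clobbered(const struct io_vectors *v)
{
    int n = 0;
    for (size_t i = MAX_VECTORS; i < MAX_VECTORS + NEIGHBOUR_SLOTS; i++)
        if (v->slots[i].len != TRIPWIRE_LEN) n++;
    return n;
}

/* Vulnerable pattern: append without comparing niov against the capacity. */
static struct iovec_entry *add_iovector_unchecked(struct io_vectors *v, const uint8_t *buf, size_t len)
{
    if (v->niov >= MAX_VECTORS + NEIGHBOUR_SLOTS)
        abort();   /* demo-only guard so the model never leaves real memory */
    struct iovec_entry *e = &v->slots[v->niov++];   /* runs past MAX_VECTORS */
    e->buf = buf; e->len = len;
    return e;
}

/* Hardened form: refuse the append once the array is full. */
static struct iovec_entry *add_iovector_checked(struct io_vectors *v, const uint8_t *buf, size_t len)
{
    if (v->niov >= MAX_VECTORS)
        return NULL;   /* caller must treat this as a fatal protocol error */
    struct iovec_entry *e = &v->slots[v->niov++];
    e->buf = buf; e->len = len;
    return e;
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t x)
{
    p[0] = (uint8_t)x; p[1] = (uint8_t)(x >> 8); p[2] = (uint8_t)(x >> 16); p[3] = (uint8_t)(x >> 24);
}

/* Constructed "malicious server" response: npdus header-only PDUs chained
 * through NextCommand. Returns bytes written, or 0 if out is too small. */
static size_t build_chained_response(uint8_t *out, size_t cap, int npdus)
{
    size_t total = (size_t)npdus * SMB2_HEADER_SIZE;
    if (npdus <= 0 || total > cap) return 0;
    memset(out, 0, total);
    for (int i = 0; i < npdus; i++) {
        uint8_t *hdr = out + (size_t)i * SMB2_HEADER_SIZE;
        memcpy(hdr, SMB2_MAGIC, 4);
        put_le32(hdr + NEXT_COMMAND_OFFSET, i + 1 < npdus ? SMB2_HEADER_SIZE : 0); /* 0 ends chain */
    }
    return total;
}

/* Walk the chain, attaching one vector per PDU. Returns PDUs attached, or -1
 * if the chain is malformed or (checked mode) exceeds the array capacity. */
static int split_chained_pdus(const uint8_t *resp, size_t len, struct io_vectors *v, int checked)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        if (len - off < SMB2_HEADER_SIZE) return -1;               /* truncated header */
        if (memcmp(resp + off, SMB2_MAGIC, 4) != 0) return -1;
        struct iovec_entry *e = checked
            ? add_iovector_checked(v, resp + off, SMB2_HEADER_SIZE)
            : add_iovector_unchecked(v, resp + off, SMB2_HEADER_SIZE);
        if (e == NULL) return -1;
        count++;
        uint32_t next = get_le32(resp + off + NEXT_COMMAND_OFFSET);
        if (next == 0) return count;
        /* NextCommand is relative to this header: 8-byte aligned and inside the buffer */
        if (next < SMB2_HEADER_SIZE || (next & 7) != 0 || next > len - off) return -1;
        off += next;
    }
}

/* Feed a chain of npdus to the unchecked appender; returns slots written past the array. */
static int overrun_with_unchecked(int npdus)
{
    uint8_t resp[(MAX_VECTORS + NEIGHBOUR_SLOTS) * SMB2_HEADER_SIZE];
    struct io_vectors v;
    io_vectors_init(&v);
    size_t len = build_chained_response(resp, sizeof resp, npdus);
    if (len == 0 || split_chained_pdus(resp, len, &v, 0) < 0) return -1;
    return neighbour_slots_clobbered(&v);
}

/* Same chain against the checked appender; returns PDUs accepted or -1 if rejected. */
static int accepted_with_checked(int npdus)
{
    uint8_t resp[(MAX_VECTORS + NEIGHBOUR_SLOTS) * SMB2_HEADER_SIZE];
    struct io_vectors v;
    io_vectors_init(&v);
    size_t len = build_chained_response(resp, sizeof resp, npdus);
    if (len == 0) return -1;
    return split_chained_pdus(resp, len, &v, 1);
}

int main(void)
{
    printf("5 PDUs : checked accepts %d, unchecked overruns %d slot(s)\n",
           accepted_with_checked(5), overrun_with_unchecked(5));
    printf("12 PDUs: checked accepts %d, unchecked overruns %d slot(s)\n",
           accepted_with_checked(12), overrun_with_unchecked(12));
    return 0;
}
```

With a benign five-PDU chain both appenders behave identically. With twelve PDUs the unchecked appender writes four entries past the logical array (each entry a pointer and a length chosen from attacker-supplied data), while the checked appender stops at the eighth PDU and reports an error; the caller then has to drop the connection rather than continue parsing.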
Impact
Exploitation of this vulnerability corrupts heap memory in the client process, causing application crashes (denial of service) and potentially allowing arbitrary code execution with the privileges of the application using libsmb2.
Reproduction
The vulnerability can be reproduced by pointing a libsmb2 client at a malicious SMB server that answers with crafted chained SMB2 responses. The client is directed at the server with an ordinary libsmb2 SMB URL, selecting whichever authentication mechanism the server accepts (libsmb2 takes it from the sec= query argument of the URL, for example sec=ntlmssp or sec=krb5).
Remediation
Users should update to libsmb2 version 6.2 or later, where the vector count is checked against the array capacity before each append and an over-long chain is rejected.
