Vulnerability details and analysis

Environment

The Western Digital MyCloudHome is a consumer grade NAS with local network and cloud based functionalities. At the time of the contest (firmware 7.15.1-101) the device ran a custom Android distribution on an armv8l CPU. It exposed a few custom services and integrated some open source ones such as the Netatalk daemon. This service was a prime target to compromise the device because it was running with root privileges and it was reachable from the adjacent network. We will not discuss the initial surface discovery here in order to focus on the vulnerability. Instead we provide a detailed analysis of the vulnerability and how we exploited it.

Netatalk is a free and Open Source implementation of the Apple Filing Protocol (AFP) file server. This protocol is used in networked macOS environments to share files between devices. Netatalk is distributed via the service afpd, also available on many Linux distributions and devices. So the work presented in this article should also apply to other systems. Western Digital modified the sources a bit to accommodate the Android environment, but their changes are not relevant for this article so we will refer to the official sources.

AFP data is carried over the Data Stream Interface (DSI) protocol. The exploited vulnerability lies in the DSI layer, which is reachable without any form of authentication.

Overview of server implementation

The DSI layer

The server is implemented as a usual fork server with a parent process listening on TCP port 548 and forking into new children to handle client sessions. The protocol exchanges different packets encapsulated by Data Stream Interface (DSI) headers of 16 bytes. The header structure looks like this (fields between the first and the last one are omitted here):

```c
uint8_t  dsi_flags;     /* packet type: request or reply */
/* ... */
uint32_t dsi_reserved;  /* reserved field */
```

A request is usually followed by a payload whose length is specified by the dsi_len field. The meaning of the payload depends on which dsi_command is used. A session should start with the dsi_command byte set to DSIOpenSession (4). This is usually followed by various DSICommand (2) requests to access more functionalities of the file share. In that case the first byte of the payload is an AFP command number specifying the requested operation.

dsi_requestID is an id that should be unique for each request, giving the server the chance to detect duplicated commands. As we will see later, Netatalk implements a replay cache based on this id to avoid executing a command twice.

It is also worth mentioning that the AFP protocol supports different schemes of authentication as well as anonymous connections. But this is out of the scope of this write-up as the vulnerability is located in the DSI layer, before AFP authentication.

A few notes about the server implementation

The DSI struct

To manage a client in a child process, the daemon uses a DSI *dsi struct. It represents the current connection with its buffers, and it is passed into most of the Netatalk functions. Here is the struct definition with some members edited out for the sake of clarity:

```c
#define DSI_DATASIZ 65536

typedef struct DSI {
    /* ... */
    uint8_t  *commands;   /* DSI receive buffer */
    /* ... */
    uint32_t flags;       /* DSI flags like DSI_SLEEPING, DSI_DISCONNECTED */
    /* ... */
    /* DSI readahead buffer used for buffered reads in dsi_peek */
    size_t   dsireadbuf;  /* size of the DSI read ahead buffer used in dsi_peek() */
    /* ... */
    char     *eof;        /* end of currently used buffer */
    /* ... */
    /* child and parent processes might interpret a couple of these
     * ... */
    /* ... */
} DSI;
```

Relevant members:

- The commands heap buffer used for receiving the user input, initialized in dsi_init_buffer() with a default size of 1MB.
- cmdlen to specify the size of the input in commands.
- An inlined data buffer of 64KB used for the reply.
- datalen to specify the size of the output in data.