{"id":71235,"date":"2022-02-07T19:00:36","date_gmt":"2022-02-07T11:00:36","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=71235"},"modified":"2022-02-08T09:54:55","modified_gmt":"2022-02-08T01:54:55","slug":"samba-%e6%bc%8f%e6%b4%9e-cve-2021-44142-%e5%88%86%e6%9e%90%e8%88%87%e4%bf%ae%e8%a3%9c","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=71235","title":{"rendered":"Samba \u6f0f\u6d1e CVE-2021-44142 \u5206\u6790\u8207\u4fee\u88dc"},"content":{"rendered":"\n

<\/h1>\n\n\n\n

\u672c\u6587\u8aaa\u660e Samba \u6700\u65b0\u7684\u6f0f\u6d1e\u4ee5\u53ca\u5982\u4f55\u9632\u7bc4\u7cfb\u7d71\u906d\u99ed\u5ba2\u7d93\u7531\u6b64\u6f0f\u6d1e\u99ed\u5165\u3002<\/p><\/blockquote>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n
<\/div>\n\n\n\n

\u524d\u4e0d\u4e45\uff0c\u5728\u8da8\u52e2\u79d1\u6280 Zero Day Initiative (ZDI<\/a>) \u8209\u8fa6\u7684 \u00a0Pwn2Own Austin 2021<\/a> \u99ed\u5ba2\u5927\u8cfd\u4e0a\uff0c\u53c3\u8cfd\u8005\u63ed\u9732\u4e86\u4e00\u500b Samba \u8edf\u9ad4\u7684\u8a18\u61b6\u9ad4\u8b80\u5beb\u8d85\u51fa\u908a\u754c (OOB) \u6f0f\u6d1e\u3002\u6703\u5f8c\uff0cZDI \u91dd\u5c0d\u9019\u500b\u6f0f\u6d1e\u505a\u4e86\u9032\u4e00\u6b65\u7684\u7814\u7a76\u4e4b\u5f8c\uff0c\u53c8\u767c\u73fe\u4e86\u5e7e\u500b\u8a72\u6f0f\u6d1e\u7684\u8b8a\u9ad4<\/a>\uff0c\u63a5\u8457\u4fbf\u5c07\u7814\u7a76\u767c\u73fe\u901a\u5831\u7d66 Samba \u958b\u767c\u5718\u968a\u3002\u96d6\u7136\u6211\u5011\u76ee\u524d\u5c1a\u672a\u770b\u5230\u4efb\u4f55\u5229\u7528\u6b64\u6f0f\u6d1e (\u00a0CVE-2021-44142<\/a>) \u7684\u653b\u64ca\uff0c\u4f46\u9019\u500b\u6f0f\u6d1e\u7684 CVSS \u56b4\u91cd\u6027\u7b49\u7d1a\u9054\u5230 9.9 \u5206 (\u6839\u64da\u6211\u5011\u901a\u5831\u7684\u4e09\u500b\u8b8a\u9ad4)\u3002\u99ed\u5ba2\u82e5\u80fd\u6210\u529f\u653b\u64ca\u6b64\u6f0f\u6d1e\uff0c\u5c31\u80fd\u5f9e\u9060\u7aef\u4ee5\u7cfb\u7d71\u7ba1\u7406\u54e1 (root) \u8eab\u5206\u57f7\u884c\u4efb\u610f\u7a0b\u5f0f\u78bc\u3002\u51e1\u662f\u5b89\u88dd\u4e86 Samba \u8edf\u9ad4\u4e26\u4f7f\u7528\u865b\u64ec\u6a94\u6848\u7cfb\u7d71 (VFS) \u6a21\u7d44\u300cvfs_fruit\u300d\u7684\u96fb\u8166\u90fd\u53d7\u5230\u5f71\u97ff\u3002Samba \u5df2\u7d93\u91cb\u51fa\u6240\u6709\u76f8\u95dc\u7684\u4fee\u88dc\u66f4\u65b0\u4f86\u9632\u7bc4\u6b64\u6f0f\u6d1e\u53ef\u80fd\u5e36\u4f86\u7684\u653b\u64ca\u3002\u8da8\u52e2\u79d1\u6280\u7684\u5ba2\u6236\u76ee\u524d\u90fd\u5b89\u5168\u7121\u865e<\/a>\uff0c\u6b64\u5916\u4e5f\u53ef\u63a1\u7528\u624b\u52d5\u65b9\u5f0f\u4f86\u89e3\u6c7a\u6b64\u6f0f\u6d1e\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u4f55\u8b02 Samba\uff1f<\/strong><\/h3>\n\n\n\n


Samba<\/a> \u662f\u4e00\u5957\u7528\u4f86\u8207 Windows \u7cfb\u7d71\u4e92\u901a\u7684\u8edf\u9ad4\uff0c\u5b83\u5be6\u4f5c\u4e86 Windows \u7684 Server Message Block (SMB) \u7db2\u8def\u6a94\u6848\u8207\u5217\u5370\u670d\u52d9\u529f\u80fd\uff0c\u53ef\u5728\u7d55\u5927\u591a\u6578\u7684 Unix \u548c\u985e Unix \u7cfb\u7d71 (\u5982 Linux \u53ca macOS) \u7cfb\u7d71\u4e0a\u57f7\u884c\uff0c\u70ba\u6240\u6709\u4f7f\u7528 SMB\/Common Internet File System (CIFS) \u901a\u8a0a\u5354\u5b9a\u7684\u7528\u6236\u7aef\u63d0\u4f9b\u6a94\u6848\u8207\u5217\u5370\u670d\u52d9\u3002\u5982\u6b64\u4e00\u4f86\uff0c\u7db2\u8def\u7cfb\u7d71\u7ba1\u7406\u54e1\u5c31\u80fd\u5c07\u975e Windows \u96fb\u8166\u6574\u5408\u81f3 Windows \u74b0\u5883\u6574\u5408\uff0c\u64d4\u4efb\u7db2\u57df\u63a7\u5236\u5668 (DC) \u6216\u4e00\u822c\u7684\u7db2\u57df\u6210\u54e1\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n\n\n\n\n

\u4f55\u8b02 CVE-2021-44142\uff1f<\/strong><\/h3>\n\n\n\n


CVE-2021-44142 \u662f Samba \u8edf\u9ad4\u7684\u4e00\u500b\u6f0f\u6d1e\uff0c\u53ef\u8b93\u99ed\u5ba2\u5f9e\u9060\u7aef\u57f7\u884c\u4efb\u610f\u7a0b\u5f0f\u78bc\u3002\u66f4\u7cbe\u78ba\u4e00\u9ede\u4f86\u8aaa\uff0c\u6b64\u6f0f\u6d1e\u662f\u51fa\u73fe\u5728 Samba \u4f3a\u670d\u5668\u7a0b\u5f0f\u300csmbd \u300d\u958b\u555f\u6a94\u6848\u4e26\u89e3\u6790 EA metadata \u7684\u7a0b\u5f0f\u78bc\u3002\u7d93\u7531\u6b64\u6f0f\u6d1e\uff0c\u99ed\u5ba2\u5c31\u80fd\u4ee5 root \u8eab\u5206\u57f7\u884c\u7a0b\u5f0f\u78bc\uff0c\u751a\u81f3\u4e0d\u9700\u7d93\u904e\u8a8d\u8b49\u3002<\/p>\n\n\n\n

\u96d6\u7136\u6211\u5011\u5206\u6790\u7684\u7248\u672c (smbd 4.9.5) \u4e26\u975e\u6700\u65b0\u7248\u672c\uff0c\u4f46\u6b63\u5982 Pwn2Own 2021<\/a> \u99ed\u5ba2\u5927\u8cfd\u6642\u6240\u898b\uff0c\u6709\u4e0d\u5c11\u5ee0\u5546\u7684\u7522\u54c1\u5167\u5efa\u7684\u90fd\u662f\u9019\u500b\u6216\u66f4\u65e9\u7684\u4f3a\u670d\u5668\u7248\u672c\u3002\u800c\u4e14\u9019\u4e9b\u7522\u54c1\u6703\u9810\u8a2d\u555f\u7528 Samba \u4f86\u8b93\u4e0d\u540c\u88dd\u7f6e\u4e4b\u9593\u80fd\u5920\u5206\u4eab\u6a94\u6848\u8207\u4e92\u901a\uff0c\u5c24\u5176\u662f\u958b\u653e\u539f\u59cb\u78bc\u7684 NetaTalk<\/a>\u3002NetaTalk \u662f\u4e00\u500b\u5be6\u4f5c Apple Filing Protocol (AFP) \u901a\u8a0a\u5354\u5b9a\u4ee5\u652f\u63f4 Apple \u88dd\u7f6e\u7684\u514d\u8cbb\u6a94\u6848\u4f3a\u670d\u5668\u8edf\u9ad4\u3002\u5982\u540c Samba \u5718\u968a\u7684\u516c\u544a<\/a>\u6307\u51fa\uff0c\u53ea\u8981 vfs_fruit \u7684\u7d44\u614b\u4f7f\u7528\u7684\u662f\u9810\u8a2d\u503c\u4ee5\u5916\u7684\u8a2d\u5b9a\uff0c\u5c31\u4e0d\u6703\u53d7\u5230\u6b64\u6f0f\u6d1e\u5f71\u97ff\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u53d7\u5f71\u97ff\u7684\u5c0d\u8c61\u70ba\u4f55\uff1f<\/strong><\/h3>\n\n\n\n


Samba \u5df2\u91dd\u5c0d\u6b64\u6f0f\u6d1e\u91cb\u51fa\u4fee\u88dc\u66f4\u65b0\u539f\u59cb\u7a0b\u5f0f\u78bc<\/a>\uff0c\u6b64\u5916\u4e5f\u4fee\u6b63\u4e86\u4e00\u4e9b\u4ed6\u5011\u63a5\u7372\u901a\u5831\u7684\u5176\u4ed6\u6f0f\u6d1e\u3002Samba \u63d0\u5230\u6b64\u6f0f\u6d1e\u5c0d\u6240\u6709 4.13.17 \u4ee5\u524d\u7684 Samba \u7248\u672c\u90fd\u6709\u5f71\u97ff\u3002\u4ed6\u5011\u76ee\u524d\u5df2\u91cb\u51fa\u4e86 Samba 4.13.17\u30014.14.12 \u548c 4.15.5 \u7b49\u7248\u672c\u4f86\u4fee\u6b63\u9019\u500b\u6f0f\u6d1e\uff0c \u4e26\u5efa\u8b70<\/a>\u7cfb\u7d71\u7ba1\u7406\u54e1\u61c9\u76e1\u901f\u5347\u7d1a\u5230\u9019\u4e9b\u7248\u672c\uff0c\u6216\u5957\u7528\u4fee\u88dc\u66f4\u65b0\u3002\u9664\u6b64\u4e4b\u5916\uff0c\u7db2\u8def\u5132\u5b58 (NAS) \u88dd\u7f6e\u4e5f\u53ef\u80fd\u53d7\u5230\u6b64\u6f0f\u6d1e\u5f71\u97ff\uff0c\u6240\u4ee5\u672a\u4f86\u5ee0\u5546\u61c9\u8a72\u4e5f\u6703\u91dd\u5c0d\u81ea\u5bb6\u7684\u88dd\u7f6e\u91cb\u51fa\u4e00\u4e9b\u66f4\u65b0\u3002\u6839\u64da Samba \u7684\u5ee0\u5546\u6e05\u55ae<\/a>\u986f\u793a\uff0c\u76ee\u524d\u53ef\u80fd\u53d7\u6b64\u6f0f\u6d1e\u5f71\u97ff\u7684\u5305\u62ec\u901a\u8a0a\u3001\u80fd\u6e90\u3001\u653f\u5e9c\u6a5f\u95dc\u3001\u88fd\u9020\u3001\u79d1\u5b78\u7814\u7a76\u4ee5\u53ca\u79d1\u6280\u7b49\u95dc\u9375\u7522\u696d\uff0c\u6b64\u5916\u4e5f\u5305\u62ec\u4e00\u4e9b\u6d88\u8cbb\u6027\u88dd\u7f6e\uff0c\u5982\u5bb6\u96fb\u548c\u7269\u806f\u7db2 (IoT) \u88dd\u7f6e\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u5982\u4f55\u9632\u7bc4 Samba \u6f0f\u6d1e\uff1f<\/strong><\/h3>\n\n\n\n


Samba \u5728\u4eca\u5e74 1 \u6708\u5df2\u7d93\u91cb\u51fa<\/a> \u4fee\u88dc\u66f4\u65b0\u4e26\u5efa\u8b70\u7cfb\u7d71\u7ba1\u7406\u54e1\u76e1\u901f\u5957\u7528\u5c0d\u61c9\u7684\u66f4\u65b0\u3002\u96d6\u7136\u4ed6\u5011\u4e5f\u5efa\u8b70\u53ef\u4ee5\u5c07 fruit VFS \u6a21\u7d44\u5f9e vfs \u7269\u4ef6\u7a0b\u5f0f\u78bc\u4e2d\u79fb\u9664\u4f86\u66ab\u6642\u89e3\u6c7a\u6b64\u554f\u984c\uff0c\u4f46\u9019\u6a23\u505a\u6703\u56b4\u91cd\u5f71\u97ff macOS \u7cfb\u7d71\u5b58\u53d6\u4f3a\u670d\u5668\u4e0a\u7684\u8cc7\u6599\u3002\u56e0\u6b64\uff0c\u6211\u5011\u5efa\u8b70\u7cfb\u7d71\u7ba1\u7406\u54e1\u6700\u597d\u9084\u662f\u76e1\u5feb\u6e2c\u8a66\u4e26\u90e8\u7f72\u4e0a\u8ff0\u4fee\u88dc\u66f4\u65b0\u4f86\u89e3\u6c7a\u6b64\u6f0f\u6d1e\u3002\u6b64\u5916\uff0cZDI \u4e5f\u6307\u51fa\uff0c\u8a31\u591a\u4e0d\u540c\u5ee0\u5546\u90fd\u53ef\u80fd\u9700\u8981\u66f4\u65b0\u81ea\u5bb6\u88dd\u7f6e (\u5982 NAS) \u5167\u5efa\u7684 Samba \u7248\u672c\uff0c\u56e0\u6b64\u53ef\u9810\u898b\u672a\u4f86\u9084\u6703\u6709\u66f4\u591a\u4fee\u88dc\u66f4\u65b0\u51fa\u73fe\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

Samba \u662f\u5426\u66fe\u7d93\u88ab\u7528\u65bc\u653b\u64ca\uff1f<\/strong><\/h3>\n\n\n\n


\u4e4b\u524d\u7684 Samba \u7248\u672c (\u5982 3.6.3 \u548c\u66f4\u65e9\u7248\u672c) \u5df2\u77e5\u542b\u6709\u4e00\u4e9b\u8cc7\u5b89\u554f\u984c<\/a>\u53ef\u80fd\u8b93\u672a\u7d93\u6388\u6b0a\u7684\u4f7f\u7528\u8005\u5229\u7528 Samba \u7684\u9060\u7aef\u7a0b\u5e8f\u547c\u53eb<\/a>\u6f0f\u6d1e\u900f\u904e\u533f\u540d\u9023\u7dda\u53d6\u5f97\u7cfb\u7d71\u7ba1\u7406\u54e1\u6b0a\u9650\u3002\u9664\u6b64\u4e4b\u5916\u9084\u6709\u5176\u4ed6\u901a\u5831\u904e\u7684\u6f0f\u6d1e\u9084\u6709\uff1a<\/p>\n\n\n\n