Merge pull request #2127 from HackTricks-wiki/research_update_src_binary-exploitation_linux-kernel-exploitation_ksmbd-streams_xattr-oob-write-cve-2025-37947_20260414_032056

carlospolop · web-flow · commit 21f4ebf4e8f4 · 2026-04-14T05:27:57.000+02:00
Research Update Enhanced src/binary-exploitation/linux-kerne...
diff --git a/src/binary-exploitation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md b/src/binary-exploitation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md
@@ -19,6 +19,12 @@ Example smb.conf
 
 Root cause (allocation clamped, memcpy at unclamped offset)
 - The function computes size = *pos + count, clamps size to XATTR_SIZE_MAX (0x10000) when exceeded, and recomputes count = (*pos + count) - 0x10000, but still performs memcpy(&stream_buf[*pos], buf, count) into a 0x10000-byte buffer. If *pos ≥ 0x10000 the destination pointer is already outside the allocation, producing an OOB write of count bytes.
+- `streams_xattr` stores SMB alternate data streams inside POSIX extended attributes, so the 0x10000 ceiling comes from the Linux single-xattr size limit rather than from an SMB protocol field. That makes the bug practical only when the share explicitly enables `vfs objects = streams_xattr` and the filesystem supports xattrs.
+
+Why the write offset matters
+- The vulnerable path is not just "write more than 64KiB". The missing check was that `*pos` was not validated against the current stream length (`v_len`) before the append/copy logic ran.
+- Upstream fixed this by rejecting writes where `*pos >= v_len` with `-EINVAL`. Pre-fix, an attacker could reuse a valid authenticated handle to a named stream and send a raw SMB2 WRITE whose `file_offset` already points at or past the end of the existing stream, which turns the post-clamp `memcpy()` into a deterministic page overflow.
+- The public PoC demonstrates this by authenticating with `libsmb2`, opening a stream path such as `1337:`, extracting `SessionId`/`TreeId`/`FileId`, and then sending a handcrafted SMB2 WRITE with `file_offset = 0x10018` and a small `Length`.
 
 <details>
 <summary>Vulnerable function snippet (ksmbd_vfs_stream_write)</summary>
@@ -52,6 +58,7 @@ Offset steering and OOB length
 Triggering the bug via SMB streams write
 - Use the same authenticated SMB connection to open a file on the share and issue a write to a named stream (streams_xattr). Set file_offset ≥ 0x10000 with a small length to generate a deterministic OOB write of controllable size.
 - libsmb2 can be used to authenticate and craft such writes over SMB2/3.
+- In practice, reusing the negotiated SMB session is convenient because the exploit only needs to patch a few dynamic fields in the WRITE request (`TreeId`, `SessionId`, `FileId`) and can then transmit the malformed packet directly on the same socket.
 
 Minimal reachability (concept)
 ```c
@@ -79,6 +86,11 @@ sudo cat /proc/pagetypeinfo | sed -n '/Node 0, zone  Normal/,/Node/p'
 sudo ./bpf-tracer.sh
 ```
 
+What to trace while tuning
+- `kvmalloc_node(0x10000)` confirms when the vulnerable stream write actually consumes an order-4 allocation.
+- `load_msg`/`kretprobe:load_msg` lets you estimate how many `msg_msgseg` allocations are attached to each sprayed message, which is useful when tuning primary/secondary message sizes for a specific kernel build.
+- If the exploit is ported to a different distro/kernel, re-check cache names, inline `msg_msg` payload sizes, `anon_pipe_buf_ops` offsets, and gadget addresses rather than assuming the Ubuntu 22.04 LTS `5.15.0-153-generic` constants still match.
+
 Exploitation plan (msg_msg + pipe_buffer), adapted from CVE-2021-22555
 1) Spray many System V msg_msg primary/secondary messages (4KiB-sized to fit kmalloc-cg-4k).
 2) Trigger ksmbd OOB to corrupt a primary message’s next pointer so that two primaries share one secondary.
@@ -106,16 +118,20 @@ Mitigations and reachability
 - Fix: clamp both allocation and destination/length or bound memcpy against the allocated size; upstream patches track as CVE-2025-37947.
 - Remote exploitation would additionally require a reliable infoleak and remote heap grooming; this write-up focuses on local LPE.
 
+See also
+
+{{#ref}}
+../../network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md
+{{#endref}}
+
 References PoC and tooling
 - libsmb2 for SMB auth and streams writes
 - eBPF tracer script to log kvmalloc addresses and histogram allocations (e.g., grep 4048 out-4096.txt)
 - Minimal reachability PoC and full local exploit are publicly available (see References)
 
 ## References
 - [ksmbd - Exploiting CVE-2025-37947 (3/3) — Doyensec](https://blog.doyensec.com/2025/10/08/ksmbd-3.html)
-- [libsmb2](https://github.com/sahlberg/libsmb2)
-- [KSMBD-CVE-2025-37947: proof-of-concept.c](https://github.com/doyensec/KSMBD-CVE-2025-37947/blob/main/proof-of-concept.c)
-- [KSMBD-CVE-2025-37947: CVE-2025-37947.c (full exploit)](https://github.com/doyensec/KSMBD-CVE-2025-37947/blob/main/CVE-2025-37947.c)
-- [bpf-tracer.sh](https://github.com/doyensec/KSMBD-CVE-2025-37947/blob/main/bpf-tracer.sh)
+- [Linux upstream fix: `ksmbd: prevent out-of-bounds stream writes by validating *pos`](https://github.com/torvalds/linux/commit/0ca6df4f40cf4c32487944aaf48319cb6c25accc)
+- [KSMBD-CVE-2025-37947 PoC repository](https://github.com/doyensec/KSMBD-CVE-2025-37947)
 
 {{#include ../../banners/hacktricks-training.md}}
