carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://blog.doyensec.com/2025/09/02/ksmbd-2.html
  • Blog Title: ksmbd - Fuzzing Improvements and Vulnerability Discovery (2/3)
  • Suggested Section: Generic Methodologies & Resources / Pentesting Network / SMB (SMB2/SMB3) – ksmbd attack surface and protocol fuzzing with syzkaller

🎯 Content Summary

Doyensec’s ksmbd Fuzzing (Part 2): Deeper State, Grammar-Aware Inputs, and 23 Vulnerabilities

Context

This second post in Doyensec’s ksmbd series explains how they expanded fuzzing for Linux’s in-kernel SMB server (ksmbd) to reach deeper, stateful code paths and uncover 23 bugs (mostly UAF and OOB). It provides concrete harness code, syzkaller configs (including experimental features), sanitizer outcomes, and a CVE-indexed bug list. Kerberos and ...

🔧 Technical Details

Expand SMB attack surface via configuration: Enable durable handles, leases, multi-channel, and VFS objects to force ksmbd into deeper parsers/handlers beyond defaults (oplocks). Target hot paths in smb2pdu.c, smbacl.c, ndr.c, oplock.c, vfs.c, vfs_cache.c.

Make stateful SMB fuzzable without Kerberos: Patch NTLMv2 acceptance, allow guest, and set map to guest = bad user. Patch out SMB credits (post-CVE-2024-50285 hardening) and raise max connections to 65536 to avoid rate-limiting/exhaustion during fuzzing.

Stateful request chaining: Within a single pseudo-syscall, parse responses to extract SessionId, TreeID, and FileIDs and reuse them across smb2_create → smb2_ioctl → smb2_close to preserve server state and reach deeper handlers.

Grammar-driven SMB2 generation: Translate Microsoft SM...

🤖 Agent Actions

I analyzed the blog and HackTricks, explored the repo, and implemented an update.

What I checked

  • Reviewed at least 5 relevant files to find the best place:
    • src/network-services-pentesting/pentesting-smb/README.md
    • src/generic-methodologies-and-resources/pentesting-network/README.md
    • src/windows-hardening/ntlm/README.md
    • src/AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md
    • src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md
  • No page existed for ksmbd-specific attack surface or fuzzing, and there was no syzkaller content under SMB. The SMB page is the most appropriate section for this content.

What I added

  • New page (technical methodology) under SMB:

    • File: src/network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md
    • Title: ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller)
    • Content includes:
      • How to expand ksmbd attack surface via configuration (durable handles, multi-channel, leases, oplocks, VFS objects) to hit smb2pdu.c, ndr.c, smbacl.c, oplock.c, vfs.c, vfs_cache.c.
      • Fuzzing-oriented auth/rate-limiting adjustments: guest, map to guest = bad user, accept NTLMv2, patch SMB credits, increase max connections.
      • Stateful harness design with code snippet to parse SessionId/TreeID/FileIDs and chain SMB2 ops (create → ioctl → close).
      • Grammar-driven SMB2 PDU generation example (SMB2 IOCTL structure).
      • Directed fuzzing via syzkaller focus_areas with JSON example, plus a Python builder for malicious Security Descriptors to hit ACL math/overflow (dacloffset).
      • ANYBLOB/anyTypes corpus seeding from public SMB pcaps (tshark + syz_ksmbd_send_req program generation example).
      • Sanitizer strategy (KASAN/KUBSAN/UBSAN) with a concrete UBSAN declared-bounds example for num_subauth=0 → sub_auth[-1].
      • Throughput/parallelism notes and a practical checklist.
      • References section including the Doyensec blog, syzkaller docs/commits, kernel sanitizer docs, Microsoft SMB specs, Wireshark sample captures, and background reading.
    • Banners included at top and bottom, and a properly formatted References section.
  • Linked the new page from the main SMB page:

    • Modified src/network-services-pentesting/pentesting-smb/README.md to add:
      • “ksmbd attack surface and SMB2/SMB3 protocol fuzzing (syzkaller)” with an internal reference block:
        {{#ref}}
        ksmbd-attack-surface-and-fuzzing-syzkaller.md
        {{#endref}}

Rationale

  • The blog contains highly technical content (stateful protocol fuzzing, syzkaller configuration, grammar-aware generation, sanitizer findings) not present in HackTricks’ SMB area. It belongs with the SMB section (network-services-pentesting/pentesting-smb) and is clearly linked from the main SMB README for discoverability.
  • Focused on the reusable methodology and concrete snippets rather than cataloging CVEs, aligning with HackTricks guidance.

Changes implemented

  • Created: src/network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md
  • Modified: src/network-services-pentesting/pentesting-smb/README.md to add the internal link

If you want me to also cross-link from the AI-Assisted-Fuzzing page or other fuzzing-related areas, I can add references, but I prioritized keeping the update within the SMB pentesting section as requested.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
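The stateful request-chaining idea from the Technical Details above, as an added example that is not code from the Doyensec post or from the HackTricks page this PR adds: a minimal SMB2 header and CREATE-response parser that harvests SessionId, TreeId and FileId from server responses and carries them into the next IOCTL request. It assumes the MS-SMB2 wire layouts and uses constructed sample bytes, not captured traffic.

```python
# Added example (not from the Doyensec post or HackTricks): the identifier
# bookkeeping a chained SMB2 harness needs. Offsets follow MS-SMB2; bytes are constructed.
import struct
SMB2_MAGIC, HDR_LEN = b"\xfeSMB", 64
# MS-SMB2 2.2.1 sync header fields in order; TreeId is f[10], SessionId is f[11]
HDR_FMT = "<4sHHIHHIIQIIQ16s"
SMB2_CREATE, SMB2_IOCTL, FLAG_RESPONSE = 0x0005, 0x000B, 0x1

def parse_header(pdu):
    if len(pdu) < HDR_LEN or pdu[:4] != SMB2_MAGIC or pdu[4:6] != b"\x40\x00":
        raise ValueError("not an SMB2 PDU")
    f = struct.unpack(HDR_FMT, pdu[:HDR_LEN])
    return {"status": f[3], "command": f[4], "flags": f[6], "message_id": f[8],
            "tree_id": f[10], "session_id": f[11]}

def build_header(command, message_id, session_id=0, tree_id=0, flags=0):
    return struct.pack(HDR_FMT, SMB2_MAGIC, 64, 1, 0, command, 1, flags, 0,
                       message_id, 0, tree_id, session_id, b"\0" * 16)

class SmbState:
    """Identifiers one pseudo-syscall must carry across create -> ioctl -> close."""
    def __init__(self):
        self.session_id, self.tree_id, self.file_ids, self.next_mid = 0, 0, [], 1

    def learn(self, pdu):  # harvest reusable state from a server response
        h = parse_header(pdu)
        if not (h["flags"] & FLAG_RESPONSE) or h["status"] != 0:
            return h  # requests and error responses carry no reusable state
        self.session_id = h["session_id"] or self.session_id
        self.tree_id = h["tree_id"] or self.tree_id
        if h["command"] == SMB2_CREATE:  # MS-SMB2 2.2.14: size 89, FileId at +64
            body = pdu[HDR_LEN:]
            if len(body) < 88 or struct.unpack_from("<H", body)[0] != 89:
                raise ValueError("malformed CREATE response")
            self.file_ids.append(body[64:80])  # Persistent (8) + Volatile (8)
        return h

    def ioctl(self, ctl_code, payload=b""):
        # IOCTL request (MS-SMB2 2.2.31): 56 fixed bytes, FileId at body offset 8
        hdr = build_header(SMB2_IOCTL, self.next_mid, self.session_id, self.tree_id)
        self.next_mid += 1
        body = struct.pack("<HHI16sIIIIIIII", 57, 0, ctl_code, self.file_ids[-1],
                           HDR_LEN + 56, len(payload), 0, 0, 0, 4096, 1, 0)
        return hdr + body + payload

# Constructed CREATE response: session 0x2222, tree 0x11, FileId 01*8 || 02*8
SAMPLE_CREATE_RESP = (build_header(SMB2_CREATE, 3, 0x2222, 0x11, FLAG_RESPONSE)
                      + struct.pack("<HBBI", 89, 0, 0, 1) + b"\0" * 48
                      + struct.pack("<II", 0x80, 0) + b"\x01" * 8 + b"\x02" * 8
                      + struct.pack("<II", 0, 0) + b"\0")
```

In a real harness the same `learn` step runs on the SESSION_SETUP and TREE_CONNECT responses first, so the IDs come from the server rather than from the constructed sample.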

Build master and others added 2 commits September 4, 2025 09:18
@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://blog.doyensec.com/2025/09/02/ksmbd-2.html

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources / Pentesting Network / SMB (SMB2/SMB3) – ksmbd attack surface and protocol fuzzing with syzkaller".

Repository Maintenance:

  • MD Files Formatting: 875 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions bot force-pushed the master branch 6 times, most recently from 4d8992e to 318e919 Compare September 7, 2025 17:52
@carlospolop (Collaborator, Author)

merge

@github-actions github-actions bot force-pushed the master branch 8 times, most recently from 33225ba to b083058 Compare September 8, 2025 04:05
@carlospolop carlospolop merged commit 4b54ccf into master Sep 8, 2025
@carlospolop carlospolop deleted the update_ksmbd_-_Fuzzing_Improvements_and_Vulnerability_Dis_20250904_124648 branch September 8, 2025 06:02
github-actions bot pushed a commit that referenced this pull request Sep 8, 2025
…Improvements_and_Vulnerability_Dis_20250904_124648

ksmbd - Fuzzing Improvements and Vulnerability Discovery (2/...