Red Hot Cyber


Critical Vulnerabilities in SMBClient for macOS: CVSS 9.8 for an Effective RCE

Redazione RHC : 8 July 2025 09:15

Experts have identified serious vulnerabilities in SMBClient for macOS that affect both user space and the operating system kernel. These vulnerabilities potentially allow remote execution of arbitrary code and the disruption of critical system processes. The analysis made clear that a wide range of users are at risk: since macOS Big Sur, SMB has been the preferred protocol for file sharing over the network.

SMBClient is a set of components, including both user-space processes and kernel drivers, designed to work with file systems exposed as network resources. A significant portion of the SMB client code interacts directly with the system kernel, which opens up additional attack vectors. Furthermore, the vulnerabilities can be exploited with minimal user interaction: it is sufficient to induce a person to follow a specially crafted smb:// link.

The first of the discovered vulnerabilities is CVE-2025-24269 (CVSS score: 9.8) and concerns the smbfs.kext component, the macOS kernel driver that implements the SMB file system. The problem lies in the compressed data processing function smb2_rq_decompress_read, where in some cases the length of the input data is not properly verified. If one of the supported compression algorithms is used (LZNT1, LZ77 or LZ77_Huffman), the compress_len field is read from the network packet, but its value is not validated in any way before the data is copied into the compress_startp buffer. At the same time, the SMB_MALLOC_DATA macro used to allocate memory lets an attacker control the size of the allocated block, which can reach up to 16 megabytes.

As a result, a heap overflow occurs in the XNU data heap, a region of kernel memory that additional protection mechanisms keep largely free of control pointers; this makes exploitation harder, but does not rule it out. Experts point out that for a successful attack it is enough to convince the user to click on a malicious smb:// link, which lets the attacker initiate a session with the attacker-controlled server and trigger the delivery of specially crafted packets.
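The missing check described above is a length-validation bug, so the defensive counterpart is worth spelling out. The following C example is added here and is not code from smbfs.kext, Apple, or the article's authors; it models a simplified, hypothetical compressed-read chunk (an 8-byte header with original_len and compress_len, followed by the payload) and shows the validation a parser must perform on a network-supplied length before copying anything. The 16 MB ceiling is the allocation size the article cites; the header layout and function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified compressed-read chunk layout used for this example
 * (not the real smbfs.kext structures):
 *   bytes 0..3  original_len  - size the decompressed data should have
 *   bytes 4..7  compress_len  - number of compressed payload bytes that follow
 *   bytes 8..   compressed payload
 * All integers little-endian, as in SMB2. */
#define CHUNK_HDR_LEN 8u
/* Upper bound on what the driver will allocate for one chunk; the article
 * gives 16 MB as the attacker-reachable allocation size. */
#define CHUNK_MAX_ALLOC (16u * 1024u * 1024u)

struct chunk_view {
    uint32_t original_len;
    uint32_t compress_len;
    const uint8_t *payload;   /* points into the packet, not copied */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header and verify every length before anything is copied.
 * Returns 0 on success, -1 if the chunk must be rejected. */
int chunk_validate(const uint8_t *pkt, size_t pkt_len, struct chunk_view *out)
{
    if (pkt == NULL || out == NULL || pkt_len < CHUNK_HDR_LEN)
        return -1;                              /* header truncated */

    uint32_t original_len = rd_le32(pkt);
    uint32_t compress_len = rd_le32(pkt + 4);

    if (original_len == 0 || original_len > CHUNK_MAX_ALLOC)
        return -1;                              /* unreasonable allocation request */

    /* The check the article says was missing: compress_len comes from the
     * network and must not exceed the bytes actually present after the header. */
    if (compress_len > pkt_len - CHUNK_HDR_LEN)
        return -1;
    if (compress_len > CHUNK_MAX_ALLOC)
        return -1;

    out->original_len = original_len;
    out->compress_len = compress_len;
    out->payload = pkt + CHUNK_HDR_LEN;
    return 0;
}

/* Copy the compressed payload into a caller-provided buffer only after the
 * length has been validated against both the packet and the buffer capacity.
 * Returns the number of bytes copied, or -1 on rejection. */
long chunk_copy_payload(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_cap)
{
    struct chunk_view v;
    if (chunk_validate(pkt, pkt_len, &v) != 0)
        return -1;
    if (v.compress_len > dst_cap)
        return -1;                              /* would overflow the destination */
    memcpy(dst, v.payload, v.compress_len);
    return (long)v.compress_len;
}

/* Constructed sample packets for demonstration (not captured traffic). */
static const uint8_t GOOD_CHUNK[] = {
    0x10, 0x00, 0x00, 0x00,                     /* original_len = 16 */
    0x04, 0x00, 0x00, 0x00,                     /* compress_len = 4 */
    0xde, 0xad, 0xbe, 0xef                      /* 4 payload bytes */
};

static const uint8_t OVERSIZED_CHUNK[] = {
    0x10, 0x00, 0x00, 0x00,                     /* original_len = 16 */
    0xff, 0xff, 0xff, 0x7f,                     /* compress_len = 0x7fffffff, only 4 bytes follow */
    0xde, 0xad, 0xbe, 0xef
};

/* Returns 1 if the good chunk is accepted and the oversized one rejected. */
int chunk_demo(void)
{
    uint8_t buf[64];
    long good = chunk_copy_payload(GOOD_CHUNK, sizeof GOOD_CHUNK, buf, sizeof buf);
    long bad  = chunk_copy_payload(OVERSIZED_CHUNK, sizeof OVERSIZED_CHUNK, buf, sizeof buf);
    return good == 4 && bad == -1;
}
```

The point of the two separate checks in chunk_copy_payload is that a length from the wire has to be bounded twice: against the bytes that actually arrived (otherwise the copy reads past the packet) and against the destination capacity (otherwise it writes past the buffer). The article's overflow is the second failure; a parser that only checks one of the two is still wrong.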

The second vulnerability, identified as CVE-2025-24235 (CVSS score: 5.5), concerns the Kerberos Helper library used to establish an SMB session. A classic security error was detected here: freeing an uninitialized stack variable. When parsing authentication tokens in the _KRBDecodeNegTokenInit function, a situation may arise where the internal call to _gss_decapsulate_token fails. However, even in this case, control is transferred to the memory release block, where the _free_NegotiationToken function operates with an uninitialized stack area.

Further investigation showed that the memory freeing process calls the _asn1_free function from the Heimdal library, which is designed to parse and clear ASN.1 structures. Since the structure to be freed has not been initialized, there is a risk of uncontrolled memory access, potentially leading to arbitrary code execution on the victim’s device. A successful attack can be achieved by using standard connection mechanisms, such as following an smb:// link or mounting a resource via mount_smbfs.
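The Kerberos Helper flaw is an instance of a general C pattern: a struct declared on the stack, a decoder that can fail part-way through, and a cleanup routine that frees every pointer field. The following C example is added here and is not code from Apple, Heimdal, or the article; it uses a hypothetical neg_token struct and a heavily simplified GSS-API-style framing (tag 0x60, one-byte length, OID, inner token) to show why the struct must be zeroed before the first call that can fail, which is the fix the article describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a decoded negotiation token (hypothetical struct; the
 * real NegotiationToken is an ASN.1 structure handled by Heimdal's code). */
struct neg_token {
    uint8_t *mech_oid;  size_t mech_oid_len;   /* heap copies, NULL when unset */
    uint8_t *inner;     size_t inner_len;
};

/* Releases whatever the decoder allocated. free(NULL) is defined to be a no-op,
 * so this is only safe when every pointer in the struct is either NULL or a
 * live allocation, i.e. when the struct was initialised before use. */
void neg_token_free(struct neg_token *t)
{
    free(t->mech_oid);
    free(t->inner);
    memset(t, 0, sizeof *t);
}

/* Minimal decoder for a GSS-API-style framing (RFC 2743 section 3.1, greatly
 * simplified: one-byte lengths only):
 *   0x60 <len> 0x06 <oid_len> <oid bytes> <inner token bytes> */
static int decapsulate_token(const uint8_t *buf, size_t len, struct neg_token *t)
{
    if (len < 4 || buf[0] != 0x60 || buf[1] != len - 2 || buf[2] != 0x06)
        return -1;
    size_t oid_len = buf[3];
    if (oid_len == 0 || 4 + oid_len > len)
        return -1;
    t->mech_oid = malloc(oid_len);
    if (t->mech_oid == NULL)
        return -1;
    memcpy(t->mech_oid, buf + 4, oid_len);
    t->mech_oid_len = oid_len;

    size_t inner_len = len - 4 - oid_len;
    if (inner_len == 0)
        return -1;          /* failure after a partial allocation: caller must clean up */
    t->inner = malloc(inner_len);
    if (t->inner == NULL)
        return -1;
    memcpy(t->inner, buf + 4 + oid_len, inner_len);
    t->inner_len = inner_len;
    return 0;
}

/* Hardened decode: the struct is zeroed before the first call that can fail,
 * mirroring the fix the article describes (clear NegotiationToken before use).
 * Returns 0 and moves ownership into *out, or -1 with nothing leaked. */
int neg_token_decode(const uint8_t *buf, size_t len, struct neg_token *out)
{
    struct neg_token tok;
    memset(&tok, 0, sizeof tok);    /* without this, the error path frees stack garbage */
    if (decapsulate_token(buf, len, &tok) != 0) {
        neg_token_free(&tok);       /* safe: fields are NULL or owned allocations */
        return -1;
    }
    *out = tok;
    return 0;
}

/* Constructed sample inputs (not real Kerberos/SPNEGO tokens). */
static const uint8_t TOKEN_OK[]  = { 0x60, 0x07, 0x06, 0x02, 0x2b, 0x06, 0xaa, 0xbb, 0xcc };
/* Same framing but nothing after the OID: decapsulation fails after mech_oid
 * has already been allocated, which is exactly the path that needs cleanup. */
static const uint8_t TOKEN_BAD[] = { 0x60, 0x04, 0x06, 0x02, 0x2b, 0x06 };

/* Returns inner_len of a successful decode, or -1 when the token is rejected. */
long neg_token_probe(const uint8_t *buf, size_t len)
{
    struct neg_token t;
    if (neg_token_decode(buf, len, &t) != 0)
        return -1;
    long n = (long)t.inner_len;
    neg_token_free(&t);
    return n;
}
```

The memset in neg_token_decode is the whole fix. Without it, TOKEN_BAD reaches neg_token_free with inner holding whatever was on the stack, and free() is handed an arbitrary pointer; with it, the failed decode releases only the OID copy it actually made. Running the example under AddressSanitizer or valgrind with the memset removed is a quick way to see the difference.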

The third vulnerability, although not assigned an official CVE identifier, is still considered critical. It concerns an incorrect implementation of the mc_notifier process registration mechanism in the smbfs module. This service is responsible for notifications when network resources are unmounted. A user at any privilege level can register an arbitrary process identifier via the SMBIOC_UPDATE_NOTIFIER_PID ioctl request. If the resource is later unmounted, the kernel sends the registered process a SIGTERM, the standard termination signal.

The problem is that the kernel checks neither the permissions of the calling process nor the validity of the specified identifier. This lets an attacker terminate almost any process on the system, including the critical launchd process, which starts and manages all user and system services. As a result, the system becomes inoperative and requires a reboot. To exploit this vulnerability it is sufficient to have access to the device and the ability to open the /dev/nsmb device, which is possible in most scenarios even from inside the user sandbox.
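The ioctl flaw boils down to a missing authorization decision before a PID is stored for later signalling. The following C example is added here and is not code from smbfs, XNU, or the article; it models the registration path in user space with a hypothetical in-memory process table and a hypothetical policy (a caller may register only a live process it owns, root may register any process, and PID 1 is never a valid target) to show what the kernel-side check the article says Apple added has to decide. The real kernel uses its own credential and process-lookup APIs, which this example does not reproduce.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical process table entry; a kernel would consult its real proc list. */
struct proc_entry {
    int pid;
    unsigned uid;
    bool alive;
};

/* Per-mount notifier state: 0 means no process registered. */
struct mount_ctx {
    int notifier_pid;
};

enum { NOTIFY_OK = 0, NOTIFY_ESRCH = -1, NOTIFY_EPERM = -2 };

static const struct proc_entry *find_proc(const struct proc_entry *table, size_t n, int pid)
{
    for (size_t i = 0; i < n; i++)
        if (table[i].pid == pid && table[i].alive)
            return &table[i];
    return NULL;
}

/* Hardened registration: validates the identifier and the caller's right to
 * signal that process before storing it. Policy is an assumption for the
 * example (same-uid or root, PID 1 never allowed), not Apple's exact rule. */
int notifier_update_pid(struct mount_ctx *mnt, const struct proc_entry *caller, bool caller_is_root,
                        int requested_pid, const struct proc_entry *table, size_t n)
{
    const struct proc_entry *target = find_proc(table, n, requested_pid);
    if (target == NULL)
        return NOTIFY_ESRCH;            /* identifier must name a live process */
    if (requested_pid <= 1)
        return NOTIFY_EPERM;            /* never let an unmount take down launchd */
    if (!caller_is_root && target->uid != caller->uid)
        return NOTIFY_EPERM;            /* same rule as kill(2): you may only signal your own processes */
    mnt->notifier_pid = requested_pid;
    return NOTIFY_OK;
}

/* Unmount path: returns the PID that would receive SIGTERM, or 0 if none. */
int notifier_on_unmount(struct mount_ctx *mnt)
{
    int pid = mnt->notifier_pid;
    mnt->notifier_pid = 0;
    return pid;
}

/* Constructed sample process table for the demonstration. */
static const struct proc_entry DEMO_PROCS[] = {
    { 1,   0,   true },   /* launchd */
    { 500, 501, true },   /* caller's own process */
    { 600, 502, true },   /* another user's process */
    { 700, 501, false },  /* exited, must count as non-existent */
};
#define DEMO_NPROCS (sizeof DEMO_PROCS / sizeof DEMO_PROCS[0])

/* Attempts a registration as the given caller and returns the result code. */
int notifier_try(unsigned caller_uid, bool caller_is_root, int requested_pid)
{
    struct mount_ctx mnt = { 0 };
    struct proc_entry caller = { 500, caller_uid, true };
    return notifier_update_pid(&mnt, &caller, caller_is_root, requested_pid, DEMO_PROCS, DEMO_NPROCS);
}
```

The expected behaviour for the sample table: an unprivileged uid 501 caller can register PID 500 but is refused for PID 600 (different owner), PID 1 (launchd), and PIDs 700 and 999 (not live); a root caller can register 600 but is still refused PID 1. Whatever the exact policy, the check belongs at registration time, because by the time the unmount fires the original caller's identity is gone.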

Apple has already fixed all three vulnerabilities. In particular, a check on the length of the compressed data block has been added to the SMB packet processing function to prevent the memory overflow. Additionally, the Kerberos Helper library now clears the NegotiationToken structure before using and freeing it, which removes the path to exploitation. For the mc_notifier registration mechanism, a permission check on the user calling the SMBIOC_UPDATE_NOTIFIER_PID ioctl has been implemented, which eliminates the uncontrolled termination of arbitrary processes.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
