Guillaume Teissier and Quentin Minster

Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution

Abstract

KSMBD is a young component in the Linux kernel upstreamed since 5.15 and shipping with Ubuntu 22.04. It offers an in-kernel SMB server focused on performance, and attempts to keep the complex, non-performance-critical parts of the protocol separate in a userspace daemon. This talk focuses on several vulnerabilities discovered in the KSMBD kernel module itself, which we chained to achieve kernel remote code execution. An exploit against a vulnerable Ubuntu 22.04 server will be performed live.

KSMBD, as opposed to Samba, runs mostly as a kernel module. It interfaces directly with the Linux virtual file system to achieve higher performance. Building on the Samba experience, KSMBD chooses to delegate the handling of user authentication and Remote Procedure Call services to a group of privileged userspace processes, which run as root in the default Ubuntu deployment.

During the summer of 2022, several vulnerabilities were uncovered through an audit of both the KSMBD kernel module and the userland binaries. Among them were various weaknesses, ranging from memory exhaustion to a kernel use-after-free, a.k.a. the much-hyped ZDI-22-1690 / CVE-2022-47939 (rated a perfect CVSS 10.0 by ZDI, CVSS 9.8 by NIST). Those vulnerabilities were reported and patched.

Three of those vulnerabilities were chained to achieve kernel remote code execution: ZDI-22-1691, ZDI-22-1688, and ZDI-CAN-18259. Attacking over the network prevents us from reusing the known techniques of a local exploit, where the attacker can already execute arbitrary code in userland. However, the SMB protocol's semantics and implementation helped us build effective remote primitives. Up-to-date kernel mitigations are bypassed, and a demo will feature a remote kernel thread hijack ending in a `uid=0` reverse shell.

BIO

Guillaume Teissier is a French security researcher working for Thales Group. His activities include vulnerability research on Linux and other systems, as well as teaching Android security to students.

Quentin Minster is a French security researcher working for Thales Group. His activities include reverse engineering and vulnerability research, with a focus on low-level internals of Linux and other Unix systems.