Modern OpenAFS builds ship with ASLR and NX (non-executable stack and heap), so injected shellcode cannot simply be executed and absolute addresses cannot be assumed. The exploit therefore uses a heap spray: before sending the overflowing packet, the attacker allocates many large ACL (Access Control List) structures whose contents are a return-oriented programming (ROP) chain, so that a guessed heap address is very likely to land on a copy of the chain. The chain pivots the stack into a known Rx connection structure and ends by calling system("/bin/sh").
```c
/* Illustrative pseudo-code only, not verbatim OpenAFS source.  rx_GetData()
 * stands in for the Rx read path (rx_Read() in the real Rx API). */
int afs_GetData(struct rx_call *call, afs_int32 *offset, afs_int32 *length, ...)
{
    char buffer[4096];
    /* BUG: some versions did not cap *length before the copy.  The missing
     * check is "if (*length > sizeof buffer) return EINVAL;": a wire-supplied
     * length larger than 4096 overruns the stack buffer. */
    memcpy(buffer, rx_GetData(call), *length);
    return 0;
}
```

afs3-fileserver exploit
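As an added example (not code from this page or from OpenAFS), here is the same handler with the missing length check in place, plus a chunked variant for payloads that legitimately exceed one buffer. rx_call_stub and rx_read_stub are assumed stand-ins for Rx's call handle and rx_Read(), MAX_TRANSFER is an assumed per-call ceiling, and the payload is constructed inside the harness so the code runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenAFS code.  rx_call_stub and rx_read_stub stand in
 * for Rx's call handle and rx_Read(call, buf, nbytes) so the handler runs
 * offline against a constructed in-memory payload. */
struct rx_call_stub {
    const unsigned char *data;   /* constructed packet payload */
    size_t remaining;            /* bytes still readable */
};

/* Same contract as rx_Read: copies up to nbytes, returns how many it copied
 * (a short read when the peer sent less than it claimed). */
static int rx_read_stub(struct rx_call_stub *call, void *buf, int nbytes)
{
    size_t n = (size_t)nbytes < call->remaining ? (size_t)nbytes : call->remaining;
    memcpy(buf, call->data, n);
    call->data += n;
    call->remaining -= n;
    return (int)n;
}

#define BUFSZ 4096
#define MAX_TRANSFER (16 * 1024 * 1024)  /* assumed per-call ceiling */

/* Hardened form of the page's handler: the wire-supplied length is checked
 * against the buffer's real capacity before any copy, and a short read is
 * an error rather than silently trusted.  Returns bytes read or -1. */
static int get_data_bounded(struct rx_call_stub *call, int32_t length,
                            char *out, size_t out_cap)
{
    if (length < 0 || (size_t)length > out_cap)
        return -1;                         /* untrusted length: refuse it */
    int got = rx_read_stub(call, out, length);
    return got == length ? got : -1;       /* truncated payload: refuse it */
}

/* For payloads that legitimately exceed one buffer: consume the stream in
 * fixed-size chunks so no single copy can exceed the scratch buffer, and cap
 * the total so an absurd length cannot pin the call.  Folds the data into a
 * toy checksum to show every byte is still processed. */
static long get_data_chunked(struct rx_call_stub *call, int64_t length,
                             uint32_t *checksum)
{
    char scratch[BUFSZ];
    long total = 0;
    *checksum = 0;
    if (length < 0 || length > MAX_TRANSFER)
        return -1;
    while (total < length) {
        int64_t want = length - total;
        if (want > (int64_t)sizeof scratch)
            want = sizeof scratch;
        int got = rx_read_stub(call, scratch, (int)want);
        if (got <= 0)
            return -1;                     /* peer sent less than it claimed */
        for (int i = 0; i < got; i++)
            *checksum = *checksum * 31u + (unsigned char)scratch[i];
        total += got;
    }
    return total;
}

/* Harnesses: build a constructed payload of payload_len bytes and run one
 * handler with a claimed `length`, returning the handler's result. */
static unsigned char g_payload[16384];

static int demo_bounded(int32_t length, size_t payload_len)
{
    char out[BUFSZ];
    if (payload_len > sizeof g_payload)
        return -2;
    for (size_t i = 0; i < payload_len; i++)
        g_payload[i] = (unsigned char)i;
    struct rx_call_stub call = { g_payload, payload_len };
    return get_data_bounded(&call, length, out, sizeof out);
}

static long demo_chunked(int64_t length, size_t payload_len)
{
    uint32_t sum;
    if (payload_len > sizeof g_payload)
        return -2;
    for (size_t i = 0; i < payload_len; i++)
        g_payload[i] = (unsigned char)i;
    struct rx_call_stub call = { g_payload, payload_len };
    return get_data_chunked(&call, length, &sum);
}

int main(void)
{
    printf("bounded, claimed 5000:  %d\n", demo_bounded(5000, 10000));   /* -1 */
    printf("bounded, claimed 100:   %d\n", demo_bounded(100, 10000));    /* 100 */
    printf("bounded, short read:    %d\n", demo_bounded(200, 100));      /* -1 */
    printf("chunked, 10000 bytes:   %ld\n", demo_chunked(10000, 10000)); /* 10000 */
    printf("chunked, truncated:     %ld\n", demo_chunked(10000, 5000));  /* -1 */
    return 0;
}
```

The point of the two variants is that the bound must come from the buffer the code actually owns (sizeof the scratch buffer or the caller's capacity), never from the peer's length field, and that a short read is treated as a protocol violation rather than letting stale buffer contents pass as data.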
The AFS3 file server exploit is a remote code execution (RCE) vulnerability in the AFS3 file server, reached through the Rx transport and its rxkad security layer. An attacker sends a malicious packet to the file server, which can lead to arbitrary code execution, privilege escalation and, ultimately, unauthorized access to sensitive data.
Many exploits rely on unauthenticated (rxnull) Rx packets. Force -rxk5 on your fileserver processes, but check that option against your fileserver's man page first, since it is not among the switches documented for the stock fileserver. Note also that /etc/openafs/server/ThisCell holds only the cell name; fileserver command-line options belong on the fileserver line in the bosserver's BosConfig (bos create ... -cmd "... fileserver ..."), not in ThisCell. To see which live connections are unauthenticated, rxdebug <fileserver> 7000 -allconnections lists each connection's security index (0 is rxnull, 2 is rxkad).
You might think, "AFS is ancient. Nobody uses it." That assumption is dangerous.
The AFS3 file server exploit has significant consequences for organizations that rely on AFS3 for file sharing and management. Some of the potential impacts include:
service may start on port 7000 (UDP 7000 is the registered afs3-fileserver port). This can conflict with legitimate AFS services or Docker containers, creating a surface for intercepting traffic or causing local service failures. Reconnaissance and IoT Targeting: Security scanners like