Fedora Account System
Red Hat Associate
Red Hat Customer
The ad_gpo_extract_smb_components() function in SSSD's AD GPO provider converts backslashes to forward slashes in the gPCFileSysPath LDAP attribute but does not sanitize .. path components. A differential between libsmbclient's path clamping (resolves .. at the share root) and the kernel's path resolution (resolves .. fully) allows an attacker with AD GPO management access to write files outside the GPO cache directory as root. On SELinux-enforcing systems (the default on RHEL), the traversal can target /var/lib/sss/pubconf/krb5.include.d/ (labeled sssd_public_t), enabling Kerberos KDC redirection and authentication bypass. On SELinux-permissive or disabled systems, arbitrary file write as root is possible.