[Bug 15026] Partial arbitrary file read via mount.cifs

[samba-bugs@samba.org]

https://bugzilla.samba.org/show_bug.cgi?id=15026

--- Comment #2 from Jeffrey Bencteux <jbe@improsec.com> ---
(In reply to David Disseldorp from comment #1)

> Please correct me if I'm wrong, but I don't expect that this would be exploitable
> on regular systems unless mount.cifs is installed with setuid-root, or an attacker
> somehow has access to the "credentails" path fed into a mount.cifs invocation.

That is partially correct, note that on a vanilla Debian 10, mount.cifs is
setuid-root by default:

$ ls -l /usr/sbin/mount.cifs 
-rwsr-xr-x 1 root root 35600 Jun 17  2018 /usr/sbin/mount.cifs

And likely it is the case on other distributions as otherwise the following
message is returned:

$ ./mount.cifs //127.0.0.1/share /mnt/share -v -o credentials=/etc/sudoers
This program is not installed setuid root -  "user" CIFS mounts not supported.

It however seems needed to either:

1) have privileged user rights to trigger the bug, such as the below line in
/etc/sudoers:

testuser ALL=NOPASSWD: /usr/sbin/mount.cifs

Which is less likely but possible.

2) Have the scenario you depict where a user can tamper a mount with a rogue
"credentials" option value.

This greatly reduce the risk IMO.

I think the explanation is in these lines of mount.cifs.c:

 115  * When an unprivileged user runs a setuid mount.cifs, we set certain
mount
 116  * flags by default. These defaults can be changed here.
 117  */
 118 #define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV)

I expect some people to use rules such as the above sudo one to circumvent the
problem.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.