Bugtraq mailing list archives
Re: Samba 3.x + kernel 2.6.x local root vulnerability
From: Urban Widmark <urban () teststation com>
Date: Wed, 11 Feb 2004 22:42:26 +0100 (CET)
On Tue, 10 Feb 2004, Frank Louwers wrote:
I think his point is this: Image you have a user account luser on box foo. You do not have root on foo. However, you do have root on box bar. If you are allowed to smbmount stuff on foo as user luser, (which is a BadThing(tm), but default behaviour on some systems as it seems), and you smbmount a share on bar, and use that suid shell, you actually have root control on foo!
Some posts in this thread have made comparisons with how things work with nfs. Unfortunately they are not valid, or this would indeed be just a usage error. Here is my attempt at clarifying what the problem is. The following combinations are needed to be vulnerable: Client: Linux smbfs in 2.6.x or 2.4.25-pre8 with unix extensions in .config or 2.4.x + cifs-UE patches Server: samba 3.x with unix extensions enabled (default?), or any other server that implements these extensions and supports suid flag or device nodes (I think samba3 is the only one). - It is not a requirement that you mount the fs as a luser. Even if root does it there is still a vulnerability if the user can make a suid root binary on the server. - Without UE, smbfs fakes the uid/gid as given to it by smbmnt and a non-root user can't change it from his own. This is why you can't set uid/gid with 2.4. With UE, smbfs ignores the uid/gid and instead accepts the server values the same way nfs or any network fs with unix like id:s would. Same goes for file modes. - root can set nosuid,nodev in the mount command as he would with nfs, but it does not affect the mount syscall because of what smbmnt doesn't do. - The problem is really that smbfs, unlike nfs, isn't mounted using mount and thus has its own rules (mostly for nothing better than historical reasons). "mount -t smbfs ..." calls /sbin/mount.smbfs if found, which in turn calls smbmnt that executes the mount syscall. I understand my patch to disable the suid+device code in smbfs was posted earlier in this thread. Linus hated it because the problem isn't really in the kernel. The following patch will be in future samba releases, possibly modified so that root can enable suid for mounts as he specifies. /Urban - Linux smbfs maintainer diff -urN -X exclude samba-3.0.2-orig/source/client/smbmnt.c samba-3.0.2/source/client/smbmnt.c --- samba-3.0.2-orig/source/client/smbmnt.c Thu Aug 28 23:42:42 2003 +++ samba-3.0.2/source/client/smbmnt.c Tue Feb 10 22:56:58 2004 @@ -240,7 +240,7 @@ data.dir_mode |= S_IXOTH; } - flags = MS_MGC_VAL; + flags = MS_MGC_VAL | MS_NOSUID | MS_NODEV; if (mount_ro) flags |= MS_RDONLY;
Current thread:
- Samba 3.x + kernel 2.6.x local root vulnerability Michal Medvecky (Feb 09)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Michael Kjorling (Feb 09)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Seth Arnold (Feb 09)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Patrick J. Volkerding (Feb 09)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Frank Louwers (Feb 11)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Urban Widmark (Feb 12)
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Darren Reed (Feb 13)
- Message not available
- Message not available
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Guille -bisho- (Feb 10)
- Message not available
- Re: Samba 3.x + kernel 2.6.x local root vulnerability Felipe Franciosi (Feb 11)
- <Possible follow-ups>
- RE: Samba 3.x + kernel 2.6.x local root vulnerability John . Airey (Feb 11)