diff options
| author | Aurelien Aptel <aaptel@suse.com> | 2020-07-27 10:34:44 +0200 |
|---|---|---|
| committer | Pavel Shilovsky <pshilov@microsoft.com> | 2020-09-03 09:49:40 -0700 |
| commit | 48a654e2e763fce24c22e1b9c695b42804bbdd4a (patch) | |
| tree | 999bbded8f8db835a0d267e346f911876ffa63cf /smbinfo | |
| parent | 5ff5fc2ecc10353fd39ad508db5c2828fd2d8d9a (diff) | |
| download | cifs-utils-48a654e2e763fce24c22e1b9c695b42804bbdd4a.tar.gz cifs-utils-48a654e2e763fce24c22e1b9c695b42804bbdd4a.tar.bz2 cifs-utils-48a654e2e763fce24c22e1b9c695b42804bbdd4a.zip | |
CVE-2020-14342: mount.cifs: fix shell command injection
A bug has been reported recently for the mount.cifs utility which is
part of the cifs-utils package. The tool has a shell injection issue
where one can embed shell commands via the username mount option. Those
commands will be run via popen() in the context of the user calling
mount.
The bug requires cifs-utils to be built with --with-systemd (enabled
by default if supported).
A quick test to check if the mount.cifs binary is vulnerable is to look
for popen() calls like so:
$ nm mount.cifs | grep popen
U popen@@GLIBC_2.2.5
If the user is allowed to run mount.cifs via sudo, he can obtain a root
shell.
sudo mount.cifs -o username='`sh`' //1 /mnt
If mount.cifs has the setuid bit, the command will still be run as the
calling user (no privilege escalation).
The bug was introduced in June 2012 with commit 4e264031d0da7d3f2
("mount.cifs: Use systemd's mechanism for getting password, if
present.").
Affected versions:
cifs-utils-5.6
cifs-utils-5.7
cifs-utils-5.8
cifs-utils-5.9
cifs-utils-6.0
cifs-utils-6.1
cifs-utils-6.2
cifs-utils-6.3
cifs-utils-6.4
cifs-utils-6.5
cifs-utils-6.6
cifs-utils-6.7
cifs-utils-6.8
cifs-utils-6.9
cifs-utils-6.10
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14442
Reported-by: Vadim Lebedev <vadim@mbdsys.com>
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Diffstat (limited to 'smbinfo')
0 files changed, 0 insertions, 0 deletions