Vigil@nce - Samba: denial of service via mount.cifs
October 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When mount.cifs is installed suid root, a local attacker can send
a signal to the process to cause a denial of service in the
mount tools.
Severity: 2/4
Creation date: 27/09/2011
IMPACTED PRODUCTS
– Samba
DESCRIPTION OF THE VULNERABILITY
The mount.cifs utility of the Samba suite is used to mount a
remote CIFS/SMB share on a local directory. When it is installed
suid root, all users on the system can use it; otherwise only root
is allowed.
The /etc/mtab file contains the list of mount points. This file is
updated each time a new resource is mounted by mount.cifs. The
/etc/mtab lock is used to ensure that two tools are not
simultaneously editing the file.
However, an attacker can call mount.cifs and then send it a
SIGKILL signal at the right time, so the lock is not deleted.
Other tools editing /etc/mtab will then fail.
When mount.cifs is installed suid root, a local attacker can
therefore send a signal to the process to cause a denial of
service in the mount tools.
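An audit for the two conditions described above, added here as an example and not part of the Vigil@nce bulletin: it checks whether the mount helper is setuid root and whether the mtab lock has been left behind. The paths in the usage comment (/sbin/mount.cifs, /etc/mtab~), the 5-minute threshold and all function names are assumptions.

```shell
#!/bin/sh
# Added audit helper; not part of the bulletin. Paths are passed as arguments.
# Usage (assumed paths): sh audit.sh /sbin/mount.cifs '/etc/mtab~'

# True when FILE exists and carries the set-user-ID bit.
has_suid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print the numeric owner uid of FILE (third field of `ls -ln`).
owner_uid() {
    ls -ln "$1" | awk '{ print $3 }'
}

# True when LOCK exists and was last modified more than MAX_MIN minutes ago.
# An mtab update holds the lock only briefly, so an old lock points to a
# holder that died without removing it.
lock_is_stale() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -mmin "+$2" 2>/dev/null)" ]
}

# Report both conditions; the return value is the number of findings.
audit_mount_cifs() {
    helper=$1 lock=$2 max_min=${3:-5} findings=0
    if has_suid_bit "$helper" && [ "$(owner_uid "$helper")" = "0" ]; then
        echo "FINDING: $helper is setuid root; any local user can run and signal it"
        findings=$((findings + 1))
    fi
    if lock_is_stale "$lock" "$max_min"; then
        echo "FINDING: $lock is older than $max_min min; mtab updates may be blocked"
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ "$#" -eq 2 ]; then audit_mount_cifs "$1" "$2"; fi
```

The exit status is the number of findings, so the script can be run from a scheduled job that alerts on any non-zero result.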
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Samba-denial-of-service-via-mount-cifs-11017