Vigil@nce: Samba, corruption of mtab via mount.cifs
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the mount.cifs command to inject invalid
characters into the /etc/mtab file.
Severity: 1/4
Consequences: data creation/editing
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 08/02/2010
IMPACTED PRODUCTS
– Samba
DESCRIPTION OF THE VULNERABILITY
The mount.cifs utility of the Samba suite is used to mount a
remote CIFS/SMB share in a local directory.
The /etc/mtab file contains the list of mount points. This file is
updated each time a new resource is mounted by mount.cifs.
However, mount.cifs does not check whether the device or mount
point name contains a special character (line feed, tab, etc.).
This invalid character is inserted in the /etc/mtab file, which
corrupts it.
A local attacker can therefore use the mount.cifs command to
inject invalid characters into the /etc/mtab file, which leads to
a denial of service.
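The missing check described above, as an added example (not Samba's code and not part of the original bulletin): each name is escaped with the octal escapes documented in getmntent(3) before the record is written, so a line feed or tab in a name cannot split the mtab line. The function names, buffer sizes and the fixed "cifs rw 0 0" fields are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Escape one mtab field with the octal escapes listed in getmntent(3):
 * space \040, tab \011, newline \012, backslash \134. Returns the escaped
 * length, or -1 for an empty field, another control byte, or no room. */
int mtab_escape_field(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (in == NULL || *in == '\0' || outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int esc = strchr(" \t\n\\", c) != NULL;
        if (!esc && (c < 0x20 || c == 0x7f))
            return -1;                  /* refuse other control bytes */
        if (o + (esc ? 4u : 1u) + 1u > outsz)
            return -1;                  /* escaped field would not fit */
        if (esc) {
            snprintf(out + o, 5, "\\%03o", (unsigned)c);
            o += 4;
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build one mtab record for a CIFS mount (hypothetical helper; options and
 * the two trailing numbers are fixed sample values). 0 on success, else -1. */
int mtab_format_cifs(const char *dev, const char *dir, char *line, size_t sz)
{
    char d[256], m[256];
    int n;
    if (mtab_escape_field(dev, d, sizeof d) < 0 ||
        mtab_escape_field(dir, m, sizeof m) < 0)
        return -1;
    n = snprintf(line, sz, "%s %s cifs rw 0 0\n", d, m);
    return (n < 0 || (size_t)n >= sz) ? -1 : 0;
}

int main(void)
{
    char line[600];  /* constructed input: space and line feed in the name */
    if (mtab_format_cifs("//srv/share", "/mnt/my dir\nx", line, sizeof line) == 0)
        fputs(line, stdout);
    return 0;
}
```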
CHARACTERISTICS
Identifiers: CVE-2010-0547, VIGILANCE-VUL-9415
http://vigilance.fr/vulnerability/Samba-corruption-of-mtab-via-mount-cifs-9415