
Opened 7 years ago

Closed 5 years ago

Last modified 4 years ago

#1049 closed bug (fixed)

Issuing a "rm -r" command on a samba mounted share deletes files on the router's /

Reported by: David Ludovino <david.ludovino@…>
Owned by:
Priority: normal
Milestone: Firmware 2.3.7.0
Component: fon-base-firmware
Version: 2.3.7.0 rc2
Severity: minor
Cc:
Hardware: 2.0n (FON2300)

Description

I have a USB disk attached to Fonera 2.0n. One of its partitions is used to back up my home folder. Here is its entry on /etc/fstab:

//192.168.10.1/Media/configurations /media/configurations cifs iocharset=utf8,credentials=/home/david/.fonera_credentials,uid=1000,gid=1000,noauto 0 0

In the directory /media/configurations I ran the command "rm -r .*". Besides the hidden directories this also deleted files on the router's filesystem. The router still allowed me to browse the web but when I tried to access the dashboard (http://fonera) I got an error saying some file in /etc was missing.

After restarting the router it became nonfunctional and the only way to revive it was to restore the firmware.

I've got a hint that I might have some link under my preferences folders that points to somewhere in / and then the router recursively deletes files on its /. Such would imply that the router is running the "rm -r" command with root privileges, which is a severe security flaw.

Change History (5)

comment:1 Changed 5 years ago by matthijs

  • Milestone set to Firmware 2.3.7.0
  • Severity changed from unknown to minor
  • Status changed from new to testing-fix
  • Version changed from 2.3.6.1 (Gari jr.) to 2.3.7.0 rc2

Somehow we missed this ticket when it was reported. Since the issue is significant, I'll make sure we'll include a fix in the final 2.3.7.0 release.

It seems this issue can be fixed by disabling the "wide links" option in Samba, which prevents dereferencing links outside the root of the share. I'm currently testing a firmware with this option disabled, which seems to work so far.

Note that the Fonera is not a multi-user system, so the security impact of this bug is limited: Anyone with the router password needed to access Samba shares can also access SSH (in DEV mode) or the WebUI to flash in a new firmware, so there is not really privilege escalation here.

comment:2 Changed 5 years ago by matthijs

  • Resolution set to fixed
  • Status changed from testing-fix to closed

(In [2236]) samba: Don't let Samba dereference symbolic links.

Doing so could allow users to access parts of the root filesystem through Samba, which is not desirable. Additionally, when mounted on a Linux system, using rm -rf could delete files from outside the shared USB disk, potentially breaking parts of the Fonera firmware and requiring a factory reset to fix.

Closes: #1049

comment:3 Changed 5 years ago by matthijs

Hmm, I just noticed I slightly misformulated that commit message. Samba still dereferences symbolic links, but only when they point to within the share root directory (e.g., within the same USB disk partition).

comment:4 Changed 5 years ago by matthijs

(In [2238]) samba3: Don't pass NULL to the realpath function.

The uClibc version of realpath doesn't handle NULL very well, but crashes with a segfault instead.

Normally, the samba configure process handles details like these, but our build process uses a fixed configuration instead of autodetecting things. In this fixed configuration, it was specified that realpath could handle NULL, while it really could not.

This commit updates the Samba configuration to not pass NULL into realpath.

When wide links was disabled in r2236, samba would start doing a realpath call on every share root when starting a connection. Effectively, this meant that samba worker processes would segfault as soon as a samba mount was attempted.

Looking at the code, it seems that realpath was also used during some file copy operations, so perhaps this commit also improves Samba stability.

References: #1049
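
The check described in comments 3 and 4, as an added example that is not Samba's or the Fonera firmware's code: a path is accepted only if it resolves inside the share root, and realpath is always given a caller-owned buffer instead of NULL. The function names, the temporary directory layout and the entry names are assumptions made for this illustration.

```c
/* Added example: share-root containment check (not Samba's own code). */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 = path resolves inside root, 0 = it escapes, -1 = cannot be resolved.
 * realpath() always gets a caller-owned buffer, never NULL, so this also
 * works on C libraries whose realpath() cannot allocate the result. */
int within_share(const char *root, const char *path)
{
    char rroot[PATH_MAX], rpath[PATH_MAX];
    if (!realpath(root, rroot) || !realpath(path, rpath))
        return -1;
    size_t n = strlen(rroot);
    if (strncmp(rroot, rpath, n) != 0)
        return 0;
    /* Component boundary: ".../share" must not match ".../share2".
     * n == 1 means the root is "/", which contains everything. */
    return n == 1 || rpath[n] == '\0' || rpath[n] == '/';
}

/* Builds a constructed tree in a fresh temp dir (left in place) and
 * checks one entry of the hypothetical share root <tmp>/share. */
int demo_check(const char *entry)
{
    char base[] = "/tmp/shareXXXXXX", root[64], out[64], p[512];
    if (!mkdtemp(base)) return -1;
    snprintf(root, sizeof root, "%s/share", base);
    snprintf(out, sizeof out, "%s/share2", base);   /* outside the share */
    snprintf(p, sizeof p, "%s/docs", root);
    if (mkdir(root, 0700) || mkdir(out, 0700) || mkdir(p, 0700)) return -1;
    snprintf(p, sizeof p, "%s/inside", root);
    if (symlink("docs", p)) return -1;              /* link within share */
    snprintf(p, sizeof p, "%s/escape", root);
    if (symlink(out, p)) return -1;                 /* link leaving it */
    snprintf(p, sizeof p, "%s/%s", root, entry);
    return within_share(root, p);
}

int main(void)
{
    const char *names[] = { "docs", "inside", "escape", "..", "missing" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s -> %d\n", names[i], demo_check(names[i]));
    return 0;
}
```

The "escape" link targets a sibling directory whose name starts with the share root's name, so it exercises both the symlink resolution and the component-boundary comparison.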

comment:5 Changed 4 years ago by Melis

I am happy with my new ASUS RT-16N, which I bought for ~HKD655 a couple of weeks ago. I started it up, downloaded some firmware update utility from the ASUS website, and put Tomato USB on it with minimum fuss. I set it up and it's been working fine since, with no surprises whatsoever. It's rock solid alright, as rock solid as the old ASUS it replaces. Try using network time update. It's easy, just tick the option, and put in stdtime.gov.hk (which I use) or pool.ntp.org, and you shouldn't need to set time ever again.
