blkid command injection

[Sebastian Krahmer <krahmer () suse de>]

Hi

There is a command injection inside blkid. It uses caching
files (/dev/.blkid.tab or /run/blkid/blkid.tab) to store info about the
UUID, LABEL etc it finds on certain devices.

However, it does not strip " character, so it can be confused to
build variable names containing embedded shell metas, which it would usually
encode inside the value.

Given an USB stick with /dev/sdb1 you can:

# mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
# blkid -o udev /dev/sdb1
ID_FS_LABEL=X__/tmp/foo___
[...]

Seems to be OK, but invoking blkid a second time, taking the cache in effect:

# blkid -o udev /dev/sdb1
ID_FS_LABEL=X
ID_FS_LABEL_ENC=X
ID_FS_`/tmp/foo` "" UUID=...
[...]


"blkid -o udev" is often used in root context via udev or in automounters
(uam-pmount) to construct key=value environment variables inside shell scripts
which are then evaluated.
Might be possible to construct an embedded LD_PRELOAD= as well for the binary
case.

By injecting > character one can probably construct whole fake cache entries.

Sebastian




-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team