oss-sec mailing list archives
blkid command injection
From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 26 Nov 2014 16:25:25 +0100
Hi

There is a command injection inside blkid. It uses caching files (/dev/.blkid.tab or /run/blkid/blkid.tab) to store info about the UUID, LABEL etc it finds on certain devices. However, it does not strip " character, so it can be confused to build variable names containing embedded shell metas, which it would usually encode inside the value.

Given a USB stick with /dev/sdb1 you can:

    # mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1

    # blkid -o udev /dev/sdb1
    ID_FS_LABEL=X__/tmp/foo___
    [...]

Seems to be OK, but invoking blkid a second time, taking the cache in effect:

    # blkid -o udev /dev/sdb1
    ID_FS_LABEL=X
    ID_FS_LABEL_ENC=X
    ID_FS_`/tmp/foo` "" UUID=...
    [...]

"blkid -o udev" is often used in root context via udev or in automounters (uam-pmount) to construct key=value environment variables inside shell scripts which are then evaluated.

Might be possible to construct an embedded LD_PRELOAD= as well for the binary case. By injecting > character one can probably construct whole fake cache entries.

Sebastian

--

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
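Added example, not part of the original post and not blkid or udev code: one way for a consumer script to read "blkid -o udev" output as data instead of evaluating it, refusing the whole output if any variable name is not plain [A-Z0-9_]. The sample output is constructed from the message above; the function names, the UUID value and the ID_FS_TYPE line are assumptions.

```shell
#!/bin/sh
# Added example: treat `blkid -o udev` style output as data, never eval/source it.
LC_ALL=C; export LC_ALL   # make the A-Z range below byte-exact

# Constructed sample, modelled on the second (cached) run in the message.
# The UUID and ID_FS_TYPE values are made up.
SAMPLE_POISONED='ID_FS_LABEL=X
ID_FS_LABEL_ENC=X
ID_FS_`/tmp/foo` "" UUID=0000-constructed
ID_FS_TYPE=ext4'

# True only if $1 is NAME=VALUE with a non-empty NAME made of [A-Z0-9_].
valid_line() {
    case $1 in *=*) ;; *) return 1 ;; esac
    case ${1%%=*} in ''|*[!A-Z0-9_]*) return 1 ;; esac
    return 0
}

# List every line on stdin that a consumer must not evaluate.
udev_bad_lines() {
    while IFS= read -r line; do
        [ -z "$line" ] || valid_line "$line" || printf '%s\n' "$line"
    done
}

# Print the literal value of key $1 from stdin.
# Returns 0 if found, 1 if absent, 2 if any line is malformed (fail closed).
udev_get() {
    want=$1; found=1; value=
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        valid_line "$line" || return 2
        if [ "$found" -ne 0 ] && [ "${line%%=*}" = "$want" ]; then
            value=${line#*=}; found=0
        fi
    done
    [ "$found" -ne 0 ] || printf '%s\n' "$value"
    return "$found"
}

# Demo: the poisoned output is refused and nothing in it is executed.
printf '%s\n' "$SAMPLE_POISONED" | udev_get ID_FS_LABEL || echo "rejected (rc=$?)"
```

A caller would pipe the real command into it, for example `blkid -o udev /dev/sdb1 | udev_get ID_FS_LABEL`, and treat a return code of 2 as a device to ignore.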