oss-sec mailing list archives
Re: blkid command injection
From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 28 Nov 2014 00:17:24 +1100
On 11/27/2014 02:25 AM, Sebastian Krahmer wrote:
Hi There is a command injection inside blkid. It uses caching files (/dev/.blkid.tab or /run/blkid/blkid.tab) to store info about the UUID, LABEL etc it finds on certain devices. However, it does not strip " character, so it can be confused to build variable names containing embedded shell metas, which it would usually encode inside the value. Given an USB stick with /dev/sdb1 you can: # mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1 # blkid -o udev /dev/sdb1 ID_FS_LABEL=X__/tmp/foo___ [...] Seems to be OK, but invoking blkid a second time, taking the cache in effect: # blkid -o udev /dev/sdb1 ID_FS_LABEL=X ID_FS_LABEL_ENC=X ID_FS_`/tmp/foo` "" UUID=... [...] "blkid -o udev" is often used in root context via udev or in automounters (uam-pmount) to construct key=value environment variables inside shell scripts which are then evaluated. Might be possible to construct an embedded LD_PRELOAD= as well for the binary case. By injecting > character one can probably construct whole fake cache entries. Sebastian
Karel Zak has committed a patch: https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Cheers, -- Murray McAllister / Red Hat Product Security
Current thread:
- blkid command injection Sebastian Krahmer (Nov 26)
- Re: blkid command injection cve-assign (Nov 26)
- Re: blkid command injection Murray McAllister (Nov 27)
- Re: blkid command injection Sebastian Krahmer (Dec 02)
- Re: blkid command injection Sebastian Krahmer (Dec 15)
- Re: blkid command injection Sebastian Krahmer (Dec 02)