
edubuntu-bugs team mailing list archive

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities


Kovid: Hopefully you're willing to resume discussion with me, as I am
interested in helping resolve these issues.

The current checks in place are insufficient to prevent users from
mounting any device to any location, because there are timing issues
that may be exploited.  Here are the steps performed by
calibre-mount-helper to verify that the mountpoint resides in /media,
based on latest trunk:

---

in main():

1. Resolve realpath() of mountpoint, use this from now on

in check_mount_point():

2. If the path exists, call realpath() again and check that the result of this begins with "/media"
3. Check that the result of the first realpath begins with "/media"

in do_mount():

4. Create the directory if it does not exist
5. Call realpath() again and check that the result of this begins with "/media"
6. Create the marker and mount on top of the mountpoint

---

This is subject to race conditions, because an attacker can do the
following:

1. Use calibre-mount-helper to mount a legitimate filesystem into
/media/staging, just so the attacker can now write somewhere in /media

2. Invoke calibre-mount-helper again, this time to mount a filesystem on
top of /media/staging/mp

3. The instant calibre-mount-helper creates the /media/staging/mp
directory (which previously did not exist) and places the marker file
inside (but before it completes the mounting), move the mp directory out
of the way and replace it with a symbolic link to wherever the attacker
wants to mount to.

Because mount() follows symbolic links, this will allow the attacker to
mount on top of whatever he wants.

You've recently attempted to restrict the mount device to a block
device, but these restrictions are subject to similar timing issues that
may be exploited in conjunction with the above problems.  In this case,
the steps performed by calibre-mount-helper are as follows:

---

in main():
1. Call realpath() and use this from now on

in check_dev():
2. Call realpath() again and check that the result begins with "/dev/"
3. Call stat() on the original device name and check that it's a block device

in do_mount():
4. Mount the device

---

This can be exploited to allow for arbitrary filesystems to be mounted
as follows:

1. Originally, place a file at /dev/shm/overlay

2. Invoke calibre-mount-helper

3. After calibre-mount-helper calls realpath() for the first time (the
result of which will be "/dev/shm/overlay"), replace /dev/shm/overlay
with a symbolic link to /dev/sda1 or similar

4. After the call to stat(), which will follow the symbolic link and
confirm the device is a block device, replace the symbolic link with a
symbolic link to the filesystem you want to mount

5. calibre-mount-helper will mount this filesystem

---

These types of races can be exploited with precision using the inotify
subsystem.

The proper solution is to chdir() into the mountpoint before mounting
there, calling realpath() on ".", verifying it's in /media, calling
stat() on ".", verifying it belongs to the user, and then mounting on
".".  To fix the device issue, you should verify the device is root-
owned and is not in /dev/shm.

I hope this clears things up.

-- 
https://bugs.launchpad.net/bugs/885027

Title:
  SUID Mount Helper has 5 Major Vulnerabilities
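The check sequence proposed at the end of the message above, written out as an added example in C. This is neither calibre-mount-helper's code nor the reporter's; it only follows the ordering the message recommends (chdir() into the mountpoint, then realpath() and stat() on ".", then mount on "."). The "/media/" prefix, the owner check and the /dev/shm exclusion come from the message; the function names, opening the device and checking it with fstat() before passing it to mount() as /proc/self/fd/N, the "vfat" type and the MS_NOSUID|MS_NODEV|MS_NOEXEC flags are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration of the check ordering proposed in the bug comment;
 * not calibre-mount-helper's code. Prefixes, fs type and mount flags are
 * this example's own assumptions. */

/* True when `path` lies strictly below directory `prefix` (prefix ends in '/').
 * "/media" and "/mediafoo" do not match "/media/". */
int has_dir_prefix(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && path[n] != '\0';
}

/* Pin the mountpoint by making it the working directory, then validate the
 * pinned directory itself. Replacing `mp` with a symlink after this point
 * cannot change what "." refers to. Returns 0 and copies the canonical path
 * into `resolved` on success, -1 on any failure. */
int verify_mountpoint(const char *mp, const char *required_prefix,
                      uid_t owner, char *resolved, size_t resolved_len)
{
    char buf[PATH_MAX];
    struct stat st;

    if (chdir(mp) != 0)
        return -1;
    /* Where is the directory we are now sitting in, really? */
    if (realpath(".", buf) == NULL)
        return -1;
    if (!has_dir_prefix(buf, required_prefix))
        return -1;
    /* It must be a directory belonging to the invoking user, not e.g. /etc. */
    if (stat(".", &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner)
        return -1;
    if (resolved != NULL &&
        snprintf(resolved, resolved_len, "%s", buf) >= (int)resolved_len)
        return -1;
    return 0;
}

/* Open the device once and validate the open description with fstat().
 * The path checks reject /dev/shm as the message suggests; the hard guarantee
 * is that an unprivileged user cannot create a root-owned block device node,
 * so S_ISBLK && st_uid == 0 on the fd cannot be spoofed by swapping symlinks.
 * Returns the fd on success, -1 otherwise. */
int open_block_device(const char *dev)
{
    char buf[PATH_MAX];
    struct stat st;
    int fd;

    if (realpath(dev, buf) == NULL)
        return -1;
    if (!has_dir_prefix(buf, "/dev/") || has_dir_prefix(buf, "/dev/shm/"))
        return -1;
    fd = open(buf, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISBLK(st.st_mode) || st.st_uid != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char resolved[PATH_MAX], src[64];
    int fd;

    if (argc != 3) {
        fprintf(stderr, "usage: %s DEVICE MOUNTPOINT\n", argv[0]);
        return 2;
    }
    fd = open_block_device(argv[1]);
    if (fd < 0) {
        fprintf(stderr, "refusing %s: not a root-owned block device under /dev\n", argv[1]);
        return 1;
    }
    /* getuid() is the real uid of the caller even when running set-uid root. */
    if (verify_mountpoint(argv[2], "/media/", getuid(), resolved, sizeof resolved) != 0) {
        fprintf(stderr, "refusing %s: not a directory you own under /media\n", argv[2]);
        return 1;
    }
    /* Mount the object we validated (through its fd) onto the directory we
     * validated (through "."). Filesystem type and flags are example choices. */
    snprintf(src, sizeof src, "/proc/self/fd/%d", fd);
    if (mount(src, ".", "vfat", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) != 0) {
        perror("mount");
        return 1;
    }
    printf("mounted %s on %s\n", argv[1], resolved);
    return 0;
}
```

Only the final mount() needs privilege, so both checks can be exercised unprivileged against a scratch directory and a non-block path. The point of chdir() plus "." is that the prefix check, the ownership check and the mount all operate on one pinned directory inode, so renaming or replacing path components between the check and the mount, as in the attack described above, no longer redirects mount(). On current kernels the same guarantee is available more directly through openat2() with RESOLVE_NO_SYMLINKS and the fd-based mount API (fsopen/fsmount/move_mount).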