
edubuntu-bugs team mailing list archive

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities


Unfortunately, the saga continues. Your /shm/ check doesn't do anything,
because, as it turns out, since you realpath twice, I don't need to
use /shm/ at all! Your code is still broken. Giving up should still be
an option on the table for you. In case, however, you've become
determined and still want to fix things, I've traced through the code
for your recent commit showing you where and how things are broken.


/tmp/burrito is a file

argv[2] = /tmp/burrito


332	    if (strncmp(action, "mount", 5) == 0) {
333	        dev = realpath(argv[2], NULL);

dev = /tmp/burrito

334	        if (dev == NULL) {
335	            fprintf(stderr, "Failed to resolve device node.\n");
336	            exit(EXIT_FAILURE);
337	        }
339	        check_dev(dev);


239	void check_dev(const char *dev) {

dev = /tmp/burrito

240	    char buffer[PATH_MAX+1];
241	    struct stat file_info;
242	
243	    if (dev == NULL || strlen(dev) < strlen(DEV)) {
244	        fprintf(stderr, "Invalid arguments\n");
245	        exit(EXIT_FAILURE);
246	    }

JUST BEFORE this next line, we modify /tmp/burrito so that it points to
/dev/sda

/tmp/burrito = -->/dev/sda

247	
248	    if (realpath(dev, buffer) == NULL) {
249	        fprintf(stderr, "Unable to resolve dev path\n");
250	        exit(EXIT_FAILURE);
251	    }

buffer = /dev/sda

252	
253	    if (strncmp(DEV, buffer, strlen(DEV)) != 0) {
254	        fprintf(stderr, "Trying to operate on a dev node not under /dev\n");
255	        exit(EXIT_FAILURE);
256	    }

this last block passes!


257	
258	    if (stat(dev, &file_info) != 0) {
259	        fprintf(stderr, "stat call on dev node failed\n");
260	        exit(EXIT_FAILURE);
261	    }
262	
263	    if (strstr(dev, "/shm/") != NULL) {
264	        fprintf(stderr, "naughty, naughty!\n");
265	        exit(EXIT_FAILURE);
266	    }

dev doesn't contain /shm/, since it's /tmp/burrito


267	
268	    if (!S_ISBLK(file_info.st_mode)) {
269	        fprintf(stderr, "dev node is not a block device\n");
270	        exit(EXIT_FAILURE);
271	    }


stat follows the link, so it sees /dev/sda which is a block device, so this passes

272	
273	}

:-)


As well, the problem presented in .70-Calibrer HAS NOT BEEN FIXED. You can still mount over /etc/pam.d or wherever due to the still existing race there. Implement the chdir logic that I've outlined above.


Then, just after this code block, change /tmp/burrito to point to anything -- any file image at all. No shm needed :-).
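As an added example (not calibre's code, and not part of the original bug thread), here is a descriptor-based version of check_dev that removes the window traced above: the node is opened once, and the type and location checks are made on that open descriptor rather than by resolving the string a second time. It assumes Linux (O_PATH and the /proc/self/fd link).

```c
#define _GNU_SOURCE            /* O_PATH is a Linux extension */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEV "/dev/"

/* Open a block device node under /dev and return the descriptor, or -1 with
 * errno set. The caller must then use this fd (e.g. as /proc/self/fd/N),
 * never the original string, so nothing is re-resolved between check and use. */
int open_dev_node(const char *path)
{
    struct stat st;
    char proc_link[64], resolved[PATH_MAX + 1];
    ssize_t n;
    int fd, saved;

    /* O_NOFOLLOW with O_PATH does not fail on a symlink: it returns the link
     * itself, and the S_ISBLK test below then rejects it. */
    fd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    /* From here on every test is on the inode we hold, not on the path. */
    if (fstat(fd, &st) != 0) goto fail;
    if (!S_ISBLK(st.st_mode)) {
        errno = ENOTBLK;
        goto fail;
    }
    /* The kernel's own name for the object we hold, not a second lookup. */
    snprintf(proc_link, sizeof proc_link, "/proc/self/fd/%d", fd);
    n = readlink(proc_link, resolved, PATH_MAX);
    if (n < 0) goto fail;
    resolved[n] = '\0';
    if (strncmp(resolved, DEV, strlen(DEV)) != 0) {
        errno = EPERM;
        goto fail;
    }
    return fd;
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}
```

The mount step must then use the descriptor, for example by passing /proc/self/fd/N as the source, since any later lookup of the original string would reopen the race.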


** Changed in: calibre
       Status: Fix Released => Confirmed

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027

Title:
  SUID Mount Helper has 5 Major Vulnerabilities
