Bug 1552641 - (CVE-2018-7738) CVE-2018-7738 util-linux: Shell command injection in unescaped bash-completed mount point names
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20180307,repor...
: Security
Depends On: 1552642 1555306
Blocks: 1552647
Reported: 2018-03-07 08:24 EST by Pedro Sampaio
Modified: 2018-03-15 10:15 EDT
Fixed In Version: util-linux 2.32-rc1
Doc Text:
A command injection flaw was found in the way util-linux implements umount autocompletion in Bash. An attacker with the ability to mount a filesystem with custom mount points may execute arbitrary commands on behalf of the user who triggers the umount autocompletion.
Last Closed: 2018-03-15 04:47:17 EDT
Description Pedro Sampaio 2018-03-07 08:24:06 EST
In util-linux before 2.32-rc1, bash-completion/umount does not correctly escape
special characters embedded in mountpoint names, which may allow an attacker to
execute arbitrary shell commands on behalf of the victim user by mounting
filesystems in specially crafted mountpoints. For the vulnerability to be
triggered, the victim user has to use autocompletion while running the
umount command.

An attacker may be able to mount filesystems with custom mountpoints by
connecting a USB device with a crafted Volume name, by using UDisks2, FUSE or
with the help of desktop environments.

Upstream issue:

https://github.com/karelzak/util-linux/issues/539

Upstream patch:

https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179
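
Added example (not part of this bug report or of util-linux): a POSIX shell check that lists mount points in a /proc/mounts-format table whose names contain shell metacharacters, plus one way to quote such a name so it stays a single literal word (this is not the upstream fix). The function names and the sample mount table are constructed for illustration.

```sh
#!/bin/sh
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass
# Backtick, $ and similar characters appear literally in field 2,
# so the raw field can be inspected without decoding.

# Print every mount point (field 2) containing a character the shell
# would expand or treat as an operator if the name were used unquoted.
risky_mountpoints() {
    while read -r dev mnt rest; do
        case $mnt in
            *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*)
                printf '%s\n' "$mnt" ;;
        esac
    done
}

# Wrap a string in single quotes, rewriting embedded single quotes as
# '\'' so that a later eval or word expansion yields the literal name.
quote_for_shell() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Constructed sample mount table; the last entry carries a harmless
# command substitution in its volume name.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /run/media/user/BACKUP\040DISK vfat rw,nosuid,nodev 0 0
/dev/sdc1 /run/media/user/USB$(true) vfat rw,nosuid,nodev 0 0
EOF
}

# Report on the sample; on a live system use: risky_mountpoints < /proc/mounts
sample_mounts | risky_mountpoints | while IFS= read -r m; do
    printf 'risky: %s\n  quoted: %s\n' "$m" "$(quote_for_shell "$m")"
done
```

A name reported here is only dangerous to a consumer that evaluates it unquoted, which is what the completion script did before 2.32-rc1.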
Comment 1 Pedro Sampaio 2018-03-07 08:24:35 EST
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1552642]
Comment 2 Karel Zak 2018-03-08 04:23:25 EST
Well, it's a pretty poor design if we have a system component (udisks?) which is able to blindly create a mountpoint according to a request from an unprivileged user.

This is impossible without udisk, because the standard way is to specify the mountpoint in fstab, and the system admin has full control over the mountpoint name.
Comment 3 Riccardo Schirone 2018-03-08 09:55:18 EST
I wasn't able to reproduce the issue on Fedora/RHEL as specified in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179, because udisks2 uses polkit for authorization checks and, on Fedora 27 and RHEL 7.4, the polkit action for "org.freedesktop.udisks2.filesystem-mount-system" requires admin authentication.

I'm still investigating whether there are other ways to get the same result, but for sure udisks2 is used when you insert a USB device, and in that case it does not require any authentication to mount the filesystem.
Comment 4 Karel Zak 2018-03-09 07:53:22 EST
I didn't try to reproduce this issue -- I read the Debian report only.

The problem is not authentication; the core of the problem is the mountpoint (directory) name. It's bad if an unprivileged user has full control over this.

From my point of view it's a strange report. The core of the problem is something other than the bash-completion script. Unfortunately, nobody talked about it with upstream before the CVE allocation...

The bash-completion script is fixed now; are all the other (3rd-party) scripts fixed as well? I don't think so...

Thanks for investigation, let's hope we're better than Debian :-)
Comment 7 Riccardo Schirone 2018-03-15 04:46:45 EDT
Statement:

This issue did not affect the versions of util-linux as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for umount autocompletion.