Bug 1552641 (CVE-2018-7738) - CVE-2018-7738 util-linux: Shell command injection in unescaped bash-completed mount point names
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-7738
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1552642 1555306
Blocks: 1552647
Reported: 2018-03-07 13:24 UTC by Pedro Sampaio
Modified: 2021-06-10 15:07 UTC (History)

Fixed In Version: util-linux 2.32-rc1
Doc Type: If docs needed, set a value
Doc Text:
A command injection flaw was found in the way util-linux implements umount autocompletion in Bash. An attacker with the ability to mount a filesystem with custom mount points may execute arbitrary commands on behalf of the user who triggers the umount autocompletion.
Clone Of:
Environment:
Last Closed: 2018-03-15 08:47:17 UTC
Embargoed:


Description Pedro Sampaio 2018-03-07 13:24:06 UTC
In util-linux before 2.32-rc1, bash-completion/umount does not correctly escape
special characters embedded in mountpoint names, which may allow an attacker to
execute arbitrary shell commands on behalf of the victim user by mounting
filesystems in specially crafted mountpoints. For the vulnerability to be
triggered, the victim user has to use autocompletion while running the
umount command.

An attacker may be able to mount filesystems with custom mountpoints by
connecting a USB device with a crafted Volume name, by using UDisks2, FUSE or
with the help of desktop environments.

Upstream issue:

https://github.com/karelzak/util-linux/issues/539

Upstream patch:

https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179
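
Added example (not part of the original report and not util-linux code): a defensive audit that lists mount points whose names contain characters a shell would interpret if a script re-parsed them unescaped, which is the condition described above. The metacharacter set, the function names and the sample mountinfo lines are assumptions constructed for illustration.

```python
import re
import shlex

# Characters a shell interprets when a name is re-parsed unquoted.
# Assumed set for this example; it is not the list used by the upstream patch.
SHELL_META = set("$`;|&<>(){}[]!*?'\"\\ \t\n")

# Constructed sample in /proc/self/mountinfo format (5th field = mount point).
SAMPLE_MOUNTINFO = r"""
36 35 8:1 / / rw,noatime shared:1 - ext4 /dev/sda1 rw
74 36 8:17 / /run/media/alice/BACKUP rw,nosuid,nodev shared:40 - vfat /dev/sdb1 rw
75 36 8:33 / /run/media/alice/My\040Disk rw,nosuid,nodev shared:41 - vfat /dev/sdc1 rw
76 36 8:49 / /run/media/alice/DATA;2018 rw,nosuid,nodev shared:42 - vfat /dev/sdd1 rw
"""

def decode_mountinfo_field(field):
    """Undo the kernel's octal escaping (\\040 space, \\011 tab, \\012 newline, \\134 backslash)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def mount_points(mountinfo_text):
    """Yield decoded mount points from mountinfo-format text, skipping short lines."""
    for line in mountinfo_text.splitlines():
        fields = line.split(" ")
        if len(fields) >= 5:
            yield decode_mountinfo_field(fields[4])

def risky_mount_points(mountinfo_text):
    """Return (mount_point, offending_chars, safely_quoted_form) for each name
    that must be escaped before it is handed back to a shell."""
    findings = []
    for mp in mount_points(mountinfo_text):
        bad = sorted(set(mp) & SHELL_META)
        if bad:
            findings.append((mp, bad, shlex.quote(mp)))
    return findings

if __name__ == "__main__":
    # On a live system, read /proc/self/mountinfo instead of the sample.
    for mp, bad, quoted in risky_mount_points(SAMPLE_MOUNTINFO):
        print(f"{mp!r}: metacharacters {bad}; quoted form {quoted}")
```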

Comment 1 Pedro Sampaio 2018-03-07 13:24:35 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1552642]

Comment 2 Karel Zak 2018-03-08 09:23:25 UTC
Well, it's pretty poor design if we have a system component (udisks?) which is able to blindly create a mountpoint according to a request from an unprivileged user.

This is impossible without udisks, because the standard way is to specify the mountpoint in fstab, and the system admin has full control over the mountpoint name.

Comment 3 Riccardo Schirone 2018-03-08 14:55:18 UTC
I wasn't able to reproduce the issue on Fedora/RHEL as specified in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179, because udisks2 uses polkit for authorization checks and, on Fedora 27 and RHEL 7.4, the polkit action for "org.freedesktop.udisks2.filesystem-mount-system" requires admin authentication.

I'm still investigating if there are other ways to have the same result, but for sure udisks2 is used when you insert a USB device and in that case it does not require any authentication to mount the filesystem.

Comment 4 Karel Zak 2018-03-09 12:53:22 UTC
I didn't try to reproduce this issue -- I read the Debian report only.

The problem is not authentication; the core of the problem is the mountpoint (directory) name. It's bad if an unprivileged user has full control over this.

From my point of view it's a strange report. The core of the problem is something other than the bash-completion script. Unfortunately, nobody has talked about it with upstream before CVE allocation...

The bash-completion script is fixed now; are all the other (3rd-party) scripts fixed too? I don't think so...

Thanks for the investigation, let's hope we're better than Debian :-)

Comment 7 Riccardo Schirone 2018-03-15 08:46:45 UTC
Statement:

This issue did not affect the versions of util-linux as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for umount autocompletion.

