Shell Command Injection in mintstick Volume Label
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Linux Mint |
Fix Committed
|
Undecided
|
Unassigned | ||
Bug Description
File :
/usr/lib/
Example Demo Exploid :
=======
If you run mintstick and you type in this text as a VOLUME LABEL :
$(ls>x.txt)
... a file x.txt will be created in the roots home folder as a proof of concept.
Reason is this the python script "raw_format.py" , line 53-59 :
# Format partition according to the fstype specified
if fstype == "fat32":
if fstype == "ntfs":
elif fstype == "ext4":
Here the volume label text "$(ls>x.txt)" gets into %s and will be injected and executed as a shell command.
so, please use subprocess.Popen() instead of os.system()
Thank you :-)
| Bernd Dietzel (l-ubuntuone1104) wrote | #1 |
| information type: | Private Security → Public |
| information type: | Public → Public Security |
| Bernd Dietzel (l-ubuntuone1104) wrote | #2 |
| Changed in linuxmint: | |
| status: | New → Fix Committed |
| Bernd Dietzel (l-ubuntuone1104) wrote | #3 |
Bugfix :
https:/