analyze_suspend.py may allow shell code injection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
File :
/usr/src/
The file "analyze_
This may lead to unwanted code execution.
For example, when the script does a walk through /sys/devices,
it could be possible that shell code in the "dirname" of the device will be executed by a shell,
e.g. with a specially crafted (loop?) device with the name "/sys/devices/
So, please replace all the os calls with subprocess.
---------------
Line : 2829-2842
```python
def setUSBDevicesAu
    global sysvals
    rootCheck()
    for dirname, dirnames, filenames in os.walk(
        if(re.
            'idVendor' in filenames and 'idProduct' in filenames):
            os.system('echo auto > %s/power/control' % dirname)
            name = dirname.
            desc = os.popen('cat %s/product 2>/dev/null' % \
                dirname)
            ctrl = os.popen('cat %s/power/control 2>/dev/null' % \
                dirname)
            print('control is %s for %6s: %s' % (ctrl, name, desc))
```
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-headers-
ProcVersionSign
Uname: Linux 4.4.0-7-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
Date: Sat Feb 27 09:03:53 2016
SourcePackage: linux
information type: Private Security → Public Security
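The pattern quoted in the report, next to a shell-free rewrite, as an added example (not code from analyze_suspend.py or from anyone in this thread). It walks a constructed temporary tree instead of /sys/devices; the function names, the `DEMO_MARK` variable and the directory name are made up for the illustration, and it uses direct file I/O rather than the subprocess module the reporter asks for.

```python
import os
import tempfile

def set_auto_unsafe(dirname):
    # Pattern quoted in the report: dirname is pasted into a /bin/sh command line.
    os.system('echo auto > %s/power/control' % dirname)

def set_auto_safe(dirname):
    # Hardened form: plain file I/O, so the directory name is only ever a path.
    with open(os.path.join(dirname, 'power', 'control'), 'w') as f:
        f.write('auto\n')

def read_attr(path):
    # Replaces "cat <path> 2>/dev/null": unreadable attributes read as ''.
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ''

def build_tree(root):
    # Constructed stand-in for /sys/devices; the directory name carries a
    # harmless command substitution that only touches a marker file.
    dev = os.path.join(root, 'usb1$(touch $DEMO_MARK)')
    os.makedirs(os.path.join(dev, 'power'))
    for attr, value in (('idVendor', '0000'), ('idProduct', '0000'),
                        ('power/control', 'on')):
        with open(os.path.join(dev, attr), 'w') as f:
            f.write(value + '\n')
    return dev

def demo():
    # Returns {variant: (marker_created, control_value)} for both variants.
    # The unsafe run also makes sh print a redirect error on stderr.
    results = {}
    for label, setter in (('unsafe', set_auto_unsafe), ('safe', set_auto_safe)):
        with tempfile.TemporaryDirectory() as root:
            os.environ['DEMO_MARK'] = marker = os.path.join(root, 'marker')
            dev = build_tree(root)
            for dirname, dirnames, filenames in os.walk(root):
                if 'idVendor' in filenames and 'idProduct' in filenames:
                    setter(dirname)
            results[label] = (os.path.exists(marker),
                              read_attr(os.path.join(dev, 'power', 'control')))
    os.environ.pop('DEMO_MARK', None)
    return results

if __name__ == '__main__':
    print(demo())
```

In the unsafe variant the shell runs the embedded command and the intended write never reaches `power/control`; in the safe variant the same name is treated as data and the attribute is set to `auto`.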
Thanks for this report Bernd; are any of these strings actually under the control of hardware makers? A quick scan through "find /sys/devices" on my system didn't show any strings that look like they come from hardware devices.
If the only source of strings is hardcoded in kernel drivers then I'm inclined to say this isn't a security issue.
Do you see any device-supplied strings in the directory listings here?
Thanks