analyze_suspend.py may allow shell code injection

Bug #1550676 reported by Bernd Dietzel
Affects: linux (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

File: /usr/src/linux-headers-4.4.0-7/scripts/analyze_suspend.py

The file "analyze_suspend.py" uses deprecated and insecure Python calls like os.popen and os.system.
This may lead to unwanted code execution.

For example, when the script does a walk through /sys/devices,
it could be possible that shell code in the "dirname" of the device will be executed by a shell,
e.g. with a specially crafted (loop?) device with the name "/sys/devices/...some path.../;shell command here;/.../usb9/" and the two files 'idVendor' and 'idProduct' put into that folder.

So, please replace all the os calls with subprocess.

---------------

Line : 2829-2842

# os and re are imported at the top of analyze_suspend.py; shown here so the excerpt stands alone.
import os
import re

def setUSBDevicesAuto():
    global sysvals

    rootCheck()
    for dirname, dirnames, filenames in os.walk('/sys/devices'):
        if(re.match('.*/usb[0-9]*.*', dirname) and
           'idVendor' in filenames and 'idProduct' in filenames):
            # dirname is interpolated unquoted into a shell command line here
            # and in the two os.popen() calls below.
            os.system('echo auto > %s/power/control' % dirname)
            name = dirname.split('/')[-1]
            desc = os.popen('cat %s/product 2>/dev/null' % \
                dirname).read().replace('\n', '')
            ctrl = os.popen('cat %s/power/control 2>/dev/null' % \
                dirname).read().replace('\n', '')
            print('control is %s for %6s: %s' % (ctrl, name, desc))

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-headers-4.4.0-7 4.4.0-7.22
ProcVersionSignature: Ubuntu 4.4.0-7.22-generic 4.4.2
Uname: Linux 4.4.0-7-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: theregrunner 1929 F.... pulseaudio
 /dev/snd/controlC1: theregrunner 1929 F.... pulseaudio
CurrentDesktop: Unity
Date: Sat Feb 27 09:03:53 2016
HibernationDevice: RESUME=UUID=fcbb15dc-294e-4d63-8dd4-7df9864e02c2
InstallationDate: Installed on 2016-02-22 (4 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160219)
IwConfig:
 enp5s0 no wireless extensions.

 lo no wireless extensions.
PackageArchitecture: all
ProcFB: 0 nouveaufb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-7-generic root=UUID=9879fcc8-079a-4975-82d8-d3aff297191d ro quiet splash vt.handoff=7
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-7-generic N/A
 linux-backports-modules-4.4.0-7-generic N/A
 linux-firmware 1.156
RfKill:

SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/05/2009
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 080015
dmi.board.name: GeForce 8000 series
dmi.board.version: 1.0
dmi.chassis.type: 3
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080015:bd11/05/2009:svn:pnGeForce8000series:pvr1.0:rvn:rnGeForce8000series:rvr1.0:cvn:ct3:cvr:
dmi.product.name: GeForce 8000 series
dmi.product.version: 1.0
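A hardened rewrite of the function quoted above, added here as an example; it is not code from the bug report or from analyze_suspend.py. Instead of the subprocess module the report suggests, it uses plain file I/O for the sysfs attributes, so the device path is never handed to a shell at all; demo() builds a constructed sysfs-like tree (not a real device) whose directory name carries the kind of shell metacharacters the report describes and shows the path being treated literally.

```python
import os
import re
import tempfile

# Same device filter the original script uses.
USB_DIR_RE = re.compile(r'.*/usb[0-9]*.*')


def read_attr(path):
    """Read a sysfs attribute by opening the file directly (no 'cat', no shell).
    A missing attribute yields '' like the original's '2>/dev/null' did."""
    try:
        with open(path) as f:
            return f.read().replace('\n', '')
    except OSError:
        return ''


def write_attr(path, value):
    """Write a sysfs attribute directly instead of 'echo value > path' via os.system."""
    with open(path, 'w') as f:
        f.write(value + '\n')


def set_usb_devices_auto(root='/sys/devices'):
    """Hardened rewrite of setUSBDevicesAuto: dirname is only ever used as a
    file path, never interpolated into a command line. Returns (name, desc, ctrl)."""
    results = []
    for dirname, _subdirs, filenames in os.walk(root):
        if not (USB_DIR_RE.match(dirname)
                and 'idVendor' in filenames and 'idProduct' in filenames):
            continue
        write_attr(os.path.join(dirname, 'power', 'control'), 'auto')
        name = os.path.basename(dirname)
        desc = read_attr(os.path.join(dirname, 'product'))
        ctrl = read_attr(os.path.join(dirname, 'power', 'control'))
        results.append((name, desc, ctrl))
    return results


def demo():
    """Constructed sysfs-like tree whose device path contains ';' metacharacters,
    mirroring the report's ';shell command here;' directory name."""
    with tempfile.TemporaryDirectory() as root:
        dev = os.path.join(root, 'pci0000:00', ';echo injected;', 'usb9')
        os.makedirs(os.path.join(dev, 'power'))
        for attr, value in (('idVendor', '1d6b'), ('idProduct', '0002'),
                            ('product', 'Example Hub')):
            write_attr(os.path.join(dev, attr), value)
        write_attr(os.path.join(dev, 'power', 'control'), 'on')
        return set_usb_devices_auto(root)
```

The same directory name passed through the original os.system('echo auto > %s/power/control' % dirname) would have had its ';'-separated parts run as separate shell commands; here it is just a path component.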

Seth Arnold (seth-arnold) wrote :

Thanks for this report Bernd; are any of these strings actually under the control of hardware makers? A quick scan through "find /sys/devices" on my system didn't show any strings that look like they come from hardware devices.

If the only source of strings is hardcoded in kernel drivers then I'm inclined to say this isn't a security issue.

Do you see any device-supplied strings in the directory listings here?

Thanks

Changed in linux (Ubuntu):
status: New → Incomplete
Bernd Dietzel (l-ubuntuone1104) wrote :

I am not smart enough to add a device with a manipulated pathname, so I can not make an exploit demo.

But it seems to be possible by using some software, when I read this:
https://www.kernel.org/doc/Documentation/devices.txt

"
201 block Veritas VxVM dynamic multipathing driver
    0 = /dev/vx/dmp/* First multipath device
    1 = /dev/vx/dmp/* Second multipath device
      ...

  The namespace in these directories is maintained by
  the user space VxVM software.
"

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired