Shell Command Injection in mintstick Volume Label

Bug #1460775 reported by Bernd Dietzel on 2015-06-01
Affects: Linux Mint | Status: Fix Committed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

File :
/usr/lib/minstick/raw_format.py

Example Demo Exploit:
=====================
If you run mintstick and you type in this text as a VOLUME LABEL :

$(ls>x.txt)

... a file x.txt will be created in root's home folder as a proof of concept.

The reason is this code in the Python script "raw_format.py", lines 53-59:

        # Format partition according to the fstype specified
        if fstype == "fat32":
            os.system("mkdosfs -F 32 -n \"%s\" %s >/dev/null 2>&1" % (volume_label, partition.path))
        if fstype == "ntfs":
            os.system("mkntfs -f -L \"%s\" %s >/dev/null 2>&1" % (volume_label, partition.path))
        elif fstype == "ext4":
            os.system("mkfs.ext4 -E root_owner=%s:%s -L \"%s\" %s >/dev/null 2>&1" % (uid, gid, volume_label, partition.path))

Here the volume label text "$(ls>x.txt)" gets into %s and will be injected and executed as a shell command.

So, please use subprocess.Popen() instead of os.system().

Thank you :-)
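The fix the report asks for, as an added example that is not mintstick's own code: the three formatter invocations quoted above rebuilt as argv lists and run without a shell, so a label such as $(ls>x.txt) reaches mkdosfs as one literal argument. The `run` parameter and the partition path are assumptions made so the function can be exercised without formatting a device.

```python
"""Added example (not mintstick's code): build the mkfs command as an argv list so
the volume label is never parsed by a shell. Mirrors the fat32/ntfs/ext4 branches
quoted in the report."""
import subprocess


def build_format_argv(fstype, volume_label, partition_path, uid=None, gid=None):
    """Return the argv list for the formatter; each value is a separate argument,
    so shell metacharacters in volume_label have no special meaning."""
    if fstype == "fat32":
        return ["mkdosfs", "-F", "32", "-n", volume_label, partition_path]
    if fstype == "ntfs":
        return ["mkntfs", "-f", "-L", volume_label, partition_path]
    if fstype == "ext4":
        return ["mkfs.ext4", "-E", "root_owner=%s:%s" % (uid, gid),
                "-L", volume_label, partition_path]
    raise ValueError("unsupported fstype: %r" % (fstype,))


def vulnerable_command_line(volume_label, partition_path):
    """The fat32 string exactly as os.system() receives it in the report, kept
    only to contrast with the argv form (never executed here)."""
    return "mkdosfs -F 32 -n \"%s\" %s >/dev/null 2>&1" % (volume_label, partition_path)


def format_partition(fstype, volume_label, partition_path, uid=None, gid=None,
                     run=subprocess.run):
    """Run the formatter with shell=False (the default for a list argv) and
    discard its output, as the original '>/dev/null 2>&1' did.
    `run` is an assumed hook so tests can capture argv instead of touching a disk."""
    argv = build_format_argv(fstype, volume_label, partition_path, uid, gid)
    result = run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                 check=False)
    return result.returncode


if __name__ == "__main__":
    label = "$(ls>x.txt)"  # the label from the report
    print("shell string:", vulnerable_command_line(label, "/dev/sdX1"))
    print("argv list:   ", build_format_argv("fat32", label, "/dev/sdX1"))
```

Passing a list to subprocess without shell=True removes the shell from the path entirely; quoting the label inside a shell string, as the original does, is not a substitute.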

Bernd Dietzel (l-ubuntuone1104) wrote :
information type: Private Security → Public
information type: Public → Public Security
Changed in linuxmint:
status: New → Fix Committed
Bernd Dietzel (l-ubuntuone1104) wrote :

@Clement
Same issues with os.system() in MintNanny and MintBackup

https://bugs.launchpad.net/linuxmint/+bug/1460835
https://bugs.launchpad.net/linuxmint/+bug/1462313
