Shell Command Injection in mintstick Volume Label
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Linux Mint |
Fix Committed
|
Undecided
|
Unassigned |
Bug Description
File :
/usr/lib/
Example Demo Exploid :
=======
If you run mintstick and you type in this text as a VOLUME LABEL :
$(ls>x.txt)
... a file x.txt will be created in the roots home folder as a proof of concept.
Reason is this the python script "raw_format.py" , line 53-59 :
# Format partition according to the fstype specified
if fstype == "fat32":
if fstype == "ntfs":
elif fstype == "ext4":
Here the volume label text "$(ls>x.txt)" gets into %s and will be injected and executed as a shell command.
so, please use subprocess.Popen() instead of os.system()
Thank you :-)
information type: | Private Security → Public |
information type: | Public → Public Security |
Changed in linuxmint: | |
status: | New → Fix Committed |
Bugfix : /github. com/GLolol/ mintstick/ commit/ 9c1f4ca
https:/