"mount" decodes newlines from /etc/mtab which may confuse 3rd party scripts

Bug #591972 reported by Dan Rosenberg
Affects: util-linux (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

fusermount fails to sanitize the names of user-provided filesystems when writing to /etc/mtab, allowing unprivileged users to insert newline characters into /etc/mtab and, subsequently, insert or modify mount options for other devices, leading to denial of service conditions, the ability to unmount arbitrary filesystems, or potentially escalate privileges.

As an example, a typical mtab entry for the "hello" example filesystem provided with the fuse-utils package looks like this:

drosenbe@Dan:~/fuse$ ./hello mount/
drosenbe@Dan:~/fuse$ mount
...
hello on /home/drosenbe/fuse/mount type fuse.hello (rw,nosuid,nodev,user=drosenbe)

If I simply rename this filesystem to "hello\nthese are my new evil mount options\nhello" and mount it, /etc/mtab looks like:

drosenbe@Dan:~/fuse$ './hello
these are my new evil mount options
hello' mount/
drosenbe@Dan:~/fuse$ mount
...
hello
these are my new evil mount options
hello on /home/drosenbe/fuse/fuse-2.8.1/util/folder/mount type fuse.hello
these are my new evil mount options
hello (rw,nosuid,nodev,user=drosenbe)

You may experience some weird behavior with newlines depending on your terminal, so I recommend writing a quick C wrapper and calling rename() to make sure the filename is correct.

Note that this is similar to CVE-2005-3531, but differs in that the old issue allowed corruption via newlines in the mount point names (and was subsequently fixed), but this new issue allows corruption via newlines in filesystem names.

On a related note, it might be a good idea to make fusermount only executable by those in the fuse group - on my stock Lucid install, it's 4755.

Kees Cook (kees) wrote :

Thanks for the report. I can confirm this.

I think fuse is available to all by default because of gvfs, but we will check into it.

Changed in fuse (Ubuntu):
status: New → Confirmed
importance: Undecided → High

Kees Cook (kees) wrote :

Based on IRC discussion, this seems to be specifically an issue with "mount" decoding the /etc/mtab escapes. It looks like mtab and /proc/mounts are fine.

affects: fuse (Ubuntu) → util-linux (Ubuntu)
Changed in util-linux (Ubuntu):
importance: High → Low
Kees Cook (kees)
summary: - fuse allows mtab corruption via crafted filesystem name
+ "mount" decodes newlines from /etc/mtab which may confuse 3rd party scripts
visibility: private → public
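As an added example (not code from the bug report, from fuse or from util-linux), the following Python shows the two parsing orders that the description and Kees's comment distinguish: decoding mtab's octal escapes before splitting into lines, which is effectively what a script parsing `mount` output receives, breaks the record structure, while reading /etc/mtab or /proc/mounts directly, splitting fields first and decoding each field afterwards keeps every record intact and makes entries with newlines in the decoded filesystem name easy to flag. The mtab content, the mount point, the user name and the function names are constructed for this example.

```python
import re

# Constructed /etc/mtab content (not taken from the page). The second entry has a
# filesystem name with embedded newlines and spaces, stored in the octal escape
# form that libmount/mount(8) use inside the file (\012 newline, \040 space).
SAMPLE_MTAB = (
    "/dev/sda1 / ext4 rw,errors=remount-ro 0 0\n"
    "hello\\012these\\040are\\040my\\040new\\040evil\\040mount\\040options\\012hello "
    "/home/user/mount fuse.hello rw,nosuid,nodev,user=user 0 0\n"
)

# A backslash followed by exactly three octal digits.
_ESCAPE = re.compile(r"\\([0-7]{3})")


def decode_mtab_field(field: str) -> str:
    """Decode the octal escapes used in mtab/fstab fields (\\040 -> ' ', \\012 -> '\\n')."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mtab(text: str) -> list:
    """Safe order: split the raw file into lines and whitespace-separated fields
    first, then decode each field. Escaped newlines can never create extra records."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("malformed mtab line: %r" % line)
        fsname, mountpoint, fstype, opts = (decode_mtab_field(p) for p in parts[:4])
        entries.append({"fsname": fsname, "mountpoint": mountpoint,
                        "fstype": fstype, "opts": opts})
    return entries


def naive_parse(text: str) -> list:
    """Fragile order: decode the whole text first (the form `mount` prints),
    then split into lines. Decoded newlines now look like record boundaries."""
    decoded = decode_mtab_field(text)
    return [line.split() for line in decoded.splitlines() if line.strip()]


def suspicious_entries(entries: list) -> list:
    """Flag entries whose decoded name, mount point or type contains a control
    character; such entries are the ones that confuse line-oriented consumers."""
    bad = "\n\r"
    return [e for e in entries
            if any(c in e[k] for k in ("fsname", "mountpoint", "fstype") for c in bad)]


if __name__ == "__main__":
    for e in parse_mtab(SAMPLE_MTAB):
        print("%r on %s type %s (%s)" % (e["fsname"], e["mountpoint"], e["fstype"], e["opts"]))
    print("naive parse sees %d records" % len(naive_parse(SAMPLE_MTAB)))
    print("entries with control characters:",
          [e["mountpoint"] for e in suspicious_entries(parse_mtab(SAMPLE_MTAB))])
```

The practical rule for a script is the one Kees's comment implies: consume /etc/mtab or /proc/mounts (or a tool that emits one record per line in escaped form) rather than the decoded output of plain `mount`, and decode fields only after the record has been split.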

Jamie Strandboge (jdstrand) wrote :

What is the status of this? Is there an upstream bug report or patch available?

Changed in util-linux (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Incomplete

Jamie Strandboge (jdstrand) wrote :

Per Dan, this was not yet reported upstream.

Changed in util-linux (Ubuntu):
status: Incomplete → Confirmed
Changed in util-linux (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody