lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Jul 2016 11:59:26 +0200
From: Imre RAD <>
Subject: [FD] missing input validation in pmount: arbitrary mount as non-root

pmount is a wrapper around the standard mount program which permits
normal users to mount removable devices without a matching /etc/fstab
Due to a missing input validation check local users could mount devices
to arbitrary destinations and thus taking over the targeted system

Local user access to the target
Pmount 0.9.23 or older to be installed (any version at time of writing
this report)
/media directory to be empty

pmount is a wrapper around the standard mount program which permits
normal users to mount removable devices without a matching /etc/fstab

The default build of the pmount command mounts the specified device
under /media/label where label is subdirectory of /media. Label can be
specified as a command line parameter of pmount, and it is the basename
of the device to be mounted if omitted.
The pmount binary has setuid flag and owned by root.

The pmount command as of version 0.9.23 misses a validation check of the
label argument: single dot (.) as label is accepted by pmount.

Pmount verifies whether the destination directory  (normally
/media/label) is empty and refuses to mount if it is not.
Since the /media directory is usually populated with floppy and cdrom
directories in popular Linux distributions, the exploitability of this
vulnerability is probably low.

If the media dir is empty one can specify a simple dot as label, the
device is then mounted to /media then.
This is possible because the make_mountpoint_name() function in pmount.c
does not prevent this case.

Once this mount succeeded, the contents of the /media directory is
controlled by the attacker. Breaking out of /media restriction is then
possible by further invocation of pmount.
Although pmount verifies whether the specified destination path is empty
or not, the execv call with the mount command is not executed atomically
with the emptyness check. This is a Time of check time of use (TOCTOU)
problem, and as contents of the /media directory is already controlled
by the attacker, with appropriate timing
this can be exploited to mount to arbitrary destinations. This is
possible for example by replacing the empty directory of the label to a
symbolic link.

The vulnerability is not addressed at the time of publishing this

Additional information:
Discovered by: Imre Rad
Reported on: 2016-03-21
Disclosure: 2016-07-13

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists