Possible security bug with unmount

Michael Müller michael at fds-team.de
Wed Mar 23 11:43:51 CDT 2016


On 23.03.2016 at 17:18, Marcus Meissner wrote:
> Question is how to reach it... It is determined out of
> 
> 	mount_point = get_device_mount_point ( st.st_rdev )
> 
> and not user supplied, but read out of mtab or /proc/mounts .

Not sure if you can consider this a security risk since the Windows
application can execute arbitrary opcodes anyway, but constructing such
a case is not difficult:

mkdir "a;xterm"
mount ... "a;xterm"

You will get "/dev/loop0 /home/michael/test/a;xterm iso9660 ro,relatime
0 0" in /etc/mtab or /proc/mounts.

I just tried it out using this code
(https://jon.limedaley.com/code/windows/eject/eject.c) and it will start
xterm.
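
Added example (not code from this post, from Wine, or from the linked eject.c): assuming the mount point read from /etc/mtab or /proc/mounts ends up in a shell command line, which is what the xterm result above implies, the defensive form is to hand it to umount as a single argv element so no shell ever parses it. The function names and the /bin/umount path are assumptions.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy the mount-point field (2nd column) of one mtab-style line into out,
 * decoding the \ooo octal escapes used there for space, tab and newline.
 * Returns 0 on success, -1 on malformed or oversized input. */
int mtab_mount_point(const char *line, char *out, size_t outsz)
{
    const char *p = strchr(line, ' ');
    size_t n = 0;

    if (!p || outsz == 0)
        return -1;
    for (p++; *p && *p != ' ' && *p != '\n'; n++) {
        if (n + 1 >= outsz)
            return -1;
        if (p[0] == '\\' && p[1] >= '0' && p[1] <= '3' &&
            p[2] >= '0' && p[2] <= '7' && p[3] >= '0' && p[3] <= '7') {
            out[n] = (char)(((p[1] - '0') << 6) | ((p[2] - '0') << 3) | (p[3] - '0'));
            p += 4;
        } else {
            out[n] = *p++;
        }
    }
    out[n] = '\0';
    return n ? 0 : -1;
}

/* Run umount with the path as one argv element: no shell is involved, so
 * ';' and other metacharacters are just bytes of the directory name.
 * "--" keeps a name that starts with '-' from being read as an option. */
int unmount_no_shell(const char *mount_point)
{
    char *const argv[] = { "umount", "--", (char *)mount_point, NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/bin/umount", argv);   /* binary path is an assumption */
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the mtab line quoted above, `mtab_mount_point` yields `/home/michael/test/a;xterm` unchanged, and `unmount_no_shell` passes it to umount as a literal path.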


