Possible security bug with unmount

Marcus Meissner meissner at suse.de
Wed Mar 23 11:52:20 CDT 2016


On Wed, Mar 23, 2016 at 05:43:51PM +0100, Michael Müller wrote:
> On 23.03.2016 at 17:18, Marcus Meissner wrote:
> > Question is how to reach it... It is determined out of
> > 
> > 	mount_point = get_device_mount_point ( st.st_rdev )
> > 
> > and not user supplied, but read out of mtab or /proc/mounts .
> 
> Not sure if you can consider this a security risk since the Windows
> application can execute arbitrary opcodes anyway, but constructing such
> a case is not difficult:
> 
> mkdir "a;xterm"
> mount ... "a;xterm"
> 
> You will get "/dev/loop0 /home/michael/test/a;xterm iso9660 ro,relatime
> 0 0" in /etc/mtab or /proc/mounts.
> 
> I just tried it out using this code
> (https://jon.limedaley.com/code/windows/eject/eject.c) and it will start
> xterm.

Well, as you write ... if you can do such mounts or even execute Windows binary code,
then the system() call is harmless.  ;)

Ciao, Marcus
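
The pattern discussed in this thread, as an added example that is not part of the original messages or of Wine's code: read the mount point from a /proc/mounts line and hand it to the child as a single argv element instead of splicing it into a system() string. The function names, the `umount` command and the `printf` stand-in are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy the mount point (2nd field) of one /proc/mounts line into out, decoding
 * the \ooo octal escapes the kernel writes for space, tab, newline and
 * backslash. Returns 0 on success, -1 on malformed or oversized input. */
int mount_point_from_line(const char *line, char *out, size_t outsz)
{
    const char *p = strchr(line, ' ');
    size_t n = 0;
    if (!p) return -1;
    for (p++; *p && *p != ' ' && *p != '\n'; p++) {
        char c = *p;
        if (c == '\\' && p[1] >= '0' && p[1] <= '3' &&
            p[2] >= '0' && p[2] <= '7' && p[3] >= '0' && p[3] <= '7') {
            c = (char)(((p[1] - '0') << 6) | ((p[2] - '0') << 3) | (p[3] - '0'));
            p += 3;
        }
        if (n + 1 >= outsz) return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return n ? 0 : -1;
}

/* Run argv[0] with exactly these arguments. No shell parses the strings, so
 * ';', '$', quotes and spaces in a mount point stay ordinary bytes.
 * Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: the mtab line quoted in the thread. */
    const char *line = "/dev/loop0 /home/michael/test/a;xterm iso9660 ro,relatime 0 0\n";
    char mp[4096];
    if (mount_point_from_line(line, mp, sizeof mp) != 0) return 1;
    /* Harmless stand-in; a real caller would pass {"umount", mp, NULL} (assumed). */
    char *argv[] = { "printf", "child received one argument: %s\n", mp, NULL };
    return run_argv(argv);
}
```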


