Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

pmount 0.9.23 Arbitrary Device Mount

🗓️ 13 Jul 2016 00:00:00Reported by Imre RadType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 34 Views

pmount 0.9.23 Arbitrary Device Mount allows local users to mount devices to arbitrary destinations and take over the system completely. Missing input validation allows mounting to /media even if it's not empty, leading to a Time of check time of use (TOCTOU) problem.

Code
`Summary:  
--------  
pmount is a wrapper around the standard mount program which permits  
normal users to mount removable devices without a matching /etc/fstab entry.  
Due to a missing input validation check local users could mount devices  
to arbitrary destinations and thus taking over the targeted system  
completely.  
  
Prerequisites:  
--------------  
Local user access to the target  
Pmount 0.9.23 or older to be installed (any version at time of writing  
this report)  
/media directory to be empty  
  
Description:  
------------  
pmount is a wrapper around the standard mount program which permits  
normal users to mount removable devices without a matching /etc/fstab entry.  
  
The default build of the pmount command mounts the specified device  
under /media/label where label is subdirectory of /media. Label can be  
specified as a command line parameter of pmount, and it is the basename  
of the device to be mounted if omitted.  
The pmount binary has setuid flag and owned by root.  
  
The pmount command as of version 0.9.23 misses a validation check of the  
label argument: single dot (.) as label is accepted by pmount.  
  
Pmount verifies whether the destination directory (normally  
/media/label) is empty and refuses to mount if it is not.  
Since the /media directory is usually populated with floppy and cdrom  
directories in popular Linux distributions, the exploitability of this  
vulnerability is probably low.  
  
If the media dir is empty one can specify a simple dot as label, the  
device is then mounted to /media then.  
This is possible because the make_mountpoint_name() function in pmount.c  
does not prevent this case.  
  
Once this mount succeeded, the contents of the /media directory is  
controlled by the attacker. Breaking out of /media restriction is then  
possible by further invocation of pmount.  
Although pmount verifies whether the specified destination path is empty  
or not, the execv call with the mount command is not executed atomically  
with the emptyness check. This is a Time of check time of use (TOCTOU)  
problem, and as contents of the /media directory is already controlled  
by the attacker, with appropriate timing  
this can be exploited to mount to arbitrary destinations. This is  
possible for example by replacing the empty directory of the label to a  
symbolic link.  
  
Status:  
-------  
The vulnerability is not addressed at the time of publishing this  
disclosure.  
  
Additional information:  
-----------------------  
Discovered by: Imre Rad  
Reported on: 2016-03-21  
Disclosure: 2016-07-13  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Jul 2016 00:00Current
0.5Low risk
Vulners AI Score0.5
pmountdevice mountinput validationsystem takeovertoctou
34