Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 11 Jan 2018 21:33:02 +0000
From: halfdog <>
Subject: util-linux mount/unmount ASLR bypass via environment variable

Hello list,

Just FYI. The issue was not rated important, hence reported in
public mailing list, see [0]. Copy of message:

Cleaning up another issue, I noticed that I haven't reported this
one yet. Debugging of libmount can be activated, also in SUID
binaries, thus spilling out the heap addresses. Note that "CXT"
structure contains function pointers to overwrite.


LIBMOUNT_DEBUG=all /bin/umount /


2401: libmount:      CXT: [0x562d3abb0760]: ----> allocate [RESTRICTED]
2401: libmount:      CXT: [0x562d3abb0760]: umount: /
2401: libmount:      CXT: [0x562d3abb0760]: umount: lookup FS for '/'
2401: libmount:      CXT: [0x562d3abb0760]: checking for writable tab files
2401: libmount:    UTILS: utab: /run/mount/utab
2401: libmount:    CACHE: [0x562d3abb1950]: alloc
2401: libmount:    CACHE: [0x562d3abb1950]: canonicalize path /
2401: libmount:    CACHE: [0x562d3abb1950]: add entry [ 1] (path): /: /
2401: libmount:      CXT: [0x562d3abb0760]: tabfilter ENABLED!
2401: libmount:      TAB: [0x562d3abb35b0]: alloc

The output can easily be used by creating a local domain socket
with only 4k buffer size, filling it up until writes are blocking
and then start umount with that socket as stdout. This allows
race-free reading of the address output before umount accesses
other user-controlled resource. Thus any error during the downstream
procedure creating some kind of write-where vulnerability will
always find the correct target.



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ