23 Mar
2016
23 Mar
'16
4:18 p.m.
On Wed, Mar 23, 2016 at 04:57:29PM +0100, Cédric Picard wrote:
Hi,
I find that DIR_unmount_device in wine/dlls/ntdll/directory.c (latest git) is looking like an unsafe use of system().
If a device was mounted to a point such as ";ls" I think it would be passed to system and cause a command injection.
I didn't open a bug because I wasn't able to really test it due to my lack of knowledge of wine and because I can't think of a real world attack based on this as it needs to mount a device first but I think it's worth at least a thorough check.
Question is how to reach it... It is determined out of mount_point = get_device_mount_point ( st.st_rdev ) and not user supplied, but read out of mtab or /proc/mounts . Ciao, Marcus