On Wed, Mar 23, 2016 at 05:43:51PM +0100, Michael Müller wrote:
Am 23.03.2016 um 17:18 schrieb Marcus Meissner:
Question is how to reach it... It is determined out of
mount_point = get_device_mount_point ( st.st_rdev )
and not user supplied, but read out of mtab or /proc/mounts .
Not sure if you can consider this a security risk since the windows application can execute arbitrary opcodes anyway, but constructing such a case is not difficult:
mkdir "a;xterm" mount ... "a;xterm"
You will get "/dev/loop0 /home/michael/test/a;xterm iso9660 ro,relatime 0 0" in /etc/mtab or /proc/mounts.
I just tried it out using this code (https://jon.limedaley.com/code/windows/eject/eject.c) and it will start xterm.
well, as you write ... if you can do such mounts or even execute windows binary code, then the system() call is harmless. ;)
Ciao, Marcus