Why is “nodev” in /etc/fstab so important? How can character devices be used for hacking?

I am learning about Linux security and struggling to understand why a USB stick with a character device on it is potentially dangerous.

If I have a USB stick with a bash executable that has setuid root on it, the danger is obvious: Anybody with such a USB stick can gain root privileges on my computer if I have an entry like

/dev/sdb1 /media/usbstick auto defaults 0 0

in my /etc/fstab because defaults includes suid.

But what about character devices? How can I use a character device to gain root privileges or break stuff if a USB stick with a character device on it gets mounted with dev or defaults?

Answers:


Method 1

Because access to the underlying device is controlled only by file permissions by default: if your USB stick contains a POSIX filesystem with a world-writable device node corresponding to a real device in the system, you can use that device node to access the corresponding device as a “plain” user. Imagine a device corresponding to one of the audio devices, your webcam, /dev/sda (which is a block device rather than a character device, but the argument is the same)…

Here’s an example to make things clearer. Say you want to access /dev/sda (then you can pretty much do anything you want with the contents of the disk, including planting a program which would allow you to become root; this is a block device but the problem is the same with character devices). On your target system, ls -l /dev/sda shows

brw-rw----  1 root disk      8,   0 Sep  8 11:25 sda

This means /dev/sda is a block device (the b at the beginning of the line), with major number 8 and minor number 0 (the 8, 0 in the middle of the line). The device is only accessible to root (read/write) and members of the disk group (also read/write).

Now imagine on this system you can’t become root but for some reason you can mount USB sticks as a user without nodev. On another system, where you are root, you can create a corresponding special file on your USB key:

mknod -m 666 usersda b 8 0

This will create a special file called usersda, readable and writable by everyone.

Mount the key on your target system and hey presto, you can use the usersda device in the same way as /dev/sda, but with no access restriction…

(This will work even with encrypted file systems, as long as you are able to access the decrypted mapper device: create device which matches the appropriate /dev/mapper entry.)


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
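A defender's check for the fstab problem the question describes, added here as an example and not part of the original question or answer: it walks each entry's option list with mount(8) semantics (the mount starts as rw,suid,dev,exec, so `defaults` adds nothing; `user`, `users` and `owner` imply nodev,nosuid,noexec unless a later option such as `dev` re-enables them) and reports entries that would still honour device nodes or setuid bits on the mounted media. The fstab text is constructed for the demonstration.

```python
from typing import Dict, List, Tuple

SKIP_TYPES = {"swap", "proc", "sysfs", "devtmpfs", "devpts"}  # nodev here is moot

# Constructed sample fstab for the demonstration, not copied from a real host.
SAMPLE_FSTAB = """
UUID=0000-root /                ext4  errors=remount-ro    0 1
/dev/sdb1      /media/usbstick  auto  defaults             0 0
/dev/sdc1      /media/safe      auto  user,noauto          0 0
/dev/sdd1      /media/bad       auto  user,dev             0 0
tmpfs          /tmp             tmpfs nosuid,nodev,size=1G 0 0
/dev/sda2      none             swap  sw                   0 0
"""


def effective_opts(options: str) -> Dict[str, bool]:
    """Report whether an option list honours device nodes and setuid bits,
    per mount(8): a mount starts as rw,suid,dev,exec ('defaults' adds nothing);
    user/users/owner imply nodev,nosuid,noexec unless re-enabled later."""
    state = {"dev": True, "suid": True}
    for opt in options.split(","):
        if opt in ("user", "users", "owner"):
            state.update(dev=False, suid=False)
        elif opt in ("dev", "suid"):
            state[opt] = True
        elif opt in ("nodev", "nosuid"):
            state[opt[2:]] = False
    return state


def audit_fstab(text: str) -> List[Tuple[str, List[str]]]:
    """Return (mount point, missing options) for entries that would still
    honour device nodes or setuid binaries on the mounted media."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank or comment line
        _source, mnt, fstype, options = fields[:4]
        if mnt == "/" or fstype in SKIP_TYPES:
            continue  # root cannot be nodev; pseudo fs and swap carry no nodes
        missing = [f"no{f}" for f, on in effective_opts(options).items() if on]
        if missing:
            findings.append((mnt, missing))
    return findings
```

Run against a real /etc/fstab with `audit_fstab(open("/etc/fstab").read())`; the entry from the question (`defaults` on /media/usbstick) is reported as missing both nodev and nosuid.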
