Skip to content

Fix Path Traversal Vulnerabilities (CWE-23) in raw_write.py – Arbitrary file read/write as root #144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rgfegegeegege wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix Path Traversal Vulnerabilities (CWE-23) in raw_write.py – Arbitrary file read/write as root #144

rgfegegeegege wants to merge 2 commits into from

Conversation

@rgfegegeegege
Copy link

@rgfegegeegege rgfegegeegege commented Jan 10, 2026

This PR fixes a critical path traversal vulnerability in raw_write.py that allowed arbitrary file read and device overwrite as root when using pkexec.

Vulnerabilities fixed:

  • Unsanitized --source (-s) allowed reading arbitrary files via open(source, 'rb')
  • Unsanitized --target (-t) allowed writing to arbitrary block devices/files
  • Potential command injection risk in mountutils.py (recommended to change to shell=False there too)

Changes:

  • Use os.path.realpath() to resolve path traversal
  • Validate source ends with common image extensions (.iso, .img, etc.)
  • Validate target is a real block device using stat.S_ISBLK
  • Use shutil.copyfileobj for efficient and clean file copy
  • Better error messages and logging

Full reproducible PoC (original vulnerable behavior):

  1. Create a dummy block device with size:
    truncate -s 1G big_dummy.img
    sudo losetup -f --show big_dummy.img
    ... Note the device, e.g. /dev/loop1

  2. Run the vulnerable write:
    pkexec python3 /usr/lib/mintstick/raw_write.py -s /etc/passwd -t /dev/loop1

  3. Expected result (vulnerable):

    • Script prints "1.0"
    • It reads the entire /etc/passwd as root
    • It writes the content of /etc/passwd to /dev/loop1

  4. Verify the content was written:
    sudo dd if=/dev/loop1 bs=4096 count=10 | strings | head -n 20
    → You will see the lines of /etc/passwd (root:x:0:0:root... etc.)

Cleanup:
sudo losetup -d /dev/loop1
rm big_dummy.img

With this PR applied: the command above will fail with a clear error message ("Invalid source file" or "Source path not allowed"), preventing the read and write.

Tested on Linux Mint with dummy.img and loop devices works as expected with valid .iso files, rejects invalid paths.

Thanks for reviewing

@rgfegegeegege
Copy link
Author

rgfegegeegege commented Jan 10, 2026

Additional commit: Mitigated potential command injection risk in mountutils.py by changing shell=True to shell=False with list argument.

While upstream validation in raw_write.py already prevents malicious target strings from reaching do_umount(), this change follows best practices and eliminates any potential risk (CWE-78).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rgfegegeegege