CVE-2018-10906

MEDIUM

fuse < 2.9.8 and 3.x < 3.2.5 - Privilege Escalation via fusermount SELinux Bypass

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-10906. PoCs published by Google Security Research.

AI-analyzed exploit summary: This exploit bypasses fusermount's restrictions on the 'allow_other' mount option by leveraging SELinux context parsing flaws and option smuggling via backslashes. It demonstrates mounting a FUSE filesystem with elevated privileges without requiring 'user_allow_other' in /etc/fuse.conf.

Description

In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · cdoslinux
https://www.exploit-db.com/exploits/45106

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: libfuse (versions before the fix in PR #268)
No auth needed
Prerequisites: SELinux enabled (permissive or enforcing) · Access to a system with FUSE support · Ability to compile and run custom code
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10906
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/08/msg00015.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4257
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45106/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3324

Scores

CVSS v3 5.3
EPSS 0.0005
EPSS Percentile 17.4%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE: CWE-269, CWE-285
Status published
Products (6)
debian/debian_linux 8.0
debian/debian_linux 9.0
fuse_project/fuse < 2.9.8
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_workstation 7.0
Published Jul 24, 2018
Tracked Since Feb 18, 2026