Bug description: At least on ubuntu lucid the fusermount tool contains a timerace mounting a user filesystem and updating mtab using the standard mount command. Since the mount command is called using exec, the window of opportunity is rather large. The mount command will also normalize the target path so that moving the real fuse mountpoint and replacing it with a symlink will make mount update mtab using the path where the symlink points to, e.g. /proc. The result is, that the real mount entry and mtab entry differ, which makes the fuse-mounted filesystem non-unmountable by an unprivileged user. Crafted mtab entries can then be used to trick fusermount to believe that some part of the filesystem is a user space filesystem and the program will unmount them normally.

POC:

• FuseMinimal.c: Minimal fuse implementation, just needed to make mount work.
• DirModifyInotify.c: Simple inotify listener to move directory and add symlink instead
• Test.sh: Example script, how to put things together

References:

• Fuse sourceforge project: http://fuse.sourceforge.net/
• POC via PacketStorm: http://packetstormsecurity.org/filedesc/fusermount-racecondition-tgz.html
• Redhat bug 651183 and request CVE-2010-3879: https://bugzilla.redhat.com/show_bug.cgi?id=651183
• Debian bugreport: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333
• Ubuntu bugreport: https://bugs.launchpad.net/ubuntu/+source/fuse/+bug/670622
• Ubuntu security advisories: USN-1045-1, USN-1045-2
• Novell/Suse report: https://bugzilla.novell.com/show_bug.cgi?id=651598
• CVE Request: http://seclists.org/oss-sec/2010/q4/115
• CVE Entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3879
• OSVDB: http://osvdb.org/70520
• Vigil@ance vulerability VIGILANCE-VUL-10104 en, fr
• IBM Internet Security System Xforce 62986: http://xforce.iss.net/xforce/xfdb/62986
• US-CERT Cyber Security Bulletin 24. Jan 2011: http://www.us-cert.gov/cas/bulletins/SB11-031.html