CLD-409 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-0358 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) ntfs-3g_ntfsprogs
Deficiency Type SECURITY
Date Created 2018-05-21 11:15:21
Date Last Modified 2018-05-22 14:10:24

Version Specific Information:

Cucumber 1.0 i686 not affected
Cucumber 1.0 x86_64 not affected

Cucumber 1.1 i686 not affected
Cucumber 1.1 x86_64 not affected

Details:

=================================== Overview ===================================

Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS
driver for FUSE, does not scrub the environment before executing modprobe with
elevated privileges. A local user can take advantage of this flaw for local
root privilege escalation. 

================================ Initial Report ================================

From http://www.openwall.com/lists/oss-security/2017/02/01/8:

Hi,

Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
NTFS driver for FUSE, does not scrub the environment before
executing modprobe to load the fuse module. This influences the behavior
of modprobe (MODPROBE_OPTIONS environment variable, --config and
--dirname options), potentially allowing for local root privilege
escalation if ntfs-3g is installed setuid. This is the case for Debian,
Ubuntu and probably Gentoo.

This problem has been in the source since 2008, maybe before.
The fix is easy: use execle instead of execl and pass NULL as the
environment variables.
-- cut --
--- ntfs-3g/src/lowntfs-3g.c.ref        2016-12-31 08:56:59.011749600 +0100
+++ ntfs-3g/src/lowntfs-3g.c    2017-01-05 14:41:52.041473700 +0100
@@ -4291,13 +4291,14 @@
        struct stat st;
        pid_t pid;
        const char *cmd = "/sbin/modprobe";
+       char *env = (char*)NULL;
        struct timespec req = { 0, 100000000 };   /* 100 msec */
        fuse_fstype fstype;

        if (!stat(cmd, &st) && !geteuid()) {
                pid = fork();
                if (!pid) {
-                       execl(cmd, cmd, "fuse", NULL);
+                       execle(cmd, cmd, "fuse", NULL, &env);
                        _exit(1);
                } else if (pid != -1)
                        waitpid(pid, NULL, 0);
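Review bot: `execle(cmd, cmd, "fuse", NULL, &env)` is correct only because `&env` happens to point at a single NULL entry, i.e. an empty envp vector; that is easy to misread as passing a NULL environment pointer. Declaring the vector explicitly, e.g. `char *const envp[] = { NULL };` and passing `envp`, states the intent, and the `(char*)NULL` cast in `char *env = (char*)NULL;` is unnecessary. A one-line comment saying why the environment is dropped (modprobe honours MODPROBE_OPTIONS, per the report) would keep a future cleanup from reverting to execl.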
--- ntfs-3g/src/ntfs-3g.c.ref   2016-12-31 08:56:59.022518700 +0100
+++ ntfs-3g/src/ntfs-3g.c       2017-01-05 15:45:45.912499400 +0100
@@ -3885,13 +3885,14 @@
        struct stat st;
        pid_t pid;
        const char *cmd = "/sbin/modprobe";
+       char *env = (char*)NULL;
        struct timespec req = { 0, 100000000 };   /* 100 msec */
        fuse_fstype fstype;

        if (!stat(cmd, &st) && !geteuid()) {
                pid = fork();
                if (!pid) {
-                       execl(cmd, cmd, "fuse", NULL);
+                       execle(cmd, cmd, "fuse", NULL, &env);
                        _exit(1);
                } else if (pid != -1)
                        waitpid(pid, NULL, 0);
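Review bot: this hunk is a byte-for-byte duplicate of the lowntfs-3g.c one (same locals, same fork/execle/waitpid sequence), and the bug had to be fixed in both places; moving the modprobe spawn into a single shared helper would keep the two front ends from drifting apart again. The same remark applies here about preferring an explicit `char *const envp[] = { NULL };` over `&env` and dropping the `(char*)NULL` cast.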
-- cut --

CVE-2017-0358 is assigned to this issue by Salvatore Bonaccorso,
Debian Security Team.

Regards,
Laszlo/GCS
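
The scrubbing the patch above applies, as an added example (not code from the advisory or from ntfs-3g): a helper that spawns a child with a fixed environment instead of the inherited one, plus a self-check that a constructed MODPROBE_OPTIONS set in the parent is invisible to the child. The PATH entry and the /bin/sh probe are this example's own choices; ntfs-3g passes an entirely empty vector.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Environment handed to a privileged helper: nothing is inherited from the
 * caller, so a caller-set MODPROBE_OPTIONS can never reach modprobe. The
 * fixed PATH is this example's choice; the ntfs-3g patch passes { NULL }. */
static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Fork, exec argv[0] (an absolute path) with the given envp, and return the
 * child's exit status; -1 on fork/wait failure or abnormal termination. */
static int run_with_env(char *const argv[], char *const envp[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);                       /* exec failed; never return to caller code */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Self-check: put a constructed MODPROBE_OPTIONS into our own environment and
 * ask a child shell whether it can see it. With clean_env the variable must be
 * absent (child_env_is_clean returns 1); with the inherited environ, the
 * unscrubbed pattern the report describes, it leaks (child_env_leaks returns 1). */
static char *const probe[] = { "/bin/sh", "-c", "test -z \"$MODPROBE_OPTIONS\"", NULL };

static int child_env_is_clean(void)
{
    setenv("MODPROBE_OPTIONS", "constructed-test-value", 1);
    return run_with_env(probe, clean_env) == 0;   /* test -z passed: unset in child */
}

static int child_env_leaks(void)
{
    setenv("MODPROBE_OPTIONS", "constructed-test-value", 1);
    return run_with_env(probe, environ) == 1;     /* test -z failed: child saw it */
}
```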

============================ Additional Information ============================

A Proof of Concept can be found at:
http://www.openwall.com/lists/oss-security/2017/02/04/1

================================= Our Analysis =================================

----- Affected Products -----
ntfs-3g is not installed as setuid on Cucumber Linux. Therefore, we are not
affected.

----- Scope and Impact of this Vulnerability -----
Allows for local privilege escalation to root.

----- Testing if you are Affected -----
You can test if you are vulnerable to this by running the Proof of Concept from:
http://www.openwall.com/lists/oss-security/2017/02/04/1

================================= Our Solution =================================

Not affected; no action necessary.