CLD-409 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) |
ntfs-3g_ntfsprogs |
Deficiency Type |
SECURITY |
Date Created |
2018-05-21 11:15:21 |
Date Last Modified |
2018-05-22 14:10:24 |
Version Specific Information:
Cucumber 1.0 i686 | not affected |
Cucumber 1.0 x86_64 | not affected |
Cucumber 1.1 i686 |
not affected |
Cucumber 1.1 x86_64 |
not affected |
Details:
=================================== Overview ===================================
Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS
driver for FUSE, does not scrub the environment before executing modprobe with
elevated privileges. A local user can take advantage of this flaw for local
root privilege escalation.
================================ Initial Report ================================
From http://www.openwall.com/lists/oss-security/2017/02/01/8:
Hi,
Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
NTFS driver for FUSE does not not scrub the environment before
executing modprobe to load the fuse module. This influence the behavior
of modprobe (MODPROBE_OPTIONS environment variable, --config and
--dirname options) potentially allowing for local root privilege
escalation if ntfs-3g is installed setuid. This is the case for Debian,
Ubuntu and probably Gentoo.
This problem is in the source since 2008, maybe before.
The fix is easy, use execle instead of execl and pass NULL as
environment variables.
-- cut --
--- ntfs-3g/src/lowntfs-3g.c.ref 2016-12-31 08:56:59.011749600 +0100
+++ ntfs-3g/src/lowntfs-3g.c 2017-01-05 14:41:52.041473700 +0100
@@ -4291,13 +4291,14 @@
struct stat st;
pid_t pid;
const char *cmd = "/sbin/modprobe";
+ char *env = (char*)NULL;
struct timespec req = { 0, 100000000 }; /* 100 msec */
fuse_fstype fstype;
if (!stat(cmd, &st) && !geteuid()) {
pid = fork();
if (!pid) {
- execl(cmd, cmd, "fuse", NULL);
+ execle(cmd, cmd, "fuse", NULL, &env);
_exit(1);
} else if (pid != -1)
waitpid(pid, NULL, 0);
--- ntfs-3g/src/ntfs-3g.c.ref 2016-12-31 08:56:59.022518700 +0100
+++ ntfs-3g/src/ntfs-3g.c 2017-01-05 15:45:45.912499400 +0100
@@ -3885,13 +3885,14 @@
struct stat st;
pid_t pid;
const char *cmd = "/sbin/modprobe";
+ char *env = (char*)NULL;
struct timespec req = { 0, 100000000 }; /* 100 msec */
fuse_fstype fstype;
if (!stat(cmd, &st) && !geteuid()) {
pid = fork();
if (!pid) {
- execl(cmd, cmd, "fuse", NULL);
+ execle(cmd, cmd, "fuse", NULL, &env);
_exit(1);
} else if (pid != -1)
waitpid(pid, NULL, 0);
-- cut --
CVE-2017-0358 is assigned to this issue by Salvatore Bonaccorso,
Debian Security Team.
Regards,
Laszlo/GCS
============================ Additional Information ============================
A Proof of Concept can be found at:
http://www.openwall.com/lists/oss-security/2017/02/04/1
================================= Our Analysis =================================
----- Affected Products -----
ntfs-3g is not installed as setuid on Cucumber Linux. Therefore, we are not
affected.
----- Scope and Impact of this Vulnerability -----
Allows for local privilege escalation to root.
----- Testing if you are Affected -----
You can test if you are vulnerable to this by running the Proof of Concept from:
http://www.openwall.com/lists/oss-security/2017/02/04/1
================================= Our Solution =================================
Not affected; no action necessary.