Date: Tue, 07 Jun 2022 10:30:48 +0000
From: Roman Fiedler <roman.fiedler@...aralleled.eu>
To: oss-security@...ts.openwall.com
Subject: UNPAR-2022-0 Multiple Vulnerabilities in ntfs-3g NTFS Mount Tool

On 20220526 Tuxera Inc. released patches and a security advisory [1] on multiple vulnerabilities in the "ntfs-3g" SUID tool (CVE-2022-30783, CVE-2022-30785, CVE-2022-30787). As patches have been out now for more than a week, the attached advisory [2] provides additional information regarding those vulnerabilities. To avoid sitting too long on already shared exploit code, [3] describes an exploitation strategy and provides PoC code.

Exploitation is mostly done schoolbook style, using the heap buffer underread to extract relevant addresses and break ASLR, also to calculate the offset to the heap-sprayed initial payload (with memory massaging upstream of the underread buffer), then using the initial payload to perform single-byte overwrites of a function pointer to call "dlopen" in the end. Only the overwrite technique is somewhat creative, as it leverages a crafted NTFS image so that the lowest byte of the inode number is used for overwriting, thus also supporting writes of non-text-encodable bytes, e.g. null.

While working on the vulnerability analysis and digging through the "ntfs-3g" heap memory, I was also digging through trash heaps on stage in a theater production [4] on physical, emotional and digital trash, always with sustainability in mind. Only a small number of thoughts on digital resource usage and sustainability could be included in the play, but there might be quite some interesting links between OSS IT security (or open source development in general) and sustainability, so I would like to share my thoughts and ask for feedback:

1) IT security definitely has environmental, economic and societal impact, thus being worth analyzing regarding sustainability according to the definition of it. Secure software and good incident handling may improve sustainable productivity (avoid resource loss in incident handling, more units per ton of CO2 produced) and avoid societal damage (surveillance of regime critics using undisclosed vulnerabilities, unavailability of or distrust in governmental or public health systems). But vulnerability disclosure or EOL of old/insecure/unmaintainable code may also speed up hardware obsolescence, as older devices are less likely to see updates.

2) Software development and maintenance consumes a lot of resources. This would be fine, as long as the output is worth it. Is maintaining redundant code, developing features nobody needs, fixing security issues that could be easily avoided therefore ethical? As in the vulnerabilities disclosed above, are 3 different but partially overlapping SUID mount tools (/bin/mount, fusermount, ntfs-3g) needed, and could modularization and reuse reduce the attack surface and therefore make those tools more sustainable?

3) If sustainability considerations were part of ethical software development or ethical hacking, how would one find out what would really improve the situation, in order to define it as best practice? Apart from technicalities (do proposed measures really fix the problem), there might also be a lot of very controversial general ethical questions to be addressed. While open source explosive device construction might be seen as doing more harm than good (also true for Ukraine and other conflict areas?), what about providing insecure, unmaintainable, too complex software to users, more likely to hurt them by data loss/leakage or even cause collateral damage as a trampoline for other attacks?

4) How are productivity of software use and the amount of software features, and thus attack surface, linked? For business software at least, articles indicate that more features are likely to impair usability, user experience and in the end productivity. Would less be more in the end? Could simpler software both stop the ongoing rise in IT security damage cost and resource waste, make the software user more productive and reduce the load on the maintainer? Or would that just backfire by reducing creativity in software development and software use, hampering the development of e.g. more efficient production or consumption schemes, and keeping old and energy-inefficient hardware longer on the market?

This is only a small set of thoughts that came up to be cast into words. I am interested (maybe offlist) in more ideas on the topic, any feedback expanding my thoughts, references to previous work on the topic, ... For those near Graz, helpful feedback may win you a free theater ticket for the next season, if the play is resumed after summer :-)

Regards,
Roman Fiedler

[1] https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-6mv4-4v73-xw58
[2] https://unparalleled.eu/publications/2022/advisory-unpar-2022-0.txt
[3] https://unparalleled.eu/blog/2022/20220607-help-to-heap-suid-privilege-escalation/
[4] https://schauspielhaus-graz.buehnen-graz.com/play-detail/trashland/

--
DI Roman Fiedler
roman.fiedler at unparalleled.eu
Unparalleled IT Services e.U.
+43 677 63 29 28 29
Felix-Dahn-Platz 4, 8010 Graz, AUT
https://unparalleled.eu/
FN: 516074h VAT: ATU75050524

Attachment: "advisory-unpar-2022-0.txt" (text/plain, 10675 bytes)
Attachment: "help-to-heap" (text/plain, 14642 bytes)