Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 07 Jun 2022 10:30:48 +0000
From: Roman Fiedler <roman.fiedler@...aralleled.eu>
To: oss-security@...ts.openwall.com
Subject: UNPAR-2022-0 Multiple Vulnerabilities in ntfs-3g NTFS Mount Tool

On 20220526 Tuxera Inc. released patches and a security advisory [1]
on multiple vulnerabilities in "ntfs-3g" SUID tool (CVE-2022-30783,
CVE-2022-30785, CVE-2022-30787). As patches are out now for more
than a week, the attached advisory [2] provides additional information
regarding those vulnerabilities. To avoid sitting too long on
already shared exploit code, [3] describes an exploitation strategy
and provides PoC code.

Exploitation is mostly done school book style, using the heap
buffer underread to extract relevant addresses and break ASLR,
also to calculate the offset to heap sprayed initial payload
(with memory massaging upstream of the underread buffer), use
the initial payload to perform single byte overwrites of a function
pointer to call "dlopen" in the end. Only the overwrite technique
is somehow creative as it leverages a crafted NTFS image so that
the lowest byte of the inode number is used for overwriting -
thus supporting also writes non-text encodable bytes, e.g null.


While working on the vulnerability analysis and digging through
the "ntfs-3g" heap memory [3], I was also digging through thrash
heaps on stage in a theater production [4] on physical, emotional
and digital trash, always with sustainablility in mind. Only
a small number of thoughts on digital resource usage and sustainability
could be included in the play, but there might be quite some
interesting links between OSS IT security (or open source development
in general) and sustainability, so I would like to share my thoughts
and that to get feedback:

1) IT security has definitely environmental, economical and societal
impact, thus being worth analyzed regarding sustainability according
to definition of it. Secure software and good incident handling
may improve sustainable productivity (avoid resource loss in
incident handling, more units per ton CO2 produced), avoid
societal damage (surveilance of regime critics using undisclosed
vulnerabilites, unavailability or distrust in govermental or
public health systems). But vulnerability disclosure or EOL of
old/insecure/unmaintainable code may also speed up hardware obsolescence
as older devices are less likely to see updates.

2) Software development and maintenance consumes lot of resources.
This would be fine, as long as the output is worth it. Is maintaining
redundant code, developing features nobody needs, fixing security
issues that could be easily avoided therefore ethical? As in
the vulnerabilities disclosed above, are there 3 different but
partially overlapping SUID mount tools (/bin/mount, fusermount,
ntfs-3g) needed, could modularization and reuse reduce the attack
surface and therefore make those tools more sustainable?

3) If sustainability considerations would be part of ethical
software development or ethical hacking, how to find out what
would really improve the situation to define it as best practices?
Apart from technicalities (do proposed measures really fix the
problem) there might be also a lot of very controversial general
ethical questions to be adressed. While open sorce explosive
device construction might be seen as doing more harm than good
(also true for Ukrain and other conflict areas?), what about
providing insecure, unmaintainable, too complex software to
users, more likely to hurt them by data loss/leakage or even
cause collateral damage as trampoline for other attacks?

4) How are productivity of software use and amount of software
features and thus attack surface linked? For business software
at least articles indicate, that more features are likely to
impair usability, user experience and in the end productivity.
Would less be more in the end? Could simpler software both
stop the ongoing rise in IT security damage cost and resource
waste, make the software user more productive and reduce the
load on the maintainer? Or would that just backfire by reducing
creativity in software development and software use, hampering
the development of e.g. more efficent production or consumption
schemes, keep old and energy inefficient hardware longer on the
market?

This is only a small set of thoughts that came up to be cast
into words. I am interested (maybe offlist) in more ideas on
the topic, any feedback expanding my thoughts, references to
previous work on the topic, ... For those near Graz, helpful
feadback may win you a free theater ticket for the next season,
if the play is resumed after summer :-)

Regards,
Roman Fiedler

[1] https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-6mv4-4v73-xw58
[2] https://unparalleled.eu/publications/2022/advisory-unpar-2022-0.txt
[3] https://unparalleled.eu/blog/2022/20220607-help-to-heap-suid-privilege-escalation/
[4] https://schauspielhaus-graz.buehnen-graz.com/play-detail/trashland/


| |  DI Roman Fiedler
| /  roman.fiedler at unparalleled.eu  Unparalleled IT Services e.U.
/ |  +43 677 63 29 28 29               Felix-Dahn-Platz 4, 8010 Graz, AUT
| |  https://unparalleled.eu/          FN: 516074h       VAT: ATU75050524

View attachment "advisory-unpar-2022-0.txt" of type "text/plain" (10675 bytes)

View attachment "help-to-heap" of type "text/plain" (14642 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.