Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ntfs-3g | Tuxera | * | 2016.2.22 (including) |
| Ntfs-3g | Ubuntu | esm-infra/xenial | * |
| Ntfs-3g | Ubuntu | upstream | * |
| Ntfs-3g | Ubuntu | xenial | * |
| Ntfs-3g | Ubuntu | yakkety | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- http://www.openwall.com/lists/oss-security/2017/02/04/1
- http://www.securityfocus.com/bid/95987
- https://marc.info/?l=oss-security\u0026m=148594671929354\u0026w=2
- https://security.gentoo.org/glsa/201702-10
- https://www.debian.org/security/2017/dsa-3780
- https://www.exploit-db.com/exploits/41240/
- https://www.exploit-db.com/exploits/41356/
- http://www.openwall.com/lists/oss-security/2017/02/04/1
- http://www.securityfocus.com/bid/95987
- https://marc.info/?l=oss-security\u0026m=148594671929354\u0026w=2
- https://security.gentoo.org/glsa/201702-10
- https://www.debian.org/security/2017/dsa-3780
- https://www.exploit-db.com/exploits/41240/
- https://www.exploit-db.com/exploits/41356/