CVE-2007-5159

First published: Thu Sep 20 2007(Updated: )

Description of problem: Fuse in general and Fedora's way to let only members of the group fuse access and use fuse was discussed in <a href="https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00163.html">https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00163.html</a> and mails below in that thread. There we noticed that members of the group fuse can get access to devices which they normally should not have access to. See <a href="https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00163.html">https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00163.html</a> ; the relevant parts of it: $ ls -l /dev/sda3 brw-r----- 1 root disk 8, 3 14. Sep 16:10 /dev/sda3 $ groups thl fuse $ dd if=/dev/sda3 bs=512K count=1 | strings dd: opening `/dev/sda3': Permission denied $ mkdir ntfs $ /sbin/mount.ntfs-3g /dev/sda3 ntfs/ $ touch ntfs/foo $ ls -l ntfs/foo -rwxrwxrwx 1 thl thl 0 18. Sep 19:27 ntfs/foo ntfs-3g IMHO should fail, as the users should not get access to random devices he has no access to. Quoting Alexander Larsson from <a href="https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00171.html">https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00171.html</a> <span class="quote">&gt;Thats quite weird. The way I undestand fuse is that you run the &gt;filesystem as your user, and then that filesystem (via libfuse) spawns &gt;fusermount to open the fuse device and attach to the mountpoint. &gt;fusermount then passes the fd to the fuse device back the the filesystem &gt;process (via a socket) which then handles all the requests. </span> &gt; <span class="quote">&gt;Reading the data source for the filesystem (if there is any) is only &gt;done by the filesystem process, not by the setuid fusermount helper, so &gt;it should not be able to read /dev/sda3.</span> Further investigation showed that ntfs-3g gets installed SUID root: $ ls -l /sbin/mount.ntfs-3g -rwsr-xr-- 1 root fuse 40528 17. Sep 23:14 /sbin/mount.ntfs-3g That might be wrong as that afaics makes it possible for ntfs-3g to access devices which the user normally would not have access to. Quoting Alexander again, this time from <a href="https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00174.html">https://www.redhat.com/archives/fedora-desktop-list/2007-September/msg00174.html</a> <span class="quote">&gt;Oh. That seems like a bad idea to me. If this drops privs after opening &gt;the device I think you can attach to the process using e.g. gdb and call &gt;any read() operation on the device. If might even mean (with some &gt;creative exploits) that any fuse group user can read any block on any &gt;disk.</span> Version-Release number of selected component (if applicable): ntfs-3g-1.913-1.fc8 Please note that I as ex-maintainer of fuse stumbled into this by accident -- I don't care much about fuse and ntfs-3g these days, but I think the behavior of ntfs-3g is a security bug.

Credit: cve@mitre.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-historical
• collector/nvd-index
• agent/references
• agent/type
• agent/softwarecombine
• agent/first-publish-date
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/weakness
• agent/author
• agent/severity
• agent/description
• agent/tags
• agent/event
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2007-5159
• agent/software-canonical-lookup
• vendor/redhat
• canonical/redhat fedora
• version/redhat fedora/7
• vendor/ntfs-3g
• canonical/ntfs-3g ntfs-3g
• version/ntfs-3g ntfs-3g/1.913-1.fc7
• vendor/ubuntu
• canonical/ubuntu ubuntu linux
• version/ubuntu ubuntu linux/7.10
• package-manager/redhat