Conference:  Black Hat Asia 2023
Authors: Chiachih Wu, Yuan-Tsung Lo
2023-05-12

In 1993, Microsoft introduced the proprietary NTFS with Windows NT 3.1. Nearly three decades later, a full-fledged native NTFS driver, dubbed NTFS3, was contributed to the Linux 5.15 kernel by Paragon Software in late 2021. As a new and complex subsystem in the Linux kernel, NTFS3 is an attractive target for both attackers and security researchers. We therefore started with system call fuzzers (e.g., syzkaller, Trinity) to look for vulnerabilities in NTFS3. However, as previous context-aware fuzzing work has shown, random mutation spends most of its budget on low-value paths, and a more efficient way to skip them is needed.

We chose to leverage and improve the context-aware file system fuzzer Janus to fuzz NTFS3. Although Janus is an excellent fuzzing framework, applying it to NTFS3 on the latest Linux kernel raised several challenges. Specifically, we wrote an NTFS3 parser, based on the incomplete public NTFS specification, to pre-check fuzzer-generated file system images so that images the driver would reject anyway are never sent to the target. We also ported the outdated Linux Kernel Library (LKL) to the latest Linux kernel, which is the key to shortening the target reboot time. In addition, we added KASAN support to LKL, which let us detect memory violations that do not cause a crash.

As a result, we identified dozens of crashes, bugs and vulnerabilities, with 9 patches currently in the v6.2 release candidate process and 3 patches accepted by the NTFS3 maintainer. In particular, one of the critical vulnerabilities we identified can be exploited for local privilege escalation: we crafted a malformed NTFS image and showed that mounting it corrupts kernel heap memory. Combined with a suitable heap spray technique, this yields root privileges for anyone who can trigger a mount of an untrusted image, for example through auto-mounting of removable media.