NTFS-3G is the go-to open-source driver to write and read Windows NTFS drives on Linux, macOS, and other Unix systems. Millions rely on it for USB sticks, external hard drives, or dual-boot systems. Most users plug devices in without a second thought—but a vulnerability published in 2022 (CVE-2022-40284) reveals that attackers could take control of your machine with nothing more than a malicious thumb drive.
Here, we break down how the vulnerability works, show a proof-of-concept, and explain what to do if you’re exposed.
## What is CVE-2022-40284?
In plain English: NTFS-3G had a buffer overflow bug that let attackers execute code as root.
> - _Vulnerability_: Buffer overflow in crafted NTFS images.
> - _Who can exploit_: Local attackers if ntfs-3g is setuid root; physical attackers if NTFS-3G auto-mounts USB drives.
> - _Impact_: Full code execution as root.
> - _Affected versions_: NTFS-3G before 2022.10.3 (and possibly older distributions shipping older versions).
## How the Exploit Works
NTFS-3G reads file system metadata from connected devices or disk images. It didn’t properly check the size of certain metadata fields from untrusted sources.
An attacker could create a special NTFS image where fields in the $ATTRIBUTE_LIST (or related metadata) are oversized. When NTFS-3G parses them, the malicious data spills beyond its buffer into program memory.
If an attacker prepares this memory carefully, they can hijack execution flow—often by overwriting return addresses or function pointers—with code they control.
**Setuid root installation (common in Linux):**
If the OS package manager installed ntfs-3g as setuid root (so users can mount NTFS volumes without sudo), any local user could run the vulnerable binary with a crafted NTFS image.
**Auto-mount on external device insertion:**
On many desktops, plugging in an external NTFS drive will trigger ntfs-3g automatically, possibly as root via udisks or similar mechanisms.
An attacker could hand you a poisoned USB stick or swap a drive at a coffee shop to gain a shell on your laptop!
## Proof-of-Concept: Minimal Exploit
Below is a HIGHLY SIMPLIFIED example to show HOW buffer overflows typically work here. (A real exploit would involve intricate NTFS metadata crafting and precise memory manipulation.)
Suppose a vulnerable code segment inside ntfs-3g's metadata parser looks like this:

```c
char name[8];
// Reads untrusted 'name_length' bytes; the attacker controls 'name_length'
memcpy(name, src, name_length);
```

If `name_length` is larger than 8, this overflows `name`, overwriting whatever sits after it in memory, potentially a saved return address.
You can simulate such unsafe behavior locally:

```c
#include <stdio.h>
#include <string.h>

// Deliberately unsafe: copies 'len' bytes into an 8-byte stack buffer
void vulnerable(const char* str, size_t len) {
    char buf[8];
    memcpy(buf, str, len); // No bounds checking!
    printf("Copied data: %.*s\n", (int)len, buf);
}

int main() {
    char exploit[] = "ABCDEFGH12345678EXPLOITCODE";
    // Overflow happens if len > 8
    vulnerable(exploit, 24);
    return 0;
}
```
Run it, and you’ll see it copies way more than the buffer can hold—this is the classic buffer overflow pattern.
## In the Real NTFS-3G Code
The CVE patch (see upstream fix) adds checks for field sizes when reading from the disk image. If you want to browse the actual code, check these files:
- attrib_list.c
- attr.c
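The kind of size check the upstream fix adds, shown here as an added illustration in C rather than NTFS-3G's own code: the record format (one length byte followed by that many name bytes), `NAME_MAX`, `parse_name_checked` and `check_record` are all constructed for this example. The parser rejects a length that exceeds the destination buffer (the overflow in this post) and, additionally, a length that exceeds the bytes actually present in the record (the matching over-read).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an on-disk metadata entry: one byte of name_length
 * followed by that many name bytes. This is not the real NTFS-3G layout. */
#define NAME_MAX 8
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_OVERSIZED = -2 };

/* Hardened parser: the attacker-controlled length is validated against both the
 * bytes actually present in the record and the destination size before memcpy
 * runs. `out` must have room for NAME_MAX + 1 bytes. */
int parse_name_checked(const uint8_t *rec, size_t rec_len, char *out)
{
    if (rec_len < 1)
        return PARSE_TRUNCATED;         /* no length byte at all */
    size_t name_length = rec[0];
    if (name_length > rec_len - 1)
        return PARSE_TRUNCATED;         /* claims more bytes than the record has */
    if (name_length > NAME_MAX)
        return PARSE_OVERSIZED;         /* would overflow the fixed buffer */
    memcpy(out, rec + 1, name_length);
    out[name_length] = '\0';
    return PARSE_OK;
}

/* Build a record whose length field says `claimed` while only `present` name
 * bytes follow it, then parse it. Returns the parser's verdict. */
int check_record(uint8_t claimed, size_t present)
{
    uint8_t rec[1 + 255];
    char name[NAME_MAX + 1];
    rec[0] = claimed;
    memset(rec + 1, 'A', present);
    return parse_name_checked(rec, 1 + present, name);
}

int main(void)
{
    /* Well-formed; the CVE pattern (length 24 into an 8-byte buffer);
       and a record that is shorter than its own length field claims. */
    printf("valid=%d oversized=%d truncated=%d\n",
           check_record(4, 4), check_record(24, 24), check_record(5, 2));
    return 0;
}
```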
## Hands-On: What Would a Real Attacker Do?
- Prepare an NTFS image: manually or using tools like libguestfs to craft NTFS structures with maliciously long fields.
- Deliver:
  - Locally, by enticing a user to mount a disk image (even as a normal user, if ntfs-3g is setuid root).

## Who Is at Risk?
- Linux desktops that auto-mount NTFS devices and have not updated ntfs-3g
- macOS Homebrew/MacPorts users with pre-Oct 2022 NTFS-3G installations
- Old servers/desktops with setuid ntfs-3g binaries lying around

## How to Protect Yourself
- Check your ntfs-3g version:

  ```sh
  ntfs-3g --version
  ```

  Anything before 2022.10.3 is vulnerable. If your distribution backports security fixes without bumping the version string, confirm against its own advisory as well.
- Update to 2022.10.3 or later:

  ```sh
  sudo apt update && sudo apt upgrade ntfs-3g   # or your distro's package manager
  ```
- Remove the setuid bit on ntfs-3g if you never use user-mounting:

  ```sh
  sudo chmod u-s /usr/bin/ntfs-3g
  ```
- Disable or restrict auto-mounting of external media in your desktop settings.
- For forensic/incident response: watch logs for unexpected mounts or root shells after USB insertions.
---
## Further Reading
- Original CVE report (NIST)
- NTFS-3G GitHub security advisory
- Upstream fix commit
- Full list of other ntfs-3g vulnerabilities
---
## TL;DR
CVE-2022-40284 reminds us: never trust data from external devices, especially when parsed as root!
Update your ntfs-3g, audit your setuid binaries, and keep auto-mount features in check.
Plug in wisely—your next flash drive might be packing more than vacation photos.
## Timeline
Published on: 11/06/2022 23:15:00 UTC
Last modified on: 11/22/2022 02:15:00 UTC