[Desktop-packages] [Bug 1438758] Re: User to root privilege escalation (ab)using the crash forwarding feature of apport
This was fixed in the upload of apport 2.17.3-1 to Debian Experimental

** Changed in: apport (Debian)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1438758

Title:
  User to root privilege escalation (ab)using the crash forwarding feature of apport

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Utopic:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport package in Debian:
  Fix Released

Bug description:
  Back in Ubuntu 14.04, I introduced an apport feature that will have it
  forward any crash to another apport running in the task's namespace (in
  the case where the pid of the task in its namespace isn't equal to that
  in the host namespace).

  This feature simply checks for the presence of /usr/share/apport/apport
  in the task's root directory. If it exists, it will chroot and exec the
  script.

  The problem is that as apport is a coredump handler triggered by the
  kernel, it'll always run as real root, regardless of the crashed task's
  owner and namespace.

  This therefore allows an unprivileged user to craft a specific filesystem
  structure, pivot_root to it, then crash a process inside it, causing
  apport outside of the namespace to execute a script as real root.

  By bind-mounting /proc from the host into that namespace, the
  unprivileged user can then access any file on the host as real root,
  causing the privilege escalation.

  An exploit is attached to this bug. It's been confirmed to be runnable as
  a nobody user on a regular Ubuntu system and to successfully read any
  file on the host.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1438758/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
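The decision the report describes, modelled as an added example (this is not apport's code, not the bug's attached exploit, and not the fix that shipped in 2.17.1): the vulnerable check asks only whether the file exists inside the crashed task's root, while a hypothetical hardened check walks the same path with host-side ownership and mode. All function names are assumptions, and a temporary directory stands in for /proc/<pid>/root; the fake roots are constructed in the script.

```python
import os
import shutil
import stat
import tempfile

# Path apport probes for inside the crashed task's root (from the bug report).
APPORT_REL = "usr/share/apport/apport"


def vulnerable_should_forward(task_root):
    """Decision as the bug describes it: forward (chroot + exec, as real root)
    whenever the script exists inside the task's root.  After pivot_root that
    root is attacker-controlled, so mere existence proves nothing."""
    return os.path.exists(os.path.join(task_root, APPORT_REL))


def _trusted(st, trusted_uid):
    """A path component is trusted only if it is not a symlink, is owned by
    trusted_uid as seen from the host, and is neither group- nor world-writable."""
    if stat.S_ISLNK(st.st_mode):
        return False
    if st.st_uid != trusted_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def hardened_should_forward(task_root, trusted_uid=0):
    """Hypothetical hardening (assumption, not apport's shipped fix): walk from
    the task's root down to the target, judging every component with host-side
    uids and modes.  Files an unprivileged user creates inside a user namespace
    look like uid 0 only from inside; from the host they carry the user's real
    uid and therefore fail the ownership test."""
    try:
        # task_root stands in for /proc/<pid>/root, a magic link: stat follows it.
        if not _trusted(os.stat(task_root), trusted_uid):
            return False
        path = task_root
        for comp in APPORT_REL.split("/"):
            path = os.path.join(path, comp)
            st = os.lstat(path)          # lstat: a symlink here is rejected
            if not _trusted(st, trusted_uid):
                return False
        return stat.S_ISREG(st.st_mode)  # target must be a plain file
    except OSError:                      # missing root or component: never forward
        return False


def build_fake_root(file_mode=0o755, final_is_symlink=False):
    """Constructed stand-in for the crafted root the attacker pivot_roots into.
    Everything in it is owned by the current user, exactly as the host would
    see an unprivileged user's namespace tree."""
    root = tempfile.mkdtemp(prefix="fake-root-")
    d = root
    for comp in os.path.dirname(APPORT_REL).split("/"):
        d = os.path.join(d, comp)
        os.mkdir(d)
        os.chmod(d, 0o755)
    target = os.path.join(root, APPORT_REL)
    if final_is_symlink:
        os.symlink(root, target)          # exists, but is not a regular file
    else:
        with open(target, "w") as f:
            f.write("#!/bin/sh\n# constructed stand-in for the attacker's script\n")
        os.chmod(target, file_mode)
    return root


def run_demo():
    """Exercise both checks on constructed roots.  The current uid is passed as
    the trusted owner so the outcome is the same whether or not this runs as
    root; the last case exercises the ownership test itself."""
    me = os.getuid()
    roots = {
        "clean":          build_fake_root(),
        "world_writable": build_fake_root(file_mode=0o777),
        "symlink":        build_fake_root(final_is_symlink=True),
    }
    try:
        results = {name: (vulnerable_should_forward(r), hardened_should_forward(r, me))
                   for name, r in roots.items()}
        results["missing"] = (vulnerable_should_forward("/nonexistent-root"),
                              hardened_should_forward("/nonexistent-root", me))
        # Same clean tree, but the trusted owner is someone else: rejected.
        results["wrong_owner"] = hardened_should_forward(roots["clean"], me + 1)
        return results
    finally:
        for r in roots.values():
            shutil.rmtree(r)


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15} vulnerable/hardened -> {outcome}")
```

The point of the contrast is what the vulnerable check never asked: who owns the tree it is about to chroot into and execute from. Ownership and mode of the path alone are still not a complete defence against this attacker, since a mount namespace lets an unprivileged user bind-mount genuine root-owned host directories into a crafted root without write access to them (the report's bind-mount of the host's /proc is the same mechanism), so a real handler needs the released fix rather than this check.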
[Desktop-packages] [Bug 1438758] Re: User to root privilege escalation (ab)using the crash forwarding feature of apport
This bug was fixed in the package apport - 2.17.1-0ubuntu1

---
apport (2.17.1-0ubuntu1) vivid; urgency=medium

  * New upstream bug fix release:
    - SECURITY UPDATE: Fix root privilege escalation through crash forwarding
      to containers. Version 2.13 introduced forwarding a crash to a
      container's apport. By crafting a specific file system structure,
      entering it as a namespace ("container"), and crashing something in it,
      a local user could access arbitrary files on the host system with root
      privileges. Thanks to Stéphane Graber for discovering and fixing this!
      (CVE-2015-1318, LP: #1438758)
    - apport-kde tests: Fix imports to make tests work again.
    - Fix UnicodeDecodeError on parsing non-ASCII environment variables.
    - apport: use the proper pid when calling apport in another PID namespace.
      Thanks Brian Murray. (LP: #1300235)

 -- Martin Pitt  Tue, 14 Apr 2015 09:10:17 -0500

** Changed in: apport (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

Status in Apport crash detection/reporting:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Utopic:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport package in Debian:
  New
[Desktop-packages] [Bug 1438758] Re: User to root privilege escalation (ab)using the crash forwarding feature of apport
New upstream release containing this fix:
https://launchpad.net/apport/trunk/2.17.1

Ritesh, you can go ahead with the Debian update now.

** Changed in: apport
       Status: Fix Committed => Fix Released

** Changed in: apport (Ubuntu Vivid)
       Status: Triaged => In Progress

** Changed in: apport (Ubuntu Vivid)
     Assignee: (unassigned) => Martin Pitt (pitti)

Status in Apport crash detection/reporting:
  Fix Released
Status in apport package in Ubuntu:
  In Progress
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Utopic:
  Fix Released
Status in apport source package in Vivid:
  In Progress
Status in apport package in Debian:
  New
[Desktop-packages] [Bug 1438758] Re: User to root privilege escalation (ab)using the crash forwarding feature of apport
** Changed in: apport (Ubuntu Trusty)
       Status: Triaged => Fix Released

** Changed in: apport (Ubuntu Utopic)
       Status: Triaged => Fix Released

Status in Apport crash detection/reporting:
  Fix Released
Status in apport package in Ubuntu:
  In Progress
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Utopic:
  Fix Released
Status in apport source package in Vivid:
  In Progress
Status in apport package in Debian:
  New