** Changed in: apport
   Status: New => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1830858
Title: TOCTOU vulnerability in _get_ignore_dom (report.py)

Status in Apport: Fix Committed
Status in apport package in Ubuntu: Fix Released

Bug description:

Dear Ubuntu Security Team,

I would like to report a privilege escalation vulnerability in Apport. The vulnerability is a TOCTOU which enables me to trick Apport into reading any file on the system and including it in a crash report file.

I have attached a proof-of-concept which triggers the vulnerability. I have tested it on an up-to-date Ubuntu 18.04. Run it as follows:

  bunzip2 PoC.tar.bz2
  tar -xf PoC.tar
  cd PoC
  make
  ./gencrashreport /etc/shadow

At this point the following file has been created:

  /var/crash/_usr_share_apport_apport.0.crash

You can use the apport-unpack tool to decompress this file. If you look at the contents of the CoreDump file then you will see that it contains the contents of /etc/shadow (or whichever other file you passed on the command line of gencrashreport).

The bug has a couple of mitigations:

1. My PoC does not work if a file named /var/crash/.lock already exists and is owned by root. This file will only exist if Apport has previously generated a crash report. Based on an informal survey of my own 4 computers (yes - maybe I don't need that many), it usually does not exist (unless the computer is used for security research).

2. The generated crash report file, /var/crash/_usr_share_apport_apport.0.crash, is only readable by root and by the whoopsie user. It will be uploaded to daisy.ubuntu.com if you create a file named /var/crash/_usr_share_apport_apport.0.upload, but that is not a huge security concern because it wouldn't be of much benefit to an attacker. However, I have found some integer overflow vulnerabilities in whoopsie (which I will report separately). If those overflows can be exploited to gain code execution in whoopsie, then this will enable an attacker to read the contents of the crash report file.

To improve the effectiveness of the first mitigation, I would recommend that you make sure that /var/crash/.lock is created (and owned by root) by the Ubuntu installer and/or whoopsie when it starts up. It does not fix the root cause though, which I will describe next.

This is the source location of the TOCTOU vulnerability:

  https://git.launchpad.net/ubuntu/+source/apport/tree/apport/report.py?h=applied/ubuntu/bionic-devel&id=2fc8fb446c78e950d643bf49bb7d4a0dc3b05429#n962

Apport allows the user to place a file in their home directory named `~/.apport-ignore.xml`. The call to os.access() on line 962 is intended to check that this file belongs to the correct user. But on line 967, the file is read again using xml.dom.minidom.parse. This creates a window of opportunity for an attacker to replace the file with a symlink. The symlink does not need to point to a valid XML file, because there is a try-except around the call to the parser, so if the file is invalid then Apport just ignores it and continues. However, the contents of the file still end up in Apport's heap.

Here's a summary of how the PoC works:

1. Start a /bin/sleep and kill it with a SIGSEGV.
2. Apport starts up to generate a crash report for /bin/sleep.
3. Replace ~/.apport-ignore.xml with a symlink at exactly the right moment, so that Apport loads a forbidden file into memory.
4. Wait until Apport drops privileges so that we can kill it with a SIGTRAP.
5. A second Apport starts up to generate a crash report for the first Apport.
6. The second Apport writes out a crash report for the first, containing a copy of the forbidden file in the core dump.

Apport tries quite hard to not run recursively on itself, so I had to jump through a few hoops to make the PoC work:

1. Apport sets a lock on /var/crash/.lock, using lockf. But locks created by lockf are only "advisory". If I own the file, then I can replace it with a different file, thereby deactivating the lock.
   This is why my PoC only works if /var/crash/.lock doesn't already exist. I need to create it before Apport does, so that I can maintain ownership of it.

2. Apport has signal handlers for most of the core-generating signals, like SIGSEGV. But it doesn't have a handler for SIGTRAP, so that's what my PoC uses.

3. Apport is started with an RLIMIT_CORE value of 1, which is another recursion detection mechanism (see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/498525/comments/3). But it is possible for another process to change it to zero, using prlimit.

As I mentioned earlier, I have also found a few other vulnerabilities in whoopsie and Apport. I will file them as separate bugs and include a link to this issue.

Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy

Thank you,

Kevin Backhouse
Semmle Security Research Team
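The two file-system races the report relies on, the check-then-use on ~/.apport-ignore.xml and the replaceable lockf() lock on /var/crash/.lock, reduced to a runnable Python illustration. This is an added example, not code from the bug report or from Apport: the loader functions, the `between` hook standing in for the race window, the temporary directory standing in for the home directory and the same-uid file standing in for /etc/shadow are all constructed here. The hardened loader shows one standard fix (open once with O_NOFOLLOW, then fstat() the descriptor and check file type and owner); it is not a claim about the exact patch Apport shipped. Linux is assumed (O_NOFOLLOW, fork(), fcntl.lockf).

```python
import fcntl
import os
import stat
import tempfile
import xml.dom.minidom

# Constructed stand-ins: a benign ignore file, and a file the loader must never
# read (the report uses /etc/shadow; here it is a same-uid file in a temp dir).
IGNORE_XML = b'<apport><ignore program="/bin/sleep"/></apport>'
SECRET = b'root:$6$notreal$xxxxxxxx:18000:0:99999:7:::\n'


def load_ignore_vulnerable(path, between=None):
    """Check-then-use by name: os.access() on PATH, then open() looks PATH up
    again.  `between` stands in for the window in which the attacker acts."""
    # access(2) answers with the real uid, for the name; not for what is opened later
    if not os.access(path, os.R_OK):
        return None
    if between:
        between()
    try:
        with open(path, "rb") as f:          # second lookup, follows symlinks
            data = f.read()
    except OSError:
        return None
    try:
        xml.dom.minidom.parseString(data)
    except Exception:
        pass                 # bad XML is ignored, but `data` is already in memory
    return data


def load_ignore_hardened(path, expected_uid=None, between=None):
    """Open once with O_NOFOLLOW, then check the open descriptor with fstat().
    A symlink is refused, and a later rename cannot change which inode we read."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError:                          # ELOOP for a symlink, ENOENT, ...
        return None
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            return None
        if between:
            between()                        # too late: we already hold the inode
        return f.read()


def replace_with_symlink(path, target):
    """Attacker step: atomically replace the name PATH with a symlink to TARGET."""
    tmp = path + ".tmp"
    os.symlink(target, tmp)
    os.rename(tmp, path)


def toctou_demo():
    """Run both loaders against the same mid-window swap; return what each read."""
    with tempfile.TemporaryDirectory() as home:
        ignore = os.path.join(home, ".apport-ignore.xml")
        secret = os.path.join(home, "shadow")
        with open(secret, "wb") as f:
            f.write(SECRET)
        swap = lambda: replace_with_symlink(ignore, secret)
        results = {}
        for name, loader in (("vulnerable", load_ignore_vulnerable),
                             ("hardened", load_ignore_hardened)):
            if os.path.lexists(ignore):
                os.remove(ignore)
            with open(ignore, "wb") as f:
                f.write(IGNORE_XML)
            results[name] = loader(ignore, between=swap)
        results["hardened_on_symlink"] = load_ignore_hardened(ignore)  # name is a symlink now
        return results


def lock_demo():
    """lockf() locks are advisory and belong to an inode, not a name: hold the lock,
    rename a fresh file over the name, and see if a forked second process gets it."""
    def second_process_gets_lock(lockpath, swap):
        fd = os.open(lockpath, os.O_WRONLY | os.O_CREAT, 0o600)
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        if swap:
            fresh = lockpath + ".new"
            os.close(os.open(fresh, os.O_WRONLY | os.O_CREAT, 0o600))
            os.rename(fresh, lockpath)       # same name, different inode
        pid = os.fork()
        if pid == 0:                         # stands in for the second apport
            try:
                fcntl.lockf(os.open(lockpath, os.O_WRONLY), fcntl.LOCK_EX | fcntl.LOCK_NB)
                os._exit(0)
            except OSError:
                os._exit(1)
        _, status = os.waitpid(pid, 0)
        os.close(fd)                         # releases our lock
        return os.WEXITSTATUS(status) == 0   # True means the exclusion was defeated
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".lock")
        return {"intact": second_process_gets_lock(path, False),
                "after_swap": second_process_gets_lock(path, True)}


if __name__ == "__main__":
    print(toctou_demo())
    print(lock_demo())
```

Run it directly to print both result dictionaries. The ownership check in the hardened loader cannot be exercised against a real root-owned file without privileges, so the demonstration leans on O_NOFOLLOW and on reading from the already-open descriptor. The advisory lock is defeated only because the lock file's owner can re-point the name at a new inode, which is exactly why the report recommends having root create /var/crash/.lock before any unprivileged user can.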