Desktop setuid cores readable by non-privileged user
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Apport |
Fix Released
|
High
|
Martin Pitt | ||
apport (Arch Linux) |
New
|
Undecided
|
Unassigned | ||
apport (Debian) |
Fix Released
|
Unknown
|
|||
apport (Ubuntu) |
Fix Released
|
Medium
|
Martin Pitt | ||
Lucid |
Invalid
|
Low
|
Unassigned | ||
Precise |
Fix Released
|
Medium
|
Marc Deslauriers | ||
Quantal |
Fix Released
|
Medium
|
Marc Deslauriers | ||
Raring |
Fix Released
|
Medium
|
Marc Deslauriers | ||
Saucy |
Fix Released
|
Medium
|
Marc Deslauriers | ||
Trusty |
Fix Released
|
Medium
|
Martin Pitt |
Bug Description
Elsewhere I have been working on a sensitive information leak via core dump generated by gcore(1).
The sensitive information in question is read by a stock setuid root binary executed by a non-privileged user. On Ubuntu Desktop fs.suid_dumpable=2. Referencing https:/
2 - (suidsafe) - any binary which normally would not be dumped is dumped
anyway, but only if the "core_pattern" kernel sysctl is set to
either a pipe handler or a fully qualified path. (For more details
on this limitation, see CVE-2006-2451.) This mode is appropriate
when administrators are attempting to debug problems in a normal
environment, and either have a core dump pipe handler that knows
to treat privileged core dumps with care, or specific directory
defined for catching core dumps. If a core dump happens without
a pipe handler or fully qualifid path, a message will be emitted
to syslog warning about the lack of a correct setting.
NB "treat privileged core dumps with care".
On a stock Desktop 12.04 LTS install:
kernel.
apport dutifully dumps the core and this is readable (0660, user:user) by the invoking user, whereas it should be something like 0440, root:root. I believe this to be a bug in apport.
TRUNK FIX: http://
Backports for older releases available as attachments here.
CVE References
information type: | Private Security → Public Security |
tags: | added: patch |
Changed in apport (Ubuntu Trusty): | |
status: | Triaged → Fix Committed |
Changed in apport (Debian): | |
status: | Unknown → Confirmed |
Changed in apport (Debian): | |
status: | Confirmed → Fix Released |
Changed in apport: | |
assignee: | Martin Pitt (pitti) → kitty sanders (towncutie2233) |
Changed in apport: | |
assignee: | kitty sanders (towncutie2233) → Martin Pitt (pitti) |
information type: | Public Security → Public |
information type: | Public → Public Security |
Please find a minimal test case below (replaces ping(1) with a call to abort(3)). I've tried this on 3 desktops now and got different results each time (core perms combinations of martin: martin/ root:martin/ 640/660) but in all cases core was readable by the non-privileged user.
I also wanted to explicitly state that this is not a problem on Ubuntu Server 12.04, where fs.suid_dumpable=0.
martin@ desktop: ~/apport$ cat > foo.c
#include <stdlib.h>
int main(int argc, char *argv[]) desktop: ~/apport$ make foo desktop: ~/apport$ aptitude search iputils-ping desktop: ~/apport$ sudo mv /bin/ping /bin/ping.org desktop: ~/apport$ sudo cp ./foo /bin/ping desktop: ~/apport$ sudo chown root:root /bin/ping desktop: ~/apport$ sudo chmod 4755 /bin/ping desktop: ~/apport$ ls -l /bin/ping.org /bin/ping desktop: ~/apport$ ulimit -c unlimited desktop: ~/apport$ ./foo desktop: ~/apport$ ls -l core desktop: ~/apport$
{
abort();
}
^D
martin@
cc foo.c -o foo
martin@
i iputils-ping - Tools to test the reachability of network hosts
p iputils-ping:i386 - Tools to test the reachability of network hosts
martin@
martin@
martin@
martin@
martin@
-rwsr-xr-x. 1 root root 8376 Oct 21 10:13 /bin/ping
-rwsr-xr-x. 1 root root 35712 Nov 8 2011 /bin/ping.org
martin@
martin@
Aborted (core dumped)
martin@
-rw-r-----. 1 martin martin 233472 Oct 21 10:14 core
martin@