Elsewhere I have been working on a sensitive information leak via core dump generated by gcore(1).
The sensitive information in question is read by a stock setuid root binary executed by a non-privileged user. On Ubuntu Desktop fs.suid_dumpable=2. Referencing https://www.kernel.org/doc/Documentation/sysctl/fs.txt:
2 - (suidsafe) - any binary which normally would not be dumped is dumped
anyway, but only if the "core_pattern" kernel sysctl is set to
either a pipe handler or a fully qualified path. (For more details
on this limitation, see CVE-2006-2451.) This mode is appropriate
when administrators are attempting to debug problems in a normal
environment, and either have a core dump pipe handler that knows
to treat privileged core dumps with care, or specific directory
defined for catching core dumps. If a core dump happens without
a pipe handler or fully qualified path, a message will be emitted
to syslog warning about the lack of a correct setting.
NB "treat privileged core dumps with care".
On a stock Desktop 12.04 LTS install:
kernel.core_pattern = |/usr/share/apport/apport %p %s %c
apport dutifully dumps the core and this is readable (0660, user:user) by the invoking user, whereas it should be something like 0440, root:root. I believe this to be a bug in apport.
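The following shell script is an added example, not part of the post above and not code from apport or the kernel. It encodes the fs.suid_dumpable rules quoted from fs.txt as a small classifier (so an administrator can see which branch a given suid_dumpable/core_pattern pair falls into), and checks whether a core file with a given owner, group and mode is readable by the user who invoked the setuid binary. The function names are invented for the example; it assumes the invoking user's primary group has the same name as the user (the Ubuntu default), and the live check at the bottom is skipped where /proc/sys is not readable.

```sh
#!/bin/sh
# Added example; not part of the original post, apport or the kernel.
# Encodes the suid_dumpable rules from Documentation/sysctl/fs.txt and
# checks whether a resulting core file is readable by the invoking user.

# Print how the kernel treats a core dump from a setuid binary.
#   $1  fs.suid_dumpable        $2  kernel.core_pattern
suid_core_handling() {
  case $1 in
    0) echo not-dumped ;;                # default: setuid processes are never dumped
    1) echo dumped-no-restriction ;;     # debug: dumped as the process owner, no protection
    2)
      case $2 in
        '|'*) echo dumped-pipe ;;        # pipe handler (apport here) receives the dump
        /*)   echo dumped-abspath ;;     # fully qualified path: written to a fixed directory
        *)    echo not-dumped-warn ;;    # neither: kernel refuses the dump and warns via syslog
      esac ;;
    *) echo unknown ;;
  esac
}

# Return 0 if the invoking user can read a core file with this owner/group/mode.
#   $1 owner   $2 group   $3 mode (octal, e.g. 0660)   $4 invoking user
# Assumption: the user's primary group carries the same name as the user.
dump_readable_by() {
  owner=$1; group=$2; mode=$(( 0$3 )); user=$4
  if [ "$owner" = "$user" ] && [ $(( mode & 0400 )) -ne 0 ]; then return 0; fi
  if [ "$group" = "$user" ] && [ $(( mode & 0040 )) -ne 0 ]; then return 0; fi
  [ $(( mode & 0004 )) -ne 0 ]                      # world-readable
}

# Report the live settings when run on a real system (skipped where /proc/sys is absent).
if [ -r /proc/sys/fs/suid_dumpable ] && [ -r /proc/sys/kernel/core_pattern ]; then
  sd=$(cat /proc/sys/fs/suid_dumpable)
  cp=$(cat /proc/sys/kernel/core_pattern)
  echo "fs.suid_dumpable=$sd kernel.core_pattern=$cp -> $(suid_core_handling "$sd" "$cp")"
fi

# The case from the post: a 0660 user:user core file is readable by its
# invoker, while 0440 root:root would not be.
if dump_readable_by user user 0660 user; then
  echo "0660 user:user: readable by the invoking user (leak)"
fi
if ! dump_readable_by root root 0440 user; then
  echo "0440 root:root: not readable by the invoking user"
fi
```

Run it with `sh` on the box in question: the first line of output tells you which fs.txt branch applies (with the 12.04 core_pattern above it is the pipe-handler branch, so protecting the dump is entirely up to the handler), and `dump_readable_by` can be pointed at whatever `stat -c '%U %G %a'` reports for a file under /var/crash.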