TOCTTOU ("time of check to time of use") "cwd" variable race condition

Bug #1839413 reported by Alex Murray on 2019-08-08
270
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Apport
High
Unassigned
apport (Ubuntu)
High
Unassigned

Bug Description

Author: Sander Bos, <https://www.sbosnet.nl/>

Date: 2019-07-30

In data/apport, Apport reads out the current working directory of a
crashed process in get_pid_info() and puts it into the "cwd" variable:

     83 cwd = os.readlink('/proc/' + pid + '/cwd')

Later, this variable gets used in calls to write_user_coredump() for
writing the core dump file:

    181 core_path = os.path.join(cwd, 'core')

The time between setting the "cwd" variable and using the variable forms
a TOCTTOU issue, and can be abused by a user to create a core dump file
in a different directory than the actual current working directory of
the crashed process (being Apport's intended destination directory for
the core dump file). This can for example be abused replacing (any path
component of) the directory to which "cwd" points with a FUSE bindfs(1)
or similar file system mount point, or by a symbolic link to an arbitrary
(and potentially root owned) directory.

Moreover, when using FUSE, basically "anything" could be put behind the
"mount point" leading to various potential exploitation scenarios, e.g.,
an indefinite sleep() would lead to (some form of) DoS for Apport.

Proposed fix: if possible, use a file descriptor for handling "cwd".

Changed in apport (Ubuntu):
importance: Undecided → High
Changed in apport:
importance: Undecided → High
Alex Murray (alexmurray) wrote :

CVE-2019-11482 has been assigned for this issue.

Tiago Stürmer Daitx (tdaitx) wrote :

Alex and Seth, please review the proposed patch and let me know if it looks sane enough.

I believe the patch also fixes bug #1839414, but I'm no expert in this and I found few references to such issues - I would appreciate any pointers if the solution does not help bug #1839414.

The patch is for Eoan, if it is deemed correct I will upload further debdiffs for the other releases.

Tiago Stürmer Daitx (tdaitx) wrote :

Uploading debdiff for eoan with an improved changelog entry.

Changed in apport (Ubuntu):
assignee: nobody → Canonical Security Team (canonical-security)
Alex Murray (alexmurray) on 2019-09-19
Changed in apport (Ubuntu):
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)
Alex Murray (alexmurray) wrote :

Patch looks good from a security point-of-view and appears to resolve the vulnerability. I assume it has been tested to be functional and doesn't introduce any regressions.

Changed in apport (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody

Writing through cwd should be perfectly safe so long as the write is done
through the magiclink itself (/proc/PID/cwd) as that points to the process
cwd regardless of later changes to the mount table.

The problem which needs fixing is that apport is dereferencing that path
and then using the dereferenced path. That bypasses the magiclink and is
therefore susceptible to the attacks you described

Stéphane

On Sun., Sep. 29, 2019, 4:41 p.m. Launchpad Bug Tracker, <
<email address hidden>> wrote:

> *** This bug is a security vulnerability ***
>
> You have been subscribed to a private security bug by Alex Murray
> (alexmurray):
>
> Author: Sander Bos, <https://www.sbosnet.nl/>
>
> Date: 2019-07-30
>
>
> In data/apport, Apport reads out the current working directory of a
> crashed process in get_pid_info() and puts it into the "cwd" variable:
>
> 83 cwd = os.readlink('/proc/' + pid + '/cwd')
>
> Later, this variable gets used in calls to write_user_coredump() for
> writing the core dump file:
>
> 181 core_path = os.path.join(cwd, 'core')
>
> The time between setting the "cwd" variable and using the variable forms
> a TOCTTOU issue, and can be abused by a user to create a core dump file
> in a different directory than the actual current working directory of
> the crashed process (being Apport's intended destination directory for
> the core dump file). This can for example be abused replacing (any path
> component of) the directory to which "cwd" points with a FUSE bindfs(1)
> or similar file system mount point, or by a symbolic link to an arbitrary
> (and potentially root owned) directory.
>
> Moreover, when using FUSE, basically "anything" could be put behind the
> "mount point" leading to various potential exploitation scenarios, e.g.,
> an indefinite sleep() would lead to (some form of) DoS for Apport.
>
> Proposed fix: if possible, use a file descriptor for handling "cwd".
>
> ** Affects: apport
> Importance: High
> Status: New
>
> ** Affects: apport (Ubuntu)
> Importance: High
> Status: New
>
> --
> TOCTTOU ("time of check to time of use") "cwd" variable race condition
> https://bugs.launchpad.net/bugs/1839413
> You received this bug notification because you are subscribed to the bug
> report.
> Launchpad-Notification-Type: bug
> Launchpad-Bug: product=apport; status=New; importance=High; assignee=None;
> Launchpad-Bug: distribution=ubuntu; sourcepackage=apport; component=main;
> status=New; importance=High; assignee=None;
> Launchpad-Bug-Information-Type: Private Security
> Launchpad-Bug-Private: yes
> Launchpad-Bug-Security-Vulnerability: yes
> Launchpad-Bug-Commenters: alexmurray tdaitx
> Launchpad-Bug-Reporter: Alex Murray (alexmurray)
> Launchpad-Message-Rationale: Subscriber
> Launchpad-Message-For: stgraber
>

Alex Murray (alexmurray) wrote :

A CRD has been confirmed for this issue - Tuesday next week - 2019/10/29

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.1-0ubuntu2.20

---------------
apport (2.20.1-0ubuntu2.20) xenial-security; urgency=medium

  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use file descriptor to reference to cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790

 -- Tiago Stürmer Daitx <email address hidden> Tue, 29 Oct 2019 05:23:08 +0000

Changed in apport (Ubuntu):
status: New → Fix Released
Alex Murray (alexmurray) on 2019-10-30
information type: Private Security → Public Security
tags: added: id-5d640ed806b8601dd0ea00ab
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers