Sander Bos discovered that Apport enabled a user to perform a root escalation since it now configures fs.suid_dumpable=2.
Here's a brief description of the issue:
1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r
2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d
3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does
I've requested a CRD of 2015-05-12 for the publication of this issue.
I have assigned CVE-2015-1324 to this issue.
We can either:
1- Disable fs.suid_dumpable=2
2- Stop creating core dump files when they are to be created as root
3- Create root-owned core dump files in a well-known location
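A host-side check for the core dump settings that the three options above revolve around, as an added example that is not part of the original report or of Apport. It reads the standard Linux sysctls fs.suid_dumpable and kernel.core_pattern; the risk classification (disabled, absolute path, pipe handler, CWD-relative) is my own assumption about what a defender would want flagged, and it cannot see where a pipe handler such as a crash reporter ultimately writes the file, which is where the issue described above lives.

```sh
# Added example (not from the bug report): classify a host's core dump configuration.
# Inputs are passed explicitly so the logic can be exercised offline; check_host
# feeds it the live values from /proc/sys.
#
# Return codes: 0 = suid dumps disabled, 1 = suid dumps enabled but written to a
# fixed location or handler, 2 = suid dumps enabled and written relative to the CWD.
assess_coredump_config() {
  suid_dumpable="$1"
  core_pattern="$2"

  # Where does the kernel send the dump? A leading '|' is a pipe to a handler
  # (the Apport case), a leading '/' is an absolute path, anything else is
  # relative to the crashing process's current working directory.
  case "$core_pattern" in
    \|*) sink="pipe" ;;
    /*)  sink="absolute path" ;;
    *)   sink="cwd" ;;
  esac

  if [ "$suid_dumpable" = "0" ]; then
    echo "ok: fs.suid_dumpable=0, privileged processes are not dumped"
    return 0
  fi

  if [ "$sink" = "cwd" ]; then
    echo "risk: fs.suid_dumpable=$suid_dumpable with CWD-relative core_pattern '$core_pattern'"
    return 2
  fi

  echo "warn: fs.suid_dumpable=$suid_dumpable, dumps go to $sink '$core_pattern'; verify the handler's output location"
  return 1
}

# Live check against the running kernel (Linux only).
check_host() {
  assess_coredump_config "$(cat /proc/sys/fs/suid_dumpable)" "$(cat /proc/sys/kernel/core_pattern)"
}
```

Run `check_host` on a box; a return code of 2 corresponds to option 1 above not being applied while dumps can still land in an attacker-chosen directory, and a 1 with a pipe sink means the handler itself (rather than the kernel) decides the write location, which is what options 2 and 3 address.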