Apport reads arbitrary files if ~/.config/apport/settings is a symlink

Bug #1830862 reported by kev
Affects          Status        Importance  Assigned to  Milestone
Apport           Fix Released  Critical    Unassigned
apport (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Dear Ubuntu Security Team,

I would like to report a local denial of service vulnerability in Apport. This issue is a variant of issue 1830858, but I believe it is less severe because I was only able to use it to trigger a denial of service. To trigger the bug:

mkdir -p ~/.config/apport
ln -s /dev/zero ~/.config/apport/settings
gcc segv.c -o segv
./segv

(I have tested these steps on an up-to-date Ubuntu 18.04.)

Apport will happily follow the symlink, even if it points to a file that requires root privileges to read. The reason why it is more difficult to exploit than issue 1830858 is that Apport will error out if the file is not formatted correctly. But if the symlink points to /dev/zero then Apport will keep reading until it uses all the system's memory, thereby DoS-ing the machine.

Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy

Thank you,

Kevin Backhouse

Semmle Security Research Team

Marc Deslauriers (mdeslaur) wrote:

Thanks for reporting this issue, and for the great description and reproducer. We will investigate it shortly and will assign a CVE number. Thanks!

Alex Murray (alexmurray) wrote:

Apport uses the Python ConfigParser (called configparser in Python 3) module to read this configuration file, so I wonder if this would be better reported upstream there instead? I personally feel this is not a vulnerability in Apport but perhaps it could be argued that it is one in Python instead?

kev (kbackhouse2000) wrote: Re: [Bug 1830862] Re: Apport reads arbitrary files if ~/.config/apport/settings is a symlink

Hi Alex,

Just to confirm that I have understood correctly: this bug is in code that
is not maintained by Ubuntu/Canonical. So would it be better if I report it
to them, or would you prefer to do it yourself? If I report it to them, are
you happy for me to share the poc that affects Apport?

Thanks,

Kev

On Fri, May 31, 2019, 07:11 Alex Murray <email address hidden> wrote:

> Apport uses the Python ConfigParser (called configparser in Python 3)
> module to read this configuration file, so I wonder if this would be
> better reported upstream there instead? I personally feel this is not a
> vulnerability in Apport but perhaps it could be argued that it is one in
> Python instead?

Alex Murray (alexmurray) wrote:

If you can report it to the Python project directly I think that would make most sense - regarding the poc, I assume this is not really apport specific - you could craft one for a trivial python program which tries to open a file via ConfigParser (which is actually a symlink to /dev/zero) to demonstrate the same issue?

kev (kbackhouse2000) wrote:

Hi Alex,

I reported it to <email address hidden>. To be honest though, I don't think it's going to look like a vulnerability to them. I have attached the poc that I sent them. It uses configparser to parse /dev/zero. Let's see what they say, but I think it's just going to be: "that's not a bug".

I also don't think we can blame configparser for following the symlink. I imagine it's quite common for config files to be symlinks to other locations.

I would recommend changing the code to use `read_file`, rather than `read`:

https://docs.python.org/3/library/configparser.html#configparser.ConfigParser.read_file

That will enable you to do validation on the file before you pass it to configparser.

Thanks,

Kev

Eduardo Barretto (ebarretto) wrote:

Hi Kev, out of curiosity, did you receive any feedback from Python?

kev (kbackhouse2000) wrote:

Hi Eduardo,

Their response was: "I'm not sure of your Security Threat Model. Why does the attacker have control over the filesystem, especially on the application configuration?".

So their perspective is that this is not a vulnerability in the Python library, and I agree with them.

My main concern is that you can get Apport to read an arbitrary file by replacing ~/.config/apport/settings with a symlink. I haven't been able to think of an interesting way to exploit that, but I think it would be better if it wasn't possible. So I would recommend dropping privileges before you open the file, like you have done here:

https://git.launchpad.net/ubuntu/+source/apport/tree/apport/report.py?h=applied/ubuntu/bionic-devel&id=20c98691144e843bf1ab8428603beedd34e993ad#n964

I notice that I forgot to send you a source location in my original report. Sorry about that. This is the source location where I think it would be a good idea to temporarily drop privileges:

https://git.launchpad.net/ubuntu/+source/apport/tree/apport/fileutils.py?h=applied/ubuntu/bionic-devel&id=20c98691144e843bf1ab8428603beedd34e993ad#n331

Thanks,

Kev
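
As an added example (not Apport's own code, nor Kevin's), here is how the two recommendations in this thread fit together in Python: temporarily switch to the crashing user's uid/gid for the open, as the eventual fix does, and validate the opened descriptor (no symlink, regular file, bounded size) before handing the bytes to configparser, rather than calling `read()` on a path. The `uid`/`gid` parameters, the 64 KiB cap, the exception type and the fixtures built by `demo()` are assumptions of this example; the bounded bytes go to `read_string`, which serves the same purpose as Kev's `read_file` suggestion (parse validated data, not a path).

```python
import configparser, errno, os, stat, tempfile

MAX_SETTINGS_BYTES = 64 * 1024  # constructed cap: a real settings file is a few lines

class UnsafeSettingsFile(Exception):
    """The settings file failed a safety check and is ignored."""

def read_user_settings(path, uid=None, gid=None):
    """Open the settings file as the crashing user, validate it, then parse it."""
    uid = os.getuid() if uid is None else uid   # crashing user's ids (assumed passed in)
    gid = os.getgid() if gid is None else gid
    was_root = os.geteuid() == 0
    if was_root:                                # temporarily drop privileges for the open
        os.setegid(gid)
        os.seteuid(uid)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as e:
        if e.errno == errno.ELOOP:              # O_NOFOLLOW refused a symlink (last component)
            raise UnsafeSettingsFile("%s is a symbolic link" % path) from e
        raise
    finally:
        if was_root:                            # regain root only after the open
            os.seteuid(0)
            os.setegid(0)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # rejects devices such as /dev/zero
            raise UnsafeSettingsFile("%s is not a regular file" % path)
        data = f.read(MAX_SETTINGS_BYTES + 1)       # bounded read: never slurps a huge file
    if len(data) > MAX_SETTINGS_BYTES:
        raise UnsafeSettingsFile("%s exceeds %d bytes" % (path, MAX_SETTINGS_BYTES))
    cp = configparser.ConfigParser()
    cp.read_string(data.decode("utf-8", "replace"), source=path)
    return cp

def demo():
    """Constructed fixtures: a valid settings file and a symlink to /dev/zero."""
    d = tempfile.mkdtemp()
    good, link = os.path.join(d, "settings"), os.path.join(d, "link")
    with open(good, "w") as f:
        f.write("[main]\nunpackaged=1\n")
    os.symlink("/dev/zero", link)
    out = {"good": read_user_settings(good).get("main", "unpackaged")}
    for name, p in (("link", link), ("devzero", "/dev/zero")):
        try:
            read_user_settings(p)
            out[name] = "accepted"
        except UnsafeSettingsFile as e:
            out[name] = str(e)
    return out
```

The privilege drop is the real protection (the kernel then enforces the user's own permissions on every path component); O_NOFOLLOW and the regular-file check are defence in depth against the /dev/zero case.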

Seth Arnold (seth-arnold) wrote:

Thanks Kev,

I've assigned CVE-2019-11481 for this issue. (There may be a case for splitting this to two CVEs, one for reading the config with root privileges, and one for reading an unbounded amount of data, but that feels like busywork. We can assign a second one later if we decide it will help address the issue.)

Brian -- is the apport configuration support used anywhere? This bug report was the first I heard of the feature. Do we need to keep it?

Thanks

Alex Murray (alexmurray) wrote:

Since this now has a CVE, and as per Kevin's original description, Semmle have a 90-day disclosure timeframe, we need to assign a CRD for this issue - we are now 77 days into this 90 day period - as such I propose the CRD to be at the 90-day deadline which would be 2019-08-27 - unless Semmle are happy to extend it further. Kevin can you confirm if this works for you? Also do you have a preferred time-of-day for the CRD?

kev (kbackhouse2000) wrote:

Hi Alex,

I am happy to extend the deadline. It's a low-severity issue.

Thanks,

Kev

kev (kbackhouse2000) wrote:

Hi Alex (and Brian),

To answer the question that you asked Brian: the apport configuration support does look useful to me, so I wouldn't get rid of it. It is useful for a developer who wants to get crash reports for a new application that they are developing. By default, Apport only generates crash reports for executables that live in an official directory, like /usr/bin/. But if the crashing application was started from a non-standard directory, like the user's home directory, then Apport doesn't create a report. But you can override that behavior by creating a file named ~/.config/apport/settings and putting the following contents in it:

[main]
unpackaged=1

Thanks,

Kev

Brian Murray (brian-murray) wrote: Re: [Bug 1830862] Re: Apport reads arbitrary files if ~/.config/apport/settings is a symlink

On Wed, Aug 14, 2019 at 06:03:54PM -0000, kev wrote:
> Hi Alex (and Brian),
>
> To answer the question that you asked Brian: the apport configuration
> support does look useful to me, so I wouldn't get rid of it. It is useful
> for a developer who wants to get crash reports for a new application
> that they are developing. By default, Apport only generates crash
> reports for executables that live in an official directory, like
> /usr/bin/. But if the crashing application was started from a non-
> standard directory, like the user's home directory, then Apport doesn't
> create a report. But you can override that behavior by creating a file
> named ~/.config/apport/settings and putting the following contents in
> it:
>
> [main]
> unpackaged=1

That is correct, even though the feature is not well advertised it may
still be useful for someone developing on Ubuntu.

--
Brian Murray

Alex Murray (alexmurray) wrote:

Hi Kevin - apologies for dropping this - this is now past the original CRD - would you prefer to extend it at this time?

kev (kbackhouse2000) wrote:

Hi Alex,

That's no problem. This is a low-severity bug.

Kev

Alex Murray (alexmurray) wrote:

Thanks Kev - Brian would you like to propose a new CRD?

Alex Murray (alexmurray) wrote:

Kevin - a quick update - we are planning to try and fix this issue along with the other issues you reported for Apport and so will plan to have a single CRD for all.

kev (kbackhouse2000) wrote:

A single CRD sounds good, thanks.

kev (kbackhouse2000) wrote:

Is this bug going to be fixed on 2019-10-29, at the same time as the other two?

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apport - 2.20.11-0ubuntu8.1

---------------
apport (2.20.11-0ubuntu8.1) eoan-security; urgency=medium

  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use file descriptor to reference to cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790

 -- Tiago Stürmer Daitx <email address hidden> Tue, 29 Oct 2019 05:23:08 +0000

Changed in apport (Ubuntu):
status: New → Fix Released

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apport - 2.20.1-0ubuntu2.20

---------------
apport (2.20.1-0ubuntu2.20) xenial-security; urgency=medium

  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use file descriptor to reference to cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790

 -- Tiago Stürmer Daitx <email address hidden> Tue, 29 Oct 2019 05:23:08 +0000

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apport - 2.20.9-0ubuntu7.8

---------------
apport (2.20.9-0ubuntu7.8) bionic-security; urgency=medium

  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use file descriptor to reference to cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790

 -- Tiago Stürmer Daitx <email address hidden> Tue, 29 Oct 2019 05:23:08 +0000

Alex Murray (alexmurray)
information type: Private Security → Public Security
tags: added: id-5db7d829ab21655404d94dff
Benjamin Drung (bdrung)
Changed in apport:
milestone: none → 2.21.0
importance: Undecided → Critical
status: New → Fix Released