race condition in apport lead to Local Privilege Escalation
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Apport |
Fix Released
|
Critical
|
Unassigned | ||
apport (Ubuntu) |
Fix Released
|
Critical
|
Unassigned |
Bug Description
Hello. I'm Muqing Liu @Singurlar Security Lab. I would like to report a vulnerability that lead to Local Privilege Escalation. I found this vurlnebiltiy together with neoni
An attacker can use this vulnerability to get a root shell, if one of the following conditions is satisfied:
1. If an unprivilieged user ( e.g. nobody ) is allowed to run a command (e.g. ping) as root via sudo.
2. Or `sendmail` package is installed on system (It's may possible but I have not tested.)
Here is the detail:
Apport will check if pid is reused, by check if the start time of the process is later than apport self:
# /usr/share/
594 apport_start = get_apport_
595 process_start = get_process_
596 if process_start > apport_start:
597 error_log('process was replaced after Apport started, ignoring')
598 sys.exit(0)
But an attacker could reused pid just after apport launched. In such case, get_apport_
So, an attacker can get root shell under Condition 1, by following steps.
1. prepare a process X to crash, whose pid is A
2. repeating fork process, until current pid reaches A - 2
3. make process X crash, apport will be launched by kernel with pid A - 1. Then attacker kill process X, so pid A is now available.
4. attacker run command `sudo ping 8.8.8.8` with current directory /etc/logrotate.d/. a process running under root:root will re-occupy pid A.
5. Since the start time of sudo and apport are same, line 596 is by-passed. Apport then drop a core file of process X in /etc/logrotate.d
For Condtion 2:
Sudo will execute sendmail to send incident report if sendmail is installed. So arbitrary user can run sudo to trigger sendmail at /etc/logrotate.d. I have not tested this case, but I think it's possible to win the race.
PoC of Condition 1 is attached.
CVE References
description: | updated |
summary: |
- race condition in apport lead to Linux Privilege Escalation + race condition in apport lead to Local Privilege Escalation |
description: | updated |
description: | updated |
Changed in apport (Ubuntu): | |
status: | New → In Progress |
Changed in apport: | |
milestone: | none → 2.21.0 |
status: | New → Fix Committed |
Changed in apport: | |
status: | Fix Committed → Fix Released |
importance: | Undecided → Medium |
importance: | Medium → Critical |
Changed in apport (Ubuntu): | |
importance: | Undecided → Critical |
Hello Muqing Liu, thanks for the report; we'll investigate and get back to you shortly.
Thanks