Hello. I'm Muqing Liu @Singurlar Security Lab. I would like to report a vulnerability that lead to Local Privilege Escalation. I found this vurlnebiltiy together with neoni
An attacker can use this vulnerability to get a root shell, if one of the following conditions is satisfied:
1. If an unprivilieged user ( e.g. nobody ) is allowed to run a command (e.g. ping) as root via sudo.
2. Or `sendmail` package is installed on system (It's may possible but I have not tested.)
Here is the detail:
Apport will check if pid is reused, by check if the start time of the process is later than apport self:
# /usr/share/apport/apport
594 apport_start = get_apport_starttime()
595 process_start = get_process_starttime()
596 if process_start > apport_start:
597 error_log('process was replaced after Apport started, ignoring')
598 sys.exit(0)
But an attacker could reused pid just after apport launched. In such case, get_apport_starttime() == get_process_starttime().
So, an attacker can get root shell under Condition 1, by following steps.
1. prepare a process X to crash, whose pid is A
2. repeating fork process, until current pid reaches A - 2
3. make process X crash, apport will be launched by kernel with pid A - 1. Then attacker kill process X, so pid A is now available.
4. attacker run command `sudo ping 8.8.8.8` with current directory /etc/logrotate.d/. a process running under root:root will re-occupy pid A.
5. Since the start time of sudo and apport are same, line 596 is by-passed. Apport then drop a core file of process X in /etc/logrotate.d
For Condtion 2:
Sudo will execute sendmail to send incident report if sendmail is installed. So arbitrary user can run sudo to trigger sendmail at /etc/logrotate.d. I have not tested this case, but I think it's possible to win the race.
PoC of Condition 1 is attached.
Hello Muqing Liu, thanks for the report; we'll investigate and get back to you shortly.
Thanks