2021-10-22 04:07:21 |
hen |
bug |
|
|
added bug |
2021-10-22 04:07:21 |
hen |
attachment added |
|
PoC https://bugs.launchpad.net/bugs/1948376/+attachment/5535025/+files/apport.tar.gz |
|
2021-10-22 05:01:53 |
hen |
description |
Hello. I'm Muqing Liu @Singular Security Lab. I would like to report a vulnerability that leads to Privilege Escalation. I found this bug
An attacker can use this vulnerability to get a root shell if one of the following conditions is satisfied:
1. If nobody is allowed to run a command (e.g. ping) as root via sudo.
2. Or the `sendmail` package is installed on the system (it's possible but I have not tested it).
Here are the details:
Apport checks whether the pid was reused by checking whether the start time of the process is later than Apport's own:
# /usr/share/apport/apport
594 apport_start = get_apport_starttime()
595 process_start = get_process_starttime()
596 if process_start > apport_start:
597     error_log('process was replaced after Apport started, ignoring')
598     sys.exit(0)
But an attacker could reuse the pid just after apport launched. In such a case, get_apport_starttime() == get_process_starttime().
So an attacker can get a root shell under Condition 1 by following these steps.
1. Prepare a process X to crash, whose pid is A.
2. Repeatedly fork processes until the current pid reaches A - 2.
3. Make process X crash; apport will be launched by the kernel with pid A - 1. Then the attacker kills process X, so pid A is now available.
4. The attacker runs the command `sudo ping 8.8.8.8` with current directory /etc/logrotate.d/. A process running under root:root will re-occupy pid A.
5. Since the start times of sudo and apport are the same, line 596 is bypassed. Apport then drops a core file of process X in /etc/logrotate.d.
Sudo will execute sendmail to send an incident report if sendmail is installed, so an arbitrary user can run sudo to trigger sendmail at /etc/logrotate.d.
A PoC of Condition 1 is attached. |
Hello. I'm Muqing Liu @Singular Security Lab. I would like to report a vulnerability that leads to Privilege Escalation. I found this vulnerability together with neoni@Pangu Team.
An attacker can use this vulnerability to get a root shell if one of the following conditions is satisfied:
1. If nobody is allowed to run a command (e.g. ping) as root via sudo.
2. Or the `sendmail` package is installed on the system (it's possible but I have not tested it).
Here are the details:
Apport checks whether the pid was reused by checking whether the start time of the process is later than Apport's own:
# /usr/share/apport/apport
594 apport_start = get_apport_starttime()
595 process_start = get_process_starttime()
596 if process_start > apport_start:
597     error_log('process was replaced after Apport started, ignoring')
598     sys.exit(0)
But an attacker could reuse the pid just after apport launched. In such a case, get_apport_starttime() == get_process_starttime().
So an attacker can get a root shell under Condition 1 by following these steps.
1. Prepare a process X to crash, whose pid is A.
2. Repeatedly fork processes until the current pid reaches A - 2.
3. Make process X crash; apport will be launched by the kernel with pid A - 1. Then the attacker kills process X, so pid A is now available.
4. The attacker runs the command `sudo ping 8.8.8.8` with current directory /etc/logrotate.d/. A process running under root:root will re-occupy pid A.
5. Since the start times of sudo and apport are the same, line 596 is bypassed. Apport then drops a core file of process X in /etc/logrotate.d.
For Condition 2:
Sudo will execute sendmail to send an incident report if sendmail is installed, so an arbitrary user can run sudo to trigger sendmail at /etc/logrotate.d. I have not tested this case, but I think it's possible to win the race.
PoC of Condition 1 is attached. |
|
2021-10-22 19:52:20 |
Seth Arnold |
bug |
|
|
added subscriber Brian Murray |
2021-10-23 01:54:07 |
Seth Arnold |
cve linked |
|
2021-3899 |
|
2021-10-25 01:22:13 |
hen |
summary |
race condition in apport leads to Linux Privilege Escalation |
race condition in apport leads to Local Privilege Escalation |
|
2021-10-25 01:22:16 |
hen |
description |
Hello. I'm Muqing Liu @Singular Security Lab. I would like to report a vulnerability that leads to Local Privilege Escalation. I found this vulnerability together with neoni
An attacker can use this vulnerability to get a root shell if one of the following conditions is satisfied:
1. If nobody is allowed to run a command (e.g. ping) as root via sudo.
2. Or the `sendmail` package is installed on the system (it's possible but I have not tested it).
Here are the details:
Apport checks whether the pid was reused by checking whether the start time of the process is later than Apport's own:
# /usr/share/apport/apport
594 apport_start = get_apport_starttime()
595 process_start = get_process_starttime()
596 if process_start > apport_start:
597     error_log('process was replaced after Apport started, ignoring')
598     sys.exit(0)
But an attacker could reuse the pid just after apport launched. In such a case, get_apport_starttime() == get_process_starttime().
So an attacker can get a root shell under Condition 1 by following these steps.
1. Prepare a process X to crash, whose pid is A.
2. Repeatedly fork processes until the current pid reaches A - 2.
3. Make process X crash; apport will be launched by the kernel with pid A - 1. Then the attacker kills process X, so pid A is now available.
4. The attacker runs the command `sudo ping 8.8.8.8` with current directory /etc/logrotate.d/. A process running under root:root will re-occupy pid A.
5. Since the start times of sudo and apport are the same, line 596 is bypassed. Apport then drops a core file of process X in /etc/logrotate.d.
For Condition 2:
Sudo will execute sendmail to send an incident report if sendmail is installed, so an arbitrary user can run sudo to trigger sendmail at /etc/logrotate.d. I have not tested this case, but I think it's possible to win the race.
PoC of Condition 1 is attached. |
|
2021-10-25 01:38:50 |
hen |
description |
Hello. I'm Muqing Liu @Singular Security Lab. I would like to report a vulnerability that leads to Local Privilege Escalation. I found this vulnerability together with neoni
An attacker can use this vulnerability to get a root shell if one of the following conditions is satisfied:
1. If an unprivileged user (e.g. nobody) is allowed to run a command (e.g. ping) as root via sudo.
2. Or the `sendmail` package is installed on the system (it may be possible but I have not tested it).
Here are the details:
Apport checks whether the pid was reused by checking whether the start time of the process is later than Apport's own:
# /usr/share/apport/apport
594 apport_start = get_apport_starttime()
595 process_start = get_process_starttime()
596 if process_start > apport_start:
597     error_log('process was replaced after Apport started, ignoring')
598     sys.exit(0)
But an attacker could reuse the pid just after apport launched. In such a case, get_apport_starttime() == get_process_starttime().
So an attacker can get a root shell under Condition 1 by following these steps.
1. Prepare a process X to crash, whose pid is A.
2. Repeatedly fork processes until the current pid reaches A - 2.
3. Make process X crash; apport will be launched by the kernel with pid A - 1. Then the attacker kills process X, so pid A is now available.
4. The attacker runs the command `sudo ping 8.8.8.8` with current directory /etc/logrotate.d/. A process running under root:root will re-occupy pid A.
5. Since the start times of sudo and apport are the same, line 596 is bypassed. Apport then drops a core file of process X in /etc/logrotate.d.
For Condition 2:
Sudo will execute sendmail to send an incident report if sendmail is installed, so an arbitrary user can run sudo to trigger sendmail at /etc/logrotate.d. I have not tested this case, but I think it's possible to win the race.
PoC of Condition 1 is attached. |
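The start-time comparison the report quotes, as an added example that is not apport's code nor the reporter's PoC: it parses constructed /proc/<pid>/stat lines, reproduces the quoted check, and sets a stricter variant beside it (the stricter variant is an assumption of this example, not the project's released fix).

```python
# Added example, not apport's code: models the PID-reuse check quoted in the
# report (/usr/share/apport/apport lines 594-598) against /proc/<pid>/stat
# start times, and a stricter variant that also rejects equal start ticks.
# The stat lines below are constructed, not captured from a real system.

def starttime_from_stat(stat_line: str) -> int:
    """Return field 22 of /proc/<pid>/stat: start time in clock ticks after
    boot (CLK_TCK resolution, typically 10 ms, so two processes spawned in
    quick succession can share a value). The comm field (2) is in parentheses
    and may contain spaces, so parsing starts after the last ')'."""
    rest = stat_line[stat_line.rindex(")") + 2:].split()
    return int(rest[22 - 3])  # rest[0] is field 3 (state)

def vulnerable_check(process_start: int, apport_start: int) -> bool:
    """The check as quoted in the report: the crash is ignored only when the
    process started strictly after Apport, so equal ticks are accepted."""
    return not (process_start > apport_start)

def hardened_check(process_start: int, apport_start: int) -> bool:
    """Stricter variant (an assumption of this example, not the project's
    fix): the crashed process must predate Apport, so equal ticks, which a
    same-tick PID reuse produces, are rejected as well."""
    return process_start < apport_start

def make_stat_line(pid: int, comm: str, starttime: int) -> str:
    """Build a constructed /proc/<pid>/stat line with field 22 = starttime."""
    fields = [pid, f"({comm})", "R", 1, pid, pid, 0, -1, 4194560,
              100, 0, 0, 0, 2, 1, 0, 0, 20, 0, 1, 0, starttime, 12345678, 2048]
    return " ".join(str(f) for f in fields)

def accepts(check, process_stat: str, apport_stat: str) -> bool:
    """Apply a check to two stat lines: the pid Apport was handed by the
    kernel, and Apport's own process."""
    return check(starttime_from_stat(process_stat), starttime_from_stat(apport_stat))

if __name__ == "__main__":
    apport = make_stat_line(4241, "apport", 500)
    # The original crashed process started earlier: both checks accept it.
    victim = make_stat_line(4242, "crash me", 480)
    # Pid 4242 reused in the same tick Apport started: only the stricter
    # check rejects it, which is the gap the report describes.
    reused = make_stat_line(4242, "sudo", 500)
    for name, stat in (("victim", victim), ("reused", reused)):
        print(name, accepts(vulnerable_check, stat, apport),
              accepts(hardened_check, stat, apport))
```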
|
2022-02-04 17:57:04 |
Marc Deslauriers |
attachment added |
|
debdiff of current progress https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1948376/+attachment/5559185/+files/apport_2.20.11-0ubuntu72~test1.debdiff |
|
2022-05-10 18:21:13 |
Steve Beattie |
apport (Ubuntu): status |
New |
In Progress |
|
2022-05-18 12:41:47 |
Marc Deslauriers |
apport (Ubuntu): status |
In Progress |
Fix Released |
|
2022-05-18 12:42:18 |
Marc Deslauriers |
information type |
Private Security |
Public Security |
|
2022-05-18 18:45:00 |
Benjamin Drung |
bug task added |
|
apport |
|
2022-05-18 18:45:05 |
Benjamin Drung |
apport: milestone |
|
2.21.0 |
|
2022-05-18 18:45:07 |
Benjamin Drung |
apport: status |
New |
Fix Committed |
|
2022-06-09 15:38:33 |
Benjamin Drung |
apport: status |
Fix Committed |
Fix Released |
|
2022-06-09 15:41:05 |
Benjamin Drung |
apport: importance |
Undecided |
Medium |
|
2022-06-09 15:42:34 |
Benjamin Drung |
apport: importance |
Medium |
Critical |
|
2023-04-12 15:02:20 |
Benjamin Drung |
apport (Ubuntu): importance |
Undecided |
Critical |
|