sprovd binary enables local privilege escalation

Bug #2071574 reported by James Henstridge
Affects               Status        Importance  Assigned to       Milestone
provd (Ubuntu)        Fix Released  High        Matthew Hagemann
Noble                 Fix Released  High        Matthew Hagemann

Bug Description

The provd 0.1.2 package includes a setuid binary called sprovd that is executable by anyone:

    $ ls -l /usr/libexec/sprovd
    -rwsr-xr-x 1 root provd 2139560 Apr 11 13:48 /usr/libexec/sprovd

There are a few places where this binary executes subprocesses, looking up the executable via $PATH. For example:

    https://github.com/canonical/ubuntu-desktop-provision/blob/d4552766db6e210bd399d199930e2016bac1c7c0/provd/sprovd/sprovd.go#L62-L68

Unfortunately, it doesn't do anything to clean its environment. So the path is controlled by the caller and it can pick which executable gets run with elevated privileges.

The attached exploit script creates a fake "pro" executable that writes its user/group information to a file.

    $ sh exploit.sh
    $ ls -l /tmp/called-from-sprovd.txt
    -rw-rw-r-- 1 root james 144 Jul 1 09:05 /tmp/called-from-sprovd.txt
    $ cat /tmp/called-from-sprovd.txt
    uid=0(root) gid=1000(james) groups=1000(james),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),121(lpadmin),132(lxd),133(sambashare),136(libvirt)

This shows that my executable was called as root and could do anything else that root can do.
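The pattern James describes (a setuid helper resolving a command through the caller's $PATH and inheriting the caller's environment) and a hardened form, as an added Go example that is not provd's code: the command name "pro", the TrustedDirs list and the SafeEnv contents are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// The reported pattern, exec.Command("pro", ...), resolves "pro" through the
// caller-controlled $PATH and passes the caller's environment to a root process.
// A setuid helper must do neither; the assumed TrustedDirs and SafeEnv replace them.
var TrustedDirs = []string{"/usr/sbin", "/usr/bin", "/sbin", "/bin"}
var SafeEnv = []string{"PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LANG=C.UTF-8"}

// resolveTrusted finds a bare command name in dirs only, refusing names with
// path components and refusing group- or world-writable executables.
func resolveTrusted(name string, dirs []string) (string, error) {
	if filepath.Base(name) != name {
		return "", fmt.Errorf("bare command name required, got %q", name)
	}
	for _, d := range dirs {
		p := filepath.Join(d, name)
		fi, err := os.Stat(p)
		if err != nil || !fi.Mode().IsRegular() || fi.Mode().Perm()&0111 == 0 {
			continue // missing, not a regular file, or not executable
		}
		if fi.Mode().Perm()&022 != 0 {
			return "", fmt.Errorf("%s is group/world writable", p)
		}
		return p, nil
	}
	return "", fmt.Errorf("%q not found in trusted directories", name)
}

// PrivilegedCommand builds the exec.Cmd a setuid helper should use: an absolute
// path from trusted dirs and SafeEnv, ignoring $PATH and the caller's env.
func PrivilegedCommand(name string, dirs []string, args ...string) (*exec.Cmd, error) {
	p, err := resolveTrusted(name, dirs)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(p, args...)
	cmd.Env = SafeEnv
	return cmd, nil
}
```

The returned Cmd never consults $PATH, so a "pro" placed in a caller-controlled directory is not found, and the child starts with SafeEnv rather than whatever the unprivileged caller exported.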

CVE References

CVE-2024-6714

James Henstridge (jamesh) wrote:
description: updated
James Henstridge (jamesh) wrote:

The simplest mitigation for this would be to remove the world execute bit, so sprovd can only be run by members of the provd group. From what I can tell, this would work in the gnome-initial-setup user environment it is run in. The bug would still be present, but couldn't be exercised by regular users.

It'd be better to get rid of the need for a setuid binary altogether, though. A D-Bus system daemon using polkit auth might be a better approach, since the unprivileged caller won't be able to control the execution environment of the privileged helper.

Matthew Hagemann (matt-hagemann) wrote:

Thanks James. The plan is to move the Ubuntu Pro attach step into the first login experience so that we can drop this altogether.

Matthew Hagemann (matt-hagemann) wrote:

For 24.04, I'll provide a patch that removes the service this is associated with, dropping the vulnerability.

Luci Stanescu (lucistanescu) wrote:

Hi from Security Engineering team!

Would you like us to assign a CVE identifier for this vulnerability? This will allow all of us to track it, as well for our team to send out a security notice once the fix is released.

Luci Stanescu (lucistanescu) wrote (last edit):

Hi,

As confirmed with Matthew Hagemann earlier, please use CVE-2024-6714 to refer to this vulnerability, including in any private commit messages or release notes.

Additionally, we have assigned a CVSS of 8.8 (high) for this, with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Please let us know if you consider this incorrect.

Would I be right in thinking that the patch is going to land in the archive for both noble and oracular?

Finally, could you please give us a 48-72 hour heads-up before release, so that we can publish CVE details when the update lands?

Thank you!

Edited on 2024-07-19: refer to CVE-2024-6714, previously said CVE-2024-6713, which is incorrect.

Matthew Hagemann (matt-hagemann) wrote:

Hi Luci

We can publish to Oracular, but will need the ubuntu-security team support to push a security upload to noble. We don't have upload rights to that pocket.

We will ping when we are 48-72 hours out to co-ordinate the upload.

Luci Stanescu (lucistanescu) wrote:

Hi Matthew,

We have a private PPA that we use for this purpose and can give nominated people from your team temporary upload rights to it, during this vulnerability's coordination process. This will allow you to build and run autopkgtests for noble and the ubuntu-security team can then sponsor the upload by copying to the security pocket.

Do you have an estimated timeline for release at this point, by any chance?

Thanks!

Matthew Hagemann (matt-hagemann) wrote:

Hi Luci,

Ah, that's great! I've passed on a patched version to James Henstridge, who is happy, so from a timeline perspective I'd say give me a day to poke someone on Desktop for a final sign-off and we should be ready (I'll reply again when we are).

Changed in provd (Ubuntu):
assignee: nobody → Matthew Hagemann (matt-hagemann)
Luci Stanescu (lucistanescu) wrote:

Thanks, Matthew! Could you please let me know who I should give upload rights to in the private PPA, so I can get this set up for you?

Matthew Hagemann (matt-hagemann) wrote:

Hi Luci, Didier Roche-Tolomelli (didrocks).

Changed in provd (Ubuntu):
importance: Undecided → High
status: New → Fix Committed
Changed in provd (Ubuntu Noble):
assignee: nobody → Matthew Hagemann (matt-hagemann)
importance: Undecided → High
status: New → In Progress
Luci Stanescu (lucistanescu) wrote:

Hi, Matthew!

Unfortunately we made a typo when referring to the CVE ID - it's CVE-2024-6714, NOT CVE-2024-6713. Have you used the identifier anywhere (release notes, changelog, etc.), by any chance?

Matthew Hagemann (matt-hagemann) wrote:

Hi, Luci.

No, not yet. Currently only an internal / unreleased project within Desktop makes use of this package, so we haven't said anything public yet.

Matthew Hagemann (matt-hagemann) wrote:

The changelogs point to this LP bug, which is linked to the CVE (updated it now to CVE-2024-6714).

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package provd - 0.1.5

---------------
provd (0.1.5) oracular; urgency=medium

  * Remove Ubuntu Pro and Chmod services (LP: #2071574)

provd (0.1.4) noble; urgency=medium

  * Gnome-keyring now unlocked for wifi password prompt to appear during setup.

provd (0.1.3) noble; urgency=medium

  * Fixed a flaky test that failed occasionally on arm64.

 -- Matthew Gary Hagemann <email address hidden> Mon, 1 Jul 2024 14:23:46 +0200

Changed in provd (Ubuntu):
status: Fix Committed → Fix Released
Luci Stanescu (lucistanescu) wrote:

Hi, all.

We'll be publishing CVE details for this today.

Thanks!

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package provd - 0.1.2+24.04

---------------
provd (0.1.2+24.04) noble; urgency=medium

  * Remove Ubuntu Pro and Chmod services (LP: #2071574)

 -- Matthew Gary Hagemann <email address hidden> Thu, 18 Jul 2024 12:31:09 +0200

Changed in provd (Ubuntu Noble):
status: In Progress → Fix Released
Luci Stanescu (lucistanescu) wrote:

Hi all,

The USN was published. I'll make this bug report public 7 days from CVE detail publication.

Thanks!

information type: Private Security → Public Security