root escalation with fs.suid_dumpable=2
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Apport |
Fix Released
|
High
|
Martin Pitt | ||
| apport (Ubuntu) |
Fix Released
|
High
|
Martin Pitt | ||
| Precise |
Fix Released
|
Undecided
|
Unassigned | ||
| Trusty |
Fix Released
|
Undecided
|
Unassigned | ||
| Utopic |
Fix Released
|
Undecided
|
Unassigned | ||
| Vivid |
Fix Released
|
Undecided
|
Unassigned | ||
| Wily |
Fix Released
|
High
|
Martin Pitt | ||
Bug Description
Sander Bos discovered that Apport enabled a user to perform a root escalation since it now configures fs.suid_dumpable=2.
Here's a brief description of the issue:
1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r
2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d
3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does
I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the publication of this issue.
I have assigned CVE-2015-1324 to this issue.
We can either:
1- Disable fs.suid_dumpable=2
2- Stop creating core dump files when they are to be created as root
3- Create root-owned core dump files in a well-known location
----------------
Here is the original report from Sander Bos (now with the CVE number included):
OVERVIEW
--------
Date: 2015-05-05
Bug name: SCORE: Simple Coredump-Oriented Root Exploit
CVE: CVE-2015-1324
Author: Sander Bos
Author's e-mail address: sbos _at_ sbosnet _dot_ nl
SUMMARY
-------
I found a combination of vulnerabilities to lead to privilege escalation
(root exploitation) by local users in Ubuntu releases 12.04 up to and
including 15.04. Depending on configuration, remote exploitation might
be possible as well. Local exploitation can even be done as the local,
passwordless LightDM "Guest" account user on systems supporting it --
indeed: from anonymous guest user to root.
DESCRIPTION
-----------
The Apport package creates user core dumps in the crashed process'
CWD, and does so since Bazaar revision number 602 [1] / release 0.59.
This is okay, but not always: there is a flaw in the fact that Apport
also does this, as root, for tainted/protected binaries (setuid() and
friends, capabilities(7) enabled binaries, non-readable binaries) when
the sysctl(8)'s fs.suid_dumpable variable is set to 2 (see core(5)).
This means that users can create core dumps as root, in arbitrary
directories which are otherwise write-protected for those users.
In short: Apport should _not_ create user core dumps in the CWD in dump
mode 2 for such tainted binaries; it should either not make user core
dumps at all then, or if possible use a designated and safe directory
for that.
All Ubuntu releases starting with 12.04 have the Apport service enabled by
default [2] (and Ubuntu has Apport installed by default for much longer).
All Ubuntu releases starting with 12.04 (or patched that way after
their release) have sysctl(8)'s fs.suid_dumpable set to 2 by default,
through the Apport package; see bug #1194541, "Create core dumps for
setuid binaries", 2013-06-25 [3].
Along with solving that bug (that is, adding the "missing feature" of
setuid core dumps), the patch to that bug report actually created a root
exploit hole in the upcoming release 13.10, as well as being backported
into the at that time supported Ubuntu releases 12.04, 12.10 and 13.04.
The exact Apport package versions (with their Ubuntu releases) that were
"patched" to have fs.suid_dumpable set to "2" are:
2.0.1-0ubuntu17.4 (Ubuntu 12.04)
2.6.1-0ubuntu12 (Ubuntu 12.10)
2.9.2-0ubuntu8.3 (Ubuntu 13.04)
The value fs.suid_dumpable=2 remained in Ubuntu ever since. The exception
to this is the systemd Apport script in Ubuntu 15.04: the option setting
fs.suid_dumpable to "2" was forgotten to be enabled here, although in the
Upstart script in Ubuntu 15.04 the option is still enabled. I recently
contacted the Apport package maintainer to make sure the systemd script
will not enable the option, as that would enable the root hole in 15.04
with systemd (which is the default init system) as well. Please note:
15.04 with systemd being safe regarding this vulnerabilty has nothing
to do with systemd itself.
Please note that even though Ubuntu has the value of fs.suid_dumpable set
to 2 in releases 12.04 and later, Apport itself has been creating user
coredumps (to CWD, and also with fs.suid_dumpable=2) since Ubuntu 7.04,
which has Apport package release 0.76/0.76.1. Any system since Ubuntu
7.04 that has had fs.suid_dumpable set to 2, even though it wasn't
Ubuntu's default, has been exploitable. Thus, the proof of concept
attached will and should essentially work on any Ubuntu release starting
with 7.04; it was in fact tested and found to be working on 7.04 itself,
but later releases until 12.04 were not tested.
VULNERABLE RELEASES
-------------------
The proof of concept attached should work out of the box on (and is in
fact tested to work on most of them) all of the following releases:
12.04 LTS
12.04.1 LTS
12.04.2 LTS
12.04.3 LTS
12.04.4 LTS
12.04.5 LTS
12.10 (EOL)
13.04 (EOL)
13.10 (EOL)
14.04 LTS
14.04.1 LTS
14.04.2 LTS
14.10
15.04 (only with Upstart, not systemd)
Of all of the above releases all of the Server, Desktop and, where
available, Alternate editions are affected.
In other words: anything Ubuntu from the past three years is vulnerable,
out of the box.
All releases older than 12.04, starting with 7.04, are vulnerable as well
in the sense that they have installed Apport by default or otherwise
provide it as an installable package, being an Apport package which
creates user core dumps (in CWD, also with fs.suid_
those releases do not have the Apport service enabled by default, nor
do they have fs.suid_dumpable set to "2" by default.
OTHER OSes / DISTRIBUTIONS / UBUNTU VERSIONS / DERIVATIVES
-------
Any OS / distribution with an Apport version creating a user core
dump (meaning, the core dump created apart from the Apport report in
/var/crash) in CWD is vulnerable. If fs.suid_dumpable=2 is the default,
the OS is exploitable by default.
This may or may not include Ubuntu derivatives, forks and Ubuntu based
distributions like Ubuntu GNOME, Kubuntu, Ubuntu MATE, Ubuntu Studio,
Edubuntu, Lubuntu, Mythbuntu, Xubuntu, Linux Mint (the Ubuntu based
version), Peppermint, elementary OS, Bodhi Linux, BackBox, et cetera[5].
(As a quick test, at least BackBox 3.13 was found to be exploitable
by default.)
Further investigation will need to reveil what OSes / distributions /
Ubuntu versions and derivatives are vulnerable, and which aren't.
WORKAROUND
----------
Disable the Apport service.
PROPOSED IMMEDIATE, TEMPORARY FIX
-------
Disable suid_dumpable=2 in _all_ Ubuntu Apport packages; let it stay 0,
which is the kernel's default.
Thus, revert the damage done almost two years ago, e.g., by removing
the lines
echo 2 > /proc/sys/
and
echo 0 > /proc/sys/
from the debian/
Additionally, do _not_ enable fs.suid_dumpable=2 in the Apport systemd
scripts for Ubuntu until a proper solution is implemented.
PROPOSED LONG TERM FIX
-------
Apport should _never_ dump core to CWD with fs.suid_dumpable=2 for
tainted/protected binaries (just like the kernel does not do this
anymore[4]). If creating a user core dump at all, Apport should dump
it to a safe, dedicated directory.
Apport should use the kernel's "%d" kernel.core_pattern template specifier
(see core(5)), which will present the dumpable state of the crashed
process ("0", "1" or "2"). Please note though that the "%d" template
is only available in (upstream) kernels >=3.7.
REFERENCES
----------
[1] <http://
[2] <https:/
[3] <https:/
[4] <https:/
[5] <https:/
CREDITS
-------
The issue was found, analyzed, and reported to Ubuntu by Sander Bos,
along with a detailed explanation of the problem, proposed workarounds
and fixes, and an exploit proof of concept.
| Marc Deslauriers (mdeslaur) wrote | #1 |
| Martin Pitt (pitti) wrote | #2 |
| Changed in apport: | |
| status: | New → In Progress |
| importance: | Undecided → High |
| assignee: | nobody → Martin Pitt (pitti) |
| Martin Pitt (pitti) wrote | #3 |
| Changed in apport (Ubuntu Wily): | |
| status: | New → In Progress |
| importance: | Undecided → High |
| Martin Pitt (pitti) wrote | #4 |
| Martin Pitt (pitti) wrote | #5 |
| Marc Deslauriers (mdeslaur) wrote | #6 |
| Marc Deslauriers (mdeslaur) wrote | #7 |
| Martin Pitt (pitti) wrote | #8 |
| Martin Pitt (pitti) wrote | #9 |
| Martin Pitt (pitti) wrote | #10 |
| Martin Pitt (pitti) wrote | #11 |
| Martin Pitt (pitti) wrote | #12 |
| Marc Deslauriers (mdeslaur) wrote | #13 |
| description: | updated |
| Martin Pitt (pitti) wrote | #14 |
| Martin Pitt (pitti) wrote | #15 |
| Martin Pitt (pitti) wrote | #16 |
| Martin Pitt (pitti) wrote | #17 |
| Martin Pitt (pitti) wrote | #18 |
| Launchpad Janitor (janitor) wrote | #19 |
| Changed in apport (Ubuntu Utopic): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote | #20 |
| Changed in apport (Ubuntu Precise): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote | #21 |
| Changed in apport (Ubuntu Trusty): | |
| status: | New → Fix Released |
| Martin Pitt (pitti) wrote | #22 |
| Changed in apport (Ubuntu Wily): | |
| status: | In Progress → Fix Committed |
| Changed in apport: | |
| status: | In Progress → Fix Released |
| Changed in apport (Ubuntu Wily): | |
| assignee: | nobody → Martin Pitt (pitti) |
| Launchpad Janitor (janitor) wrote | #23 |
| Changed in apport (Ubuntu Vivid): | |
| status: | New → Fix Released |
| information type: | Private Security → Public Security |
| tags: | added: patch |
| Launchpad Janitor (janitor) wrote | #24 |
| Changed in apport (Ubuntu Wily): | |
| status: | Fix Committed → Fix Released |
| description: | updated |
| description: | updated |
| Carlos D. Gonzalez (cdgg-cali) wrote | #25 |
(The reporter has not confirmed my request for a CRD of 2015-05-12)