| 2020-06-05 04:31:29 |
Seong-Joong Kim |
bug |
|
|
added bug |
| 2020-06-05 04:31:29 |
Seong-Joong Kim |
attachment added |
|
unhandled_exception_poc.py https://bugs.launchpad.net/bugs/1882180/+attachment/5380526/+files/unhandled_exception_poc.py |
|
| 2020-06-19 06:17:35 |
Seong-Joong Kim |
description |
Hi,
I have found a security issue on whoopsie 0.2.69 and earlier.
## Vulnerability in whoopsie
- whoopsie 0.2.69 and earlier have a improper input validation vulnerability.
- A large amount of key-value pairs in crash report causes an exception of a type that was not handled properly in the parse_report() and leads an unexpected termination.
- An attacker can cause a denial of service (application crash) via a crafted .crash file.
## Basic
When a program has been crashed, Linux system tries to create a '.crash' file on '/var/crash/' directory with python script located in '/usr/share/apport/apport'.
The file contains a series of system crash information including core dump, syslog, stack trace, memory map info, etc.
A user is given read and write permission to the file.
After then, whoopsie parses key-value pairs in ‘.crash’ file and encodes it into binary json (bson) format.
Lastly, whoopsie forwards the data to a remotely connected Ubuntu error report system.
## Vulnerability
We have found an unhandled exception vulnerability when the amount of key-value pair(s) exceeds available memory space.
whoopsie measures the size of key and value respectively and allocates memory on the basis of the results directly.
Here, an allocator can fail to allocate the memory when it was a lack of space.
Unfortunately, whoopsie does not provide a proper error handling if it were above.
whoopsie can fail to trap exception on malformed crash file declaration and results in denial-of-service.
## Attack
1) Create a fake.crash file
unhandled_exception_poc.py script measures an available memory and generates a malicious crash file that contains a large amount of key-value pair that exceeds the available memory.
2) Trigger the whoopsie to read the fake.crash file
- Just create ‘fake.upload’ file by touch command.
3) Check the result
- It results in denial-of-service which allows all users to prevent crash handling.
Sincerely, |
Hi,
I have found a security issue on whoopsie 0.2.69 and earlier.
# Vulnerability description
In whoopsie 0.2.69 and earlier, there is a denial of service vulnerability in the parse_report function.
A crafted input, i.e., crash report located in '/var/crash/', will lead to a denial of service attack.
During the parsing of the crash report, the data length is not checked.
The value of data length can be directly controlled by an input file.
In the parse_report() function, the g_malloc or g_realloc is called based on data length.
If we set the value of data length close to the amount of system memory, it will cause the daemon process to terminate unexpectedly, hang the system, or trigger the OOM killer.
# PoC
Please check the below whoopsie_killer2.py
Sincerely, |
|
| 2020-06-19 06:19:41 |
Seong-Joong Kim |
attachment added |
|
whoopsie_killer2.py https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1882180/+attachment/5385201/+files/whoopsie_killer2.py |
|
| 2020-06-19 06:20:03 |
Seong-Joong Kim |
summary |
Denial of service due to uncaught exception on parse_report() |
DoS vulnerability: fail to allocate |
|
| 2020-07-06 15:14:43 |
Leonidas S. Barbosa |
whoopsie (Ubuntu): status |
New |
Confirmed |
|
| 2020-07-06 15:14:59 |
Leonidas S. Barbosa |
whoopsie (Ubuntu): assignee |
|
Alex Murray (alexmurray) |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
nominated for series |
|
Ubuntu Groovy |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
bug task added |
|
whoopsie (Ubuntu Groovy) |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
nominated for series |
|
Ubuntu Bionic |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
bug task added |
|
whoopsie (Ubuntu Bionic) |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
nominated for series |
|
Ubuntu Xenial |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
bug task added |
|
whoopsie (Ubuntu Xenial) |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
nominated for series |
|
Ubuntu Focal |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
bug task added |
|
whoopsie (Ubuntu Focal) |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
nominated for series |
|
Ubuntu Eoan |
|
| 2020-07-06 15:15:41 |
Leonidas S. Barbosa |
bug task added |
|
whoopsie (Ubuntu Eoan) |
|
| 2020-07-06 15:15:49 |
Leonidas S. Barbosa |
whoopsie (Ubuntu Xenial): status |
New |
Confirmed |
|
| 2020-07-06 15:15:59 |
Leonidas S. Barbosa |
whoopsie (Ubuntu Xenial): assignee |
|
Alex Murray (alexmurray) |
|
| 2020-07-06 15:16:07 |
Leonidas S. Barbosa |
whoopsie (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2020-07-06 15:16:19 |
Leonidas S. Barbosa |
whoopsie (Ubuntu Bionic): assignee |
|
Alex Murray (alexmurray) |
|
| 2020-07-06 15:29:13 |
Leonidas S. Barbosa |
whoopsie (Ubuntu Focal): status |
New |
Confirmed |
|
| 2020-07-06 15:29:24 |
Leonidas S. Barbosa |
whoopsie (Ubuntu Focal): assignee |
|
Alex Murray (alexmurray) |
|
| 2020-07-06 15:37:25 |
Leonidas S. Barbosa |
whoopsie (Ubuntu Eoan): status |
New |
Confirmed |
|
| 2020-07-06 15:37:38 |
Leonidas S. Barbosa |
whoopsie (Ubuntu Eoan): assignee |
|
Alex Murray (alexmurray) |
|
| 2020-07-09 12:43:04 |
Marc Deslauriers |
whoopsie (Ubuntu Xenial): assignee |
Alex Murray (alexmurray) |
Marc Deslauriers (mdeslaur) |
|
| 2020-07-09 12:43:08 |
Marc Deslauriers |
whoopsie (Ubuntu Bionic): assignee |
Alex Murray (alexmurray) |
Marc Deslauriers (mdeslaur) |
|
| 2020-07-09 12:43:10 |
Marc Deslauriers |
whoopsie (Ubuntu Eoan): assignee |
Alex Murray (alexmurray) |
Marc Deslauriers (mdeslaur) |
|
| 2020-07-09 12:43:12 |
Marc Deslauriers |
whoopsie (Ubuntu Focal): assignee |
Alex Murray (alexmurray) |
Marc Deslauriers (mdeslaur) |
|
| 2020-07-09 12:43:14 |
Marc Deslauriers |
whoopsie (Ubuntu Groovy): assignee |
Alex Murray (alexmurray) |
Marc Deslauriers (mdeslaur) |
|
| 2020-07-09 12:46:59 |
Marc Deslauriers |
information type |
Private Security |
Public Security |
|
| 2020-07-09 12:47:18 |
Marc Deslauriers |
cve linked |
|
2020-15570 |
|
| 2020-08-04 17:08:17 |
Launchpad Janitor |
whoopsie (Ubuntu Focal): status |
Confirmed |
Fix Released |
|
| 2020-08-04 17:08:17 |
Launchpad Janitor |
cve linked |
|
2020-11937 |
|
| 2020-08-04 17:08:17 |
Launchpad Janitor |
cve linked |
|
2020-12135 |
|
| 2020-08-04 17:08:20 |
Launchpad Janitor |
whoopsie (Ubuntu Xenial): status |
Confirmed |
Fix Released |
|
| 2020-08-04 17:18:23 |
Launchpad Janitor |
whoopsie (Ubuntu Bionic): status |
Confirmed |
Fix Released |
|
| 2020-08-07 16:15:19 |
Launchpad Janitor |
whoopsie (Ubuntu Groovy): status |
Confirmed |
Fix Released |
|
| 2020-08-18 17:04:34 |
Brian Murray |
whoopsie (Ubuntu Eoan): status |
Confirmed |
Won't Fix |
|
| 2021-01-22 21:20:49 |
Launchpad Janitor |
branch linked |
|
lp:whoopsie |
|
