touch-packages team mailing list archive
Message #113860
[Bug 1492570] Re: /usr/share/apport/kernel_crashdump accesses files in insecure manner
** Changed in: apport (Ubuntu Precise)
Importance: Undecided => High
** Changed in: apport (Ubuntu Trusty)
Importance: Undecided => High
** Changed in: apport (Ubuntu Vivid)
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1492570
Title:
/usr/share/apport/kernel_crashdump accesses files in insecure manner
Status in Apport:
Fix Released
Status in apport package in Ubuntu:
Fix Released
Status in apport source package in Precise:
Fix Released
Status in apport source package in Trusty:
Fix Released
Status in apport source package in Vivid:
Fix Released
Status in apport source package in Wily:
Fix Released
Bug description:
On the Ubuntu Vivid Linux distribution, upstart or SysV init invokes the
program /usr/share/apport/kernel_crashdump at boot to prepare crash
dump files for sending. This action is performed with root privileges.
As the crash dump directory /var/crash/ is world-writable and
kernel_crashdump performs file access in an unsafe manner, any local user
may trigger a denial of service or escalate to root privileges. If
symlink and hardlink protection is enabled (which should be the
default on any modern system), only denial of service is possible.
The problematic syscalls in kernel_crashdump are:
open("/var/crash/linux-image-3.19.0-18-generic.0.crash", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE|O_CLOEXEC, 0666) = 30
...
open("/var/crash/vmcore.log", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 31
Thus the output file is opened unconditionally and without O_EXCL or
O_NOFOLLOW. Also, the input file is opened without regard to links.
By sym- or hardlinking from the predictable dump file name to
vmcore.log, kernel_crashdump will recursively include its own dump as
the logfile, thus filling the disk. This also works with symlink and
hardlink protection turned on.
By symlinking to other files (with symlink protection off), arbitrary
files can be overwritten to gain root privileges.
# lsb_release -rd
Description: Ubuntu 15.04
Release: 15.04
# apt-cache policy apport
apport:
Installed: 2.17.2-0ubuntu1.3
Candidate: 2.17.2-0ubuntu1.3
Version table:
*** 2.17.2-0ubuntu1.3 0
500 http://archive.ubuntu.com/ubuntu/ vivid-updates/main i386 Packages
100 /var/lib/dpkg/status
2.17.2-0ubuntu1.1 0
500 http://archive.ubuntu.com/ubuntu/ vivid-security/main i386 Packages
2.17.2-0ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ vivid/main i386 Packages
See http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/ for more information and follow the link on the bottom if you know what you are doing (user: InvitedOnly, pass: w0f63smR).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Anyone helping to fix, analyze, mitigate, the security issue at
http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/
to improve security is allowed to view and use this resource. It
may be passed on (including password) to other security engineers
under the same conditions at your own risk. Free circulation
of that resource is allowed as soon as password protection was
removed or when stated on the page itself.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlXqzOcACgkQxFmThv7tq+7GTwCgiwCkUqsB0qiwGIktUMIPqgXY
9bYAni2R8hAZVWWrtPZ+xsDgHGgWq2gL
=Y4E5
-----END PGP SIGNATURE-----
To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1492570/+subscriptions
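The two opens quoted in the report, side by side with a hardened version, as an added example (this is not apport's code, not the fix that shipped, and not the reporter's proof of concept). DUMP_NAME and LOG_NAME are the names from the strace; the writer functions, the report header, the sample log line and the temp directory standing in for /var/crash are assumptions made for the demo. The insecure writer reproduces the effect described above: once an unprivileged user has planted the predictable dump name as a sym- or hardlink to vmcore.log, the root process truncates the log through the link and reads its own report back as the "log". The hardened writer refuses both variants: O_CREAT|O_EXCL|O_NOFOLLOW on the output fails with EEXIST if anything already sits at the predictable name, and the input is fstat()ed through its descriptor and rejected unless it is a regular file with st_nlink == 1 owned by the expected uid.

```python
"""Insecure vs. hardened handling of a crash report in a world-writable
directory, modelled on the kernel_crashdump strace quoted in the report.

Added example, not apport's code. DUMP_NAME and LOG_NAME come from the report;
the writer functions, the report header and the sample log line are
assumptions for the demo. A temp directory stands in for /var/crash.
"""
import errno
import os
import stat
import tempfile

DUMP_NAME = "linux-image-3.19.0-18-generic.0.crash"  # predictable output name (from the report)
LOG_NAME = "vmcore.log"                                # log the script reads back (from the report)
REPORT_HEADER = "ProblemType: KernelCrash\n"           # constructed stand-in for the report body
SAMPLE_LOG = "kernel: Oops - constructed sample log line\n"  # constructed input


class UnsafeCrashFile(OSError):
    """The log failed the fstat() checks (wrong type, link count or owner)."""


def insecure_write_report(crash_dir):
    """Mirrors the two syscalls from the report: O_CREAT|O_TRUNC on the
    predictable name with neither O_EXCL nor O_NOFOLLOW, then a plain open()
    of the log. If DUMP_NAME was pre-planted as a sym- or hardlink to LOG_NAME,
    the first open truncates the log through the link and the script reads its
    own freshly written report back as the "log"."""
    out_fd = os.open(os.path.join(crash_dir, DUMP_NAME),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_CLOEXEC, 0o666)
    with os.fdopen(out_fd, "w") as out:
        out.write(REPORT_HEADER)
    with open(os.path.join(crash_dir, LOG_NAME)) as log:  # follows links, no checks
        return log.read()


def safe_write_report(crash_dir, expected_uid=None):
    """Hardened variant.

    Input: open with O_NOFOLLOW, fstat() the descriptor (not the path) and
    require a regular file with exactly one link owned by expected_uid, so a
    second link to the log (the hardlink variant) is refused.
    Output: O_CREAT|O_EXCL|O_NOFOLLOW with mode 0o600, so anything pre-planted
    at the predictable name makes the open fail (EEXIST) instead of being
    truncated or followed. Returns the report text that was written."""
    if expected_uid is None:
        expected_uid = os.getuid()  # a root service would pass 0 explicitly
    log_fd = os.open(os.path.join(crash_dir, LOG_NAME),
                     os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(log_fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != expected_uid:
            raise UnsafeCrashFile(errno.EPERM, "%s: not a single-link regular file owned by uid %d"
                                  % (LOG_NAME, expected_uid))
    except BaseException:
        os.close(log_fd)
        raise
    with os.fdopen(log_fd, "r") as log:
        report = REPORT_HEADER + log.read()
    out_fd = os.open(os.path.join(crash_dir, DUMP_NAME),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_CLOEXEC, 0o600)
    with os.fdopen(out_fd, "w") as out:
        out.write(report)
    return report


def plant_link(crash_dir, hard):
    """What any local user can do in a world-writable /var/crash: create the
    predictable report name ahead of time as a link to the log root will read."""
    target = os.path.join(crash_dir, LOG_NAME)
    planted = os.path.join(crash_dir, DUMP_NAME)
    (os.link if hard else os.symlink)(target, planted)


def run_scenario(writer, plant=None):
    """Run one writer in a fresh fake /var/crash; return the report text, or a
    'refused: ...' string saying why the hardened writer bailed out."""
    with tempfile.TemporaryDirectory() as crash_dir:
        with open(os.path.join(crash_dir, LOG_NAME), "w") as f:
            f.write(SAMPLE_LOG)
        if plant is not None:
            plant_link(crash_dir, hard=(plant == "hard"))
        try:
            return writer(crash_dir)
        except UnsafeCrashFile as e:
            return "refused: " + e.strerror
        except OSError as e:
            return "refused: " + errno.errorcode.get(e.errno, str(e))


def run_all():
    """All six cases: each writer against a clean dir, a planted symlink and a planted hardlink."""
    return {
        "insecure_clean": run_scenario(insecure_write_report),
        "insecure_symlink": run_scenario(insecure_write_report, "sym"),
        "insecure_hardlink": run_scenario(insecure_write_report, "hard"),
        "safe_clean": run_scenario(safe_write_report),
        "safe_symlink": run_scenario(safe_write_report, "sym"),
        "safe_hardlink": run_scenario(safe_write_report, "hard"),
    }


if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(f"{name:18} -> {outcome!r}")
```

Running it shows the insecure writer returning its own REPORT_HEADER as the log content in both planted cases (the original log line is gone, which is the truncate-through-the-link behaviour the report describes), while the hardened writer returns "refused: EEXIST" for the symlink and a link-count refusal for the hardlink. The kernel's fs.protected_symlinks and fs.protected_hardlinks sysctls mentioned in the report only cover the privilege-escalation path in sticky world-writable directories; the O_EXCL and fstat() checks are what stop the denial-of-service variant as well, and they do not depend on the directory's permissions.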