touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #70058
[Bug 1438758] Re: User to root privilege escalation (ab)using the crash forwarding feature of apport
vivid update uploaded.
** Changed in: apport (Ubuntu Vivid)
Status: In Progress => Fix Committed
** Changed in: apport (Ubuntu Vivid)
Assignee: Martin Pitt (pitti) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1438758
Title:
User to root privilege escalation (ab)using the crash forwarding
feature of apport
Status in Apport crash detection/reporting:
Fix Released
Status in apport package in Ubuntu:
Fix Committed
Status in apport source package in Trusty:
Fix Released
Status in apport source package in Utopic:
Fix Released
Status in apport source package in Vivid:
Fix Committed
Status in apport package in Debian:
New
Bug description:
Back in Ubuntu 14.04, I introduced an apport feature that will have it
forward any crash to another apport running in the task's namespace
(in the case where the pid of the task in its namespace isn't equal to
that in the host namespace).
This feature simply checks for the presence of
/usr/share/apport/apport in the task's root directory. If it exists,
it will chroot and exec the script.
The problem is that as apport is a coredump handler triggered by the
kernel, it'll always run as real root, regardless of the crashed
task's owner and namespace.
This therefore allows an unprivileged user to craft a specific
filesystem structure, pivot_root to it, then crash a process inside
it, causing apport outside of the namespace to execute a script as
real root. By bind-mounting /proc from the host into that namespace,
the unprivileged user can then access any file on the host as real
root, causing the privilege escalation.
An exploit is attached to this bug. It's been confirmed to be runnable
as a nobody user on a regular Ubuntu system and to successfully read
any file on the host.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1438758/+subscriptions