← Back to team overview

touch-packages team mailing list archive

[Bug 1452239] Re: root escalation with fs.suid_dumpable=2

 

** Description changed:

  Sander Bos discovered that Apport enabled a user to perform a root
  escalation since it now configures fs.suid_dumpable=2.
  
  Here's a brief description of the issue:
  1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r
- 2- The root-owned coredump will them be written in the CWD, which in the PoC is /etc/logrotate.d
+ 2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d
  3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does
  
  I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the
  publication of this issue.
  
  I have assigned CVE-2015-1324 to this issue.
  
  We can either:
  
  1- Disable fs.suid_dumpable=2
  2- Stop creating core dump files when they are to be created as root
  3- Create root-owned core dump files in a well-known location
  
  ----------------
  
  Here is the original report from Sander Bos (now with the CVE number
  included):
  
  OVERVIEW
  --------
  
  Date: 2015-05-05
  Bug name: SCORE: Simple Coredump-Oriented Root Exploit
  CVE: CVE-2015-1324
  Author: Sander Bos
  Author's e-mail address: sbos _at_ sbosnet _dot_ nl
- 
  
  SUMMARY
  -------
  
  I found a combination of vulnerabilities to lead to privilege escalation
  (root exploitation) by local users in Ubuntu releases 12.04 up to and
  including 15.04.  Depending on configuration, remote exploitation might
  be possible as well.  Local exploitation can even be done as the local,
  passwordless LightDM "Guest" account user on systems supporting it --
  indeed: from anonymous guest user to root.
- 
  
  DESCRIPTION
  -----------
  
  The Apport package creates user core dumps in the crashed process'
  CWD, and does so since Bazaar revision number 602 [1] / release 0.59.
  This is okay, but not always: there is a flaw in the fact that Apport
  also does this, as root, for tainted/protected binaries (setuid() and
  friends, capabilities(7) enabled binaries, non-readable binaries) when
  the sysctl(8)'s fs.suid_dumpable variable is set to 2 (see core(5)).
  This means that users can create core dumps as root, in arbitrary
  directories which are otherwise write-protected for those users.
  
  In short: Apport should _not_ create user core dumps in the CWD in dump
  mode 2 for such tainted binaries; it should either not make user core
  dumps at all then, or if possible use a designated and safe directory
  for that.
  
  All Ubuntu releases starting with 12.04 have the Apport service enabled by
  default [2] (and Ubuntu has Apport installed by default for much longer).
  
  All Ubuntu releases starting with 12.04 (or patched that way after
  their release) have sysctl(8)'s fs.suid_dumpable set to 2 by default,
  through the Apport package; see bug #1194541, "Create core dumps for
  setuid binaries", 2013-06-25 [3].
  
  Along with solving that bug (that is, adding the "missing feature" of
  setuid core dumps), the patch to that bug report actually created a root
  exploit hole in the upcoming release 13.10, as well as being backported
  into the at that time supported Ubuntu releases 12.04, 12.10 and 13.04.
  
  The exact Apport package versions (with their Ubuntu releases) that were
  "patched" to have fs.suid_dumpable set to "2"  are:
  
  2.0.1-0ubuntu17.4 (Ubuntu 12.04)
  2.6.1-0ubuntu12   (Ubuntu 12.10)
  2.9.2-0ubuntu8.3  (Ubuntu 13.04)
  
  The value fs.suid_dumpable=2 remained in Ubuntu ever since.  The exception
  to this is the systemd Apport script in Ubuntu 15.04: the option setting
  fs.suid_dumpable to "2" was forgotten to be enabled here, although in the
  Upstart script in Ubuntu 15.04 the option is still enabled.  I recently
  contacted the Apport package maintainer to make sure the systemd script
  will not enable the option, as that would enable the root hole in 15.04
  with systemd (which is the default init system) as well.  Please note:
  15.04 with systemd being safe regarding this vulnerabilty has nothing
  to do with systemd itself.
  
  Please note that even though Ubuntu has the value of fs.suid_dumpable set
  to 2 in releases 12.04 and later, Apport itself has been creating user
  coredumps (to CWD, and also with fs.suid_dumpable=2) since Ubuntu 7.04,
  which has Apport package release 0.76/0.76.1.  Any system since Ubuntu
  7.04 that has had fs.suid_dumpable set to 2, even though it wasn't
  Ubuntu's default, has been exploitable.  Thus, the proof of concept
  attached will and should essentially work on any Ubuntu release starting
  with 7.04; it was in fact tested and found to be working on 7.04 itself,
  but later releases until 12.04 were not tested.
- 
- 
  
  VULNERABLE RELEASES
  -------------------
  
  The proof of concept attached should work out of the box on (and is in
  fact tested to work on most of them) all of the following releases:
  
  12.04   LTS
  12.04.1 LTS
  12.04.2 LTS
  12.04.3 LTS
  12.04.4 LTS
  12.04.5 LTS
  12.10       (EOL)
  13.04       (EOL)
  13.10       (EOL)
  14.04   LTS
  14.04.1 LTS
  14.04.2 LTS
  14.10
  15.04       (only with Upstart, not systemd)
  
  Of all of the above releases all of the Server, Desktop and, where
  available, Alternate editions are affected.
  
  In other words: anything Ubuntu from the past three years is vulnerable,
  out of the box.
  
  All releases older than 12.04, starting with 7.04, are vulnerable as well
  in the sense that they have installed Apport by default or otherwise
  provide it as an installable package, being an Apport package which
  creates user core dumps (in CWD, also with fs.suid_dumpable=2); however,
  those releases do not have the Apport service enabled by default, nor
  do they have fs.suid_dumpable set to "2" by default.
  
- 
  OTHER OSes / DISTRIBUTIONS / UBUNTU VERSIONS / DERIVATIVES
  ----------------------------------------------------------
  
  Any OS / distribution with an Apport version creating a user core
  dump (meaning, the core dump created apart from the Apport report in
  /var/crash) in CWD is vulnerable.  If fs.suid_dumpable=2 is the default,
  the OS is exploitable by default.
  
  This may or may not include Ubuntu derivatives, forks and Ubuntu based
  distributions like Ubuntu GNOME, Kubuntu, Ubuntu MATE, Ubuntu Studio,
  Edubuntu, Lubuntu, Mythbuntu, Xubuntu, Linux Mint (the Ubuntu based
  version), Peppermint, elementary OS, Bodhi Linux, BackBox, et cetera[5].
  (As a quick test, at least BackBox 3.13 was found to be exploitable
  by default.)
  
  Further investigation will need to reveil what OSes / distributions /
  Ubuntu versions and derivatives are vulnerable, and which aren't.
  
- 
  WORKAROUND
  ----------
  
  Disable the Apport service.
  
- 
  PROPOSED IMMEDIATE, TEMPORARY FIX
  ---------------------------------
  
  Disable suid_dumpable=2 in _all_ Ubuntu Apport packages; let it stay 0,
  which is the kernel's default.
  
  Thus, revert the damage done almost two years ago, e.g., by removing
  the lines
  
-         echo 2 > /proc/sys/fs/suid_dumpable
+         echo 2 > /proc/sys/fs/suid_dumpable
  
  and
  
-         echo 0 > /proc/sys/fs/suid_dumpable
+         echo 0 > /proc/sys/fs/suid_dumpable
  
  from the debian/apport.upstart files.
  
  Additionally, do _not_ enable fs.suid_dumpable=2 in the Apport systemd
  scripts for Ubuntu until a proper solution is implemented.
- 
  
  PROPOSED LONG TERM FIX
  ----------------------
  
  Apport should _never_ dump core to CWD with fs.suid_dumpable=2 for
  tainted/protected binaries (just like the kernel does not do this
  anymore[4]).  If creating a user core dump at all, Apport should dump
  it to a safe, dedicated directory.
  
  Apport should use the kernel's "%d" kernel.core_pattern template specifier
  (see core(5)), which will present the dumpable state of the crashed
  process ("0", "1" or "2").  Please note though that the "%d" template
  is only available in (upstream) kernels >=3.7.
- 
  
  REFERENCES
  ----------
  
  [1] <http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/602>
  [2] <https://wiki.ubuntu.com/Apport#How_to_enable_apport>
  [3] <https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1194541>
  [4] <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9520628e8ceb69fa9a4aee6b57f22675d9e1b709>
  [5] <https://en.wikipedia.org/wiki/List_of_Ubuntu-based_distributions#Ubuntu-based>
  
- 
- 
  CREDITS
  -------
  
  The issue was found, analyzed, and reported to Ubuntu by Sander Bos,
  along with a detailed explanation of the problem, proposed workarounds
  and fixes, and an exploit proof of concept.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1452239

Title:
  root escalation with fs.suid_dumpable=2

Status in Apport crash detection/reporting:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Utopic:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport source package in Wily:
  Fix Released

Bug description:
  Sander Bos discovered that Apport enabled a user to perform a root
  escalation since it now configures fs.suid_dumpable=2.

  Here's a brief description of the issue:
  1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r
  2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d
  3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does

  I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the
  publication of this issue.

  I have assigned CVE-2015-1324 to this issue.

  We can either:

  1- Disable fs.suid_dumpable=2
  2- Stop creating core dump files when they are to be created as root
  3- Create root-owned core dump files in a well-known location

  ----------------

  Here is the original report from Sander Bos (now with the CVE number
  included):

  OVERVIEW
  --------

  Date: 2015-05-05
  Bug name: SCORE: Simple Coredump-Oriented Root Exploit
  CVE: CVE-2015-1324
  Author: Sander Bos
  Author's e-mail address: sbos _at_ sbosnet _dot_ nl

  SUMMARY
  -------

  I found a combination of vulnerabilities to lead to privilege escalation
  (root exploitation) by local users in Ubuntu releases 12.04 up to and
  including 15.04.  Depending on configuration, remote exploitation might
  be possible as well.  Local exploitation can even be done as the local,
  passwordless LightDM "Guest" account user on systems supporting it --
  indeed: from anonymous guest user to root.

  DESCRIPTION
  -----------

  The Apport package creates user core dumps in the crashed process'
  CWD, and does so since Bazaar revision number 602 [1] / release 0.59.
  This is okay, but not always: there is a flaw in the fact that Apport
  also does this, as root, for tainted/protected binaries (setuid() and
  friends, capabilities(7) enabled binaries, non-readable binaries) when
  the sysctl(8)'s fs.suid_dumpable variable is set to 2 (see core(5)).
  This means that users can create core dumps as root, in arbitrary
  directories which are otherwise write-protected for those users.

  In short: Apport should _not_ create user core dumps in the CWD in dump
  mode 2 for such tainted binaries; it should either not make user core
  dumps at all then, or if possible use a designated and safe directory
  for that.

  All Ubuntu releases starting with 12.04 have the Apport service enabled by
  default [2] (and Ubuntu has Apport installed by default for much longer).

  All Ubuntu releases starting with 12.04 (or patched that way after
  their release) have sysctl(8)'s fs.suid_dumpable set to 2 by default,
  through the Apport package; see bug #1194541, "Create core dumps for
  setuid binaries", 2013-06-25 [3].

  Along with solving that bug (that is, adding the "missing feature" of
  setuid core dumps), the patch to that bug report actually created a root
  exploit hole in the upcoming release 13.10, as well as being backported
  into the at that time supported Ubuntu releases 12.04, 12.10 and 13.04.

  The exact Apport package versions (with their Ubuntu releases) that were
  "patched" to have fs.suid_dumpable set to "2"  are:

  2.0.1-0ubuntu17.4 (Ubuntu 12.04)
  2.6.1-0ubuntu12   (Ubuntu 12.10)
  2.9.2-0ubuntu8.3  (Ubuntu 13.04)

  The value fs.suid_dumpable=2 remained in Ubuntu ever since.  The exception
  to this is the systemd Apport script in Ubuntu 15.04: the option setting
  fs.suid_dumpable to "2" was forgotten to be enabled here, although in the
  Upstart script in Ubuntu 15.04 the option is still enabled.  I recently
  contacted the Apport package maintainer to make sure the systemd script
  will not enable the option, as that would enable the root hole in 15.04
  with systemd (which is the default init system) as well.  Please note:
  15.04 with systemd being safe regarding this vulnerabilty has nothing
  to do with systemd itself.

  Please note that even though Ubuntu has the value of fs.suid_dumpable set
  to 2 in releases 12.04 and later, Apport itself has been creating user
  coredumps (to CWD, and also with fs.suid_dumpable=2) since Ubuntu 7.04,
  which has Apport package release 0.76/0.76.1.  Any system since Ubuntu
  7.04 that has had fs.suid_dumpable set to 2, even though it wasn't
  Ubuntu's default, has been exploitable.  Thus, the proof of concept
  attached will and should essentially work on any Ubuntu release starting
  with 7.04; it was in fact tested and found to be working on 7.04 itself,
  but later releases until 12.04 were not tested.

  VULNERABLE RELEASES
  -------------------

  The proof of concept attached should work out of the box on (and is in
  fact tested to work on most of them) all of the following releases:

  12.04   LTS
  12.04.1 LTS
  12.04.2 LTS
  12.04.3 LTS
  12.04.4 LTS
  12.04.5 LTS
  12.10       (EOL)
  13.04       (EOL)
  13.10       (EOL)
  14.04   LTS
  14.04.1 LTS
  14.04.2 LTS
  14.10
  15.04       (only with Upstart, not systemd)

  Of all of the above releases all of the Server, Desktop and, where
  available, Alternate editions are affected.

  In other words: anything Ubuntu from the past three years is vulnerable,
  out of the box.

  All releases older than 12.04, starting with 7.04, are vulnerable as well
  in the sense that they have installed Apport by default or otherwise
  provide it as an installable package, being an Apport package which
  creates user core dumps (in CWD, also with fs.suid_dumpable=2); however,
  those releases do not have the Apport service enabled by default, nor
  do they have fs.suid_dumpable set to "2" by default.

  OTHER OSes / DISTRIBUTIONS / UBUNTU VERSIONS / DERIVATIVES
  ----------------------------------------------------------

  Any OS / distribution with an Apport version creating a user core
  dump (meaning, the core dump created apart from the Apport report in
  /var/crash) in CWD is vulnerable.  If fs.suid_dumpable=2 is the default,
  the OS is exploitable by default.

  This may or may not include Ubuntu derivatives, forks and Ubuntu based
  distributions like Ubuntu GNOME, Kubuntu, Ubuntu MATE, Ubuntu Studio,
  Edubuntu, Lubuntu, Mythbuntu, Xubuntu, Linux Mint (the Ubuntu based
  version), Peppermint, elementary OS, Bodhi Linux, BackBox, et cetera[5].
  (As a quick test, at least BackBox 3.13 was found to be exploitable
  by default.)

  Further investigation will need to reveil what OSes / distributions /
  Ubuntu versions and derivatives are vulnerable, and which aren't.

  WORKAROUND
  ----------

  Disable the Apport service.

  PROPOSED IMMEDIATE, TEMPORARY FIX
  ---------------------------------

  Disable suid_dumpable=2 in _all_ Ubuntu Apport packages; let it stay 0,
  which is the kernel's default.

  Thus, revert the damage done almost two years ago, e.g., by removing
  the lines

          echo 2 > /proc/sys/fs/suid_dumpable

  and

          echo 0 > /proc/sys/fs/suid_dumpable

  from the debian/apport.upstart files.

  Additionally, do _not_ enable fs.suid_dumpable=2 in the Apport systemd
  scripts for Ubuntu until a proper solution is implemented.

  PROPOSED LONG TERM FIX
  ----------------------

  Apport should _never_ dump core to CWD with fs.suid_dumpable=2 for
  tainted/protected binaries (just like the kernel does not do this
  anymore[4]).  If creating a user core dump at all, Apport should dump
  it to a safe, dedicated directory.

  Apport should use the kernel's "%d" kernel.core_pattern template specifier
  (see core(5)), which will present the dumpable state of the crashed
  process ("0", "1" or "2").  Please note though that the "%d" template
  is only available in (upstream) kernels >=3.7.

  REFERENCES
  ----------

  [1] <http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/602>
  [2] <https://wiki.ubuntu.com/Apport#How_to_enable_apport>
  [3] <https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1194541>
  [4] <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9520628e8ceb69fa9a4aee6b57f22675d9e1b709>
  [5] <https://en.wikipedia.org/wiki/List_of_Ubuntu-based_distributions#Ubuntu-based>

  CREDITS
  -------

  The issue was found, analyzed, and reported to Ubuntu by Sander Bos,
  along with a detailed explanation of the problem, proposed workarounds
  and fixes, and an exploit proof of concept.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1452239/+subscriptions