[Bug 1839795] Re: PID recycling enables an unprivileged user to generate and read a crash report for a privileged process
Benjamin Drung
1839795 at bugs.launchpad.net
Mon Jun 27 10:27:22 UTC 2022
** Also affects: apport
Importance: Undecided
Status: New
** Changed in: apport
Status: New => Fix Released
** Changed in: apport
Importance: Undecided => Critical
** Changed in: apport
Milestone: None => 2.21.0
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1839795
Title:
PID recycling enables an unprivileged user to generate and read a
crash report for a privileged process
Status in Apport:
Fix Released
Status in apport package in Ubuntu:
Fix Released
Bug description:
Dear Ubuntu Security Team,
I would like to report a vulnerability in Apport, which enables an
unprivileged user to read important information about a privileged
process.
From an attacker's point of view, the main value of the vulnerability
is that it enables them to obtain the ASLR offsets for a privileged
process, provided that they have the ability to deliberately crash the
privileged process. This is very useful for an attacker if they have
discovered a memory corruption vulnerability in a privileged service.
It is often very difficult to obtain code execution from a memory
corruption vulnerability unless you have access to the ASLR offsets.
But it is usually very easy to trigger a crash by corrupting the
memory with random data. The vulnerability in Apport enables the
attacker to obtain the ASLR offsets for the service after it has
restarted due to an attacker-controlled crash.
I have attached an exploit proof of concept which demonstrates the
vulnerability on the whoopsie process. As you know, whoopsie has a
memory corruption vulnerability which is currently still unfixed:
1830865. The vulnerability in whoopsie is very difficult to exploit
without knowing the ASLR offsets. But it is easy for an unprivileged
user to cause whoopsie to crash. The PoC uses this to deliberately
crash whoopsie and obtain ASLR offsets for the new whoopsie after it
has been restarted automatically by systemd.
To run the PoC:
gunzip Apport_PoC.tar.gz
tar -xf Apport_PoC.tar
cd Apport_PoC/
make
./restart_whoopsie init 10
The PoC is slightly non-deterministic, so it might take several tries
before it succeeds. (It will print messages to tell you what is going
on while it is running.) When it succeeds, Apport will create a file
named something like this:
/var/crash/_usr_bin_whoopsie.1001.crash
If you run apport-unpack on that crash report then you will see that
it contains the ProcMaps file for the currently running whoopsie.
The source of the problem is here:
https://git.launchpad.net/ubuntu/+source/apport/tree/data/apport?h=applied/ubuntu/bionic-devel&id=20c98691144e843bf1ab8428603beedd34e993ad#n452
Apport determines which user the crashed process belongs to by reading
the contents of /proc/[pid]. But pids can get recycled. The exploit
works by pausing Apport while it is in the middle of generating a
crash report and then sending a SIGKILL to the crashed process so that
its pid gets recycled. When Apport resumes, it starts generating a
crash report for a new process which has been assigned the same pid as
the crashed process.
I am happy to help out if you would like to discuss what the best
solution is for this vulnerability. I have some ideas, but they might
be naive. This is a very tricky area of the code and I am sure that I
am not yet aware of all the subtle reasons why it is currently written
the way it is.
Please let me know when you have fixed the vulnerability, so that I
can coordinate my disclosure with yours. For reference, here is a link
to Semmle's vulnerability disclosure policy:
https://lgtm.com/security#disclosure_policy
Thank you,
Kevin Backhouse
Semmle Security Research Team
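The race the report describes, as an added example written for this page (it is not apport's code, not the fix that shipped in apport 2.21.0, and not the attached PoC). The `vulnerable_report` function below mirrors the pattern in the bug: it decides who owns the crash report from /proc/<pid>, time passes, and it then reads /proc/<pid>/maps by pid again, so a recycled pid hands it another process's memory map. The `hardened_report` function pins the process it started with in two ways: it opens a directory fd on /proc/<pid> up front and reads `maps` through that fd with openat (the proc directory inode is tied to the task that existed when it was opened, so the open fails with ENOENT once that task is gone, whatever process now holds the pid number), and it re-checks the (uid, starttime) pair from /proc/<pid>/stat, which identifies one process instance within a boot. It runs on Linux only; a sleeping python child stands in for whoopsie, the `pause` hook stands in for apport being stopped mid-report, and the example does not force actual pid reuse, it only shows the guard refusing once the original process is gone. All function names are the example's own.

```python
"""PID-recycling race in a crash handler, and one way to pin the process.

Added example for this bug report; not apport's code, not the fix in apport
2.21.0, not the attached PoC.  Linux only (reads /proc).  A python child is the
stand-in for whoopsie; `pause` stands in for apport being stopped mid-report.
"""
import os
import signal
import subprocess
import sys


def proc_identity(pid):
    """Return (real uid, starttime) for pid, or None if /proc/<pid> is gone.

    starttime is field 22 of /proc/<pid>/stat (clock ticks since boot).  Within
    one boot, (pid, starttime) names a single process instance: a recycled pid
    carries a different starttime, so the hardened path compares this pair.
    """
    try:
        with open(f"/proc/{pid}/status") as f:
            uid = next(int(l.split()[1]) for l in f if l.startswith("Uid:"))
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
    except (FileNotFoundError, ProcessLookupError):
        return None
    # comm (field 2) is parenthesised and may contain spaces or ')', so cut
    # after the last ')': field 3 (state) is then index 0, field 22 is index 19.
    fields = stat[stat.rindex(")") + 2:].split()
    return uid, int(fields[19])


def vulnerable_report(pid, pause=lambda: None):
    """The pattern the bug describes: ownership is decided from /proc/<pid>,
    time passes, then /proc/<pid>/maps is looked up by pid again.  If the pid
    was recycled in between, `maps` belongs to the new process while the
    report is still filed under the old owner's uid."""
    ident = proc_identity(pid)
    if ident is None:
        return None
    owner_uid, _ = ident
    pause()  # apport is stopped here in the PoC; the crashed process is killed
    with open(f"/proc/{pid}/maps") as f:  # pid-based lookup, no identity check
        return {"owner_uid": owner_uid, "maps": f.read()}


def hardened_report(pid, pause=lambda: None):
    """Same flow, but the directory fd opened on /proc/<pid> at the start is
    what every later read goes through, and (uid, starttime) is re-checked.
    Once the original task is gone, openat() through the fd fails with ENOENT
    even if the pid number has been handed to a new process."""
    ident = proc_identity(pid)
    if ident is None:
        return None
    dirfd = os.open(f"/proc/{pid}", os.O_RDONLY | os.O_DIRECTORY)
    try:
        pause()
        if proc_identity(pid) != ident:
            return None  # process exited or pid recycled: refuse to report
        fd = os.open("maps", os.O_RDONLY, dir_fd=dirfd)
        with os.fdopen(fd) as f:
            return {"owner_uid": ident[0], "maps": f.read()}
    except (FileNotFoundError, ProcessLookupError):
        return None  # task vanished between the check and the openat()
    finally:
        os.close(dirfd)


def spawn_victim():
    """Stand-in for whoopsie: a child of our own uid that just sleeps."""
    return subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])


def kill_and_reap(proc):
    """What the PoC does to the crashed process: SIGKILL it and let it be
    reaped, which returns the pid number to the pool for reuse."""
    proc.send_signal(signal.SIGKILL)
    proc.wait()


if __name__ == "__main__":
    live = spawn_victim()
    print("live process, hardened:", hardened_report(live.pid) is not None)
    gone = spawn_victim()
    print("killed mid-report, hardened:",
          hardened_report(gone.pid, pause=lambda: kill_and_reap(gone)))
    kill_and_reap(live)
```

The starttime comparison alone still has a window between the check and the read; the directory fd closes it, because the kernel resolves `maps` against the task the directory was opened for, not against the pid number.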