[Bug 1948376] Re: race condition in apport lead to Local Privilege Escalation

Marc Deslauriers 1948376 at bugs.launchpad.net
Wed May 18 12:41:41 UTC 2022 

This was published here:

https://ubuntu.com/security/notices/USN-5427-1

Thanks!

** Changed in: apport (Ubuntu)
       Status: In Progress => Fix Released

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1948376

Title:
  race condition in apport lead to Local Privilege Escalation

Status in apport package in Ubuntu:
  Fix Released

Bug description:
  Hello. I'm Muqing Liu @Singurlar Security Lab. I would like to report
  a vulnerability that lead to Local Privilege Escalation. I found this
  vurlnebiltiy together with neoni

  An attacker can use this vulnerability to get a root shell, if one of the following conditions is satisfied:
  1. If an unprivilieged user ( e.g. nobody ) is allowed to run a command (e.g. ping) as root via sudo.
  2. Or `sendmail` package is installed on system (It's may possible but I have not tested.)

  Here is the detail:
  Apport will check if pid is reused, by check if the start time of the process is later than apport self:
    # /usr/share/apport/apport
    594     apport_start = get_apport_starttime()
    595     process_start = get_process_starttime()
    596     if process_start > apport_start:
    597         error_log('process was replaced after Apport started, ignoring')
    598         sys.exit(0)

  But an attacker could reused pid just after apport launched. In such
  case, get_apport_starttime() == get_process_starttime().

  So, an attacker can get root shell under Condition 1, by following steps.
  1. prepare a process X to crash, whose pid is A
  2. repeating fork process, until current pid reaches A - 2
  3. make process X crash, apport will be launched by kernel with pid A - 1. Then attacker kill process X, so pid A is now available.
  4. attacker run command `sudo ping 8.8.8.8` with current directory /etc/logrotate.d/. a process running under root:root will re-occupy pid A.
  5. Since the start time of sudo and apport are same, line 596 is by-passed. Apport then drop a core file of process X in /etc/logrotate.d

  For Condtion 2:
  Sudo will execute sendmail to send incident report if sendmail is installed. So arbitrary user can run sudo to trigger sendmail at /etc/logrotate.d. I have not tested this case, but I think it's possible to win the race.

  PoC of Condition 1 is attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1948376/+subscriptions

More information about the foundations-bugs mailing list