[Desktop-packages] [Bug 1507480] Re: Privilege escalation through Python module imports
This bug was fixed in the package apport - 2.19.2-0ubuntu1

---
apport (2.19.2-0ubuntu1) xenial; urgency=medium

  * New upstream release. Changes since previous snapshot:
    - SECURITY FIX: When determining the path of a Python module for a
      program like "python -m module_name", avoid actually importing and
      running the module; this could lead to local root privilege
      escalation. Thanks to Gabriel Campana for discovering this and the
      fix! (CVE-2015-1341, LP: #1507480)
    - test_backend_apt_dpkg.py: Reset internal apt caches between tests.
      Avoids random test failures due to leaking paths from previous test
      cases.
  * debian/control: Adjust Vcs-Bzr: for xenial branch.
  * debian/control: Drop obsolete XS-Testsuite: header.

 -- Martin Pitt  Tue, 27 Oct 2015 14:33:28 +0100

** Changed in: apport (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1507480

Title:
  Privilege escalation through Python module imports

Status in Apport: Fix Released
Status in apport package in Ubuntu: Fix Released
Status in apport source package in Precise: Fix Released
Status in apport source package in Trusty: Fix Released
Status in apport source package in Vivid: Fix Released
Status in apport source package in Wily: Fix Released
Status in apport source package in Xenial: Fix Released

Bug description:
  Gabriel Campana reported a security vulnerability in Apport:

  Summary
  =======

  A privilege escalation was discovered in apport.

  Details
  =======

  The command line of the process triggering the coredump is checked to
  determine if it's a script. If the interpreter is Python and the first
  argument is ``-m``, the method ``_python_module_path`` is called to find
  the path of the culprit module
  (``/usr/lib/python3/dist-packages/apport/report.py``)::

      @classmethod
      def _python_module_path(klass, module):
          '''Determine path of given Python module'''

          module = module.replace('/', '.')
          try:
              m = __import__(module)
              m
          except:
              return None
          [...]

  Any Python module in ``sys.path`` can be imported because the variable
  ``module`` is under control of the attacker. It should be noted that
  ``_python_module_path`` is called with euid=0, and apport relies on the
  process name to determine if the process is an interpreter. A crash of
  Python isn't required to reach this function: any process name starting
  with ``python`` and producing a core dump is enough.

  As an example, the following bash script triggers the bug::

      #!/bin/bash

      cat <<EOF > python.c
      int main(void) { *(int *)0 = 0; return 0; }
      EOF

      gcc -o python python.c
      ./python -m venv.__main__

  and results in the creation of a "lightweight virtual Python
  environment" in the root directory::

      $ ./lol.sh
      ./lol.sh: line 8: 7665 Segmentation fault (core dumped)
      $ ls -l / | head -4
      total 100
      drw-rw 5 root root 4096 Sep 29 16:09 7665
      drwxr-xr-x 2 root root 4096 Sep 29 05:41 bin
      drwxr-xr-x 3 root root 4096 Sep 29 06:20 boot

  Criticality
  ===========

  Importing an arbitrary module is a security issue because a few standard
  modules rely on files in the home directory associated with the uid of
  the dumped process. A fully working exploit has been written (targeting
  Python2 and Python3), giving an instant root shell to the attacker.
  While the exploitation is straightforward for Python2, a bit more work
  was required to find a suitable module for Python3.

  The vulnerability seems to be limited to Ubuntu Desktop because apport
  is disabled on Ubuntu Server.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1507480/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
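
The changelog describes the fix as "avoid actually importing and running the module". The following is an added example, not apport's patch and not part of the original messages: one way to resolve the file behind ``python -m <module>`` by walking the dotted name with ``importlib.machinery.PathFinder``, which only inspects the filesystem. The names ``module_path_no_import`` and ``demo`` are hypothetical, and the temporary package is constructed sample input.

```python
import importlib.machinery
import os
import sys
import tempfile


def module_path_no_import(module, search_path=None):
    """Locate the file behind `python -m <module>` without running its code.

    The dotted name is resolved one component at a time with PathFinder.
    importlib.util.find_spec() is avoided because it imports parent
    packages, which executes their __init__.py.
    """
    parts = module.replace('/', '.').split('.')
    if not all(p.isidentifier() for p in parts):
        return None                      # rejects '', '..', option-like input
    path = search_path                   # None means "search sys.path"
    spec = None
    for i in range(len(parts)):
        name = '.'.join(parts[:i + 1])
        spec = importlib.machinery.PathFinder.find_spec(name, path)
        if spec is None or spec.origin is None:
            return None                  # not found, or a namespace package
        if i < len(parts) - 1:
            if not spec.submodule_search_locations:
                return None              # parent is a module, not a package
            path = list(spec.submodule_search_locations)
    return spec.origin if spec.has_location else None


def demo():
    """Constructed sample: a package whose import would drop a marker file."""
    root = tempfile.mkdtemp()
    marker = os.path.join(root, 'imported.marker')
    pkg = os.path.join(root, 'demo_pkg')
    os.mkdir(pkg)
    side_effect = "open(%r, 'w').close()\n" % marker
    for name in ('__init__.py', '__main__.py'):
        with open(os.path.join(pkg, name), 'w') as f:
            f.write(side_effect)
    found = module_path_no_import('demo_pkg.__main__', [root])
    return found, os.path.exists(marker), 'demo_pkg' in sys.modules


if __name__ == '__main__':
    print(demo())
```

Built-in and frozen modules have no file for PathFinder to find, so the function returns None for them rather than a path.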
[Desktop-packages] [Bug 1507480] Re: Privilege escalation through Python module imports
Published new upstream release https://launchpad.net/apport/trunk/2.19.2
which includes the fix.

** Changed in: apport
       Status: In Progress => Fix Committed

** Changed in: apport
       Status: Fix Committed => Fix Released

Status in Apport: Fix Released
Status in apport package in Ubuntu: Fix Committed
Status in apport source package in Precise: Fix Released
Status in apport source package in Trusty: Fix Released
Status in apport source package in Vivid: Fix Released
Status in apport source package in Wily: Fix Released
Status in apport source package in Xenial: Fix Committed
[Desktop-packages] [Bug 1507480] Re: Privilege escalation through Python module imports
This bug was fixed in the package apport - 2.14.1-0ubuntu3.18

---
apport (2.14.1-0ubuntu3.18) trusty-security; urgency=medium

  * test_backend_apt_dpkg.py: Reset internal apt caches between tests.
    Avoids random test failures due to leaking paths from previous test
    cases.
  * SECURITY FIX: When determining the path of a Python module for a
    program like "python -m module_name", avoid actually importing and
    running the module; this could lead to local root privilege
    escalation. Thanks to Gabriel Campana for discovering this and the
    fix! (CVE-2015-1341, LP: #1507480)

 -- Martin Pitt  Thu, 22 Oct 2015 15:15:37 +0200

** Changed in: apport (Ubuntu Trusty)
       Status: In Progress => Fix Released

Status in Apport: In Progress
Status in apport package in Ubuntu: In Progress
Status in apport source package in Precise: Fix Released
Status in apport source package in Trusty: Fix Released
Status in apport source package in Vivid: Fix Released
Status in apport source package in Wily: Fix Released
Status in apport source package in Xenial: In Progress