** Description changed: Sander Bos discovered that Apport enabled a user to perform a root escalation since it now configures fs.suid_dumpable=2. Here's a brief description of the issue: 1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r - 2- The root-owned coredump will them be written in the CWD, which in the PoC is /etc/logrotate.d + 2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d 3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the publication of this issue. I have assigned CVE-2015-1324 to this issue. We can either: 1- Disable fs.suid_dumpable=2 2- Stop creating core dump files when they are to be created as root 3- Create root-owned core dump files in a well-known location ---------------- Here is the original report from Sander Bos (now with the CVE number included): OVERVIEW -------- Date: 2015-05-05 Bug name: SCORE: Simple Coredump-Oriented Root Exploit CVE: CVE-2015-1324 Author: Sander Bos Author's e-mail address: sbos _at_ sbosnet _dot_ nl - SUMMARY ------- I found a combination of vulnerabilities to lead to privilege escalation (root exploitation) by local users in Ubuntu releases 12.04 up to and including 15.04. Depending on configuration, remote exploitation might be possible as well. Local exploitation can even be done as the local, passwordless LightDM "Guest" account user on systems supporting it -- indeed: from anonymous guest user to root. - DESCRIPTION ----------- The Apport package creates user core dumps in the crashed process' CWD, and does so since Bazaar revision number 602 [1] / release 0.59. This is okay, but not always: there is a flaw in the fact that Apport also does this, as root, for tainted/protected binaries (setuid() and friends, capabilities(7) enabled binaries, non-readable binaries) when the sysctl(8)'s fs.suid_dumpable variable is set to 2 (see core(5)). This means that users can create core dumps as root, in arbitrary directories which are otherwise write-protected for those users. In short: Apport should _not_ create user core dumps in the CWD in dump mode 2 for such tainted binaries; it should either not make user core dumps at all then, or if possible use a designated and safe directory for that. All Ubuntu releases starting with 12.04 have the Apport service enabled by default [2] (and Ubuntu has Apport installed by default for much longer). All Ubuntu releases starting with 12.04 (or patched that way after their release) have sysctl(8)'s fs.suid_dumpable set to 2 by default, through the Apport package; see bug #1194541, "Create core dumps for setuid binaries", 2013-06-25 [3]. Along with solving that bug (that is, adding the "missing feature" of setuid core dumps), the patch to that bug report actually created a root exploit hole in the upcoming release 13.10, as well as being backported into the at that time supported Ubuntu releases 12.04, 12.10 and 13.04. The exact Apport package versions (with their Ubuntu releases) that were "patched" to have fs.suid_dumpable set to "2" are: 2.0.1-0ubuntu17.4 (Ubuntu 12.04) 2.6.1-0ubuntu12 (Ubuntu 12.10) 2.9.2-0ubuntu8.3 (Ubuntu 13.04) The value fs.suid_dumpable=2 remained in Ubuntu ever since. The exception to this is the systemd Apport script in Ubuntu 15.04: the option setting fs.suid_dumpable to "2" was forgotten to be enabled here, although in the Upstart script in Ubuntu 15.04 the option is still enabled. I recently contacted the Apport package maintainer to make sure the systemd script will not enable the option, as that would enable the root hole in 15.04 with systemd (which is the default init system) as well. Please note: 15.04 with systemd being safe regarding this vulnerabilty has nothing to do with systemd itself. Please note that even though Ubuntu has the value of fs.suid_dumpable set to 2 in releases 12.04 and later, Apport itself has been creating user coredumps (to CWD, and also with fs.suid_dumpable=2) since Ubuntu 7.04, which has Apport package release 0.76/0.76.1. Any system since Ubuntu 7.04 that has had fs.suid_dumpable set to 2, even though it wasn't Ubuntu's default, has been exploitable. Thus, the proof of concept attached will and should essentially work on any Ubuntu release starting with 7.04; it was in fact tested and found to be working on 7.04 itself, but later releases until 12.04 were not tested. - - VULNERABLE RELEASES ------------------- The proof of concept attached should work out of the box on (and is in fact tested to work on most of them) all of the following releases: 12.04 LTS 12.04.1 LTS 12.04.2 LTS 12.04.3 LTS 12.04.4 LTS 12.04.5 LTS 12.10 (EOL) 13.04 (EOL) 13.10 (EOL) 14.04 LTS 14.04.1 LTS 14.04.2 LTS 14.10 15.04 (only with Upstart, not systemd) Of all of the above releases all of the Server, Desktop and, where available, Alternate editions are affected. In other words: anything Ubuntu from the past three years is vulnerable, out of the box. All releases older than 12.04, starting with 7.04, are vulnerable as well in the sense that they have installed Apport by default or otherwise provide it as an installable package, being an Apport package which creates user core dumps (in CWD, also with fs.suid_dumpable=2); however, those releases do not have the Apport service enabled by default, nor do they have fs.suid_dumpable set to "2" by default. - OTHER OSes / DISTRIBUTIONS / UBUNTU VERSIONS / DERIVATIVES ---------------------------------------------------------- Any OS / distribution with an Apport version creating a user core dump (meaning, the core dump created apart from the Apport report in /var/crash) in CWD is vulnerable. If fs.suid_dumpable=2 is the default, the OS is exploitable by default. This may or may not include Ubuntu derivatives, forks and Ubuntu based distributions like Ubuntu GNOME, Kubuntu, Ubuntu MATE, Ubuntu Studio, Edubuntu, Lubuntu, Mythbuntu, Xubuntu, Linux Mint (the Ubuntu based version), Peppermint, elementary OS, Bodhi Linux, BackBox, et cetera[5]. (As a quick test, at least BackBox 3.13 was found to be exploitable by default.) Further investigation will need to reveil what OSes / distributions / Ubuntu versions and derivatives are vulnerable, and which aren't. - WORKAROUND ---------- Disable the Apport service. - PROPOSED IMMEDIATE, TEMPORARY FIX --------------------------------- Disable suid_dumpable=2 in _all_ Ubuntu Apport packages; let it stay 0, which is the kernel's default. Thus, revert the damage done almost two years ago, e.g., by removing the lines - echo 2 > /proc/sys/fs/suid_dumpable + echo 2 > /proc/sys/fs/suid_dumpable and - echo 0 > /proc/sys/fs/suid_dumpable + echo 0 > /proc/sys/fs/suid_dumpable from the debian/apport.upstart files. Additionally, do _not_ enable fs.suid_dumpable=2 in the Apport systemd scripts for Ubuntu until a proper solution is implemented. - PROPOSED LONG TERM FIX ---------------------- Apport should _never_ dump core to CWD with fs.suid_dumpable=2 for tainted/protected binaries (just like the kernel does not do this anymore[4]). If creating a user core dump at all, Apport should dump it to a safe, dedicated directory. Apport should use the kernel's "%d" kernel.core_pattern template specifier (see core(5)), which will present the dumpable state of the crashed process ("0", "1" or "2"). Please note though that the "%d" template is only available in (upstream) kernels >=3.7. - REFERENCES ---------- [1] <http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/602> [2] <https://wiki.ubuntu.com/Apport#How_to_enable_apport> [3] <https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1194541> [4] <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9520628e8ceb69fa9a4aee6b57f22675d9e1b709> [5] <https://en.wikipedia.org/wiki/List_of_Ubuntu-based_distributions#Ubuntu-based> - - CREDITS ------- The issue was found, analyzed, and reported to Ubuntu by Sander Bos, along with a detailed explanation of the problem, proposed workarounds and fixes, and an exploit proof of concept.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1452239 Title: root escalation with fs.suid_dumpable=2 Status in Apport crash detection/reporting: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Utopic: Fix Released Status in apport source package in Vivid: Fix Released Status in apport source package in Wily: Fix Released Bug description: Sander Bos discovered that Apport enabled a user to perform a root escalation since it now configures fs.suid_dumpable=2. Here's a brief description of the issue: 1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r 2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d 3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the publication of this issue. I have assigned CVE-2015-1324 to this issue. We can either: 1- Disable fs.suid_dumpable=2 2- Stop creating core dump files when they are to be created as root 3- Create root-owned core dump files in a well-known location ---------------- Here is the original report from Sander Bos (now with the CVE number included): OVERVIEW -------- Date: 2015-05-05 Bug name: SCORE: Simple Coredump-Oriented Root Exploit CVE: CVE-2015-1324 Author: Sander Bos Author's e-mail address: sbos _at_ sbosnet _dot_ nl SUMMARY ------- I found a combination of vulnerabilities to lead to privilege escalation (root exploitation) by local users in Ubuntu releases 12.04 up to and including 15.04. Depending on configuration, remote exploitation might be possible as well. Local exploitation can even be done as the local, passwordless LightDM "Guest" account user on systems supporting it -- indeed: from anonymous guest user to root. DESCRIPTION ----------- The Apport package creates user core dumps in the crashed process' CWD, and does so since Bazaar revision number 602 [1] / release 0.59. This is okay, but not always: there is a flaw in the fact that Apport also does this, as root, for tainted/protected binaries (setuid() and friends, capabilities(7) enabled binaries, non-readable binaries) when the sysctl(8)'s fs.suid_dumpable variable is set to 2 (see core(5)). This means that users can create core dumps as root, in arbitrary directories which are otherwise write-protected for those users. In short: Apport should _not_ create user core dumps in the CWD in dump mode 2 for such tainted binaries; it should either not make user core dumps at all then, or if possible use a designated and safe directory for that. All Ubuntu releases starting with 12.04 have the Apport service enabled by default [2] (and Ubuntu has Apport installed by default for much longer). All Ubuntu releases starting with 12.04 (or patched that way after their release) have sysctl(8)'s fs.suid_dumpable set to 2 by default, through the Apport package; see bug #1194541, "Create core dumps for setuid binaries", 2013-06-25 [3]. Along with solving that bug (that is, adding the "missing feature" of setuid core dumps), the patch to that bug report actually created a root exploit hole in the upcoming release 13.10, as well as being backported into the at that time supported Ubuntu releases 12.04, 12.10 and 13.04. The exact Apport package versions (with their Ubuntu releases) that were "patched" to have fs.suid_dumpable set to "2" are: 2.0.1-0ubuntu17.4 (Ubuntu 12.04) 2.6.1-0ubuntu12 (Ubuntu 12.10) 2.9.2-0ubuntu8.3 (Ubuntu 13.04) The value fs.suid_dumpable=2 remained in Ubuntu ever since. The exception to this is the systemd Apport script in Ubuntu 15.04: the option setting fs.suid_dumpable to "2" was forgotten to be enabled here, although in the Upstart script in Ubuntu 15.04 the option is still enabled. I recently contacted the Apport package maintainer to make sure the systemd script will not enable the option, as that would enable the root hole in 15.04 with systemd (which is the default init system) as well. Please note: 15.04 with systemd being safe regarding this vulnerabilty has nothing to do with systemd itself. Please note that even though Ubuntu has the value of fs.suid_dumpable set to 2 in releases 12.04 and later, Apport itself has been creating user coredumps (to CWD, and also with fs.suid_dumpable=2) since Ubuntu 7.04, which has Apport package release 0.76/0.76.1. Any system since Ubuntu 7.04 that has had fs.suid_dumpable set to 2, even though it wasn't Ubuntu's default, has been exploitable. Thus, the proof of concept attached will and should essentially work on any Ubuntu release starting with 7.04; it was in fact tested and found to be working on 7.04 itself, but later releases until 12.04 were not tested. VULNERABLE RELEASES ------------------- The proof of concept attached should work out of the box on (and is in fact tested to work on most of them) all of the following releases: 12.04 LTS 12.04.1 LTS 12.04.2 LTS 12.04.3 LTS 12.04.4 LTS 12.04.5 LTS 12.10 (EOL) 13.04 (EOL) 13.10 (EOL) 14.04 LTS 14.04.1 LTS 14.04.2 LTS 14.10 15.04 (only with Upstart, not systemd) Of all of the above releases all of the Server, Desktop and, where available, Alternate editions are affected. In other words: anything Ubuntu from the past three years is vulnerable, out of the box. All releases older than 12.04, starting with 7.04, are vulnerable as well in the sense that they have installed Apport by default or otherwise provide it as an installable package, being an Apport package which creates user core dumps (in CWD, also with fs.suid_dumpable=2); however, those releases do not have the Apport service enabled by default, nor do they have fs.suid_dumpable set to "2" by default. OTHER OSes / DISTRIBUTIONS / UBUNTU VERSIONS / DERIVATIVES ---------------------------------------------------------- Any OS / distribution with an Apport version creating a user core dump (meaning, the core dump created apart from the Apport report in /var/crash) in CWD is vulnerable. If fs.suid_dumpable=2 is the default, the OS is exploitable by default. This may or may not include Ubuntu derivatives, forks and Ubuntu based distributions like Ubuntu GNOME, Kubuntu, Ubuntu MATE, Ubuntu Studio, Edubuntu, Lubuntu, Mythbuntu, Xubuntu, Linux Mint (the Ubuntu based version), Peppermint, elementary OS, Bodhi Linux, BackBox, et cetera[5]. (As a quick test, at least BackBox 3.13 was found to be exploitable by default.) Further investigation will need to reveil what OSes / distributions / Ubuntu versions and derivatives are vulnerable, and which aren't. WORKAROUND ---------- Disable the Apport service. PROPOSED IMMEDIATE, TEMPORARY FIX --------------------------------- Disable suid_dumpable=2 in _all_ Ubuntu Apport packages; let it stay 0, which is the kernel's default. Thus, revert the damage done almost two years ago, e.g., by removing the lines echo 2 > /proc/sys/fs/suid_dumpable and echo 0 > /proc/sys/fs/suid_dumpable from the debian/apport.upstart files. Additionally, do _not_ enable fs.suid_dumpable=2 in the Apport systemd scripts for Ubuntu until a proper solution is implemented. PROPOSED LONG TERM FIX ---------------------- Apport should _never_ dump core to CWD with fs.suid_dumpable=2 for tainted/protected binaries (just like the kernel does not do this anymore[4]). If creating a user core dump at all, Apport should dump it to a safe, dedicated directory. Apport should use the kernel's "%d" kernel.core_pattern template specifier (see core(5)), which will present the dumpable state of the crashed process ("0", "1" or "2"). Please note though that the "%d" template is only available in (upstream) kernels >=3.7. REFERENCES ---------- [1] <http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/602> [2] <https://wiki.ubuntu.com/Apport#How_to_enable_apport> [3] <https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1194541> [4] <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9520628e8ceb69fa9a4aee6b57f22675d9e1b709> [5] <https://en.wikipedia.org/wiki/List_of_Ubuntu-based_distributions#Ubuntu-based> CREDITS ------- The issue was found, analyzed, and reported to Ubuntu by Sander Bos, along with a detailed explanation of the problem, proposed workarounds and fixes, and an exploit proof of concept. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1452239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp