** Description changed:
Sander Bos discovered that Apport enabled a user to perform a root
escalation since it now configures fs.suid_dumpable=2.
Here's a brief description of the issue:
1- A regular user can trigger a coredump with /proc/$PID/stat as root:root
simply by doing chmod u-r
2- The root-owned coredump will then be written in the CWD, which in the PoC
is /etc/logrotate.d
3- logrotate will gladly skip parts of the coredump it doesn't understand and
will successfully run the parts it does
I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the
publication of this issue.
I have assigned CVE-2015-1324 to this issue.
We can either:
1- Disable fs.suid_dumpable=2
2- Stop creating core dump files when they are to be created as root
3- Create root-owned core dump files in a well-known location
+
+ ----------------
+
+ Here is the original report from Sander Bos (now with the CVE number
+ included):
+
+ OVERVIEW
+ --------
+
+ Date: 2015-05-05
+ Bug name: SCORE: Simple Coredump-Oriented Root Exploit
+ CVE: CVE-2015-1324
+ Author: Sander Bos
+ Author's e-mail address: sbos _at_ sbosnet _dot_ nl
+
+
+ SUMMARY
+ -------
+
+ I found a combination of vulnerabilities leading to privilege escalation
+ (root exploitation) by local users in Ubuntu releases 12.04 up to and
+ including 15.04. Depending on configuration, remote exploitation might
+ be possible as well. Local exploitation can even be done as the local,
+ passwordless LightDM "Guest" account user on systems supporting it --
+ indeed: from anonymous guest user to root.
+
+
+ DESCRIPTION
+ -----------
+
+ The Apport package creates user core dumps in the crashed process'
+ CWD, and does so since Bazaar revision number 602 [1] / release 0.59.
+ This is okay, but not always: there is a flaw in the fact that Apport
+ also does this, as root, for tainted/protected binaries (setuid() and
+ friends, capabilities(7) enabled binaries, non-readable binaries) when
+ the sysctl(8)'s fs.suid_dumpable variable is set to 2 (see core(5)).
+ This means that users can create core dumps as root, in arbitrary
+ directories which are otherwise write-protected for those users.
+
+ In short: Apport should _not_ create user core dumps in the CWD in dump
+ mode 2 for such tainted binaries; it should either not make user core
+ dumps at all then, or if possible use a designated and safe directory
+ for that.
+
+ All Ubuntu releases starting with 12.04 have the Apport service enabled by
+ default [2] (and Ubuntu has Apport installed by default for much longer).
+
+ All Ubuntu releases starting with 12.04 (or patched that way after
+ their release) have sysctl(8)'s fs.suid_dumpable set to 2 by default,
+ through the Apport package; see bug #1194541, "Create core dumps for
+ setuid binaries", 2013-06-25 [3].
+
+ Along with solving that bug (that is, adding the "missing feature" of
+ setuid core dumps), the patch to that bug report actually created a root
+ exploit hole in the upcoming release 13.10, as well as being backported
+ into the at that time supported Ubuntu releases 12.04, 12.10 and 13.04.
+
+ The exact Apport package versions (with their Ubuntu releases) that were
+ "patched" to have fs.suid_dumpable set to "2" are:
+
+ 2.0.1-0ubuntu17.4 (Ubuntu 12.04)
+ 2.6.1-0ubuntu12 (Ubuntu 12.10)
+ 2.9.2-0ubuntu8.3 (Ubuntu 13.04)
+
+ The value fs.suid_dumpable=2 remained in Ubuntu ever since. The exception
+ to this is the systemd Apport script in Ubuntu 15.04: the option setting
+ fs.suid_dumpable to "2" was forgotten here, although in the Upstart
+ script in Ubuntu 15.04 the option is still enabled. I recently
+ contacted the Apport package maintainer to make sure the systemd script
+ will not enable the option, as that would enable the root hole in 15.04
+ with systemd (which is the default init system) as well. Please note:
+ 15.04 with systemd being safe regarding this vulnerability has nothing
+ to do with systemd itself.
+
+ Please note that even though Ubuntu has the value of fs.suid_dumpable set
+ to 2 in releases 12.04 and later, Apport itself has been creating user
+ coredumps (to CWD, and also with fs.suid_dumpable=2) since Ubuntu 7.04,
+ which has Apport package release 0.76/0.76.1. Any system since Ubuntu
+ 7.04 that has had fs.suid_dumpable set to 2, even though it wasn't
+ Ubuntu's default, has been exploitable. Thus, the proof of concept
+ attached will and should essentially work on any Ubuntu release starting
+ with 7.04; it was in fact tested and found to be working on 7.04 itself,
+ but later releases until 12.04 were not tested.
+
+
+
+ VULNERABLE RELEASES
+ -------------------
+
+ The proof of concept attached should work out of the box on (and is in
+ fact tested to work on most of them) all of the following releases:
+
+ 12.04 LTS
+ 12.04.1 LTS
+ 12.04.2 LTS
+ 12.04.3 LTS
+ 12.04.4 LTS
+ 12.04.5 LTS
+ 12.10 (EOL)
+ 13.04 (EOL)
+ 13.10 (EOL)
+ 14.04 LTS
+ 14.04.1 LTS
+ 14.04.2 LTS
+ 14.10
+ 15.04 (only with Upstart, not systemd)
+
+ Of all of the above releases all of the Server, Desktop and, where
+ available, Alternate editions are affected.
+
+ In other words: anything Ubuntu from the past three years is vulnerable,
+ out of the box.
+
+ All releases older than 12.04, starting with 7.04, are vulnerable as well
+ in the sense that they have installed Apport by default or otherwise
+ provide it as an installable package, being an Apport package which
+ creates user core dumps (in CWD, also with fs.suid_dumpable=2); however,
+ those releases do not have the Apport service enabled by default, nor
+ do they have fs.suid_dumpable set to "2" by default.
+
+
+ OTHER OSes / DISTRIBUTIONS / UBUNTU VERSIONS / DERIVATIVES
+ ----------------------------------------------------------
+
+ Any OS / distribution with an Apport version creating a user core
+ dump (meaning, the core dump created apart from the Apport report in
+ /var/crash) in CWD is vulnerable. If fs.suid_dumpable=2 is the default,
+ the OS is exploitable by default.
+
+ This may or may not include Ubuntu derivatives, forks and Ubuntu based
+ distributions like Ubuntu GNOME, Kubuntu, Ubuntu MATE, Ubuntu Studio,
+ Edubuntu, Lubuntu, Mythbuntu, Xubuntu, Linux Mint (the Ubuntu based
+ version), Peppermint, elementary OS, Bodhi Linux, BackBox, et cetera[5].
+ (As a quick test, at least BackBox 3.13 was found to be exploitable
+ by default.)
+
+ Further investigation will need to reveal which OSes / distributions /
+ Ubuntu versions and derivatives are vulnerable, and which aren't.
+
+
+ WORKAROUND
+ ----------
+
+ Disable the Apport service.
+
+
+ PROPOSED IMMEDIATE, TEMPORARY FIX
+ ---------------------------------
+
+ Disable suid_dumpable=2 in _all_ Ubuntu Apport packages; let it stay 0,
+ which is the kernel's default.
+
+ Thus, revert the damage done almost two years ago, e.g., by removing
+ the lines
+
+ echo 2 > /proc/sys/fs/suid_dumpable
+
+ and
+
+ echo 0 > /proc/sys/fs/suid_dumpable
+
+ from the debian/apport.upstart files.
+
+ Additionally, do _not_ enable fs.suid_dumpable=2 in the Apport systemd
+ scripts for Ubuntu until a proper solution is implemented.
+
+
+ PROPOSED LONG TERM FIX
+ ----------------------
+
+ Apport should _never_ dump core to CWD with fs.suid_dumpable=2 for
+ tainted/protected binaries (just like the kernel does not do this
+ anymore[4]). If creating a user core dump at all, Apport should dump
+ it to a safe, dedicated directory.
+
+ Apport should use the kernel's "%d" kernel.core_pattern template specifier
+ (see core(5)), which will present the dumpable state of the crashed
+ process ("0", "1" or "2"). Please note though that the "%d" template
+ is only available in (upstream) kernels >=3.7.
+
+
+ REFERENCES
+ ----------
+
+ [1] <http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/602>
+ [2] <https://wiki.ubuntu.com/Apport#How_to_enable_apport>
+ [3] <https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1194541>
+ [4] <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9520628e8ceb69fa9a4aee6b57f22675d9e1b709>
+ [5] <https://en.wikipedia.org/wiki/List_of_Ubuntu-based_distributions#Ubuntu-based>
+
+
+
+ CREDITS
+ -------
+
+ The issue was found, analyzed, and reported to Ubuntu by Sander Bos,
+ along with a detailed explanation of the problem, proposed workarounds
+ and fixes, and an exploit proof of concept.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1452239
Title:
root escalation with fs.suid_dumpable=2
To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1452239/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
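An added audit helper, written for this page and not taken from the bug report, Apport or Ubuntu's packaging: a POSIX shell script that classifies the fs.suid_dumpable / kernel.core_pattern combination the report turns on, and checks whether a kernel version is new enough for the "%d" core_pattern specifier the long-term fix proposes (upstream >= 3.7). The risk labels are this script's own vocabulary, the core_pattern strings in its comments are illustrative, and "audit" mode simply reads the running system's values.

```shell
#!/bin/sh
# Added audit helper for the fs.suid_dumpable / core_pattern combination
# discussed in the report (illustrative code; not from Apport, Ubuntu or the
# original reporter). Values are taken as arguments so the logic can be
# exercised offline; audit_live reads them from the running kernel instead.

# core_dump_risk DUMPABLE PATTERN
# Prints a one-word label (this script's own vocabulary) describing what
# happens when a setuid, capability-bearing or non-readable binary crashes.
core_dump_risk() {
    dumpable="$1"
    pattern="$2"
    case "$dumpable" in
        0) echo "nodump" ;;       # kernel default: protected processes never dump
        1) echo "debug-mode" ;;   # every process dumps as the user; not for production
        2)
            case "$pattern" in
                '|'*)
                    # The kernel hands the dump to the helper running as root;
                    # the helper itself must refuse to write a core into the
                    # crashed process's CWD. With "%d" in the pattern it is at
                    # least told the dumpable state of the process.
                    case "$pattern" in
                        *%d*) echo "pipe-with-dumpable-flag" ;;
                        *)    echo "pipe-without-dumpable-flag" ;;
                    esac ;;
                /*) echo "absolute-root-owned" ;;  # root-owned core in a fixed directory
                *)  echo "relative-pattern" ;;     # refused by kernels carrying commit [4]
            esac ;;
        *) echo "unknown" ;;
    esac
}

# kernel_has_core_d VERSION   (e.g. the output of `uname -r`)
# Succeeds when VERSION is >= 3.7, the first upstream kernel with "%d".
kernel_has_core_d() {
    ver="$1"
    major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    major=${major%%[!0-9]*}   # strip suffixes such as "-rc1" or "-generic"
    minor=${minor%%[!0-9]*}
    [ -n "$major" ] || return 1
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; then return 0; fi
    return 1
}

# audit_live: classify the running system.
audit_live() {
    d=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    p=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)
    printf 'fs.suid_dumpable=%s core_pattern=%s -> %s\n' "$d" "$p" "$(core_dump_risk "$d" "$p")"
    if kernel_has_core_d "$(uname -r)"; then
        echo "kernel $(uname -r): %d available, a pipe handler can be told the dumpable state"
    else
        echo "kernel $(uname -r): no %d (needs >= 3.7), handler cannot tell suid dumps apart"
    fi
}

# Run the live audit only when asked, so the functions can also be sourced.
case "${1-}" in audit) audit_live ;; esac
```

Run it as `sh audit.sh audit` on a host to see the live classification; a result of "pipe-without-dumpable-flag" with fs.suid_dumpable=2 is the shape of configuration the report describes, where everything rests on the pipe helper refusing to write root-owned cores into the CWD.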