*** This bug is a security vulnerability *** Public security bug reported:
OVERVIEW
--------

Author: Sander Bos
Author's e-mail address: sbos _at_ sbosnet _dot_ nl
Author's website: <https://www.sbosnet.nl/>
CVE identifier: requested
Date: 2019-04-19
Report version: 2

SUMMARY
-------

The Ubuntu "byobu" package contains a security vulnerability which may lead to disclosure of private as well as sensitive information whenever a bug or crash report file gets created, either manually by the user or because the application crashes, and that report file is then uploaded to an external crash report database through the Ubuntu "Apport" crash report framework.

The vulnerability is specific to the Ubuntu (and Debian) byobu package (and potentially derivative OS packages, for example Linux Mint), and is not present in the upstream application itself (although the hook file is in fact part of the upstream source code repository).

DESCRIPTION
-----------

"Byobu" [1, 2] is a text-based window manager, terminal multiplexer, and integrated DevOps environment which can act as an enhancement to the GNU Screen and tmux applications. It was initially developed for Ubuntu, and is nowadays available in many GNU/Linux distributions as well as macOS and some BSD operating systems.

The Ubuntu "byobu" package adds a file "debian/source_byobu.py" [3] to the program. This file acts as a so-called "package hook" for the Ubuntu "Apport" crash report framework [4]. When a Byobu process crashes, or when the user manually creates a bug report file for the program, a local crash or bug report file gets created. This report file may be amended with additional information, as defined by the package hook file. The resulting report file may then be uploaded to an external bug report database like Launchpad [5] or the Ubuntu Error Tracker [6].

The vulnerability lies in the fact that the debian/source_byobu.py package hook file includes the user's ~/.screenrc file (line numbers prepended):

  10 def add_info(report):
  [...]
  13     attach_file_if_exists(report, path.expanduser('~/.screenrc'), 'ScreenRC')

This file, however, is a user's private dot file, which should therefore probably not be attached to the report at all. More specifically, the file may contain actual sensitive information, including but not limited to passwords, user names, and host names. Thus, private and / or sensitive user information may end up in external bug databases and (potentially public) bug reports. This applies in particular when the system on which the application crashed is configured to upload Apport crash reports automatically, without asking the user's permission or requiring any user intervention at all.

As noted above, the vulnerability is specific to the Ubuntu (and Debian) byobu package (and potentially derivative OS packages, for example Linux Mint), and is not present in the upstream application itself.

VULNERABILITY IMPACT
--------------------

The general impact type of this vulnerability is disclosure of sensitive information, potentially including but not limited to passwords, user names, and host names. The leakage of such sensitive information from the ~/.screenrc file is the core of this security vulnerability. However, even when the file does not (or would never) include sensitive information like passwords, sending out a user dot file like ~/.screenrc could still be considered a privacy infringement in itself.
The following are examples of GNU Screen commands which may be included in ~/.screenrc files [7] and contain sensitive (or at least private) information (this list should not be considered exhaustive):

- "password" (may contain passwords);
- "su" (may include user names and passwords);
- all "*acl*" options and "umask" (involve ACLs, contain user names, and may contain passwords);
- "screen" (may contain host name and connection information regarding TELNET connections to, for example, (administrative interfaces of) internal-only hosts on an internal network);
- "at", "command", "eval", "exec", "shell", "source", and other commands that cause (shell) commands to be executed.

Even though Byobu can be used on many different GNU/Linux distributions and other operating systems, the vulnerability only applies to the Ubuntu and Debian packages (and potentially derivative package versions, for example Linux Mint). In addition, for the vulnerability to be exploitable the system needs to have the Apport framework installed and enabled. This is the case by default on Ubuntu, and may be the case on at least SUSE based systems as well as the Debian "experimental" distribution.

As additional requirements, Byobu needs to crash for the vulnerability to occur (or the user needs to manually create a bug report), and the crash report needs to be uploaded to an external bug database, either manually by the user or automatically by the Apport framework. A crash could happen as a result of regular application usage, but it may also be caused deliberately by a (local or remote) attacker by means of additional exploitative factors (e.g., Byobu application or terminal related bugs). If the connection to the external bug database is unencrypted, the information may also leak by means of captured network traffic.
PROOF OF CONCEPT (PoC)
----------------------

The following example demonstrates the vulnerability on a default installation of Ubuntu Server 16.04 LTS, showing the contents of the user's ~/.screenrc file being included in the bug report file:

  $ echo "secret" > ~/.screenrc
  $ apport-cli --save /tmp/reportfile /usr/bin/byobu

  *** Collecting problem information

  The collected information can be sent to the developers to improve the
  application. This might take a few minutes.
  [...]
  $ grep "ScreenRC" /tmp/reportfile
  ScreenRC: secret

The above example manually creates a bug report file by directly calling apport-cli(1) [8] on the Byobu binary. The bug report file may then get uploaded to a remote bug reporting database, making the contents of the ~/.screenrc file end up in a (potentially public) bug report.

As an alternative PoC, an actual crash report could be generated by manually crashing a Byobu process (using for example "kill -11") and then running apport-cli(1) on the, initially limited, crash report file in /var/crash/. The end result would however be the same.

VULNERABLE UBUNTU RELEASES / PACKAGE VERSIONS
---------------------------------------------

The vulnerability was introduced in the upstream Byobu source code repository on 2009-07-09 as part of adding the Apport package hook file, in Bazaar revision 648 [9]. The first Ubuntu package version containing the vulnerability was 2.20-0ubuntu1, released 2009-07-12 [10]. Presumably all Ubuntu and Debian package versions from that version on have been vulnerable.
Currently, the following supported Ubuntu versions with their respective byobu package versions are vulnerable [11]:

  Ubuntu 19.04:     5.127-0ubuntu1
  Ubuntu 18.10:     5.127-0ubuntu1
  Ubuntu 18.04 LTS: 5.125-0ubuntu1
  Ubuntu 16.04 LTS: 5.106-0ubuntu1
  Ubuntu 14.04 LTS: 5.77-0ubuntu1.2
  Ubuntu 12.04 ESM: 5.17-0ubuntu1

(Note: the package version listed for Ubuntu 12.04 ESM is actually the version from Ubuntu 12.04 LTS; an unchecked assumption is made here that the version in Ubuntu 12.04 ESM did not change after Ubuntu 12.04 LTS transitioned to Ubuntu 12.04 ESM.)

It should be noted that the byobu package gets installed by default in the Ubuntu Server editions of several Ubuntu releases.

Byobu is also available on many other GNU/Linux distributions as well as macOS and some BSD systems, but the Apport hook will only get executed on systems which have Apport installed and running. Aside from Ubuntu, this might include SUSE based systems as well as the Debian "experimental" distribution.

PROPOSED FIXES / WORKAROUNDS
----------------------------

An immediate workaround for Ubuntu users and administrators is to remove the byobu package's Apport package hook file from the system, i.e. /usr/share/apport/package-hooks/source_byobu.py.

As a proposed source code / package fix, the byobu package Apport hook should not include the user's complete ~/.screenrc file, but at least filter out all sensitive information that the file may contain. This includes for example the "password" option line and the other commands mentioned in the "VULNERABILITY IMPACT" section above. As this may not be sufficient and could still include information which should not be sent out, a better approach might be to use a whitelist of lines to include instead of a filter of lines to exclude.
Aside from actual sensitive information contained in the user's ~/.screenrc file, which could be considered the core vulnerability of this report, the file simply is a user's private dot file which should probably not be uploaded to remote sites by Apport hooks at all. This applies specifically since uploading of Apport reports can even happen without the user's consent or knowledge, for example when automatic crash report uploads are configured on the system. It should also be (re)considered whether any contents of a ~/.screenrc file could be responsible for a Byobu application crash to begin with, why this information would be helpful to developers in resolving a crash, and whether developers should be allowed to learn it via this route at all. Thus, probably the safest and best solution would be to not include the ~/.screenrc file in crash reports at all.

If filtering out specific contents or using a whitelist approach, while still including the ~/.screenrc file itself in reports, is chosen as a fix instead of not including the file at all, then an additional measure of explicitly asking the user whether or not to include the file should be implemented. This may be done by, for example, using the "ui.yesno()" interactive user interface function from Apport [12], as also implemented in Apport package hooks of several other packages, for example the Apport package hook from the Ubuntu "openssh-client" package [13].

In addition, and generally speaking, Apport hooks from packages should probably never attach private files from users (either dot files or differently named files, either from users' home directories or other private directories), since this poses a (potential) privacy infringement. At the least, such package hooks should always ask the user's explicit permission. It should also always be investigated whether any potential security impact is involved, for example through the inclusion of passwords or other sensitive information.
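The following is an added example of what the whitelist-plus-consent fix proposed above could look like, written by the editor of this page; it is neither the Ubuntu package's hook nor code from the author of this report. It classifies ~/.screenrc lines using the command list from the "VULNERABILITY IMPACT" section, keeps only a small whitelist of cosmetic directives, and attaches nothing unless the user answers yes to a ui.yesno() prompt. Assumptions are labelled in the code: Apport calls a package hook as add_info(report, ui) where report is dict-like and ui.yesno() returns True, False or None; the ALLOWED set is this example's own choice rather than any official list; the sample ~/.screenrc at the bottom is constructed. Everything is plain Python, so it runs without Apport installed.

```python
"""Whitelist-based Apport hook for byobu (added example, not the package's hook).

Assumed, as in real Apport package hooks: Apport calls add_info(report, ui),
`report` is dict-like (field name -> value) and ui.yesno(question) returns
True, False or None.  The ALLOWED set is this example's own choice, not an
official list.  Plain Python only, so it runs without Apport installed.
"""
import os
from typing import Dict, List, Optional, Tuple

# Directives the report names as carrying passwords, user names, host
# names or commands to run.  Anything starting with "acl" covers acladd,
# aclchg, acldel, aclgrp, aclumask, ...
SENSITIVE = {"password", "su", "umask", "screen", "at", "command",
             "eval", "exec", "shell", "source"}

# Cosmetic / behaviour options an investigator could plausibly want.
# "bind" and "bindkey" are deliberately absent: they can wrap "exec" etc.
ALLOWED = {"startup_message", "defscrollback", "scrollback", "hardstatus",
           "caption", "escape", "term", "altscreen", "vbell", "autodetach",
           "defutf8", "termcapinfo", "shelltitle", "msgwait", "activity"}


def classify(line: str) -> str:
    """Label one screenrc line: blank, comment, sensitive, allowed or unknown."""
    stripped = line.strip()
    if not stripped:
        return "blank"
    if stripped.startswith("#"):
        return "comment"
    cmd = stripped.split(None, 1)[0]
    if cmd in SENSITIVE or cmd.startswith("acl"):
        return "sensitive"
    if cmd in ALLOWED:
        return "allowed"
    return "unknown"  # default deny: unrecognised directives stay out


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Keep only whitelisted lines; also return a count per category."""
    kept: List[str] = []
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        kind = classify(line)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "allowed":
            kept.append(line.strip())
    return "\n".join(kept), counts


def attach_screenrc(report, ui, text: str) -> bool:
    """Attach the redacted file only after explicit consent via ui.yesno().

    With no UI (unattended, automatic reporting) nothing is attached, so an
    auto-upload configuration can never ship the file silently.
    """
    filtered, counts = redact(text)
    withheld = counts.get("sensitive", 0) + counts.get("unknown", 0)
    if ui is None:
        return False
    question = ("Attach the non-sensitive settings from your ~/.screenrc "
                "to this report? (%d line(s) will be withheld.)" % withheld)
    if ui.yesno(question) is not True:
        return False
    report["ScreenRC"] = filtered
    report["ScreenRCWithheldLines"] = str(withheld)
    return True


def add_info(report, ui=None) -> bool:
    """Hook entry point with Apport's add_info(report, ui) signature."""
    path = os.path.expanduser("~/.screenrc")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return attach_screenrc(report, ui, fh.read())


# Constructed sample ~/.screenrc (not a real user's file).
SAMPLE_SCREENRC = """\
# constructed sample
startup_message off
defscrollback 10000
hardstatus alwayslastline
password aBcD.EfGhIjKl
su alice
acladd bob
screen -t router telnet 10.0.0.1
bind e exec true
"""

if __name__ == "__main__":
    kept, counts = redact(SAMPLE_SCREENRC)
    print(kept)
    print(counts)
```

Run stand-alone, the sample yields only the three cosmetic lines; the password, su, acladd and screen lines are withheld as sensitive and the bind line as unknown. The default-deny choice is the important one: a blacklist would have let "bind e exec true" through, even though it embeds an executable command.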
REPORT REVISION HISTORY
-----------------------

2019-04-10: Version 1: initial version sent to Ubuntu Security Team.
2019-04-19: Version 2: added Ubuntu 19.04 to vulnerable Ubuntu versions list, added workaround information, added "ui.yesno()" information to fix proposal, various minor improvements.

REFERENCES
----------

[1] <https://byobu.org/>
[2] <https://launchpad.net/byobu/>
[3] <https://bazaar.launchpad.net/~kirkland/byobu/trunk/view/head:/debian/source_byobu.py>
[4] <https://wiki.ubuntu.com/Apport#Per-package_Apport_Hooks>
[5] <https://bugs.launchpad.net/>
[6] <https://wiki.ubuntu.com/ErrorTracker>
[7] <https://www.gnu.org/software/screen/manual/screen.html>
[8] <https://manpages.ubuntu.com/manpages/xenial/en/man1/apport-cli.1.html>
[9] <https://bazaar.launchpad.net/~kirkland/byobu/trunk/revision/648>
[10] <https://bazaar.launchpad.net/~kirkland/byobu/trunk/view/head:/debian/changelog>
[11] <https://packages.ubuntu.com/search?keywords=byobu>
[12] <https://bazaar.launchpad.net/~apport-hackers/apport/trunk/view/head:/apport/ui.py>
[13] <https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/openssh-client.apport>

CREDIT
------

Sander Bos discovered, analysed, and reported the vulnerabilities described in this report. Credits are welcomed in documentation relating to these vulnerabilities including revision control system commit messages, patches, release notes, and security advisories.

** Affects: byobu (Ubuntu)
   Importance: Undecided
   Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7306

https://bugs.launchpad.net/bugs/1827202
Title: Apport hook may expose sensitive information
