- Committer: Martin Pitt
- Date: 2015-05-13 09:12:29 UTC
- Revision ID: martin.pitt@canonical.com-20150513091229-d1f3cjq0o69h07es
SECURITY UPDATE: Fix local root privilege escalation through suid root exe core files
When /proc/sys/fs/suid_dumpable is enabled, crashing a program that is suid
root or not readable for the user would create root-owned core files in the
current directory of that program. Creating specially crafted core files in
/etc/logrotate.d or similar could then lead to arbitrary code execution with
root privileges.
Fix apport's drop_privileges() to actually drop privileges to the crashed
program's real ID. Before it was dropping to the owner of /proc/pid/stat, which
is root for suid root or unreadable executables.
This requires special-casing when writing .crash reports: We can't chmod the
written file to become readable as it needs to be owned by root and we already
dropped privileges; so create the reports with 0640 permissions right from the
start.
Don't write a core file for the kinds of executables above. Their
/proc/pid/stat is owned by root (or the user suid'ed to), only write core files
for processes whose real ID matches that ownership. (Note that comparing
against effective ID does not work as processes can drop their privileges.)
This is in accordance with the intention of core(5) and proc(5) whose intention
is to only allow suid_dumpable to pipes (i. e. apport) but not to core files in cwd.
Adjust signal_crashes.test_crash_setuid_{keep,drop} accordingly. Add tests for
running a suid root and an unreadable executable in a non-user-writable cwd.
These reproduce the original exploit.
Thanks to Sander Bos for discovering this issue!
CVE-2015-1324
LP: #1452239
When /proc/sys/fs/suid_dumpable is enabled, crashing a program that is suid
root or not readable for the user would create root-owned core files in the
current directory of that program. Creating specially crafted core files in
/etc/logrotate.d or similar could then lead to arbitrary code execution with
root privileges.
Fix apport's drop_privileges() to actually drop privileges to the crashed
program's real ID. Before it was dropping to the owner of /proc/pid/stat, which
is root for suid root or unreadable executables.
This requires special-casing when writing .crash reports: We can't chmod the
written file to become readable as it needs to be owned by root and we already
dropped privileges; so create the reports with 0640 permissions right from the
start.
Don't write a core file for the kinds of executables above. Their
/proc/pid/stat is owned by root (or the user suid'ed to), only write core files
for processes whose real ID matches that ownership. (Note that comparing
against effective ID does not work as processes can drop their privileges.)
This is in accordance with the intention of core(5) and proc(5) whose intention
is to only allow suid_dumpable to pipes (i. e. apport) but not to core files in cwd.
Adjust signal_crashes.test_crash_setuid_{keep,drop} accordingly. Add tests for
running a suid root and an unreadable executable in a non-user-writable cwd.
These reproduce the original exploit.
Thanks to Sander Bos for discovering this issue!
CVE-2015-1324
LP: #1452239
| Filename | Latest Rev | Last Changed | Committer | Comment | Size | ||
|---|---|---|---|---|---|---|---|
 .. |
|||||||
apport
|
359 | 18 years ago | martin at piware | * Add apport/python_hook.py: Default exception han |
|
||
|
backends
|
427.1.2 | 18 years ago | martin at piware | add backends/dpkg.py: dpkg implementation of abstr |
|
||
|
bin
|
358 | 18 years ago | martin at piware | * Move scripts to bin/ in source package. |
|
||
|
data
|
1482 | 16 years ago | Martin Pitt | throw away complicated and incomplete build system |
|
||
|
doc
|
559 | 18 years ago | Martin Pitt | * Add doc/package-hooks.txt: Document per-package |
|
||
|
etc
|
1354 | 16 years ago | Martin Pitt | Move cron.daily, init script, and default file fro |
|
||
|
gtk
|
57 | 18 years ago | martin at piware | add initial GTK frontend bits: glade file, icon, s |
|
||
|
java
|
1742.1.1 | 15 years ago | Matt Zimmerman | Initial implementation of Java crash handling jav |
|
||
|
kde
|
1466.1.1 | 16 years ago | Richard A. Johnson | * Added apport-kde which is a PyKDE4 app that int |
|
||
|
man
|
250 | 18 years ago | martin at piware | * Add manpages for apport-retrace(1) and apport-un |
|
||
|
pm-utils
|
1647 | 15 years ago | Martin Pitt | Add pm-utils hook to record current operation, so |
|
||
|
po
|
68 | 18 years ago | martin at piware | gtk: i18ned |
|
||
|
test
|
1483 | 16 years ago | Martin Pitt | Move all test scripts into test/, to unclutter sou |
|
||
|
udev
|
2778 | 11 years ago | Martin Pitt | * Add KernelCrash reports when iwlwifi encounters |
|
||
|
xdg-mime
|
902 | 17 years ago | martin at piware | * Add xdg-mime/apport.xml: XDG MIME type definitio |
|
||
.bzrignore |
1976 | 13 years ago | Martin Pitt | add po/apport.pot, for LP imports | 85 bytes |
|
|
|
apport_python_hook.py |
2787 | 11 years ago | Martin Pitt | * Delay the import of the glob and re modules in t | 7.3 KB |
|
|
|
AUTHORS |
2055 | 13 years ago | Martin Pitt | README: Update command for one-time enablement. | 859 bytes |
|
|
|
COPYING |
427 | 18 years ago | martin at piware | * Add ./COPYING: GPL license. | 17.5 KB |
|
|
do-release |
2945 | 10 years ago | Martin Pitt | * do-release: Force UTC timezone for upstream chan | 877 bytes |
|
|
|
NEWS |
2957 | 10 years ago | Martin Pitt | SECURITY UPDATE: Fix local root privilege escalati | 111 KB |
|
|
|
problem_report.py |
2912 | 10 years ago | Martin Pitt | * ProblemReport: Set a timestamp of 0 in gzip comp | 25.3 KB |
|
|
|
README |
2172 | 13 years ago | Martin Pitt | README: Fix typo | 3 KB |
|
|
|
setup.cfg |
2906.1.1 | 10 years ago | Aron Xu | Set translation domain Without domain=apport in s | 27 bytes |
|
|
|
setup.py |
2904 | 10 years ago | Martin Pitt | * Don't install the test suite any more, to save 1 | 4.7 KB |
|
|
|
TODO |
2638 | 12 years ago | Martin Pitt | drop implemented TODO item | 464 bytes |
|
|
|
use-local |
2747 | 11 years ago | Martin Pitt | Add support for PID namespaces (Linux containers) | 365 bytes |
|
|