Wednesday, 15 April 2015

CVE-2015-1318 Leading To Privilege Escalation In Ubuntu Distros (Trusty, Utopic, Vivid)

Apport is the Ubuntu utility that reports a user's crash events to the bug tracker, but who knew that the crash-forwarding feature of this useful utility can lead to privilege escalation :D . I have confirmed this bug on Ubuntu Trusty (14.04) and I believe it's worth sharing :)

Bug Explained:

A new feature introduced in Ubuntu 14.04 forwards any crash to another apport running in the crashed task's namespace (in the case where the task's pid inside its namespace is not equal to its pid in the host namespace).

This feature simply checks for the presence of /usr/share/apport/apport in the task's root directory. If it exists, apport will chroot into that root and exec the script.
The problem is that, because apport is a coredump handler invoked by the kernel, it always runs as real root, regardless of the crashed task's owner and namespace.
This therefore allows an unprivileged user to craft a specific filesystem structure, pivot_root into it, then crash a process inside it, causing the apport outside the namespace to execute a script as real root. By bind-mounting /proc from the host into that namespace, the unprivileged user can then access any file on the host as real root, which is the privilege escalation.
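The check a defender wants after reading the above is whether a given host actually routes kernel core dumps through apport as root, and whether the namespace-forwarding path is in play. The following is an added example written for this post, not code from the original post or from the apport project. It assumes Ubuntu's default core_pattern of `|/usr/share/apport/apport %p %s %c %P` (the `%P` global-pid token is what lets the handler compare the namespace pid with the host pid) and that `enabled=0` in `/etc/default/apport` switches apport off; the function names are mine. It does not check the installed apport package version, so read its result as "the exposed path exists" rather than "vulnerable"; the real fix is the updated package tracked in the Launchpad bug referenced below, and stopping apport (`sudo service apport stop`, or `enabled=0`) is only a stopgap.

```python
"""Report whether this host pipes kernel core dumps through apport as root.

Added example (not from the original post or from apport). Two settings
decide whether the crash-forwarding path described above is reachable:
the kernel core_pattern, which pipes every crash into /usr/share/apport/apport
running as root, and the enabled= switch in /etc/default/apport.
Assumed formats: Ubuntu's default core_pattern
"|/usr/share/apport/apport %p %s %c %P" and a shell-style key=value file.
"""
import re

APPORT_HANDLER = "/usr/share/apport/apport"


def parse_core_pattern(text):
    """Return (handler_path, tokens) when core_pattern pipes dumps to a
    program, or (None, []) when dumps are simply written to a file."""
    pattern = text.strip()
    if not pattern.startswith("|"):
        return None, []
    parts = pattern[1:].split()
    return parts[0], parts[1:]


def apport_enabled(default_file_text):
    """Parse /etc/default/apport. Assumption: apport is on unless the file
    explicitly says enabled=0 (the last assignment wins)."""
    enabled = True
    for line in default_file_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop shell comments
        m = re.match(r"^enabled\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
            enabled = value != "0"
    return enabled


def assess(core_pattern_text, default_file_text):
    """Summarise exposure from the two settings as a dict."""
    handler, tokens = parse_core_pattern(core_pattern_text)
    is_apport = handler == APPORT_HANDLER
    # %P (global pid) is what lets the handler notice that the crashed
    # task's namespace pid differs from its host pid, the condition under
    # which apport forwards the crash into the task's root.
    forwards_to_ns = is_apport and "%P" in tokens
    enabled = apport_enabled(default_file_text)
    return {
        "handler": handler,
        "apport_is_handler": is_apport,
        "namespace_forwarding": forwards_to_ns,
        "apport_enabled": enabled,
        "exposed": is_apport and forwards_to_ns and enabled,
    }


def read_live():
    """Read the real settings from this host and assess them."""
    with open("/proc/sys/kernel/core_pattern") as f:
        core_pattern = f.read()
    try:
        with open("/etc/default/apport") as f:
            defaults = f.read()
    except FileNotFoundError:
        defaults = ""               # no file: apport's default is on
    return assess(core_pattern, defaults)


if __name__ == "__main__":
    # Constructed sample matching an unpatched Trusty default, run offline.
    sample = assess("|/usr/share/apport/apport %p %s %c %P\n", "enabled=1\n")
    for key, value in sample.items():
        print(f"{key}: {value}")
```

Run it on a live host by calling `read_live()` instead of the constructed sample; an `exposed: True` result means every crash on the box, from any user or container, is handed to a root-run apport that will follow the forwarding logic described above, which is the precondition for the bug.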

Severity (High):

An unprivileged (nobody) user on a regular Ubuntu system can become root after successful exploitation.

Affected Distros:

  1. Ubuntu Trusty (14.04)
  2. Ubuntu Utopic (14.10)
  3. Ubuntu Vivid (15.04)

POC:

http://www.exploit-db.com/exploits/36746/

References:

https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1318.html