Reliably Exploiting Apport in Ubuntu

[Donncha O’Cearbhaill] has successfully exploited two flaws in Apport, the crash report mechanism in Ubuntu. Apport is installed by default in all Ubuntu Desktop installations >= 12.10 (Quantal). Inspired by [Chris Evan] work on exploiting 6502 processor opcodes on the NES, [Donncha] describes the whole process of finding and exploiting a 0-day on a modern linux system.

One of the flaws, tracked as CVE-2016-9949, relies on a python code injection in the crash file. Apport blindly uses the python eval() function on an unsanitized field (CrashDB) inside the .crash file. This leads directly to arbitrary python code execution. The other flaw, tracked as CVE-2016-9950, takes advantage of a path traversal attack and the execution of arbitrary Python scripts outside the system hook_dirs. The problem arises when another field (Package) from the crash report file is used without sanitizing when building a path to the package hook files.

CVE-2016-9949 is easily exploitable, if an attacker can trick a user into opening a specially crafted file (apport .crash file), the attacker can execute the python code of his/her choice. Two details make it a very interesting exploit.

The first thing to note is the exploit’s reliability. Given that it is pure python code execution, an attacker doesn’t have to worry about ASLR, Non-Exec Memory, Stack Canaries and other security features that Ubuntu ships by default. As the author notes:

“There are lots of bugs out there which don’t need hardcore memory corruption exploitation skills. Logic bugs can be much more reliable than any ROP chain.”

Another interesting detail is that the exploit file doesn’t need to have the .crash extension, as long as its content starts with the string “ProblemType: ” and the file extension is not associated already with other software, Ubuntu considers it being of mime-type type=”text/x-apport” (for example, .ZlP or .0DF). This significantly improves the chances of an unsuspecting user being fooled into open the file.

[via HackerNews]

17 thoughts on “Reliably Exploiting Apport in Ubuntu

    1. Why, coders are not taught any security practices. Coders (and anyone else) can’t be expected to test their code reliably. Human nature means we are bad at checking what we do.

      The systems and processes are at fault for not finding this.

  1. Between this and shellshock and good old-fashioned SQL injection I’ve been noticing a general pattern that any tool that can process it’s own commands at runtime is a whole trojan horse of additional unnecessary capability. There should be standard accepted ways to send these things data that’s considered forever only data rather than use text manipulation to build scripts on the fly. JDBC does this for SQL via PreparedStatements everything else should do something similar as a best practice.

  2. “if an attacker can trick a user into opening a specially crafted file” is not an exploit. It is user stupidity. If I send you a bash script, and you run it, there is nothing wrong with bash.

    1. The exploit is not getting them to open it….the exploit doesn’t execute until the file has been opened/loaded.

      An exploit is taking advantage of a flaw in the system to accomplish some goal.

      1. Granted the user should check the contents of the file (in this case….verify that it is a zip file) before loading it.

        $ file Zip archive data, at least v1.0 to extract

        It also might be useful to secure the system by not allowing the system to open files based on their content or mime-type.
        In fact it would probably be better to force users to manually open the files directly with the application (in the case of a zip file: open them directly through the archive program)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s