Comment 5 for bug 1839413

Stéphane Graber (stgraber) wrote : Re: [Bug 1839413] [NEW] TOCTTOU ("time of check to time of use") "cwd" variable race condition

Writing through cwd should be perfectly safe so long as the write is done
through the magiclink itself (/proc/PID/cwd) as that points to the process
cwd regardless of later changes to the mount table.

The problem which needs fixing is that apport is dereferencing that path
and then using the dereferenced path. That bypasses the magiclink and is
therefore susceptible to the attacks you described.

Stéphane

On Sun., Sep. 29, 2019, 4:41 p.m. Launchpad Bug Tracker, <
<email address hidden>> wrote:

> *** This bug is a security vulnerability ***
>
> You have been subscribed to a private security bug by Alex Murray
> (alexmurray):
>
> Author: Sander Bos, <https://www.sbosnet.nl/>
>
> Date: 2019-07-30
>
>
> In data/apport, Apport reads out the current working directory of a
> crashed process in get_pid_info() and puts it into the "cwd" variable:
>
> 83 cwd = os.readlink('/proc/' + pid + '/cwd')
>
> Later, this variable gets used in calls to write_user_coredump() for
> writing the core dump file:
>
> 181 core_path = os.path.join(cwd, 'core')
>
> The time between setting the "cwd" variable and using the variable forms
> a TOCTTOU issue, and can be abused by a user to create a core dump file
> in a different directory than the actual current working directory of
> the crashed process (being Apport's intended destination directory for
> the core dump file). This can for example be abused by replacing (any path
> component of) the directory to which "cwd" points with a FUSE bindfs(1)
> or similar file system mount point, or with a symbolic link to an arbitrary
> (and potentially root-owned) directory.
>
> Moreover, when using FUSE, basically "anything" could be put behind the
> "mount point" leading to various potential exploitation scenarios, e.g.,
> an indefinite sleep() would lead to (some form of) DoS for Apport.
>
> Proposed fix: if possible, use a file descriptor for handling "cwd".
>
> ** Affects: apport
> Importance: High
> Status: New
>
> ** Affects: apport (Ubuntu)
> Importance: High
> Status: New
>
> --
> TOCTTOU ("time of check to time of use") "cwd" variable race condition
> https://bugs.launchpad.net/bugs/1839413
> You received this bug notification because you are subscribed to the bug
> report.
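The two patterns contrasted in this thread, as an added example that is not apport's own code: a path snapshot taken from the cwd link is re-resolved at use time, so whatever sits at that path by then receives the write, while a directory file descriptor opened through /proc/PID/cwd stays pinned to the original directory inode. The function names (open_process_cwd, write_core_via_path, write_core_via_dir_fd, demonstrate_stale_path) and the use of O_EXCL and O_NOFOLLOW for the core file are this example's own choices, not apport's. The demonstration swaps a directory in a temporary tree to stand in for the mount or symlink replacement the report describes.

```python
import os
import tempfile


def open_process_cwd(pid):
    """Open a process's cwd as a directory fd via the /proc magic link.

    The fd refers to the directory itself, so later renames, symlink swaps
    or mounts placed on the textual path cannot redirect writes done
    relative to it. (Stand-in for the proposed fix; not apport's code.)
    """
    return os.open('/proc/%d/cwd' % pid, os.O_RDONLY | os.O_DIRECTORY)


def write_core_via_path(cwd_path, data):
    """Pattern the report flags: join a dereferenced path and open it.

    The kernel resolves cwd_path again here, at use time, not at the
    time the path was read.
    """
    core_path = os.path.join(cwd_path, 'core')
    with open(core_path, 'wb') as f:
        f.write(data)
    return core_path


def write_core_via_dir_fd(dir_fd, data):
    """Hardened pattern: create 'core' relative to the pinned directory fd.

    O_EXCL refuses to clobber an existing 'core'; O_NOFOLLOW refuses a
    symlink planted under that name. Both are this example's choices.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open('core', flags, 0o600, dir_fd=dir_fd)
    with os.fdopen(fd, 'wb') as f:
        f.write(data)
    return os.fstat(os.open('core', os.O_RDONLY, dir_fd=dir_fd)).st_size


def demonstrate_stale_path():
    """Show the check-to-use gap on a constructed temporary tree.

    Returns (path_write_hit_swapped_dir, path_write_hit_original_dir,
             fd_write_hit_original_dir).
    """
    with tempfile.TemporaryDirectory() as top:
        work = os.path.join(top, 'work')
        os.mkdir(work)

        # "Check": snapshot the path (what readlink would give) and, for
        # comparison, pin the same directory as an fd.
        cwd_path = work
        dir_fd = os.open(work, os.O_RDONLY | os.O_DIRECTORY)
        try:
            # Between check and use, the directory at that path is swapped.
            moved = os.path.join(top, 'moved')
            os.rename(work, moved)
            os.mkdir(work)  # something else now lives at the old path

            # "Use" through the stale path lands in the swapped-in directory.
            write_core_via_path(cwd_path, b'constructed core data')
            path_hit_swapped = os.path.exists(os.path.join(work, 'core'))
            path_hit_original = os.path.exists(os.path.join(moved, 'core'))

            # "Use" through the fd still lands in the original directory.
            write_core_via_dir_fd(dir_fd, b'constructed core data')
            fd_hit_original = os.path.exists(os.path.join(moved, 'core'))

            return (path_hit_swapped, path_hit_original, fd_hit_original)
        finally:
            os.close(dir_fd)


if __name__ == '__main__':
    print(demonstrate_stale_path())  # expected: (True, False, True)
```

The fd returned by open_process_cwd can be compared against the directory it is expected to be (os.fstat st_dev/st_ino against os.stat of the known path) before anything is written, which is a cheap sanity check a collector can log when the two disagree.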