Apport hook may expose sensitive information

OVERVIEW
--------

Author: Sander Bos
Author's e-mail address: sbos _at_ sbosnet _dot_ nl
Author's website: <https://www.sbosnet.nl/>
CVE identifier: requested
Date: 2019-04-19
Report version: 2

SUMMARY
-------

The Ubuntu "byobu" package contains a security vulnerability which may
lead to disclosure of private as well as sensitive information in case
a bug or crash report file gets created by the user or in case the
application crashes, with this report file then being uploaded to an
external crash report database, all through the Ubuntu "Apport" crash
report framework.

The vulnerability is specific to the Ubuntu (and Debian) byobu package
(and potentially derivate OS packages, for example Linux Mint), and not
present in the upstream application itself (although it is in fact part
of the upstream source code repository).

DESCRIPTION
-----------

"Byobu" [1, 2] is a text-based window manager, terminal multiplexer,
and integrated DevOps environment which can act as an enhancement to
the GNU Screen and tmux applications. It was initially developed for
Ubuntu, and is nowadays available in many GNU/Linux distributions as
well as macOS and some BSD operating systems.

The Ubuntu "byobu" package adds a file "debian/source_byobu.py" [3] to
the program. This file acts as a so-called "package hook" for the Ubuntu
"Apport" crash report framework [4]. When a Byobu process crashes,
or when the user manually creates a bug report file for the program,
a local crash or bug report file gets created. This report file may be
amended with additional information, as defined by the package hook file.
The resulting report file may then be uploaded to an external bug report
database like Launchpad [5] or the Ubuntu Error Tracker [6].

The vulnerability lies in the fact that the debian/source_byobu.py package
hook file includes the user's ~/.screenrc file (line numbers prepended):

 10 def add_info(report):
    [...]
 13 attach_file_if_exists(report, path.expanduser('~/.screenrc'), 'ScreenRC')

This file however is a user's private dot file, which should therefore
probably not be attached to the report at all to begin with. Specifically
though the file may contain actual sensitive information, including but
not limited to passwords, user names, and host names.

Thus, private and / or sensitive user information may end up in external
bug databases and (potentially public) bug reports. This applies
specifically in case the system on which the application crashed is
configured to automatically upload Apport crash reports without asking
the user's permission or requiring any user intervention at all.

The vulnerability is specific to the Ubuntu (and Debian) byobu package
(and potentially derivate OS packages, for example Linux Mint), and not
present in the upstream application itself.

VULNERABILITY IMPACT
--------------------

The general vulnerability impact type of this vulnerability is disclosure
of sensitive information potentially including but not limited to
passwords, user names, and host names.

The leakage of such sensitive information from the ~/.screenrc file is
the core of this security vulnerability. However, even when the file
does not (or would never) include sensitive information like passwords,
sending out a user dot file like ~/.screenrc could still be considered
a privacy infringement on itself.

The following are examples of GNU Screen commands which may be included
in ~/.screenrc files [7] and contain sensitive (or at least private)
information (this list should not be considered exhaustive):

- "password" (may contain passwords);
- "su" (may include user names and passwords);
- all "*acl*" options and "umask" (involve ACLs, contain user names,
  and may contain passwords);
- "screen" (may contain host name and connection information regarding
  TELNET connections to, for example, (administrative interfaces of)
  internal-only hosts on an internal network);
- "at", "command", "eval", "exec", "shell", "source", and other commands
  concerned with to be executed (shell) commands.

Even though Byobu can be used on many different GNU/Linux distributions
and other operating systems, the vulnerability only applies to the Ubuntu
and Debian packages (and potentially derivative package versions, for
example Linux Mint). In addition, for the vulnerability to be exploitable
the system needs to have the Apport framework installed and enabled.
This is the case by default on Ubuntu, and may be the case on at least
SUSE based systems as well as the Debian "experimental" distribution.

As additional requirement factors Byobu needs to crash for the
vulnerability to occur (or the user needs to manually create a bug
report), and the crash report needs to be uploaded to an external bug
database, either manually by the user or automatically by the Apport
framework. A crash could happen as a result of regular application usage,
but it may also be maliciously caused by a (local or remote) attacker
by means of additional exploitative factors (e.g., Byobu application or
terminal related bugs). If the connection to the external bug databases
is unencrypted, the information may also leak by means of captured
network traffic.

PROOF OF CONCEPT (PoC)
----------------------

The following example demonstrates the vulnerability on a default
installation of Ubuntu Server 16.04 LTS, showing the contents of the
user's ~/.screenrc file being included in the bug report file:

   $ echo "secret" > ~/.screenrc
   $ apport-cli --save /tmp/reportfile /usr/bin/byobu

   *** Collecting problem information

   The collected information can be sent to the developers to improve the
   application. This might take a few minutes.
   [...]
   $ grep "ScreenRC" /tmp/reportfile
   ScreenRC: secret

The above example manually creates a bug report file by directly calling
apport-cli(1) [8] on the Byobu binary. The bug report file may then get
uploaded to a remote bug reporting database, making the contents of the
~/.screenrc file end up in a (potentially public) bug report.

As an alternative PoC example an actual crash report could be generated
by manually crashing a Byobu process (using for example "kill -11")
and then running apport-cli(1) on the, initially limited, crash report
file in /var/crash/. The end result would however be equal.

VULNERABLE UBUNTU RELEASES / PACKAGE VERSIONS
---------------------------------------------

The vulnerability was introduced in the upstream Byobu source code
repository on 2009-07-09 as part of adding the Apport package hook file,
in Bazaar revision 648 [9].

The first Ubuntu package version containing the vulnerability was
2.20-0ubuntu1, released 2009-07-12 [10]. Assumably all Ubuntu and Debian
package versions from that version on have been vulnerable.

Currently, the following supported Ubuntu versions with their respective
byobu package versions are vulnerable [11]:

Ubuntu 19.04: 5.127-0ubuntu1
Ubuntu 18.10: 5.127-0ubuntu1
Ubuntu 18.04 LTS: 5.125-0ubuntu1
Ubuntu 16.04 LTS: 5.106-0ubuntu1
Ubuntu 14.04 LTS: 5.77-0ubuntu1.2
Ubuntu 12.04 ESM: 5.17-0ubuntu1

(Note: the package version listed for Ubuntu 12.04 ESM is actually the
version from Ubuntu 12.04 LTS; an unchecked assumption is made here that
the version in Ubuntu 12.04 ESM did not change after Ubuntu 12.04 LTS
transitioned to Ubuntu 12.04 ESM.)

It should be noted that the byobu package gets installed by default in
the Ubuntu Server editions of several Ubuntu releases.

Byobu is also available on many other GNU/Linux distributions as well as
macOS and some BSD systems, but the Apport hook will only get executed
on systems which have Apport installed and running. Aside from Ubuntu,
this might include SUSE based systems as well as the Debian "experimental"
distribution.

PROPOSED FIXES / WORKAROUNDS
----------------------------

An immediate workaround for Ubuntu users and administrators would be
to remove the byobu package Apport package hook file from the system,
being /usr/share/apport/package-hooks/source_byobu.py.

As a proposed source code / package fix, the byobu package Apport
hook should not include the complete user's ~/.screenrc file, but at
least filter out all sensitive information that the file may contain.
This includes for example the "password" option line and other commands
mentioned in the "VULNERABILITY IMPACT" section above.

As this may not be sufficient and still include information which should
not be sent out, a better approach might be to use a whitelist of lines
to include instead of a filter of lines to exclude.

Aside from actual sensitive information contained in the user's
~/.screenrc file however, which could be considered the core vulnerability
of this report, the file simply is a user's private dot file which
should probably not be uploaded to remote sites by Apport hooks at all.
This applies specifically since uploading of Apport reports could even
happen without the user's consent or even knowledge, for example when
automatic crash report uploads are configured on the system.

It should also be (re)considered whether or not any contents from a
~/.screenrc file could be responsible for a Byobu application crash to
begin with, or why this information would be helpful to developers in
resolving a crash (or allowed to be known by developers via this route
at all).

Thus, probably the safest and best solution would be to not include the
~/.screenrc file in crash reports at all.

If filtering out specific contents or using a while list approach while
still including the ~/.screenrc file on itself in reports is chosen as a
fix instead of not including the file at all, then an additional measure
of explicitly asking the user whether or not to include the file should
be implemented. This may be done by for example using the "ui.yesno()"
interactive user interface function from Apport [12] as also implemented
in Apport package hooks from several other packages, for example the
Apport package hook from the Ubuntu "openssh-client" package [13].

In addition, and generally speaking, Apport hooks from packages should
probably never attach private files from users (either dot files or
differently named files, either from user's home directories or other
private directories) since / in case this poses a (potential) privacy
infringement. At the least, such package hooks should always ask the
user's explicit permission. It should also always be investigated if
any potential security impact is involved, for example by potentially
including passwords or other sensitive information.

REPORT REVISION HISTORY
-----------------------

2019-04-10: Version 1: initial version sent to Ubuntu Security Team.
2019-04-19: Version 2: added Ubuntu 19.04 to vulnerable Ubuntu versions list,
                       added workaround information, added "ui.yesno()"
                       information to fix proposal, various minor improvements.

REFERENCES
----------

[1] <https://byobu.org/>
[2] <https://launchpad.net/byobu/>
[3] <https://bazaar.launchpad.net/~kirkland/byobu/trunk/view/head:/debian/source_byobu.py>
[4] <https://wiki.ubuntu.com/Apport#Per-package_Apport_Hooks>
[5] <https://bugs.launchpad.net/>
[6] <https://wiki.ubuntu.com/ErrorTracker>
[7] <https://www.gnu.org/software/screen/manual/screen.html>
[8] <https://manpages.ubuntu.com/manpages/xenial/en/man1/apport-cli.1.html>
[9] <https://bazaar.launchpad.net/~kirkland/byobu/trunk/revision/648>
[10] <https://bazaar.launchpad.net/~kirkland/byobu/trunk/view/head:/debian/changelog>
[11] <https://packages.ubuntu.com/search?keywords=byobu>
[12] <https://bazaar.launchpad.net/~apport-hackers/apport/trunk/view/head:/apport/ui.py>
[13] <https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/openssh-client.apport>

CREDIT
------

Sander Bos discovered, analysed, and reported the vulnerabilities
described in this report. Credits are welcomed in documentation
relating to these vulnerabilities including revision control system
commit messages, patches, release notes, and security advisories.