A security researcher has discovered a vulnerability in Ubuntu’s
crash reporter that would allow remote code execution, making it possible for
an attacker to compromise a system using just a malicious file.
Donncha O'Cearbhaill writes that the security
bug resides in the Apport crash reporting tool on Ubuntu, which can be tricked
into opening a malicious crash file that includes Python code executed on
launch.
“The vulnerable code was introduce on
2012-08-22 in Apport revision 2464. This code was first included in release
2.6.1. All Ubuntu Desktop versions 12.10 (Quantal) and later include this
vulnerable code by default,” the researcher notes.
A proof-of-concept shows that it’s possible
to compromise a system using this vulnerability with the help of a malicious
file, which allows for arbitrary code execution when clicked. In the demo, the
researcher launched Gnome calculator with a simple crash report file,
explaining that the code can be saved with the .crash extension or any other
extension that is not registered on Ubuntu.
“Apport typically reads a subset of the
fields in the crash file in order to prepare the GUI which prompts the user to
submit a bug report. The CrashDB field is not parsed and executed until after
the user agrees to submit the bug report. However when ProblemType: Bug is set
in the crash file, Apport-GTK will switch to the streamlined Bug GUI which
causes the CrashDB field to be parsed and executed without any further user
interaction,” he explains.
Flaw already patched
The good thing is that the flaw has already
been patched in Ubuntu on December 14, and the CrashDB code injection issue is
listed as CVE-2016-9949 and the path traversal bug is CVE-2016-9950.
O'Cearbhaill ends his research note with an
advice for security researchers to audit free and open-source software because
vulnerabilities like this can still exist, allowing attackers to take control
of unpatched systems.
He notes that researchers are often
approached to sell the vulnerabilities they find, and only in this case, he was
offered $10,000 to provide all the details of the crash reporting app bug.
O'Cearbhaill emphasizes that companies need to offer bigger incentives to
researchers for their work, explaining that Google and Microsoft are going in
the right direction with their bug bounty programs.
Donncha O'Cearbhaill Said
I would encourage all security researchers to audit free and open source software if they have time on their hands. Projects such as Tor, Tails, Debian and Ubuntu all need more eyes for audits which can improve the safety of the internet for everyone. There are lots of bugs out there which don’t need hardcore memory corruption exploitation skills. Logic bugs can be much more reliable than any ROP chain.
Follow Link to watch the video Demonstration :