A remote code execution bug has been patched in Apport, the crash reporting tool installed by default with Ubuntu Desktop; it affects all default installations of Ubuntu Desktop 12.10 (Quantal) and later.
According to researcher Donncha O’Cearbhaill, the bug allows code injection when a user opens a specially crafted malicious file. The flaw is tied to the desktop’s default file handling, which determines what program opens which file format. O’Cearbhaill privately disclosed the vulnerability on Dec. 9 and a patch was made available Wednesday.
“Ubuntu stores a set of .desktop files for its default applications in the /usr/share/applications/ directory,” O’Cearbhaill wrote in a post explaining his research. “Typically the file extension will be used to determine the file type, however the desktop environment can fall back to matching a pattern (a set of magic bytes) in the file if the file extension is unrecognized.”
O’Cearbhaill said that when the desktop’s file handler hands a crash file to Apport, the operating system’s default crash handler and reporting tool, Apport processes the file’s contents in a way that exposes the system to code execution.
“In the case of Apport both a file extension .crash and a magic byte sequence are specified,” he said. “The desktop environment will try to match the file extension first before comparing magic bytes.”
Under those conditions, he said, an attacker can craft an exploitable file either as a .crash file or as a file with an unrecognized extension whose contents match Apport’s magic bytes. When the user opens such a file, Apport parses it as a crash report and displays a pop-up telling the user a crash occurred, with the option to “show details.” An attacker who can plant a malicious .crash file or .pyfile on the system can therefore trigger the vulnerability.
“The Apport software reads and writes crash reports in its custom crash report format (plaintext),” he wrote. Because the format is plaintext, an attacker who plants a report controls every field in it, including the fields that decide how the report is processed and where it is sent.
According to the research, package-specific hook scripts (loaded from /usr/share/apport/package-hooks/) can customize the contents and destination of crash reports. One of the report fields is CrashDB, which names the crash database a report is submitted to; Apport uses that name to select which crash database configuration file to load.
“Problematically there is also code which loads the CrashDB configuration directly from the CrashDB field and not from a local file,” O’Cearbhaill writes. “The code first checks if the CrashDB field starts with { indicating the start of a Python dictionary. If found, Apport will call Python’s builtin eval() method with the value of the CrashDB field. eval() executes the passed data as a Python expression which leads to straightforward and reliable Python code execution.”
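The CrashDB code path is easier to reason about in code. The following Python is an added example written for this article; it is neither Apport’s code nor O’Cearbhaill’s proof of concept. It parses a constructed crash report in the plaintext Key: value format, reproduces the eval() pattern the quote above describes, and sets a hardened loader beside it that uses ast.literal_eval and a hypothetical allowlist of crash database names. The sample report, the simplified parser and the allowlist are all assumptions of the example, not details taken from the advisory or from the actual patch.

```python
import ast
import os

# Constructed sample crash report in Apport's plaintext "Key: value" format
# (illustrative only, not a report captured from a real system).
# Continuation lines of a multi-line value start with a single space.
# The CrashDB value is a dict literal that also contains a call expression,
# which is exactly what the eval() path described in the article would run.
MALICIOUS_REPORT = """\
ProblemType: Crash
ExecutablePath: /usr/bin/example
Package: example 1.0
CrashDB: {'impl': 'memory', 'pid': __import__('os').getpid()}
Traceback:
 Traceback (most recent call last):
   File "/usr/bin/example", line 1, in <module>
 RuntimeError: boom
"""


def parse_report(text):
    """Parse Apport-style 'Key: value' text into a dict.

    Simplified reimplementation for illustration, not Apport's own parser:
    a line beginning with a space continues the previous field's value.
    """
    fields = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            cont = line[1:]
            fields[key] = cont if not fields[key] else fields[key] + "\n" + cont
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        elif line.strip():
            raise ValueError("malformed report line: %r" % line)
    return fields


def load_crashdb_vulnerable(fields):
    """The pattern the article describes: an inline dict in the CrashDB
    field is handed to eval(), so any expression inside it executes."""
    crashdb = fields.get("CrashDB", "")
    if crashdb.startswith("{"):
        return eval(crashdb)  # attacker-controlled code runs here
    return {"impl": crashdb}


def load_crashdb_hardened(fields, known_dbs=("ubuntu", "memory")):
    """Hardened replacement (added here; not Apport's actual fix).

    ast.literal_eval accepts only Python literals, so a call such as
    __import__('os').getpid() raises ValueError instead of executing.
    The result is then checked to be a dict with string keys, and the
    backend name is matched against a hypothetical allowlist.
    """
    crashdb = fields.get("CrashDB", "")
    if crashdb.startswith("{"):
        try:
            conf = ast.literal_eval(crashdb)
        except (ValueError, SyntaxError) as exc:
            raise ValueError("CrashDB is not a literal dict: %s" % exc)
        if not isinstance(conf, dict) or not all(
            isinstance(k, str) for k in conf
        ):
            raise ValueError("CrashDB must be a dict with string keys")
    else:
        conf = {"impl": crashdb}
    if conf.get("impl") not in known_dbs:
        raise ValueError("unknown crash database %r" % conf.get("impl"))
    return conf


def demo(text=MALICIOUS_REPORT):
    """Run the planted report through both loaders and summarise the outcome."""
    fields = parse_report(text)
    vulnerable = load_crashdb_vulnerable(fields)
    try:
        load_crashdb_hardened(fields)
        hardened = "accepted"
    except ValueError as exc:
        hardened = "rejected: %s" % exc
    return {
        # True when the __import__('os').getpid() call in the report ran
        "code_ran": vulnerable.get("pid") == os.getpid(),
        "hardened": hardened,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the report’s `__import__('os').getpid()` expression executing under the vulnerable loader while the hardened loader rejects the same field. The general lesson is that eval() is never an acceptable parser for data read from a file an attacker can write; a literal-only parser plus validation of the resulting structure is the minimum, and treating CrashDB purely as a name looked up in a fixed set of configurations is safer still.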
Simply put, O’Cearbhaill said, an attacker could plant a malicious .pyfile and a crash file in the user’s Downloads directory to get code execution. “This scenario is made much easier by Chromium which automatically downloads files without prompting.”
In one example, O’Cearbhaill demonstrated in a video how a crafted crash report file exploits the CrashDB flaw to gain arbitrary code execution, launching the GNOME calculator.
In his report O’Cearbhaill outlines in detail the precise conditions that must be met to take advantage of the code injection bug. In a nutshell, he said, the bug allows a low-privileged application to cross privilege boundaries. “For example a SQL injection bug could be used to write a crash file to the world-writable /var/crash directory by using the “INTO OUTFILE” clause. This crash file would then be automatically executed when a desktop user logs in,” he wrote.
According to the researcher the vulnerable version of Apport was introduced in August 2012 and first released in version 2.6.1. “All Ubuntu Desktop versions 12.10 (Quantal) and later include this vulnerable code by default,” according to the report.
Ultimately, the research points to two documented bugs in Apport, CVE-2016-9949 (the CrashDB eval issue) and CVE-2016-9950 (a traversal bug), both addressed by this week’s fix.