martin carpenter

contents

most popular
2012/05/05, updated 2012/12/15
Ubuntu unity lens for vim
2010/04/14
ckwtmpx

readable setuid cores in desktop ubuntu

2014/01/24

tags: Ubuntu apport vulnerability CVE-2013-1067

summary

I observed that Desktop Ubuntu writes out core files from setuid programs. This is already bad since sensitive data is often contained in core dumps (see previous post). Worse, the files were written out with weak permissions, readable by the originating user, even though that user might not otherwise have access to data read by a setuid process. Finally, whoopsie/apport automatically ships these files to Canonical (HTTPS) to aid with diagnostics. And it's not as if anyone would use crash reports for anything nefarious, right?

Canonical only agreed to fix the weak file permissions so if you are running Desktop Ubuntu you should follow the recommendations below (or stop running Desktop Ubuntu). If you have ever had a program crash whilst using Desktop Ubuntu and you clicked "OK" to the "Send in a crash report?" pop-up then you should consider that any information that it had access to has been compromised.

The Ubuntu Errors system

When a program run under Ubuntu crashes and attempts to dump core it hits the kernel core pattern parameter. This invokes the apport utility via a "pipe handler" (see kernel docs for suid_dumpable):

kernel.core_pattern = |/usr/share/apport/apport %p %s %c

apport writes to /var/log/apport.log and writes a crash dump under /var/crash. A second package whoopsie acts as an inotify listener on the /var/crash directory and sends the dumps to Canonical's Errors system, errors.ubuntu.com.

Ubuntu wiki entries:

recommendations

root@ubuntu:~# echo 'fs.suid_dumpable = 0' >> /etc/sysctl.conf
root@ubuntu:~# echo 'kernel.core_pattern = core' >> /etc/sysctl.conf
root@ubuntu:~# aptitude purge apport whoopsie \
                 apport-gtk apport-kde \
                 apport-retrace apport-symptoms \
                 dh-apport python-apport

timeline