2014/01/24
tags: Ubuntu apport vulnerability CVE-2013-1067
I observed that Desktop Ubuntu writes out core files from setuid programs. This is already bad since sensitive data is often contained in core dumps (see previous post). Worse, the files were written out with weak permissions, readable by the originating user, even though that user might not otherwise have access to data read by a setuid process. Finally, whoopsie/apport automatically ships these files to Canonical (HTTPS) to aid with diagnostics. And it's not as if anyone would use crash reports for anything nefarious, right?
Canonical only agreed to fix the weak file permissions so if you are running Desktop Ubuntu you should follow the recommendations below (or stop running Desktop Ubuntu). If you have ever had a program crash whilst using Desktop Ubuntu and you clicked "OK" to the "Send in a crash report?" pop-up then you should consider that any information that it had access to has been compromised.
When a program run under Ubuntu crashes and attempts to dump core, it hits the kernel core_pattern parameter. Ubuntu sets this to invoke the apport utility via a "pipe handler" (see the kernel docs for suid_dumpable):
    kernel.core_pattern = |/usr/share/apport/apport %p %s %c
apport writes to /var/log/apport.log and writes a crash dump under /var/crash.
A second package, whoopsie, acts as an inotify listener on the /var/crash directory and sends the dumps to Canonical's Errors system, errors.ubuntu.com.
Ubuntu wiki entries:
Add the following to /etc/sysctl.conf or one of the files in /etc/sysctl.d (see /etc/sysctl.d/README):
    root@ubuntu:~# echo 'fs.suid_dumpable = 0' >> /etc/sysctl.conf
    root@ubuntu:~# echo 'kernel.core_pattern = core' >> /etc/sysctl.conf
Purge apport and whoopsie:
    root@ubuntu:~# aptitude purge apport whoopsie \
        apport-gtk apport-kde \
        apport-retrace apport-symptoms \
        dh-apport python-apport
If you keep apport, then apply the update from the USN (or better: enable automatic package updates).
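An added audit script (not code from the original post or from Ubuntu) that classifies the two kernel settings discussed above; classify_core_config is a pure function over constructed input, and audit_live_system feeds it the real values from /proc/sys on the machine being checked. The function and verdict strings are my own.

```shell
#!/bin/sh
# Added example: audit fs.suid_dumpable and kernel.core_pattern for the
# setuid core dump exposure described in the post. Not part of the post.

# classify_core_config SUID_DUMPABLE CORE_PATTERN
# Prints a verdict. Returns 0 when setuid processes cannot leave a core that
# an ordinary user or a pipe handler such as apport can read, 1 otherwise.
classify_core_config() {
    _sd=$1
    _cp=$2
    case "$_sd" in
        0)
            # The post's recommended setting: setuid processes never dump.
            echo "OK: suid_dumpable=0, setuid processes do not dump core"
            return 0 ;;
        1)
            # "debug" mode: setuid cores are written like any other core, owned
            # by the originating user, whatever core_pattern says.
            echo "UNSAFE: suid_dumpable=1, setuid cores dumped with user ownership"
            return 1 ;;
        2)
            case "$_cp" in
                '|'*apport*)
                    # Ubuntu's default: the kernel hands setuid cores to apport,
                    # which wrote them user-readable and whoopsie then uploaded.
                    echo "UNSAFE: suid_dumpable=2 with apport pipe handler: $_cp"
                    return 1 ;;
                '|'*)
                    # Another pipe handler decides what happens to the dump.
                    echo "REVIEW: suid_dumpable=2, setuid cores go to handler: $_cp"
                    return 1 ;;
                *)
                    # No handler: the kernel only dumps setuid cores to an absolute
                    # path, readable by root alone.
                    echo "OK: suid_dumpable=2 without a pipe handler (pattern: $_cp)"
                    return 0 ;;
            esac ;;
        *)
            echo "UNKNOWN: unexpected suid_dumpable value '$_sd'"
            return 1 ;;
    esac
}

# Classify the live values (Linux only); exit status follows the verdict.
audit_live_system() {
    classify_core_config "$(cat /proc/sys/fs/suid_dumpable)" \
                         "$(cat /proc/sys/kernel/core_pattern)"
}
```

Run audit_live_system before and after applying the sysctl change above to confirm it took effect (a reboot or sysctl reload is needed for /etc/sysctl.conf edits to show up in /proc/sys).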