Hacking Ubuntu Linux distro exploiting the CrashDB code injection issue

The exploitation of the CrashDB code injection issue could allow an attacker to remotely execute arbitrary code on machines running Ubuntu Linux distro.

New problems for Ubuntu Linux distribution, the security expert Donncha O’Cearbhaill discovered a critical vulnerability that could be exploited by a remote attacker to compromise a target computer using a malicious file.

The vulnerability, a CrashDB code injection flaw, affects the Apport crash reporting tool on Ubuntu and is present in default Ubuntu Linux installations versions 12.10 (Quantal) and later. According to the expert, the vulnerable code was introduced on 2012-08-22 in Apport revision 2464 and was initially included in release 2.6.1.

According to O’Cearbhaill, the CrashDB code injection flaw could allow an attacker to remotely execute arbitrary code on a system running on vulnerable Ubuntu Linux. In order to exploit the flaw, the attacker has to trick the Ubuntu user into opening a maliciously booby-trapped crash file.

Once the victim opens the file it will inject malicious code in Ubuntu crash file handler that parses the code and executes arbitrary Python code.

“Problematically there is also code which loads the CrashDB configuration directly from the CrashDB field and not from a local file. The code first checks if the CrashDB field starts with { indicating the start of a Python dictionary. If found, Apport will call Python’s builtin eval()method with the value of the CrashDB field. eval() executes the passed data as a Python expression which leads to straight forward and reliable Python code execution.” wrote O’Cearbhaill in a blog post.

The researcher also published a proof-of-concept (PoC) exploit code on GitHub and a video PoC of the attack.

“Ubuntu ships the Apport crash handling software with all of its recent Desktop releases. This repo contains an exploit for a bug in the Apport crash report parser which can provide reliable code execution upon opening an Apport crash file. The parsing bug results in Python code injection in the Apport process. Exploiting this issue does not involve any memory corruption and it is extremely reliable.” states O’Cearbhaill.

The researcher has also shared a video demonstration, showing that it is possible to gain control over the targeted Ubuntu box system using this flaw with the help of a malicious file.

In the video the expert opened the Gnome calculator with a simple Apport crash report file.

Below and example of a minimal crash report file which exploits the CrashDB vulnerability in order to gain arbitrary code execution and launch the Gnome calculator:

ProblemType: Bug
	ExecutablePath: /usr/bin/file-roller
	Stacktrace:
	None
	CrashDB: {‘impl’: ‘memory’, ‘crash_config’: exec(“””
	import subprocess
	payload_cmd = “pkill -9 apport; gnome-calculator”
	subprocess.Popen(payload_cmd, shell=True)
	“””, {}) }

The code could be saved with the .crash extension or with any other extension that’s not registered on Ubuntu.

“Both of these issues were reported to the Apport maintainers and a fix was released on 2016-12-14. The CrashDB code injection issue can be tracked with CVE-2016-9949 and the path traversal bug with CVE-2016-9950. An additional problem where arbitrary commands can be called with the “Relaunch” action is tracked by CVE-2016-9951.” added the expert.

The researcher reported the CrashDB vulnerability to Ubuntu that promptly patched the flaw in Ubuntu. O’Cearbhaill received a $10,000 bounty.

Ubuntu Linux users have to patch their systems asap.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CrashDB vulnerability, Ubuntu)