Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Hacking Ubuntu Linux distro exploiting the CrashDB code injection issue

The exploitation of the CrashDB code injection issue could allow an attacker to remotely execute arbitrary code on machines running Ubuntu Linux distro. New problems for Ubuntu Linux distribution, the security expert Donncha O’Cearbhaill discovered a critical vulnerability that could be exploited by a remote attacker to compromise a target computer using a malicious file. The vulnerability, a […]

Hacking Ubuntu Linux distro exploiting the CrashDB code injection issue

The exploitation of the CrashDB code injection issue could allow an attacker to remotely execute arbitrary code on machines running Ubuntu Linux distro.

New problems for Ubuntu Linux distribution, the security expert Donncha O’Cearbhaill discovered a critical vulnerability that could be exploited by a remote attacker to compromise a target computer using a malicious file.

The vulnerability, a CrashDB code injection flaw, affects the Apport crash reporting tool on Ubuntu and is present in default Ubuntu Linux installations versions 12.10 (Quantal) and later. According to the expert, the vulnerable code was introduced on 2012-08-22 in Apport revision 2464 and was initially included in release 2.6.1.

According to O’Cearbhaill, the CrashDB code injection flaw could allow an attacker to remotely execute arbitrary code on a system running on vulnerable Ubuntu Linux. In order to exploit the flaw, the attacker has to trick the Ubuntu user into opening a maliciously booby-trapped crash file.

Once the victim opens the file it will inject malicious code in Ubuntu crash file handler that parses the code and executes arbitrary Python code.

“Problematically there is also code which loads the CrashDB configuration directly from the CrashDB field and not from a local file. The code first checks if the CrashDB field starts with { indicating the start of a Python dictionary. If found, Apport will call Python’s builtin eval()method with the value of the CrashDB field. eval() executes the passed data as a Python expression which leads to straight forward and reliable Python code execution.” wrote O’Cearbhaill in a blog post.

The researcher also published a proof-of-concept (PoC) exploit code on GitHub and a video PoC of the attack.

“Ubuntu ships the Apport crash handling software with all of its recent Desktop releases. This repo contains an exploit for a bug in the Apport crash report parser which can provide reliable code execution upon opening an Apport crash file. The parsing bug results in Python code injection in the Apport process. Exploiting this issue does not involve any memory corruption and it is extremely reliable.” states O’Cearbhaill.

The researcher has also shared a video demonstration, showing that it is possible to gain control over the targeted Ubuntu box system using this flaw with the help of a malicious file.

In the video the expert opened the Gnome calculator with a simple Apport crash report file.

Below and example of a minimal crash report file which exploits the CrashDB vulnerability in order to gain arbitrary code execution and launch the Gnome calculator:

ProblemType: Bug
ExecutablePath: /usr/bin/file-roller
Stacktrace:
None
CrashDB: {‘impl’: ‘memory’, ‘crash_config’: exec(“””
import subprocess
payload_cmd = “pkill -9 apport; gnome-calculator”
subprocess.Popen(payload_cmd, shell=True)
“””, {}) }

The code could be saved with the .crash extension or with any other extension that’s not registered on Ubuntu.

“Both of these issues were reported to the Apport maintainers and a fix was released on 2016-12-14. The CrashDB code injection issue can be tracked with CVE-2016-9949 and the path traversal bug with CVE-2016-9950. An additional problem where arbitrary commands can be called with the “Relaunch” action is tracked by CVE-2016-9951.” added the expert.

The researcher reported the CrashDB vulnerability to Ubuntu that promptly patched the flaw in Ubuntu. O’Cearbhaill received a $10,000 bounty.

Ubuntu Linux users have to patch their systems asap.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CrashDB vulnerability, Ubuntu)