Donncha O’Cearbhaill, an Irish security researcher, found a remote execution bug in Ubuntu. This security hole, which first appeared in Ubuntu 12.10, makes it possible for malicious code to be injected into your system when you open a booby-trapped file. This can be used to crash your system or run malware. It does not — a small blessing — enable attackers to become the root user.
O’Cearbhaill found that Ubuntu will open any unknown file with Apport if it begins with “ProblemType: “. Apport is Ubuntu’s default crash handler and crash reporting program. So far, so good.
Apport in turn generates a crash file with the unusual “.crash” extension and a magic byte sequence. Magic bytes are the unique sequences meant to identify a file. For example, a PDF document without a PDF extension can still be identified as PDF by its hexadecimal magic byte sequence: “25 50 44 46.”
Magic bytes, of course, can be abused and that’s in part what’s happened here. When Ubuntu is presented with an unknown file it will first try to match its Multipurpose Internet Mail Extensions (MIME) extension. If that fails, it will fallback to matching the magic bytes.
So, an attacker can create a file with the Apport magic bytes indentification. Now you would not nomally open a file with the extension “.crash”, but you might open a file without an extension. If you do, Apport will open it and then displays a minimal crash report prompt. If you elect to “Show Details”, you’ve just opened yourself up for an attack.
That’s because within the bogus Apport crash file, a hacker can use the Apport Crash Report Format to hide a demand to run a Python program listed in the CrashDB field. This command will then be parsed and executed without any further user interaction.
In short, Apport doesn’t properly sanitize the Package and SourcePackage fields in crash files before processing them.
Adding insult to injury, another bug, of the Path Traversal family, enables an attacker to run Python files to cause even more trouble. In practice this means that: “An attacker could serve plant a malicious .py file and a crash file in the users Download directory to get code execution.”
Worse still, if the user has a user ID (UID) of 500 or less, Apport will use Polkit (formerly PolicyKit) to prompt the desktop user for root privileges with a generic “System program problem detected” message. If you do so, congratulations. You’ve just granted the attacker the ability to run commands as root.
The good news is that the problems have been patched. So, now that you’re almost done reading this, patch your system already.
Worst still, as O’Cearbhaill points out, “The computer security industry has a serious conflict of interest right now. There is major financial motivation for researchers to find and disclose vulnerability to exploit brokers. Many of the brokers are in the business of keeping problems unfixed. Code execution bugs are valuable. As a data point, I received an offer of more than 10,000 USD from an exploit vendor for these Apport bugs. These financial motivators are only increasing as software gets more secure and bugs become more difficult to find.”
The answer? Don’t simply hope programmers will work for the common good. Instead, O’Cearbhaill believes companies should support vulnerability reward programs such as The Internet Bug Bounty project.