Security researchers have found a remote code execution vulnerability in Ubuntu's crash reporting tool: an attacker may need nothing more than a malicious file to take over a system. The vulnerability affects all default installations of Ubuntu Linux 12.10 (Quantal) and later versions of the operating system. According to researcher Donncha O'Cearbhaill, the vulnerability allows command execution when a user opens a specially crafted malicious file. It lies in the program that Ubuntu assigns, by default, to handle a particular file format. O'Cearbhaill disclosed the vulnerability privately on 9 November, and a patch followed within 14 days. Full exploit source code is available for download from GitHub (https://github.com/DonnchaC/ubuntu-apport-exploitation).

This article was inspired by Chris Evans' excellent work exploiting client-side file-format parsing bugs in the gstreamer media library. We will be looking at Ubuntu's other default file handlers for vulnerabilities that might be exploitable. I am not a binary exploitation guru like Chris, so I can only look for vulnerabilities that do not require memory corruption.

File and URL handler configuration in Linux desktop environments

Desktop environments such as GNOME and KDE keep a list of known file formats and the default handler for each. When we open a file, the desktop environment first determines the file's format and then launches a compatible application. On Ubuntu, the .desktop files in the /usr/share/applications/ folder store the list of default applications for each file type. For a particular file format (MIME type) we can see which application handles it by default, with the file name passed in as an argument. Many of the applications on the list are frequently used file viewers, such as image viewers, media players, LibreOffice, and Firefox.
Rather than studying these commonly used applications, we will look at the less commonly used default handlers on the list. GNOME opens all files whose MIME type is text/x-apport with the apport-gtk tool. Ubuntu determines a file's MIME type from the MIME descriptions in the /usr/share/mime/ folder. Usually the file extension is used to determine the file type, but when the extension is not recognized, the desktop environment can fall back to matching a set of "magic byte" patterns against the file's contents. In this case the Apport entry has two rules: the .crash file extension and a special magic byte string. The desktop environment tries to match the file extension first, before matching magic bytes. Because Apport's crash file description contains a byte pattern that identifies the format (it specifies which bytes must appear at which offset at the start of the file), it may be possible to build an exploit file even without the .crash extension. A quick experiment showed that Ubuntu opens any file with an unrecognized extension in apport-gtk, as long as the file starts with "ProblemType: ".
Apport looks like a good research target: it is installed by default, and it is the default handler for a file type. Let's see what we can do with Apport.

Auditing Apport

The Apport crash handling software is installed by default on the Ubuntu desktop edition. It consists of several components that capture a crash report, display it to the user, and upload the report to Ubuntu's issue tracking server. The Ubuntu wiki gives an overview of these components. When the system detects that a program has crashed, it invokes the /usr/share/apport/apport program. To keep the impact on system performance to a minimum, Apport records only a minimal set of information at crash time, such as the program's execution path and a copy of the core file. This minimal crash report is stored in /var/crash/[executable_path].[uid].crash. The GNOME "update-notifier" daemon uses inotify to monitor the /var/crash folder. As soon as a new file appears, it invokes /usr/share/apport/apport-checkreports; if that finds a report file, it calls /usr/share/apport/apport-gtk, which displays the crash report to the user in a graphical interface. apport-gtk is also the desktop environment's handler for .crash files: it parses the crash file and shows the user a minimal crash report. Any Ubuntu desktop user is likely familiar with this Apport report dialog.
Apport crash report format

Apport crash reports use a custom file format, which is described on the Apport wiki page. The format has many fields for storing information about the crash and the current system state. In the event of a crash, the minimal crash file stores only the important entries, such as ProblemType, ExecutablePath and CoreDump.

Injecting Python code into the crash file

Apport submits reports for different software to different Ubuntu Launchpad projects (Launchpad is a website, run by Ubuntu's parent company Canonical Ltd., that provides maintenance, support and contact with Ubuntu developers; users can report software bugs through its reporting mechanism). Per-package hook scripts (loaded from the /usr/share/apport/package-hooks/ folder) can customize the contents of the crash report and the destination it is sent to. The target project can also be specified in the report's CrashDB field. CrashDB configurations are stored in /etc/apport/crashdb.conf.d; the CrashDB field in the crash file can be used to load a configuration file from that folder. Note that there is a problem in the code here: some code paths load the CrashDB configuration directly from the CrashDB field rather than from a local file. That is, the CrashDB field may hold not the path to a file but the configuration itself. The code first checks whether the CrashDB field starts with an opening brace ("{"); if it does, the field is treated as a Python dictionary literal and Apport calls Python's built-in eval() to process it. eval() takes the field's contents as its argument and evaluates it as a Python expression, which leads directly to reliable code execution. This vulnerable code was introduced into Apport on 2012-08-22 in revision 2464.
The first Apport release with this vulnerability is version 2.6.1; all Ubuntu 12.10 and later releases contain it.
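The two mechanisms above (the desktop environment's extension-then-magic-bytes handler selection, and an eval()-based CrashDB loader) are shown together in the following added example. It is not code from the original post or from the Apport project: the report parser is a simplified "Key: value" reader, the table of known extensions is a constructed stand-in for the real MIME database, the sample .crash contents are constructed, and the hardened loader is my own illustration of the defensive alternative (accept only a plain data literal, or a configured database name), not the upstream patch.

```python
# Added example, not Apport's own code: handler selection as described in the
# post, a minimal Apport-style report parser, and an eval()-based CrashDB loader
# next to a hardened one.
import ast

# Constructed sample of a minimal .crash file in "Key: value" form. Continuation
# lines of a multi-line value are assumed here to start with a single space.
SAMPLE_REPORT = """\
ProblemType: Crash
ExecutablePath: /usr/bin/example-app
CrashDB: {'impl': 'launchpad', 'project': 'example-app'}
ProcCmdline: /usr/bin/example-app --verbose
StacktraceTop:
 main () at example.c:42
"""

# Constructed CrashDB value: a valid Python expression, but not a data literal.
EXPRESSION_SPEC = "{'impl': 'launch' + 'pad'}"

# Constructed, deliberately tiny stand-in for the extension rules under
# /usr/share/mime/; the real database is far larger.
KNOWN_EXTENSIONS = {'.png': 'image/png', '.txt': 'text/plain',
                    '.crash': 'text/x-apport'}


def would_apport_gtk_open(filename, head):
    """A recognized extension decides the handler; only an unrecognized
    extension falls back to the magic-byte check, which for Apport is a
    leading 'ProblemType: '. `head` is the first bytes of the file."""
    dot = filename.rfind('.')
    ext = filename[dot:].lower() if dot != -1 else ''
    if ext in KNOWN_EXTENSIONS:
        return KNOWN_EXTENSIONS[ext] == 'text/x-apport'
    return head.startswith(b'ProblemType: ')


def parse_report(text):
    """Parse 'Key: value' lines into a dict (simplified view of the format);
    a line beginning with a space continues the previous key's value."""
    fields = {}
    key = None
    for line in text.splitlines():
        if line.startswith(' ') and key is not None:
            fields[key] = (fields[key] + '\n' + line[1:]).strip('\n')
        elif ':' in line:
            key, _, value = line.partition(':')
            fields[key] = value.strip()
    return fields


def load_crashdb_vulnerable(spec):
    """Pre-fix behaviour as the post describes it: a value starting with '{'
    is handed to eval(), so any expression in an untrusted .crash file runs
    with the privileges of the user who opened it."""
    if spec.startswith('{'):
        return eval(spec)  # the vulnerable call
    return {'name': spec}


def load_crashdb_hardened(spec, allowed_names=('ubuntu',)):
    """Hardened loader (illustration only): a '{' value is accepted only if
    ast.literal_eval can parse it as a dict of strings, so no code runs; a
    bare name must match a locally configured database."""
    if spec.startswith('{'):
        try:
            value = ast.literal_eval(spec)
        except (ValueError, SyntaxError, TypeError):
            raise ValueError('CrashDB is not a plain data literal') from None
        if not isinstance(value, dict) or not all(
                isinstance(k, str) and isinstance(v, str)
                for k, v in value.items()):
            raise ValueError('CrashDB literal must map strings to strings')
        return value
    if spec not in allowed_names:
        raise ValueError('unknown CrashDB name: %r' % spec)
    return {'name': spec}


if __name__ == '__main__':
    fields = parse_report(SAMPLE_REPORT)
    print(would_apport_gtk_open('notes.unknown', b'ProblemType: Crash\n'))
    print(load_crashdb_hardened(fields['CrashDB']))
    print(load_crashdb_vulnerable(EXPRESSION_SPEC))  # eval() computed the '+'
    try:
        load_crashdb_hardened(EXPRESSION_SPEC)
    except ValueError as err:
        print('rejected:', err)
```

The contrast to watch is the last two calls: eval() happily computes the string concatenation inside EXPRESSION_SPEC, which is exactly why any expression in an untrusted file becomes code execution, while ast.literal_eval refuses anything that is not a literal. A stricter policy, and the simplest one for a handler that opens files from arbitrary sources, is to ignore a CrashDB value embedded in the file altogether and use only the local configuration under /etc/apport/crashdb.conf.d.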