Ubuntu Crash Report Tool Allows Remote Code Execution
A security researcher has discovered a critical vulnerability in the Ubuntu Linux operating system that would allow an attacker to remotely compromise a target computer using a malicious file.
The vulnerability affects all default Ubuntu installations, versions 12.10 (Quantal) and later.
Researcher Donncha O’Cearbhaill discovered the security bug, which resides in Apport, the crash reporting tool on Ubuntu.
“The code first checks if the CrashDB field starts with { indicating the start of a Python dictionary,” O’Cearbhaill explains.
“If found, Apport will call Python’s builtin eval() method with the value of the CrashDB field. eval() executes the passed data as a Python expression which leads to straightforward and reliable Python code execution.”
The flawed code was introduced on 2012-08-22 in Apport revision 2464 and was initially included in release 2.6.1.
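The pattern described in the quote, next to a literal-only parser, as an added example: this is not Apport's code, not its patch and not the researcher's PoC. The function names and the sample field values are constructed for illustration.

```python
import ast

# Constructed sample field values (not taken from a real crash report).
PLAIN_DICT = '{"name": "example-db"}'
WITH_CALL = '{"name": "example-db", "n": len("abc")}'  # harmless call


def load_crashdb_field_unsafe(field):
    """The flawed pattern: eval() any field that starts with '{'."""
    if field.startswith("{"):
        # The file's author controls this text, so the file's author
        # decides which Python expression runs here.
        return eval(field)
    return field  # otherwise treated as a plain name


def load_crashdb_field_safe(field):
    """Hardened variant (an assumption): accept Python literals only."""
    if not field.startswith("{"):
        return field
    try:
        # literal_eval builds strings, numbers, tuples, lists, dicts and
        # sets; it rejects names, calls and attribute access.
        spec = ast.literal_eval(field)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError("CrashDB field is not a plain literal") from exc
    if not isinstance(spec, dict):  # '{1, 2}' is a set, not a dict
        raise ValueError("CrashDB field must be a dictionary")
    return spec


if __name__ == "__main__":
    for value in (PLAIN_DICT, WITH_CALL):
        print("unsafe:", load_crashdb_field_unsafe(value))
        try:
            print("safe:  ", load_crashdb_field_safe(value))
        except ValueError as err:
            print("safe:   rejected:", err)
```

With the unsafe loader the `len()` call inside the field is executed while the file is being parsed; the literal-only loader rejects the same field before anything runs.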
O’Cearbhaill has published a copy of his proof-of-concept (PoC) source code on GitHub.
Ubuntu Video Demonstration of the CrashDB Code Injection Attack
The researcher has also shared a video demonstration, showing that it is possible to gain control over the targeted Ubuntu system using this flaw with the help of a malicious file.
O’Cearbhaill launched Gnome calculator with a simple Apport crash report file and explained that the code could be saved with the .crash extension or with any other extension that’s not registered on Ubuntu.
The researcher reported the crash reporting app bug (listed as CVE-2016-9949, with a related path traversal bug listed as CVE-2016-9950) to the Ubuntu team. The good news is that the team already patched the flaw in Ubuntu on December 14, with O’Cearbhaill receiving a $10,000 bounty.
Users and administrators of Ubuntu Linux desktops are strongly advised to patch their systems as soon as possible via the usual update mechanism.
Referenced and Published By The Hackers News (THN)