viewing an apport-cli crash with default pager could escalate privilege (CVE-2023-1326)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apport | Fix Released | Critical | Unassigned | |
| apport (Ubuntu) | Fix Released | Critical | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
| Kinetic | Fix Released | Undecided | Unassigned | |
Bug Description
# Description
The apport-cli supports viewing a crash. This feature invokes the default pager, which is likely to be less; other functions may apply.
It can be used to break out from restricted environments by spawning an interactive system shell. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate, or maintain privileged access.
CVE-2023-1326 has been reserved for it.
# PoC
```
$ sudo apport-cli -c xxx.crash
!id
uid=0(root) gid=0(root) groups=0(root)
!done (press RETURN)
```
# Explanations
It's a feature, not a bug/vulnerability? It's an unexpected command execution behaviour when users just want to view some information.
It's the PAGER's duty to fix the bug? As you can see in the section "Fix Suggestion", there are examples of how other applications fixed the bug.
# Fix Suggestion
There are several types of solutions and examples.
* Use the LESSSECURE environment variable
* or do not use PAGER under root/sudo
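As an added example (not apport's own code, and not part of the original report), the following Python applies both suggestions in one place: the hypothetical `pager_plan` refuses to launch any pager when the caller is root or was elevated through sudo, and sets `LESSSECURE=1` when the pager is less, so that `!` and `|` escapes are unavailable; `show_report` is a hypothetical wrapper that falls back to plain stdout.

```python
import os
import shlex
import subprocess
import sys


def pager_plan(pager_env, euid, sudo_user):
    """Decide how a report viewer should display text.

    Hypothetical helper written for this example, not apport's own code.
    Returns None when the text must go straight to stdout, otherwise a pair
    (argv, extra_env) for launching the pager. Applies both suggestions from
    the report: never hand a pager to a privileged user, and run less with
    LESSSECURE=1 so its '!' and '|' shell escapes are disabled.
    """
    # Root, or a user elevated through sudo: a pager escape would be a root shell.
    if euid == 0 or sudo_user:
        return None
    argv = shlex.split(pager_env or "less")
    if not argv:
        return None
    extra_env = {}
    if os.path.basename(argv[0]) == "less":
        # LESSSECURE=1 puts less in "secure" mode: no shell commands, no pipes,
        # no editing, no log files.
        extra_env["LESSSECURE"] = "1"
    return argv, extra_env


def show_report(text):
    """Display report text, consulting PAGER, the effective uid and SUDO_USER."""
    plan = pager_plan(os.environ.get("PAGER"), os.geteuid(), os.environ.get("SUDO_USER"))
    if plan is None:
        sys.stdout.write(text)
        return "stdout"
    argv, extra_env = plan
    env = dict(os.environ, **extra_env)
    try:
        subprocess.run(argv, input=text, text=True, env=env, check=False)
    except OSError:
        # Pager missing or not executable: degrade to plain output.
        sys.stdout.write(text)
        return "stdout"
    return argv[0]


if __name__ == "__main__":
    # Constructed sample report, standing in for the contents of a .crash file.
    show_report("ProblemType: Crash\nExecutablePath: /usr/bin/example\n")
```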
# Reference
* https:/
* https:/
Activity log:
* Changed in apport: milestone none → 2.26.1; importance Undecided → Critical
* Changed in apport (Ubuntu): importance Undecided → Critical
* Changed in apport: status New → In Progress
* Summary changed: "CVE-2023-1326" → "viewing an apport-cli crash with default pager could escalate privilege (CVE-2023-1326)"
* Changed in apport: status In Progress → Fix Released
* Changed in apport (Ubuntu): status In Progress → Fix Committed
* Changed in apport (Ubuntu Bionic): status Fix Released → Fix Committed
* Changed in apport (Ubuntu Focal): status Fix Released → Fix Committed
* Changed in apport (Ubuntu Jammy): status Fix Released → Fix Committed
* Changed in apport (Ubuntu Kinetic): status Fix Released → Fix Committed
* Changed in apport (Ubuntu Bionic): status Fix Committed → Fix Released
* Changed in apport (Ubuntu Focal): status Fix Committed → Fix Released
* Changed in apport (Ubuntu Jammy): status Fix Committed → Fix Released
* Changed in apport (Ubuntu Kinetic): status Fix Committed → Fix Released
* Information type: Private Security → Public Security
Attached apport 2.23.1-0ubuntu3.2 debdiff for kinetic-security.