14 DAY TRIAL // A security researcher has discovered a vulnerability in Ubuntu’s crash reporter that would allow remote code execution, making it possible for an attacker to compromise a system using just a malicious file.
Donncha O'Cearbhaill writes that the security bug resides in the Apport crash reporting tool on Ubuntu, which can be tricked into opening a malicious crash file that includes Python code executed on launch.
“The vulnerable code was introduced on 2012-08-22 in Apport revision 2464. This code was first included in release 2.6.1. All Ubuntu Desktop versions 12.10 (Quantal) and later include this vulnerable code by default,” the researcher notes.
A proof-of-concept shows that it’s possible to compromise a system using this vulnerability with the help of a malicious file, which allows for arbitrary code execution when clicked. In the demo, the researcher launched Gnome calculator with a simple crash report file, explaining that the code can be saved with the .crash extension or any other extension that is not registered on Ubuntu.
“Apport typically reads a subset of the fields in the crash file in order to prepare the GUI which prompts the user to submit a bug report. The CrashDB field is not parsed and executed until after the user agrees to submit the bug report. However when ProblemType: Bug is set in the crash file, Apport-GTK will switch to the streamlined Bug GUI which causes the CrashDB field to be parsed and executed without any further user interaction,” he explains.
Flaw already patched
The good thing is that the flaw has already been patched in Ubuntu on December 14, and the CrashDB code injection issue is listed as CVE-2016-9949 and the path traversal bug is CVE-2016-9950.
O'Cearbhaill ends his research note with a piece of advice for security researchers to audit free and open-source software because vulnerabilities like this can still exist, allowing attackers to take control of unpatched systems.
He notes that researchers are often approached to sell the vulnerabilities they find, and only in this case, he was offered $10,000 to provide all the details of the crash reporting app bug. O'Cearbhaill emphasizes that companies need to offer bigger incentives to researchers for their work, explaining that Google and Microsoft are going in the right direction with their bug bounty programs.