Users of the Ubuntu Linux distribution and its derivatives should update their systems, as a new security issue has been identified in the Apport bug and crash reporting utility.
Ubuntu’s Apport is Vulnerable to Exploits
Ubuntu administrators and end-users should immediately patch their systems, as a critical bug was discovered in the Apport utility, which is used for crash and bug reports. The issue was privately reported to Ubuntu by the computer researcher Donncha O’Cearbhaill. All derivative distributions are also affected as they most likely use the tool as well.
The problem lies in the way Apport operates. Desktop environments and window managers use a predefined list of known file types and default applications. When a file is launched, the working environment determines the file type and launches the corresponding application. Ubuntu and its derivatives store the configuration files (using the .desktop extension) in the /usr/share/applications directory.
The researcher has discovered that Apport can open all file types that match the MIME type text/x-apport using the graphical tool (apport-gtk). The MIME type of the relevant file is determined by the definitions in the /usr/share/mime/ directory.
The bug reporting tool will open any unknown file if it begins with the field name “ProblemType: “.
As it turns out, the Apport tool reads and writes crash reports in its own plaintext format. While the crash report is being loaded, it is possible to issue a Python call using a CrashDB method. This allows for reliable arbitrary Python code execution attacks. The vulnerable code has been included ever since release 2.6.1 back in 2010! All Ubuntu desktop versions from 12.10 (Quantal) onwards, including any derivatives, are vulnerable by default. These security flaws are identified in the CVE-2016-9949 advisory, which is not yet public.
It has been identified that Apport ships with a number of CrashDB implementations. In addition to the above-mentioned vulnerability, a path traversal issue has also been identified. The related issue is tracked with the CVE-2016-9950 identifier.
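The following Python example, added here and not taken from Apport or from the researcher's proof of concept, triages an untrusted file before it is opened: it checks for the “ProblemType: ” prefix described above, parses the plaintext report fields, and flags a CrashDB field. The function names, finding labels, the .crash filename check and the sample data are assumptions made for this illustration.

```python
import re

# Per the article: a file whose content starts with this is handed to Apport.
MAGIC = b"ProblemType: "
FIELD_NAME = re.compile(r"[A-Za-z0-9._-]+")


def parse_report(data: bytes) -> dict:
    """Parse 'Key: value' fields (simplified reading of the plaintext format).

    A line starting with a space continues the previous field's value.
    """
    fields, key = {}, None
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith(" ") and key is not None:
            fields[key] = (fields[key] + "\n" + line[1:]) if fields[key] else line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep or not FIELD_NAME.fullmatch(name):
            key = None  # not a field line, skip it and any continuation
            continue
        key = name
        fields[key] = value.strip()
    return fields


def triage(filename: str, data: bytes) -> list:
    """Return finding labels (hypothetical names) for an untrusted file."""
    findings = []
    if not data.startswith(MAGIC):
        return findings  # would not be treated as an Apport report
    # Assumption: genuine crash reports carry the .crash extension, so
    # Apport content under any other name deserves a closer look.
    if not filename.endswith(".crash"):
        findings.append("apport-content-unexpected-name")
    # The article ties code execution to CrashDB handling, so a report from
    # an untrusted source that sets this field should not be opened.
    if "CrashDB" in parse_report(data):
        findings.append("crashdb-field-present")
    return findings


# Constructed sample inputs (not real crash reports).
SAMPLE_BENIGN = b"ProblemType: Crash\nPackage: example 1.0\nStacktrace:\n frame0\n frame1\n"
SAMPLE_SUSPECT = b"ProblemType: Bug\nCrashDB: <constructed placeholder>\n"

if __name__ == "__main__":
    print(triage("report.crash", SAMPLE_BENIGN))
    print(triage("notes.dat", SAMPLE_SUSPECT))
```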
Hackers can also opt to use hook injection bugs via privilege escalation attacks with some basic interaction. The Apport packages have been updated to resolve the security vulnerabilities.
The researcher has posted some proof-of-concept code on GitHub as well as a video demonstration. For more information you can also read his detailed blog post on the topic.