
Ubuntu’s Crash Report Tool Allows Remote Code Execution

No software is immune to being hacked! Not even Linux.

A security researcher has discovered a critical vulnerability in the Ubuntu Linux operating system that would allow an attacker to remotely compromise a target computer using a malicious file.

The vulnerability affects all default Ubuntu Linux installations, version 12.10 (Quantal) and later.

Researcher Donncha O'Cearbhaill discovered the security bug, which resides in the Apport crash reporting tool on Ubuntu.

A successful exploit of this CrashDB code injection issue could allow an attacker to remotely execute arbitrary code on the victim's machine. All an attacker needs is to trick the Ubuntu user into opening a booby-trapped crash file.

The crash file carries code in a field that Ubuntu's crash file handler parses, and parsing that field executes the code as arbitrary Python.
"The code first checks if the CrashDB field starts with { indicating the start of a Python dictionary," O'Cearbhaill explains. 
"If found, Apport will call Python’s builtin eval() method with the value of the CrashDB field. eval() executes the passed data as a Python expression which leads to straightforward and reliable Python code execution."
The flawed code was introduced on 2012-08-22 in Apport revision 2464 and was initially included in release 2.6.1.
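The pattern O'Cearbhaill describes, next to a hardened parser, as an added example (not Apport's code and not from the original article). The function names, the sample field values and the fallback for non-dictionary values are assumptions made for illustration.

```python
import ast

# Constructed sample values for a CrashDB-style field (not from a real report).
BENIGN_FIELD = "{'impl': 'memory', 'crash_config': '/tmp/example'}"
# Starts with "{" but contains a function call, not only literals.
EXPRESSION_FIELD = "{'impl': 'memory', 'n': len('abc')}"


def parse_crashdb_unsafe(field):
    """Pattern from the quote: a '{' prefix check followed by eval()."""
    if field.startswith("{"):
        return eval(field)  # evaluates any Python expression in the field
    return {"name": field}  # hypothetical fallback for plain names


def parse_crashdb_safe(field):
    """Hardened form: accept only a literal dict mapping strings to strings."""
    if not field.startswith("{"):
        return {"name": field}  # hypothetical fallback for plain names
    try:
        value = ast.literal_eval(field)  # literals only: no calls, no names
    except (ValueError, SyntaxError) as exc:
        raise ValueError("CrashDB field is not a literal dict") from exc
    if not isinstance(value, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in value.items()
    ):
        raise ValueError("CrashDB field must map strings to strings")
    return value


def is_rejected(field):
    """True when the hardened parser refuses the field."""
    try:
        parse_crashdb_safe(field)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # eval() runs len() from inside the field; the safe parser refuses it.
    print(parse_crashdb_unsafe(EXPRESSION_FIELD))
    print(is_rejected(EXPRESSION_FIELD), parse_crashdb_safe(BENIGN_FIELD))
```

The prefix check only tests the first character, so it says nothing about whether the rest of the value is data or an expression; `ast.literal_eval` plus a type check on the result enforces that distinction.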

O'Cearbhaill has published a copy of his proof-of-concept (PoC) source code on GitHub.

Video Demonstration of the CrashDB Code Injection Attack


The researcher has also shared a video demonstration, showing that it is possible to gain control over the targeted Ubuntu system using this flaw with the help of a malicious file.

O'Cearbhaill launched Gnome calculator with a simple Apport crash report file and explained that the code could be saved with the .crash extension or with any other extension that's not registered on Ubuntu.

The researcher reported the crash reporting app bug (listed as CVE-2016-9949, with a related path traversal bug listed as CVE-2016-9950) to the Ubuntu team. The good news is that the team patched the flaw in Ubuntu on December 14, and O'Cearbhaill received a $10,000 bounty.

Users and administrators of Ubuntu Linux desktops are strongly advised to patch their systems as soon as possible via the usual update mechanism.
