Incorrect parsing of /proc/pid/stat in Apport

Aleph Research Advisory

Identifier

CVE-2021-25683

Severity

Low

Products

- Apport
- Ubuntu

Vulnerable Versions

- Apport: Ubuntu 20.10 - Before 2.20.11-0ubuntu50.5
- Apport: Ubuntu 20.04 - Before 2.20.11-0ubuntu27.16
- Apport: Ubuntu 18.04 - Before 2.20.9-0ubuntu7.23
- Apport: Ubuntu 16.04 - Before 2.20.1-0ubuntu2.30

Technical Details

Apport checks if the process was replaced after the crash by comparing between two variables, apport_start and process_start.

process_start gets the start time of the process by parsing the content of /proc/pid/stat file.

The start time is extracted from the 22 column of the /proc/pid/stat file.

def get_starttime(contents):
    '''Extracts the starttime from the contents of a stat file'''

    # 22nd field in a stat file is the time the process started after
    # system boot in clock ticks.
    return int(contents.split()[21])

We are able to bypass this check by recycle the pid with a process with “ “(space) in its filename, causing process_start to have the wrong value (which is smaller than apport_start).

Timeline

02-Feb-21
: Public disclosure.
02-Feb-21
: Patch available.
21-Jan-21
: CVE-2021-25683 assigned.
19-Jan-21
: Reported.

Posts

Exploiting crash handlers: LPE on Ubuntu
By Itai Greenhut,
16-Feb 2021

Credit

Itai Greenhut (@Gr33nh4t) of Aleph Research, HCL Technologies

External References

Privilege escalation to root with core file dump