Vulnerabilities in Ubuntu's apport and whoopsie components (CVE-2019-7307, CVE-2019-11476, CVE-2019-11481, CVE-2019-11484, CVE-2019-15790)
This directory contains proof-of-concept exploits for five vulnerabilities in the apport and whoopsie components of Ubuntu's crash reporting system:
- CVE-2019-7307 is a time-of-check to time-of-use (TOCTOU) vulnerability in apport, which enables an unprivileged local user to trick apport into including the contents of an arbitrary file in a crash report. See README_CVE-2019-7307.
- CVE-2019-11476 is a local denial of service vulnerability in whoopsie. An integer overflow when reading large crash reports (> 4GB) leads to a heap buffer overflow. I do not believe it is possible to exploit this heap buffer overflow to achieve code execution, so I have classified this bug as a denial of service. See README_CVE-2019-11476.
- CVE-2019-11481 is a local denial of service vulnerability in apport. If ~/.config/apport/settings is a symlink, then apport will read the target file, even if it requires root privileges to read. Apport usually errors out immediately after reading the file, though, so I do not believe it is possible to exploit this vulnerability in an interesting way. See README_CVE-2019-11481.
- CVE-2019-11484 is a local privilege escalation vulnerability in whoopsie. An integer overflow when reading large crash reports (> 2GB) leads to a heap buffer overflow. I have written a simple PoC for this (see README_CVE-2019-11484), which just causes whoopsie to crash with a segmentation fault, and also a more sophisticated one which gains code execution as the whoopsie user by chaining CVE-2019-11484 with CVE-2019-15790 (see README_CVE-2019-15790).
- CVE-2019-15790 is an information disclosure vulnerability in apport. PID recycling enables an unprivileged user to generate and read a crash report for a privileged process. See README_CVE-2019-15790.
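Both whoopsie entries above (CVE-2019-11476 and CVE-2019-11484) describe the same bug class: a length computed for a large file in a 32-bit integer, which wraps at the 4GB boundary for an unsigned type and at the 2GB boundary for a signed one. The C snippet below is an added illustration of that class, written for this page; it is not code from whoopsie or from the PoCs in this directory, and the function names and the MAX_REPORT_SIZE limit are assumptions made for the example. It shows the naive length calculation beside a checked one that keeps the size in 64 bits and bounds it before doing any arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy limit a report reader should enforce. The value is an assumption
 * for this example, not a limit taken from whoopsie or apport. */
#define MAX_REPORT_SIZE (64ULL * 1024 * 1024)

/* Illustrative bug (not whoopsie's code): a 64-bit file size is stored in
 * a 32-bit unsigned length and one byte is added for a terminator.
 * A 4 GiB file truncates to a length of 0, and a (4 GiB - 1) file makes
 * the "+ 1" wrap to 0, so the reader allocates a buffer far smaller than
 * the number of bytes it then copies into it: a heap buffer overflow. */
uint32_t naive_buf_size_u32(uint64_t file_size)
{
    uint32_t len = (uint32_t)file_size;  /* silent truncation above 4 GiB */
    return len + 1;                      /* wraps to 0 when len == UINT32_MAX */
}

/* Signed variant: with a 32-bit int, any file of 2 GiB or more becomes a
 * negative length. A negative value passes "len < limit" checks and turns
 * into a huge size_t when passed to malloc() or read(). */
int32_t naive_buf_size_i32(uint64_t file_size)
{
    int32_t len = (int32_t)file_size;    /* 2 GiB -> INT32_MIN on gcc/clang */
    return len + 1;
}

/* Does the naive unsigned reader allocate fewer bytes than it will copy? */
bool naive_overflows(uint64_t file_size)
{
    uint64_t alloc = naive_buf_size_u32(file_size);
    return alloc < file_size + 1;
}

/* Hardened form: keep the size in a 64-bit type, reject anything above
 * the policy limit before doing arithmetic, and only then compute the
 * allocation size in size_t, so the "+ 1" cannot wrap.
 * Returns false when the report must be rejected. */
bool checked_buf_size(uint64_t file_size, size_t *out)
{
    if (file_size > MAX_REPORT_SIZE)
        return false;
    if (file_size > SIZE_MAX - 1)        /* unreachable after the bound above; kept explicit */
        return false;
    *out = (size_t)file_size + 1;
    return true;
}

int main(void)
{
    const uint64_t sizes[] = { 100, (1ULL << 31), 0xFFFFFFFFULL, (1ULL << 32) };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t ok_size = 0;
        bool ok = checked_buf_size(sizes[i], &ok_size);
        printf("file_size=%llu naive_u32=%u naive_i32=%d overflow=%s checked=%s\n",
               (unsigned long long)sizes[i],
               naive_buf_size_u32(sizes[i]),
               naive_buf_size_i32(sizes[i]),
               naive_overflows(sizes[i]) ? "yes" : "no",
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the checked version is the order of operations: the bound check happens on the full 64-bit value before any narrowing or addition, so no input can reach the arithmetic with a value that wraps. A reader that does the "+ 1" first and checks the result afterwards is still vulnerable, because the wrapped value is the one being checked.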
A lot of code is shared between the 5 PoCs, so I have put them all in this directory rather than creating a separate sub-directory for each PoC. But each PoC has its own README file, with instructions on how to build and run it.