Ubuntu Apport Privilege Escalation Vulnerability via gdbus

A privilege escalation vulnerability has been identified in the Apport package of Ubuntu. This issue arises because Apport, the crash reporting tool, executes gdbus to check if a process ID is in a closing user session. While it correctly drops user privileges, it fails to drop group privileges, allowing unauthorized access to certain files owned by the root group. The vulnerability can be exploited by creating a file readable only by the root group, precisely 16 bytes in size, and using gdbus to access it.

Impact

Exploitation of this vulnerability allows for unauthorized access to files that are restricted to the root group, potentially leading to sensitive information disclosure.

Reproduction

The vulnerability can be reproduced by first creating a 16-byte file in the /tmp directory and changing its ownership to root with read permissions for the owner and group. After switching to a user account, gdbus can be used to access the file, bypassing the group permission restrictions.

Remediation

Users can upgrade to Apport versions 2.20.11-0ubuntu27.6 (Focal), 2.20.9-0ubuntu7.16 (Bionic), or 2.20.11-0ubuntu44 (Groovy) to address this vulnerability. For Ubuntu Xenial, the patched version is 2.20.11-0ubuntu27.6.