Ubuntu Crash Reports Allow Remote Code Execution

A serious security flaw has been discovered in the Ubuntu operating system that allows remote code execution using the Apport crash report tool. Security researcher Donncha O'Caerbhaill, who discovered the flaw, found that by parsing a specially crafted crash file, he could execute arbitrary Python code.

The code first checks if the CrashDB field starts with {, indicating the start of a Python dictionary. If found, Apport will call Python’s built-in eval() function with the value of the CrashDB field. eval() executes the passed data as a Python expression, which leads to straightforward and reliable Python code execution.
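The pattern described above next to a hardened variant, as an added example; it is not Apport's code or its actual patch. The function names, the sample field values and the `{"name": ...}` handling of non-dictionary values are assumptions made for illustration.

```python
import ast

# Constructed sample values for a report's CrashDB field (not from a real crash file).
BENIGN_FIELD = "{'impl': 'launchpad', 'distro': 'ubuntu'}"
# A harmless function call stands in for attacker-controlled code.
ACTIVE_FIELD = "{'impl': 'memory', 'probe': len('executed')}"


def load_crashdb_unsafe(field):
    """Pattern described in the article: eval() any value that starts with '{'."""
    if field.startswith("{"):
        return eval(field)  # evaluates arbitrary expressions, including calls
    return {"name": field}  # hypothetical handling of a plain name


def load_crashdb_safe(field):
    """Hardened variant: accept only a literal dict mapping strings to strings."""
    if not field.startswith("{"):
        return {"name": field}  # hypothetical handling of a plain name
    try:
        # literal_eval parses literals only; calls, names and attributes are rejected.
        value = ast.literal_eval(field)
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError("CrashDB field is not a plain literal") from exc
    if not isinstance(value, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in value.items()
    ):
        raise ValueError("CrashDB field must map strings to strings")
    return value


def is_rejected(field):
    """True when the hardened loader refuses the field."""
    try:
        load_crashdb_safe(field)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader ran the call:", load_crashdb_unsafe(ACTIVE_FIELD)["probe"])
    print("safe loader accepts literal dict:", load_crashdb_safe(BENIGN_FIELD))
    print("safe loader rejects call expression:", is_rejected(ACTIVE_FIELD))
```

Treating file content as data rather than as an expression is the general fix for this class of bug; `ast.literal_eval` is one way to do that when the expected value is a simple literal.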

This particular design flaw would allow an attacker to easily take over a victim's box by convincing them to open a single text file that opens the crash reporter. O'Caerbhaill published a proof of concept to his GitHub page along with a video demonstrating the exploit, designated CVE-2016-9949, in action.
