CVE-2023-1326: fix: Do not run sensible-pager as root if using sudo/pkexec · canonical/apport@e5f78cc

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.


fix: Do not run sensible-pager as root if using sudo/pkexec

The apport-cli supports viewing a crash. These features invoke the default pager, which is likely to be less; other functions may apply.

It can be used to break out from restricted environments by spawning an interactive system shell. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

apport-cli should normally not be called with sudo or pkexec. In case it is called via sudo or pkexec, execute `sensible-pager` as the original user to avoid privilege elevation.

Proof of concept:

```
$ sudo apport-cli -c /var/crash/xxx.crash
[…]
Please choose (S/E/V/K/I/C): v
!id
uid=0(root) gid=0(root) groups=0(root)
!done  (press RETURN)
```

This fixes CVE-2023-1326.

Bug: https://launchpad.net/bugs/2016023
Signed-off-by: Benjamin Drung [email protected]
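
The mitigation the commit message describes, running the pager as the original user when the tool was started through sudo or pkexec, can be sketched as follows. This is an added example, not code from the apport commit: the function names `invoking_user`, `pager_env` and `view_text` are hypothetical, and it assumes Python 3.9+ (for the `user`, `group` and `extra_groups` arguments of `subprocess.run`) and the `SUDO_UID`, `SUDO_GID` and `PKEXEC_UID` variables that sudo and pkexec set.

```python
import os
import pwd
import subprocess


def invoking_user(environ, euid):
    """Return (uid, gid) of the user behind sudo/pkexec, or None if not elevated."""
    if euid != 0:
        return None
    raw_uid = environ.get("SUDO_UID") or environ.get("PKEXEC_UID")
    if not raw_uid or not raw_uid.isdigit():
        return None
    uid = int(raw_uid)
    raw_gid = environ.get("SUDO_GID", "")
    if raw_gid.isdigit():
        return uid, int(raw_gid)
    # pkexec sets only PKEXEC_UID: fall back to the primary group in passwd.
    return uid, pwd.getpwuid(uid).pw_gid


def pager_env(environ, home):
    """Copy the environment minus sudo/pkexec markers, with HOME reset."""
    env = {k: v for k, v in environ.items()
           if not k.startswith("SUDO_") and k != "PKEXEC_UID"}
    env["HOME"] = home
    return env


def view_text(text, pager="sensible-pager"):
    """Page `text`; when elevated, the pager runs as the invoking user."""
    ids = invoking_user(os.environ, os.geteuid())
    if ids is None:
        return subprocess.run([pager], input=text.encode(), check=False).returncode
    uid, gid = ids
    pw = pwd.getpwuid(uid)
    # The report is passed on stdin, so the unprivileged pager needs no
    # read access to the crash file itself.
    return subprocess.run(
        [pager], input=text.encode(), check=False,
        env=pager_env(os.environ, pw.pw_dir),
        user=uid, group=gid,
        extra_groups=os.getgrouplist(pw.pw_name, gid),
    ).returncode
```

With the pager started this way, a command run from inside it executes with the invoking user's uid and groups rather than root's.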


Related news

Ubuntu Security Notice USN-6018-1

Ubuntu Security Notice 6018-1 - Chen Lu, Lei Wang, and YiQi Sun discovered a privilege escalation vulnerability in apport-cli when viewing crash reports and unprivileged users are allowed to run sudo less. A local attacker on a specially configured system could use this to escalate their privilege.
