Race condition between reading current working directory and writing a core dump

Vulnerability

A time-of-check time-of-use (TOCTTOU) race condition exists in Apport during core dump creation. Sander Bos discovered that a local user could exploit this race to cause core files to be written in arbitrary directories rather than the intended location. This affects Apport versions prior to the fix provided in USN-4171-1 and USN-4171-2 [1][2].

Exploitation

A local attacker needs to trigger a race condition between the time Apport checks the intended path for the core dump and the time it actually writes the file. By manipulating the filesystem (e.g., via symlinks or renaming directories) during this window, the attacker can redirect the core dump to an arbitrary directory. No special privileges are required beyond local access to the system [1][2].

Impact

Successful exploitation allows the attacker to write core dump files to arbitrary directories on the system. This could result in information disclosure if the core file contains sensitive data from a privileged process, or potentially lead to a denial of service by filling a critical filesystem location. The attacker does not gain elevated privileges directly but can cause files to be placed in locations that may be readable by unprivileged users [1][2].

Mitigation

The vulnerability is fixed in Apport versions included in Ubuntu 14.04 ESM via USN-4171-2 (4 November 2019) and earlier Ubuntu releases via USN-4171-1 (30 October 2019). Users should upgrade the apport package to the patched version. No workarounds are documented; applying the update is the recommended remediation [1][2].