apport improperly parses /proc/pid/status
Description
It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file from the kernel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local attacker can bypass Apport's privilege dropping by crafting a process with a fake Uid/Gid line in /proc/pid/status, leading to escalation to root.
Vulnerability
The get_pid_info() function in Apport (versions prior to the fix released on 2021-06-11) parses /proc/pid/status to extract the real UID and GID. It splits lines and takes the first numeric value after Uid: or Gid:. An attacker can create a process whose filename contains a carriage-return/newline sequence such as a\rUid: 0\rGid: 0, injecting these lines into the Name field of /proc/pid/status. When the process crashes, Apport reads the injected values, causing real_uid and real_gid to become 0 (root) and thus never properly dropping privileges in drop_privileges(). This affects default installations of Ubuntu 20.04 and 18.04 [1].
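As an added illustration of the parsing defect described above (example code, not Apport's own), the block below feeds a constructed /proc/pid/status excerpt to two parsers: one that splits on carriage returns as well as newlines and takes the first Uid:/Gid: match, and one that splits only on the kernel's "\n" field terminator and requires the exact tab-separated layout of the real fields. The status text, ids and function names are constructed for this example.

```python
import re

# Constructed /proc/<pid>/status excerpt for a process whose comm (Name) value
# contains carriage returns. The kernel terminates each field with "\n"; a "\r"
# inside the Name value stays on the Name line and is not a field boundary.
INJECTED_STATUS = (
    "Name:\ta\rUid: 0\rGid: 0\n"
    "Umask:\t0022\n"
    "State:\tR (running)\n"
    "Pid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)


def parse_ids_naive(status_text):
    """Model of the flawed parse: str.splitlines() treats "\r" as a line
    break, so the injected text becomes its own lines, and the first
    Uid:/Gid: match wins."""
    real_uid = real_gid = None
    for line in status_text.splitlines():   # splits on \r as well as \n
        if line.startswith("Uid:"):
            real_uid = int(line.split()[1])
        elif line.startswith("Gid:"):
            real_gid = int(line.split()[1])
            break
    return real_uid, real_gid


# Kernel layout: "Uid:\t<real>\t<effective>\t<saved>\t<fs>", four decimal ids.
_ID_LINE = re.compile(r"^(Uid|Gid):\t(\d+)\t(\d+)\t(\d+)\t(\d+)$")


def parse_ids_strict(status_text):
    """Hardened parse: split only on "\n", require the exact field layout,
    and refuse duplicate Uid:/Gid: fields, so a Name value can never be
    read as another field."""
    ids = {}
    for line in status_text.split("\n"):
        m = _ID_LINE.match(line)
        if not m:
            continue
        if m.group(1) in ids:
            raise ValueError("duplicate %s field" % m.group(1))
        ids[m.group(1)] = int(m.group(2))   # real id is the first column
    if set(ids) != {"Uid", "Gid"}:
        raise ValueError("Uid/Gid fields missing or malformed")
    return ids["Uid"], ids["Gid"]
```

Running both parsers on INJECTED_STATUS returns (0, 0) from the naive version and the process's real (1000, 1000) from the strict one.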
Exploitation
The attacker must be a local unprivileged user. They craft a binary (e.g., a shell script or ELF) whose filename contains the payload a\rUid: 0\rGid: 0 and execute it. The process is then made to crash (e.g., by a segmentation fault). Apport, running as root via crontab or systemd, calls get_pid_info() on the crashed process. The injected Uid: 0 is parsed as the real UID, and similarly for GID. Combined with other bypasses (e.g., get_process_starttime manipulation via space in filename and pid recycling to a SUID binary), the attacker can chain these to fully bypass privilege checks and write arbitrary core dumps with root privileges [1].
Impact
Successful exploitation gives the attacker a crafted core dump file owned by root, which can be used to achieve local privilege escalation to root. The attacker gains arbitrary code execution as root, compromising the confidentiality, integrity, and availability of the entire system [1].
Mitigation
Ubuntu released fixed Apport packages on 2021-06-11 (see USN-4989-1). Users should update apport to version 2.20.11-0ubuntu50.5 (for 20.04 LTS) or 2.20.9-0ubuntu7.27 (for 18.04 LTS). No workaround exists; the only mitigation is to apply the security update. This vulnerability is not known to be listed in CISA's KEV catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Range: 2.20.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. bugs.launchpad.net/ubuntu/+source/apport/+bug/1912326 (MISC)
News mentions
No linked articles in our index yet.