Unrated severity · NVD Advisory · Published Jun 11, 2021 · Updated Sep 16, 2024

apport improperly parses /proc/pid/stat

CVE-2021-25683

Description

It was discovered that the get_starttime() function in data/apport did not properly parse the /proc/pid/stat file from the kernel.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flaw in Apport's /proc/pid/stat parsing allows unprivileged users to bypass privilege dropping and escalate to root via crafted process names and PID recycling.

Vulnerability

The get_starttime() function in Apport (affected versions prior to 2.20.11.post1 on Ubuntu 18.04 and 2.20.1.post1 on Ubuntu 20.04) improperly parses the /proc/pid/stat file. When a process name contains a space character, the column indexing is disrupted, allowing an attacker to supply a manipulated starttime value. This bug, reported as issue 2 in the advisory [1], can be chained with other weaknesses to escape privilege controls.
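
The field shift described above, as an added illustration (not Apport's code and not taken from the advisory): the stat lines are constructed samples and both function names are hypothetical. It contrasts a whole-line whitespace split with a parser anchored on the last closing parenthesis of the comm field, using the field numbering from proc(5).

```python
# Constructed /proc/<pid>/stat contents; every value here is made up for the demo.
# TAIL holds fields 3..24 (state .. rss); 987654 is field 22, starttime.
TAIL = "S 1 4242 4242 0 -1 4194304 100 0 0 0 5 3 0 0 20 0 1 0 987654 1000000 200"
SAMPLES = {
    "plain": "4242 (sleep) " + TAIL,      # comm without whitespace
    "space": "4242 (a b) " + TAIL,        # comm containing a space
    "paren": "4242 (a) R 7 (b) " + TAIL,  # comm containing ')' and spaces
}

STARTTIME_FIELD = 22  # 1-based field number of starttime, per proc(5)


def starttime_naive(stat: str) -> int:
    """Split the whole line on whitespace: only correct if comm has no spaces."""
    return int(stat.split()[STARTTIME_FIELD - 1])


def starttime_robust(stat: str) -> int:
    """Anchor on the last ')' so nothing inside comm can shift the field index."""
    end = stat.rfind(")")
    if end == -1 or not stat[:end].partition(" (")[0].isdigit():
        raise ValueError("malformed stat line")
    rest = stat[end + 1:].split()
    # rest[0] is field 3 (state), so field N sits at rest[N - 3].
    idx = STARTTIME_FIELD - 3
    if len(rest) <= idx:
        raise ValueError("stat line too short")
    return int(rest[idx])


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:5}  naive={starttime_naive(line):>6}  "
              f"robust={starttime_robust(line):>6}")
```

On the sample whose comm contains one space, the whole-line split lands on field 21 (itrealvalue, 0 here) instead of starttime, which is the kind of artificially low value the narrative refers to; the anchored parser returns the same starttime for all three samples.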

Exploitation

An unprivileged attacker must first create a process whose file name includes a carriage-return/newline sequence (\r and \n) to inject crafted Uid: 0 and Gid: 0 lines into /proc/pid/status, bypassing drop_privileges() (issue 1). Then, by crashing a process whose name contains a space, the attacker can cause get_starttime() to return an artificially low value. By delaying Apport's get_pid_info() call (e.g., via a symlink or race condition, issue 3) and recycling the PID to a setuid-root binary, the attacker can make Apport believe the crashed process is the privileged binary and write a core dump as root [1].

Impact

Successful exploitation grants an unprivileged local user full root privileges. By writing a malicious core dump in a location controlled by the attacker, the attacker can achieve arbitrary code execution as root, leading to complete compromise of the system [1].

Mitigation

Ubuntu released fixed Apport packages on 2021-02-08: version 2.20.11.post1 for Ubuntu 18.04 LTS and version 2.20.1.post1 for Ubuntu 20.04 LTS. Users should update Apport immediately via apt update && apt upgrade. No workaround is available; systems running unpatched versions remain vulnerable [1]. This issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1