apport process_report() arbitrary file write
Description
It was discovered that the process_report() function in data/whoopsie-upload-all allowed arbitrary file writes via symlinks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A symlink-following vulnerability in apport's whoopsie-upload-all allows local attackers to overwrite arbitrary files.
Vulnerability
A symlink-following vulnerability exists in the process_report() function in data/whoopsie-upload-all of apport (versions prior to the fix). When processing crash reports, the function does not safely handle symbolic links, allowing a local attacker to trick the tool into writing data to arbitrary files on the system. The vulnerability is documented in [1].
Exploitation
An attacker must have local access to the system and be able to create a symlink pointing to a target file (e.g., /etc/passwd). The attacker then triggers the crash reporting mechanism (e.g., by causing a program to crash) so that apport processes the report and writes content into the location indicated by the symlink. The default Ubuntu kernel setting fs.protected_symlinks may mitigate exploitation on default installations, but not all configurations are protected [1].
Impact
Successful exploitation allows an attacker to overwrite arbitrary files with data controlled by the attacker. This can lead to privilege escalation (e.g., by overwriting system configuration files) or denial of service (by corrupting critical files). The vulnerability is rated as a local arbitrary file write [1].
Mitigation
Ubuntu has released a fix for this vulnerability in apport version 2.20.11-0ubuntu65.1 (for Ubuntu 21.04) and equivalent updates for other supported releases. Users should update their apport package to the patched version. Enabling fs.protected_symlinks (set to 1) provides additional mitigation against symlink-based attacks on Ubuntu systems [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
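The symlink-following write described above, shown beside a hardened form. This is an added example, not apport's code or its actual patch; the function names and the temp-directory scenario are constructed for illustration.

```python
import os
import stat
import tempfile


def naive_write(path, data):
    # Vulnerable pattern: open() resolves a symlink at `path` and writes to its target.
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path, data, mode=0o600):
    # O_NOFOLLOW: refuse a symlink as the final path component.
    # O_CREAT|O_EXCL: refuse anything already present, even a dangling symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, mode)
    with os.fdopen(fd, "wb") as f:
        # Check the opened descriptor, not the path, so there is no check/use race.
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise OSError("refusing to write: not a regular file")
        f.write(data)


def demo():
    """Constructed scenario in a private temp dir: `report` is a symlink to `victim`."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        report = os.path.join(d, "report")
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, report)

        try:
            safe_write(report, b"crash data")
            results["safe_refused"] = False
        except OSError:
            results["safe_refused"] = True
        with open(victim, "rb") as f:
            results["after_safe"] = f.read()

        naive_write(report, b"crash data")  # follows the link and clobbers `victim`
        with open(victim, "rb") as f:
            results["after_naive"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

These flags only guard the final path component; a symlink in a parent directory is still followed, so the containing directory must not be writable by untrusted users.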
Affected products
- Range: 2.20.1
Patches
No patches discovered yet.
References
[1] bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904 (mitre, x_refsource_MISC)