REMOTE CODE EXECUTION BUG FOUND IN UBUNTU QUANTAL
December 18, 2016
Seid Yassin (370 articles)
Share

REMOTE CODE EXECUTION BUG FOUND IN UBUNTU QUANTAL

A remote code execution bug has been patched in the default installation of Ubuntu Desktop affecting all default installations of Quantal version 12.10 and later.

According to researcher Donncha O’Cearbhaill, the bug allows for code injection when a user opens a specially crafted malicious file. The flaw is tied to the default file handler used by Ubuntu that determines what programs open which file formats. O’Cearbhaill privately disclosed the vulnerability on Dec. 9 and a patch was made available Wednesday.
“Ubuntu stores a set of .desktop files for its default applications in the /usr/share/applications/ directory,” O’Cearbhaill wrote in a post explaining his research. “Typically the file extension will be used to determine the file type, however the desktop environment can fallback to matching a pattern (a set of magic bytes) in the file if the file extension is unrecognized.”

O’Cearbhaill said that when Ubuntu’s default file handler was called upon to launch Apport, the operating system’s default crash handler and reporting software, it handles those requests in a unique way that could create conditions exposing the OS to remote code execution.

“In the case of Apport both a file extension .crash and a magic byte sequence are specified,” he said. “The desktop environment will try to match the file extension first before comparing magic byte.”

Under those conditions, he said, the Apport crash file descriptor (or report fields) has a byte pattern that could be used to create an exploitable file. That’s because when an unknown file crashes, Apport parses the crash files and displays a pop-up message to users indicating a crash occurred with the option to “show details.” Within that context an attacker could plant malicious .crash files or .pyfile files on the OS that can trigger take advantage of the vulnerability.

Source | threatpost