A new serious bug in Ubuntu core has surfaced online that affects Ubuntu 12.10 and other Ubuntu flavours. This vulnerability makes it possible for attackers to inject malicious code into your system when you open a booby-tapped file.
Irish security researcher Donna O’Cearbhaill has discovered the remote execution bug in Ubuntu that gives a backdoor access through the default crash handler, Apport. The bug is capable of enabling root user access to the attacker.
Unknown files in Ubuntu are opened with Apport. A malicious program through the vulnerability could use this functionality to generate the crash file with .crash extension and magic byte sequence.
O’Cearbhaill details in a blog post how an attacker could create a simple file with magic bytes sequence that Apport can read. You might open a file without any extension. Once you click ‘Show Details’, the attacker gets access to your system.
The bogus report generated from the attacker side contains a hidden Python program that gets executed without any user interaction.
“In the case of Apport, both a file extension .crash and a magic byte sequence are specified. The desktop environment will try to match the file extension first before comparing magic byte,” O’Cearbhaill writes in the post.
Another bug from the infamous Path Traversal family leverages the same security hole to cause even more serious damage. This bug helps the attacker to run Python files on the system. Attackers can plant any .py file by creating bogus crash reports.
Ubuntu’s Apport uses Polkit to grant the user access to programs. If you give root privileges to certain malicious programs, you will grant the attacker ability to run commands as a root user on your system.
Canonical was quick enough to fix the newly discovered vulnerability in the latest Ubuntu release. It is recommended to update your system to protect yourself from potential attacks.