Add Apport Symlink Hijacking: CVE-2020-8831 #20037


Draft: wants to merge 21 commits into base: master

Conversation

gardnerapp
Contributor

This pull request is a draft for CVE-2020-8831. I originally came across this vulnerability while reading From Day Zero to Zero Day, which I highly recommend. Long story short, certain versions of apport will follow symbolic links when writing crash dumps. This file will have a mask of 777 and be owned by root. In this module I used the command ln -s /cron.d /var/lock/apport so that a /etc/cron.d/lock crontab file would be created. This crontab should execute a payload every minute; the payload was located in the /tmp directory.

After scratching my head for several hours and combing through the log files, I found that the crontab would not execute because its file permissions were too permissive. We need to find another place for the symlink hijacking to occur. I have a few places in mind, namely /etc/init.d/ or ~/.bashrc, which would trigger the payload upon startup. I am submitting this because I am unsure of which route to go or whether there are other places where the symlink hijacking should occur. Thank you!
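As an added example, not code from the PR, from apport or from cron, the following Ruby script models the primitive described above and the reason the crontab was ignored. A temporary directory stands in for "/", the same symlink is placed under it, the lock file is written through the link to show where it lands, and the result is checked against the rule cron applies to /etc/cron.d (assumed here from Debian/Ubuntu cron's behaviour: owned by root and not group- or other-writable). The cron_d_accepts? and simulate_hijack helpers, the payload line and the sandbox paths are constructions of this example.

```ruby
require 'fileutils'
require 'tmpdir'

# Rule modelled on how cron treats files in /etc/cron.d (an assumption of this
# example taken from Debian/Ubuntu cron's behaviour, not code from cron): the
# file must be owned by root and must not be writable by group or other.  A
# root-owned 0777 file, which is what the PR says apport leaves behind, fails
# the second test, so cron logs it as insecure and never runs it.
def cron_d_accepts?(uid, mode)
  return false unless uid.zero?
  (mode & 0o022).zero?
end

# Sandboxed model of the hijack.  <root> stands in for "/" so nothing touches
# the real /var/lock or /etc/cron.d.  The privileged write is imitated with a
# plain File.write, which follows the symlinked directory exactly as the
# vulnerable apport did.  The owner is treated as root (uid 0) in the cron
# check because apport runs as root on a real target; in this sandbox the file
# is simply owned by whoever runs the script.
def simulate_hijack(root, mode: 0o777)
  cron_d   = File.join(root, 'etc', 'cron.d')
  lock_dir = File.join(root, 'var', 'lock')
  FileUtils.mkdir_p([cron_d, lock_dir])

  # Attacker step: the same link as in the PR description, rooted under <root>.
  File.symlink(cron_d, File.join(lock_dir, 'apport'))

  # Privileged step: the lock file is created through the symlinked directory,
  # so it lands in cron.d under the link's basename ("lock").
  lock_path = File.join(lock_dir, 'apport', 'lock')
  File.write(lock_path, "* * * * * root /tmp/payload.sh\n") # constructed crontab line
  File.chmod(mode, lock_path)

  landed = File.realpath(lock_path)
  st = File.stat(landed)
  {
    relative: landed.delete_prefix(File.realpath(root)), # path as it would appear on the target
    mode: st.mode & 0o7777,
    cron_accepts: cron_d_accepts?(0, st.mode)
  }
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir('apport-model') do |root|
    # 0777 is what the hijack produces; 0644 shows the same file would be
    # loaded if the mode were not the problem.
    [0o777, 0o644].each do |m|
      r = simulate_hijack(File.join(root, m.to_s(8)), mode: m)
      puts format('%s mode %04o -> cron loads it: %s', r[:relative], r[:mode], r[:cron_accepts])
    end
  end
end
```

The point the model makes is that the symlink gives a root-owned file at a name of the attacker's choosing inside a directory of the attacker's choosing, but whether that is useful depends entirely on how the consumer of that directory validates what it reads; cron.d rejects the world-writable result, which is why a target whose consumer does not check modes is needed.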

@gardnerapp gardnerapp marked this pull request as draft April 13, 2025 18:54
@gardnerapp
Contributor Author

I've accidentally committed pushes from another module. My apologies, I am unsure of the proper way to remove these.

@bcoles bcoles added the module label Apr 14, 2025
@bwatters-r7 bwatters-r7 self-assigned this Apr 15, 2025
@bwatters-r7
Contributor

I've accidentally committed pushes from another module. My apologies, I am unsure of the proper way to remove these.

No problem; git is really awesome, but not always super intuitive.

It looks like the unwanted commits are all related to your previous game overlay module.
I can think of 3 ways to fix it (in order of what I would try first)

  1. Rebase and only bring in the changes for the new module
  2. Open a new branch current with master, check the file you want out to it, commit the changes, then force-push the new branch with just the new module to your existing branch
  3. Open a new branch that's current with master, then git cherry-pick the changes you want.

Last, if you want, let me know and I am pretty sure I can fix it for you, but you might lose some commits. The only file you need here is modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb, right?

@gardnerapp
Contributor Author

Yes, I only want the files relevant to this module pushed. I just added the rebase; let me know if it is sufficient.

@bwatters-r7
Contributor

Yes, I only want the files relevant to this module pushed. I just added the rebase; let me know if it is sufficient.

Looks good! Let us know when you'd like us to review it.

)
)
register_options [
OptString.new('WRITABLE_DIR', [true, 'A directory we can write to.', '/tmp']),
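Review bot: WRITABLE_DIR is accepted with a default of /tmp but nothing shown here confirms the directory is actually writable before the module depends on it; add an early check such as `fail_with(Failure::BadConfig, "#{datastore['WRITABLE_DIR']} is not writable") unless writable?(datastore['WRITABLE_DIR'])` so a hardened target (noexec or non-writable /tmp) produces a clear failure instead of a confusing one later in the exploit.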
Contributor

For local exploit modules, this is usually registered as an advanced option:

    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]

3 participants