A remote code execution bug has been patched in Ubuntu Desktop; it affects all default installations of Quantal version 12.10 and later. According to researcher Donncha O’Cearbhaill, the bug allows for code injection when a user opens a specially crafted malicious file. The flaw is tied to the default file handler used by Ubuntu, which determines which programs open which file formats. O’Cearbhaill privately disclosed the vulnerability on Dec. 9 and a patch was made available Wednesday.
O’Cearbhaill said that when Ubuntu’s default file handler is called upon to launch Apport, the operating system’s default crash handler and reporting software, it handles those requests in a unique way that could create conditions exposing the OS to remote code execution. Under those conditions, he said, the Apport crash file descriptor (or report fields) has a byte pattern that could be used to create an exploitable file. That’s because when an unknown file crashes, Apport parses the crash files and displays a pop-up message to users indicating a crash occurred, with the option to “show details.” Within that context, an attacker could plant malicious crash files or .pyfile files on the OS that can take advantage of the vulnerability.
Submitted by: Arnfried Walbrecht