Ubuntu apport TOCTOU security vulnerability (CVE-2019-7307)
Blog post from GitHub
In the second post of a series on Ubuntu's crash reporting system, Kevin Backhouse examines the apport CVE-2019-7307 vulnerability, a TOCTOU flaw that allows local attackers to include the contents of any file in a crash report by exploiting symlinks and timing. Apport's mechanism for temporarily dropping privileges creates a window where a symlink can redirect file reading to unauthorized files, bypassing permission checks. The exploit involves precise timing to replace a file with a symlink, manipulating locks, and using signals to crash apport in a way that includes sensitive file contents in a crash report. Although the exploit is reliable, the resulting crash report is owned by root, limiting access unless further vulnerabilities, such as those in the whoopsie daemon, are exploited. Backhouse provides a proof-of-concept exploit on GitHub and plans to explore related vulnerabilities in subsequent posts.
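The flaw summarized above is an instance of the classic check-then-open race: the permission check and the file read are two separate path lookups, and a symlink swapped in between them redirects the read. The following added example (not code from the post or from apport, and not apport's actual fix) contrasts that vulnerable pattern with the standard mitigation of opening first with `O_NOFOLLOW` and then validating the open descriptor with `fstat`, so the check and the read refer to the same inode. The `_race_hook` parameter, the temporary `secret`/`report` files and their contents are constructed solely to simulate the race window deterministically in a single process.

```python
import errno
import os
import stat
import tempfile


def read_if_owned_by_unsafe(path: str, uid: int, _race_hook=None) -> bytes:
    """Vulnerable check-then-act pattern.

    stat() looks up the path once; open() looks it up again. Anything that
    replaces the path in between (e.g. with a symlink) is never checked.
    _race_hook is a test-only hypothetical parameter that runs inside that window.
    """
    st = os.stat(path)  # follows symlinks, inspects whatever the name points to now
    if st.st_uid != uid or not stat.S_ISREG(st.st_mode):
        raise PermissionError(path)
    if _race_hook is not None:
        _race_hook()  # simulates the attacker's swap in the TOCTOU window
    with open(path, "rb") as f:  # second, independent name lookup
        return f.read()


def read_if_owned_by_safe(path: str, uid: int) -> bytes:
    """Hardened pattern: open first, refusing symlinks, then verify the descriptor.

    O_NOFOLLOW makes the open fail with ELOOP if the final path component is a
    symlink, and fstat() checks the inode that was actually opened, so no later
    rename or symlink swap can change what gets read.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if st.st_uid != uid or not stat.S_ISREG(st.st_mode):
            raise PermissionError(path)
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a benign user-owned 'report' file is swapped for a
    symlink to 'secret' inside the race window. Returns what each variant did."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")
        report = os.path.join(d, "report")
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        with open(report, "wb") as f:
            f.write(b"harmless")

        # The hardened reader happily reads the legitimate regular file.
        safe_before = read_if_owned_by_safe(report, uid)

        def swap_for_symlink():
            os.unlink(report)
            os.symlink(secret, report)

        # The check passes on the regular file, the swap happens, the read follows the symlink.
        unsafe = read_if_owned_by_unsafe(report, uid, _race_hook=swap_for_symlink)

        # After the swap, O_NOFOLLOW rejects the symlink outright.
        try:
            read_if_owned_by_safe(report, uid)
            safe_after = "read"
        except OSError as e:
            safe_after = errno.errorcode[e.errno]

        return {"safe_before": safe_before, "unsafe": unsafe, "safe_after": safe_after}


if __name__ == "__main__":
    print(demo())
```

The point to carry over to any privileged file-collecting daemon is that dropping privileges for a `stat` or `access` call proves nothing about a later `open` by name; only properties read from the descriptor you actually hold are trustworthy, and `O_NOFOLLOW` (or `openat` relative to a directory descriptor you control) is what closes the symlink door.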