
CVE-2025-5054 PoC — Race Condition in Canonical Apport

Associated Vulnerability
Title: Race Condition in Canonical Apport (CVE-2025-5054)
Description: Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).
Readme
# CVE-2025-5054 Vulnerability Detection Tool

A Python tool to check if your Ubuntu system is vulnerable to [CVE-2025-5054](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5054), a race condition in Apport that allows local information disclosure. This tool performs a series of checks to determine your system's status and provides recommendations if you are affected.

---

## Features

- Detects if the system is running Ubuntu and extracts version information
- Checks if Apport is installed and determines its version
- Determines if the installed Apport version is vulnerable (upstream version ≤ 2.32.0). Note that Ubuntu backports security fixes as a new package revision of the same upstream version, so a patched package can carry the same upstream number; confirm against the package changelog or the Ubuntu Security Notice when this check fires.
- Checks if Apport is configured as the core dump handler
- Verifies mitigation settings (e.g., suid_dumpable)
- Looks for common attack vectors (e.g., SUID/SGID unix_chkpwd)
- Provides a clear summary and actionable recommendations

---

## Requirements

- Python 3.12 or higher
- No external dependencies

---

## Installation

1. **Clone the repository:**

   ```bash
   git clone https://github.com/daryllundy/cve-2025-5054
   cd cve-2025-5054
   ```
2. **Create and activate a virtual environment using [uv](https://github.com/astral-sh/uv):**

   ```bash
   uv venv
   source .venv/bin/activate
   ```
---

## Usage

> **For best results, run as root (sudo) to allow all checks to complete.**

```bash
uv run cve_2025_5054_detector.py
```

Sample output:

```
============================================================
CVE-2025-5054 Vulnerability Detection Tool
============================================================

[*] Checking operating system...
[*] Checking if Apport is installed...
[*] Checking Apport version...
[*] Checking core dump configuration...
[*] Checking suid_dumpable setting...
[*] Checking for unix_chkpwd...

============================================================
DETECTION RESULTS
============================================================
[OS Check] INFO: Ubuntu 22.04 detected
[Apport Check] INFO: Apport version 2.32.0 installed
[Version Check] VULNERABLE: Version 2.32.0 is vulnerable
[Core Pattern] INFO: Apport is configured as core dump handler
[Mitigation] WARNING: suid_dumpable=1 (default, vulnerable)
[Attack Vector] INFO: unix_chkpwd found at /usr/sbin/unix_chkpwd (not SUID/SGID)

============================================================
SUMMARY
============================================================
[!] YOUR SYSTEM APPEARS TO BE VULNERABLE TO CVE-2025-5054

Recommended actions:
1. Update Apport to the latest version:
   sudo apt update && sudo apt upgrade apport

2. As a temporary mitigation, disable SUID core dumps:
   sudo sysctl fs.suid_dumpable=0
   echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.conf

3. Consider disabling Apport temporarily if updates are not available:
   sudo systemctl stop apport.service
   sudo systemctl disable apport.service
```
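The checks listed under Features, written out as an added example that is not the project's detector script. Each function takes the text it would have read from the system (the contents of `/proc/sys/kernel/core_pattern`, `/proc/sys/fs/suid_dumpable`, `/etc/os-release`, the `dpkg-query` version string, a `stat()` mode), so the logic can be exercised on constructed input without root; `read_live()` wires the same functions to the real files when the module is run directly. The sample strings at the top are constructed to match the shape of those files, not captured from a host, and the version verdict carries the backport caveat from the feature list rather than treating "≤ 2.32.0" as conclusive.

```python
"""Offline model of the CVE-2025-5054 checks (added example, not the project's
detector). Pure functions over file contents, plus read_live() for the host."""
import os
import re
import stat
import subprocess
from typing import Optional

# CVE text: "Canonical apport up to and including 2.32.0"
UPSTREAM_VULNERABLE_MAX = (2, 32, 0)

# Constructed sample inputs: the shape of the real files, not captured output.
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\n'
SAMPLE_CORE_PATTERN = "|/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E\n"
SAMPLE_SYSTEMD_PATTERN = "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h\n"


def core_pattern_uses_apport(core_pattern: str) -> bool:
    """True when kernel.core_pattern pipes dumps ('|' prefix) to a binary named apport."""
    words = core_pattern.strip().split()
    if not words or not words[0].startswith("|"):
        return False                      # plain file pattern such as 'core'
    return os.path.basename(words[0][1:]) == "apport"


def suid_dumpable_status(value: str) -> str:
    """fs.suid_dumpable: 0 = SUID/privileged processes never dump (the README's
    mitigation); 1 = dump everything; 2 = dump them only through a pipe handler,
    i.e. straight into apport, which is the path this CVE abuses."""
    return {"0": "mitigated", "1": "exposed", "2": "exposed"}.get(value.strip(), "unknown")


def split_debian_version(version: str) -> tuple:
    """Split '[epoch:]upstream[-revision]' the way dpkg defines it."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                            # no revision: the whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def version_verdict(dpkg_version: str) -> str:
    """The '<= 2.32.0' check plus the caveat it needs: Ubuntu ships fixes as a new
    Debian revision of the same upstream version, so for a packaged build the
    upstream comparison can only say 'possibly vulnerable'."""
    _, upstream, revision = split_debian_version(dpkg_version.strip())
    numbers = tuple(int(n) for n in re.findall(r"\d+", upstream))
    if numbers > UPSTREAM_VULNERABLE_MAX:
        return "not_affected"
    return "possibly_vulnerable_check_changelog" if revision else "vulnerable"


def setid_bits(mode: int) -> str:
    """Describe the SUID/SGID bits of a stat() st_mode (the unix_chkpwd check)."""
    flags = [name for bit, name in ((stat.S_ISUID, "SUID"), (stat.S_ISGID, "SGID")) if mode & bit]
    return "/".join(flags) if flags else "not SUID/SGID"


def assess(os_release: str, core_pattern: str, suid_dumpable: str,
           apport_version: Optional[str]) -> dict:
    """Combine the individual checks into the README's overall verdict."""
    report = {
        "ubuntu": re.search(r"^ID=ubuntu$", os_release, re.M) is not None,
        "apport_handler": core_pattern_uses_apport(core_pattern),
        "suid_dumpable": suid_dumpable_status(suid_dumpable),
        "version": version_verdict(apport_version) if apport_version else "apport_not_installed",
    }
    report["exposed"] = (
        report["ubuntu"]
        and report["apport_handler"]
        and report["version"] not in ("not_affected", "apport_not_installed")
        and report["suid_dumpable"] != "mitigated"
    )
    return report


def read_live() -> dict:
    """Run the checks on this host; the /proc and /etc files and dpkg-query need no root."""
    def slurp(path: str) -> str:
        with open(path, encoding="utf-8") as fh:
            return fh.read()

    try:
        version = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "apport"],
                                 capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        version = None                     # apport not installed or not a dpkg system
    report = assess(slurp("/etc/os-release"), slurp("/proc/sys/kernel/core_pattern"),
                    slurp("/proc/sys/fs/suid_dumpable"), version)
    try:
        report["unix_chkpwd"] = setid_bits(os.stat("/usr/sbin/unix_chkpwd").st_mode)
    except FileNotFoundError:
        report["unix_chkpwd"] = "not found"
    return report


if __name__ == "__main__":
    for key, value in read_live().items():
        print(f"{key}: {value}")
```

The `exposed` flag follows the README's logic: Ubuntu, Apport wired into `core_pattern`, a version not shown to be fixed, and `fs.suid_dumpable` not set to 0. Setting `fs.suid_dumpable=0` flips the verdict to mitigated without touching the package, which is why the tool lists it as the stopgap.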

---

## License

This project is licensed under the [MIT License](LICENSE).

---

## Credits

Developed by Daryl Lundy
File Snapshot

/data/pocs/ccdf878061046dfb50f8e8eb191b524a2869933a (4.0K)
├── cve_2025_5054_detector.py (11K)
├── LICENSE (1.0K)
└── README.md (2.9K)

0 directories, 3 files