Vulnerabilities > CVE-2015-1862 - Race Condition vulnerability in Abrt Project Abrt

047910
CVSS 7.0 - HIGH
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
abrt-project
CWE-362
exploit available
metasploit

Summary

The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namedspaced environment.

Vulnerable Configurations

Part Description Count
Application
Abrt_Project
75

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Exploit-Db

  • descriptionFedora abrt Race Condition Exploit. CVE-2015-1862,CVE-2015-3315. Local exploit for linux platform
    fileexploits/linux/local/36747.c
    idEDB-ID:36747
    last seen2016-02-04
    modified2015-04-14
    platformlinux
    port
    published2015-04-14
    reporterTavis Ormandy
    sourcehttps://www.exploit-db.com/download/36747/
    titleFedora abrt Race Condition Exploit
    typelocal
  • descriptionABRT - raceabrt Privilege Escalation(Metasploit). CVE-2015-3315. Local exploit for Linux platform. Tags: Metasploit Framework (MSF), Local
    fileexploits/linux/local/44097.rb
    idEDB-ID:44097
    last seen2018-02-16
    modified2018-02-16
    platformlinux
    port
    published2018-02-16
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/44097/
    titleABRT - raceabrt Privilege Escalation(Metasploit)
    typelocal
  • descriptionApport/Abrt - Local Root Exploit. CVE-2015-1318,CVE-2015-1862. Local exploit for linux platform
    fileexploits/linux/local/36746.c
    idEDB-ID:36746
    last seen2016-02-04
    modified2015-04-14
    platformlinux
    port
    published2015-04-14
    reporterTavis Ormandy
    sourcehttps://www.exploit-db.com/download/36746/
    titleApport/Abrt - Local Root Exploit
    typelocal

Metasploit

descriptionThis module attempts to gain root privileges on Linux systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This module has been tested successfully on: abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64; abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64; abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64; abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.
idMSF:EXPLOIT/LINUX/LOCAL/ABRT_RACEABRT_PRIV_ESC
last seen2020-05-13
modified2020-01-16
published2018-01-16
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb
titleABRT raceabrt Privilege Escalation

Packetstorm