CVE-2015-1862 - Race Condition vulnerability in Abrt Project Abrt
- Attack vector: LOCAL
- Attack complexity: HIGH
- Privileges required: LOW
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH
Summary
The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namespaced environment.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Exploit-Db
description | Fedora abrt Race Condition Exploit. CVE-2015-1862,CVE-2015-3315. Local exploit for linux platform |
file | exploits/linux/local/36747.c |
id | EDB-ID:36747 |
last seen | 2016-02-04 |
modified | 2015-04-14 |
platform | linux |
port | |
published | 2015-04-14 |
reporter | Tavis Ormandy |
source | https://www.exploit-db.com/download/36747/ |
title | Fedora abrt Race Condition Exploit |
type | local |

description | ABRT - raceabrt Privilege Escalation(Metasploit). CVE-2015-3315. Local exploit for Linux platform. Tags: Metasploit Framework (MSF), Local |
file | exploits/linux/local/44097.rb |
id | EDB-ID:44097 |
last seen | 2018-02-16 |
modified | 2018-02-16 |
platform | linux |
port | |
published | 2018-02-16 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/44097/ |
title | ABRT - raceabrt Privilege Escalation(Metasploit) |
type | local |

description | Apport/Abrt - Local Root Exploit. CVE-2015-1318,CVE-2015-1862. Local exploit for linux platform |
file | exploits/linux/local/36746.c |
id | EDB-ID:36746 |
last seen | 2016-02-04 |
modified | 2015-04-14 |
platform | linux |
port | |
published | 2015-04-14 |
reporter | Tavis Ormandy |
source | https://www.exploit-db.com/download/36746/ |
title | Apport/Abrt - Local Root Exploit |
type | local |
Metasploit
description | This module attempts to gain root privileges on Linux systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This module has been tested successfully on: abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64; abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64; abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64; abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64. |
id | MSF:EXPLOIT/LINUX/LOCAL/ABRT_RACEABRT_PRIV_ESC |
last seen | 2020-05-13 |
modified | 2020-01-16 |
published | 2018-01-16 |
references |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb |
title | ABRT raceabrt Privilege Escalation |
Packetstorm
data source | https://packetstormsecurity.com/files/download/131422/fedoraabrt-racecondition.txt |
id | PACKETSTORM:131422 |
last seen | 2016-12-05 |
published | 2015-04-15 |
reporter | Tavis Ormandy |
source | https://packetstormsecurity.com/files/131422/Fedora-abrt-Race-Condition.html |
title | Fedora abrt Race Condition |

data source | https://packetstormsecurity.com/files/download/131423/apportabrt-exec.txt |
id | PACKETSTORM:131423 |
last seen | 2016-12-05 |
published | 2015-04-15 |
reporter | Tavis Ormandy |
source | https://packetstormsecurity.com/files/131423/Linux-Apport-Abrt-Local-Root-Exploit.html |
title | Linux Apport/Abrt Local Root Exploit |

data source | https://packetstormsecurity.com/files/download/131429/apportabrt-issues.txt |
id | PACKETSTORM:131429 |
last seen | 2016-12-05 |
published | 2015-04-15 |
reporter | Tavis Ormandy |
source | https://packetstormsecurity.com/files/131429/Abrt-Apport-Race-Condition-Symlink.html |
title | Abrt / Apport Race Condition / Symlink |

data source | https://packetstormsecurity.com/files/download/146411/abrt_raceabrt_priv_esc.rb.txt |
id | PACKETSTORM:146411 |
last seen | 2018-02-17 |
published | 2018-02-15 |
reporter | Tavis Ormandy |
source | https://packetstormsecurity.com/files/146411/ABRT-raceabrt-Privilege-Escalation.html |
title | ABRT raceabrt Privilege Escalation |
References
- http://packetstormsecurity.com/files/131422/Fedora-abrt-Race-Condition.html
- http://packetstormsecurity.com/files/131423/Linux-Apport-Abrt-Local-Root-Exploit.html
- http://packetstormsecurity.com/files/131429/Abrt-Apport-Race-Condition-Symlink.html
- http://seclists.org/fulldisclosure/2015/Apr/34
- http://www.openwall.com/lists/oss-security/2015/04/14/4
- http://www.securityfocus.com/bid/74263
- https://bugzilla.redhat.com/show_bug.cgi?id=1211223
- https://github.com/abrt/abrt/pull/810
- https://www.exploit-db.com/exploits/36746/
- https://www.exploit-db.com/exploits/36747/