module
ABRT raceabrt Privilege Escalation
| Disclosed | Created |
|---|---|
| 2015-04-14 | 2018-06-14 |
Disclosed
2015-04-14
Created
2018-06-14
Description
This module attempts to gain root privileges on Linux systems with
a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
as the crash handler.
A race condition allows local users to change ownership of arbitrary
files (CVE-2015-3315). This module uses a symlink attack on
`/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,
then adds a new user with UID=0 GID=0 to gain root privileges.
Winning the race could take a few minutes.
This module has been tested successfully on:
abrt 2.1.11-12.el7 on RHEL 7.0 x86_64;
abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64;
abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64;
abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64;
abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.
a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
as the crash handler.
A race condition allows local users to change ownership of arbitrary
files (CVE-2015-3315). This module uses a symlink attack on
`/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,
then adds a new user with UID=0 GID=0 to gain root privileges.
Winning the race could take a few minutes.
This module has been tested successfully on:
abrt 2.1.11-12.el7 on RHEL 7.0 x86_64;
abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64;
abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64;
abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64;
abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.
Authors
Tavis Ormandy
bcoles bcoles@gmail.com
bcoles bcoles@gmail.com
Platform
Linux
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.