Rapid7 Vulnerability & Exploit Database

ABRT sosreport Privilege Escalation

Back to Search

ABRT sosreport Privilege Escalation



This module attempts to gain root privileges on RHEL systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. `sosreport` uses an insecure temporary directory, allowing local users to write to arbitrary files (CVE-2015-5287). This module uses a symlink attack on `/var/tmp/abrt/cc-*$pid/` to overwrite the `modprobe` path in `/proc/sys/kernel/modprobe`, resulting in root privileges. Waiting for `sosreport` could take a few minutes. This module has been tested successfully on: abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; and abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.


  • rebel
  • bcoles <bcoles@gmail.com>




x86, x64, armle, aarch64, ppc, mipsle, mipsbe


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/local/abrt_sosreport_priv_esc
msf exploit(abrt_sosreport_priv_esc) > show targets
msf exploit(abrt_sosreport_priv_esc) > set TARGET < target-id >
msf exploit(abrt_sosreport_priv_esc) > show options
    ...show and set options...
msf exploit(abrt_sosreport_priv_esc) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security