module

Apport / ABRT chroot Privilege Escalation

Try Surface Command
Back to search
Disclosed
2015-03-31
Created
2018-06-14

Description

This module attempts to gain root privileges on Linux systems by
invoking the default coredump handler inside a namespace ("container").

Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are
vulnerable, due to a feature which allows forwarding reports to
a container's Apport by changing the root directory before loading
the crash report, causing `usr/share/apport/apport` within the crashed
task's directory to be executed.

Similarly, Fedora is vulnerable when the kernel crash handler is
configured to change root directory before executing ABRT, causing
`usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be
executed.

In both instances, the crash handler does not drop privileges,
resulting in code execution as root.

This module has been tested successfully on Apport 2.14.1 on
Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.

Authors

Stéphane Graber
Tavis Ormandy
Ricardo F. Teixeira
bcoles bcoles@gmail.com

Platform

Linux

Architectures

x86, x64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/linux/local/apport_abrt_chroot_priv_esc
    msf exploit(apport_abrt_chroot_priv_esc) > show targets
        ...targets...
    msf exploit(apport_abrt_chroot_priv_esc) > set TARGET < target-id >
    msf exploit(apport_abrt_chroot_priv_esc) > show options
        ...show and set options...
    msf exploit(apport_abrt_chroot_priv_esc) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today