Rapid7 Vulnerability & Exploit Database

Apport / ABRT chroot Privilege Escalation

Back to Search

Apport / ABRT chroot Privilege Escalation



This module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.


  • Stéphane Graber
  • Tavis Ormandy
  • Ricardo F. Teixeira
  • bcoles <bcoles@gmail.com>




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/local/apport_abrt_chroot_priv_esc
msf exploit(apport_abrt_chroot_priv_esc) > show targets
msf exploit(apport_abrt_chroot_priv_esc) > set TARGET < target-id >
msf exploit(apport_abrt_chroot_priv_esc) > show options
    ...show and set options...
msf exploit(apport_abrt_chroot_priv_esc) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security