module
Apport / ABRT chroot Privilege Escalation
| Disclosed |
|---|
| Mar 31, 2015 |
Disclosed
Mar 31, 2015
Description
This module attempts to gain root privileges on Linux systems by
invoking the default coredump handler inside a namespace ("container").
Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are
vulnerable, due to a feature which allows forwarding reports to
a container's Apport by changing the root directory before loading
the crash report, causing `usr/share/apport/apport` within the crashed
task's directory to be executed.
Similarly, Fedora is vulnerable when the kernel crash handler is
configured to change root directory before executing ABRT, causing
`usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be
executed.
In both instances, the crash handler does not drop privileges,
resulting in code execution as root.
This module has been tested successfully on Apport 2.14.1 on
Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
invoking the default coredump handler inside a namespace ("container").
Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are
vulnerable, due to a feature which allows forwarding reports to
a container's Apport by changing the root directory before loading
the crash report, causing `usr/share/apport/apport` within the crashed
task's directory to be executed.
Similarly, Fedora is vulnerable when the kernel crash handler is
configured to change root directory before executing ABRT, causing
`usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be
executed.
In both instances, the crash handler does not drop privileges,
resulting in code execution as root.
This module has been tested successfully on Apport 2.14.1 on
Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.