ABRT/sosreport privilege elevation

Added: 12/14/2015
CVE: CVE-2015-5287

Background

The Automatic Bug Reporting Tool (ABRT) is an application that runs as a daemon on some Linux systems. ABRT collects relevant crash data when another application crashes and can report it to a relevant issue tracker for analysis. After saving some initial diagnostic information, the sosreport script is called by ABRT on Red Hat Enterprise Linux (RHEL).

Problem

When /etc/abrt/abrt.conf is configured to turn off PrivateReports, the default setting in RHEL 7 and 7.1, the diagnostic files and directories created by ABRT can be manipulated to cause /usr/sbin/sosreport to write a file with crafted data at an arbitrary location as root.

Resolution

Apply the appropriate patch referenced in Red Hat Security Advisory RHSA-2015-2505-1.

References

https://www.exploit-db.com/exploits/38832/
http://www.openwall.com/lists/oss-security/2015/12/01/1

Limitations

Exploit works on default installations of Red Hat Enterprise Linux (RHEL) 7 and 7.1. Exploit may also work on RHEL 6 if the system administrator has commented out the line "PrivateReports = yes" or set it to "no" in abrt.conf.

Platforms

Linux

Back to exploit index