CVE-2015-3315
Published 2017-06-26
CVE-2015-3315: Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink…
Priority P349 · high · 7.8 · CVSS 3.0
AV:L · AC:L · PR:L · UI:N · S:U · C:H · I:H · A:H
EXPLOIT
EPSS 4.81% (90.9th percentile)
Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt/*/maps, (2) /tmp/jvm-*/hs_error.log, (3) /proc/*/exe, (4) /etc/os-release in a chroot, or (5) an unspecified root directory related to librpm.
CVSS provenance
nvd · v3.0 · 7.8 · HIGH · CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.2 · HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 7.8 · HIGH
Red Hat
abrt: Various race-conditions and symlink issues found in abrt
vendor_redhat·2015-04-14·CVSS 7.8
CVE-2015-3315 [HIGH] CWE-362 abrt: Various race-conditions and symlink issues found in abrt
It was found that ABRT was vulnerable to multiple race condition and symbolic link flaws. A local attacker could use either of these flaws to potentially escalate their privileges on the system.
Statement: This issue affects the versions of the abrt package as shipped with Red Hat Enterprise Linux 6 and 7.
Mitigation: It is recommended to disable abrt via the following command line, till the flaws have b
GHSA
GHSA-q24q-c8xg-xmvg: Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a sym
ghsa_unreviewed·2022-05-14
CVE-2015-3315 [HIGH] CWE-59 GHSA-q24q-c8xg-xmvg: Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a sym
No detection rules found.
Exploit-DB
ABRT - 'raceabrt' Privilege Escalation (Metasploit)
exploitdb·2018-02-16·CVSS 7.8
CVE-2015-3315 [HIGH] ABRT - 'raceabrt' Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'ABRT raceabrt Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Fedora systems with
a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
as the crash handler.
A race condition allows local users to change ownership of arbitrary
files (CVE-2015-3315). This module uses a symlink attack on
'/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd,
then adds a new user with UID=0 GID=0 to gain root privileges.
Winning the race could take a few minutes.
This module has been tested successfully on ABRT packaged ve
Exploit-DB
Abrt (Fedora 21) - Race Condition
exploitdb·2015-04-14·CVSS 7.0
CVE-2015-3315 [HIGH] Abrt (Fedora 21) - Race Condition
---
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
//
// This is a race condition exploit for CVE-2015-1862, targeting Fedora.
//
// Note: It can take a few minutes to win the race condition.
//
// -- [email protected], April 2015.
//
// $ cat /etc/fedora-release
// Fedora release 21 (Twenty One)
// $ ./a.out /etc/passwd
// [ wait a few minutes ]
// Detected ccpp-2015-04-13-21:54:43-14183.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14186.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14191.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-1
Metasploit
ABRT raceabrt Privilege Escalation
metasploit·CVSS 7.8
CVE-2015-3315 [HIGH] ABRT raceabrt Privilege Escalation
This module attempts to gain root privileges on Linux systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This module has been tested successfully on: abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64; abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64; abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64; abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.
Bugzilla
CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all]
bugzilla·2015-05-04·CVSS 7.8
CVE-2015-3315 [HIGH] CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all]
+++ This bug was initially created as a clone of Bug #1218239 +++
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bugzilla
CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all]
bugzilla·2015-05-04·CVSS 7.8
CVE-2015-3315 [HIGH] CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt
bugzilla·2015-04-15·CVSS 7.8
CVE-2015-3315 [HIGH] CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt
The following flaws were reported by Tavis Ormandy:
Furthermore, Abrt suffers from numerous race conditions and symlink
problems from trusting unprivileged programs. For example, the code
below (and lots of similar code) is vulnerable to a filesystem race
where a user unlinks the file after the copy but before the chown.
https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L634
strcpy(source_filename + source_base_ofs, "maps");
strcpy(dest_base, FILENAME_MAPS);
copy_file(source_filename, dest_filename, DEFAULT_DUMP_DIR_MODE);
IGNORE_RESULT(chown(dest_filename, dd->dd_uid, dd->dd_gid));
This code trusts various symlinks in /tmp without validation:
https://github.com/abrt/abrt/blob/master/src/ho
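The hardened counterpart of the copy-then-chown pattern quoted above, as an added example (not ABRT's code or its actual fix). `copy_and_own` is a hypothetical helper: it creates the destination with `O_EXCL | O_NOFOLLOW` relative to a directory descriptor and changes ownership with `fchown` on the open descriptor, so replacing the path between the copy and the ownership change has no effect.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (added example): copy src into dirfd/name and hand
 * the new file to uid:gid without ever re-resolving the destination path.
 * Returns 0 on success, -1 with errno set on failure. */
int copy_and_own(const char *src, int dirfd, const char *name,
                 uid_t uid, gid_t gid, mode_t mode)
{
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0)
        return -1;
    /* O_EXCL: fail if anything, including a symlink, already exists here.
     * O_NOFOLLOW: never traverse a symlink in the final path component. */
    int out = openat(dirfd, name,
                     O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                     mode);
    if (out < 0) {
        int e = errno; close(in); errno = e;
        return -1;
    }
    char buf[4096];
    ssize_t n;
    int rc = 0;
    while (rc == 0 && (n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { rc = -1; break; }
            off += w;
        }
    }
    if (rc == 0 && n < 0)
        rc = -1;
    /* fchown acts on the inode we created, not on a path, so unlinking or
     * replacing the directory entry cannot redirect the ownership change. */
    if (rc == 0 && fchown(out, uid, gid) < 0)
        rc = -1;
    int e = errno;
    close(in); close(out);
    errno = e;
    return rc;
}
```

A destination name that already exists, for example a symlink planted in the dump directory, makes the call fail with `EEXIST` instead of being followed.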
http://rhn.redhat.com/errata/RHSA-2015-1083.html
http://rhn.redhat.com/errata/RHSA-2015-1210.html
http://www.openwall.com/lists/oss-security/2015/04/14/4
http://www.openwall.com/lists/oss-security/2015/04/16/12
http://www.securityfocus.com/bid/75117
https://bugzilla.redhat.com/show_bug.cgi?id=1211835
https://github.com/abrt/abrt/commit/17cb66b13997b0159b4253b3f5722db79f476d68
https://github.com/abrt/abrt/commit/4f2c1ddd3e3b81d2d5146b883115371f1cada9f9
https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92
https://github.com/abrt/abrt/commit/d6e2f6f128cef4c21cb80941ae674c9842681aa7
https://www.exploit-db.com/exploits/44097/
Published: 2017-06-26