Bug 1211835 (CVE-2015-3315)
| Summary: | CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | abrt-devel-list, bressers, dvlasenk, fweimer, huzaifas, iprikryl, jfilak, jrusnack, mhabrnal, michal.toman, mjc, mmilata, pablo.iranzo, pasteur, pdwyer, pneedle, sisharma, tazz, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was found that ABRT was vulnerable to multiple race condition and symbolic link flaws. A local attacker could use either of these flaws to potentially escalate their privileges on the system. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-07-09 05:33:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1211966, 1211967, 1211969, 1211971, 1218239, 1218241 | | |
| Bug Blocks: | 1211224, 1214172 | | |
Description
Huzaifa S. Sidhpurwala
2015-04-15 05:18:33 UTC
Statement: This issue affects the versions of the abrt package as shipped with Red Hat Enterprise Linux 6 and 7.

External Reference: http://www.openwall.com/lists/oss-security/2015/04/14/4

From https://bugzilla.redhat.com/show_bug.cgi?id=1211223#c7

"These additional flaws ... have been rated as having Important impact for Red Hat Enterprise Linux 7 as they can lead to privilege escalation to root (from a non-root local user), and Moderate impact for Red Hat Enterprise Linux 6, since they can lead to privilege escalation to root only from the abrt user."

Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1218239]

I'm adding URLs to upstream commits for the issues:

> For example, the code
> below (and lots of similar code) is vulnerable to a filesystem race
> where a user unlinks the file after the copy but before the chown.
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L634
>
> strcpy(source_filename + source_base_ofs, "maps");
> strcpy(dest_base, FILENAME_MAPS);
> copy_file(source_filename, dest_filename, DEFAULT_DUMP_DIR_MODE);
> IGNORE_RESULT(chown(dest_filename, dd->dd_uid, dd->dd_gid));

https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92
https://github.com/abrt/abrt/commit/d6e2f6f128cef4c21cb80941ae674c9842681aa7

> This code trusts various symlinks in /tmp without validation:
>
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L806
>
> char *java_log = xasprintf("/tmp/jvm-%lu/hs_error.log", (long)pid);
> int src_fd = open(java_log, O_RDONLY);
> free(java_log);

https://github.com/abrt/abrt/commit/17cb66b13997b0159b4253b3f5722db79f476d68

> This code trusts the /proc/pid/exe symlink, even though it is possible
> to link it anywhere you want.
>
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368
>
> sprintf(buf, "/proc/%lu/exe", (long)pid);
> int src_fd_binary = open(buf, O_RDONLY); /* might fail and
> return -1, it's ok */

There is no commit for this issue because ABRT doesn't read /proc/[pid]/exe symlink by default. An administrator has to turn it on in /etc/abrt/plugins/CCpp.conf (SaveBinaryImage).

> This code trusts the attacker controlled root symlink and copies files from it.
>
> https://github.com/abrt/libreport/blob/master/src/lib/dump_dir.c#L671
>
> if (chroot_dir)
> copy_file_from_chroot(dd, FILENAME_OS_INFO_IN_ROOTDIR, chroot_dir, "/etc/os-release");

The function at the URL above is dd_create_basic_files() and the variable chroot_dir is its 3rd argument.

https://github.com/abrt/abrt/commit/4f2c1ddd3e3b81d2d5146b883115371f1cada9f9

> This instructs librpm to trust an unprivileged root symlink:
>
> https://github.com/abrt/abrt/blob/master/src/daemon/rpm.c#L184
>
> if (rpmtsSetRootDir(*ts, rootdir_or_NULL) != 0)
> {
> rpmtsFree(*ts);
> return -1;
> }

https://github.com/abrt/abrt/commit/fdf93685d4f3fc36fe50d34a11e24662c4cb2d8c

And these commits make the code more robust:

https://github.com/abrt/abrt/commit/a4794b39efc62c9ba92b38b419de3babbbcd8cfb
https://github.com/abrt/abrt/commit/2f948bdc09aa346616852a421ce1af2e03b39997
https://github.com/abrt/abrt/commit/28ce40d8db91c1926a95f21ef19a980a8af88471

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html
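The first pattern quoted in the report, copy_file() on a path followed by chown() on the same path, is a time-of-check/time-of-use race: nothing ties the chown() to the file that was just written. The example below is added here as an illustration of the descriptor-based pattern that closes that window; it is not abrt's copy_file() and not the content of the linked commits. The destination is created with O_CREAT|O_EXCL|O_NOFOLLOW, so a symlink already sitting at the destination is refused atomically by the kernel, and ownership is changed with fchown() on the open descriptor rather than chown() on the path. The function names, the temporary directory and the sample "maps" line are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for the copy_file() + chown(path) sequence quoted in
 * the report. Illustrative only: neither abrt's copy_file() nor the code of
 * the linked commits. Everything after open() works on descriptors, so the
 * object that receives fchown() is the object that was written; a path-based
 * chown() could be re-pointed at another file in between. */
static int copy_file_nofollow(const char *src, const char *dst,
                              mode_t mode, uid_t uid, gid_t gid)
{
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0)
        return -1;
    /* O_EXCL: refuse if anything, a planted symlink included, already exists
     * at dst; O_NOFOLLOW: never follow one. Both are checked atomically. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
    if (out < 0) {
        int saved = errno;
        close(in);
        errno = saved;
        return -1;
    }
    int rc = -1;
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0)
                goto done;
            off += w;
        }
    }
    if (n == 0 && fchown(out, uid, gid) == 0)   /* descriptor, not path */
        rc = 0;
done:
    close(in);
    if (close(out) != 0)
        rc = -1;
    return rc;
}

/* Self-check on constructed files in a private temporary directory (the
 * "maps" line is made up). Returns 0 when a normal copy round-trips and a
 * symlink planted at the destination is refused with EEXIST; otherwise the
 * number of the step that failed. */
int demo_copy_file_nofollow(void)
{
    char dir[] = "/tmp/cve-2015-3315-exampleXXXXXX";
    char src[PATH_MAX], dst[PATH_MAX], victim[PATH_MAX], planted[PATH_MAX];
    const char *maps = "55555555-55556000 r-xp 00000000 fd:01 1234 /bin/sleep\n";
    char got[128] = {0};
    FILE *f;
    int rc;
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(src, sizeof src, "%s/maps", dir);
    snprintf(dst, sizeof dst, "%s/copy", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/planted", dir);
    rc = 2;                                   /* write the source file */
    if (!(f = fopen(src, "w"))) goto cleanup;
    fputs(maps, f);
    fclose(f);
    rc = 3;                                   /* a normal copy must succeed */
    if (copy_file_nofollow(src, dst, 0640, getuid(), getgid()) != 0) goto cleanup;
    rc = 4;                                   /* and the content must round-trip */
    if (!(f = fopen(dst, "r"))) goto cleanup;
    if (!fgets(got, sizeof got, f)) got[0] = '\0';
    fclose(f);
    if (strcmp(got, maps) != 0) goto cleanup;
    rc = 5;                                   /* model the race: link already at dst */
    if (!(f = fopen(victim, "w"))) goto cleanup;
    fputs("untouched\n", f);
    fclose(f);
    if (symlink(victim, planted) != 0) goto cleanup;
    rc = 6;                                   /* the copy must refuse the link */
    if (copy_file_nofollow(src, planted, 0640, getuid(), getgid()) == 0
        || errno != EEXIST) goto cleanup;
    rc = 7;                                   /* and the link target is untouched */
    if (!(f = fopen(victim, "r"))) goto cleanup;
    if (!fgets(got, sizeof got, f)) got[0] = '\0';
    fclose(f);
    rc = strcmp(got, "untouched\n") == 0 ? 0 : 7;
cleanup:
    unlink(src); unlink(dst); unlink(victim); unlink(planted);
    rmdir(dir);
    return rc;
}
```

Calling demo_copy_file_nofollow() from a main() and checking for 0 exercises both the normal copy and the refused symlink. The second pattern in the report (opening /tmp/jvm-<pid>/hs_error.log) is the same class of bug, with one extra caveat: O_NOFOLLOW only protects the final path component, so when the parent directory itself lives in a world-writable location it also has to be opened with O_DIRECTORY|O_NOFOLLOW, its owner checked with fstat() against the crashing process's uid, and the file then opened relative to it with openat().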