Bug 1262252 (CVE-2015-5273)
Summary: | CVE-2015-5273 abrt: Insecure temporary directory usage in abrt-action-install-debuginfo-to-abrt-cache | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | | |
Severity: | medium | Priority: | medium |
Version: | unspecified | CC: | fweimer, huzaifas, jfilak, jrusnack, mhabrnal, security-response-team |
Keywords: | Security | Doc Type: | Bug Fix |
Hardware: | All | OS: | Linux |
Last Closed: | 2016-02-05 00:21:28 UTC | | |
Bug Depends On: | 1266853, 1284557 | Bug Blocks: | 1262260, 1262302 |

Doc Text: It was found that the ABRT debug information installer (abrt-action-install-debuginfo-to-abrt-cache) did not use temporary directories in a secure way. A local attacker could use the flaw to create symbolic links and files at arbitrary locations as the abrt user.

Description
Adam Mariš
2015-09-11 09:38:57 UTC
*** Bug 1262292 has been marked as a duplicate of this bug. ***

*** Bug 1262296 has been marked as a duplicate of this bug. ***

Acknowledgements:

Red Hat would like to thank Philip Pettersson of Samsung for reporting this issue.

Three abrt related issues are discussed in this flaw. More details about each of these issues are already noted in comment #0. Here is some additional analysis:

1. Insecure temporary directory and symlink usage in sosreport:

ABRT ships with "PrivateReports = yes" in RHEL-7.1 and the configuration file contains the following comment:

    # Disable this option if you want to allow regular users to have file system
    # rights to read the problem data stored in DumpLocation.
    #
    # Caution:
    # THE PROBLEM DATA CONTAINS EXCERPTS OF /var/log/messages, dmesg AND sosreport
    # data GENERATED BY abrtd UNDER THE USER root.

ABRT discourages the administrators from removing "PrivateReports=yes". Note: if you remove the line from the configuration, ABRT considers the option enabled, so you have to add "PrivateReports=no" to the configuration file.

The above warning is already enabled in the versions of abrt shipped with Red Hat Enterprise Linux 7.2.

Because of the above, we do not consider this issue as a security flaw.

Note: The "PrivateReports" option was considered as a part of the fix for CVE-2015-1870 (https://bugzilla.redhat.com/show_bug.cgi?id=1212868#c3) and CVE-2015-1869. This fix was not backported to Fedora and therefore Fedora 21 and Fedora 22 are affected by this issue.

2. Insecure temporary directory usage in abrt-action-install-debuginfo-to-abrt-cache:

An attacker would have to convince the administrator to install the attacker's package and the package has to be signed with the imported RPM GPG key, otherwise ABRT would remove the crash data immediately after its creation.

So, in order to exploit this issue, a specially-crafted debuginfo file needs to be installed on a system; this is unlikely to happen for a system subscribed to Red Hat Network, unless the attacker can pull off a successful MITM attack.

This issue has been assigned CVE-2015-5273

3. abrt: incorrect permissions on /var/spool/abrt

This issue may allow privesc from abrt to root user. This issue is being tracked as CVE-2015-5287 (bug #1266837)

(In reply to Huzaifa S. Sidhpurwala from comment #10)
>
> 1. Insecure temporary directory and symlink usage in sosreport:
>
> Note: The "PrivateReports" option was considered as a part of the fix for
> CVE-2015-1870 (https://bugzilla.redhat.com/show_bug.cgi?id=1212868#c3) and
> CVE-2015-1869. This fix was not backported to Fedora and therefore Fedora 21
> and Fedora 22 are affected by this issue.

Fedora 2[1234] does not need the PrivateReports option because ABRT hooks create problem directories owned by root:abrt with mode 750 by default and users are allowed to take ownership of directories later on (when the post-mortem analysis is finished) by calling ABRT D-Bus method "ChownProblemDir".

Users are allowed to take ownership of abrt problem directories because the directories do not contain security sensitive data (the default configuration of abrt does not store such data in the problem directories) and abrtd (and other abrt processes running as root) refuse to read/write/touch directories that are not owned by root:abrt with mode 750.

RHEL users are not allowed to take ownership of the abrt problem directories because the directories contain sosreport.

(In reply to Huzaifa S. Sidhpurwala from comment #10)
>
> 2. Insecure temporary directory usage in
> abrt-action-install-debuginfo-to-abrt-cache:
> An attacker would have to convince the administrator to install the attacker's
> package and the package has to be signed with the imported RPM GPG key,
> otherwise ABRT would remove the crash data immediately after its creation.
>
> So, in order to exploit this issue, a specially-crafted debuginfo file needs
> to be installed on a system; this is unlikely to happen for a system
> subscribed to Red Hat Network, unless the attacker can pull off a successful
> MITM attack.
>
> This issue has been assigned CVE-2015-5273
>

I am terribly sorry! The analysis of the (2) issue is not accurate because I forgot about the possibility to run the suid wrapper with arbitrary command line arguments, thus the attacker does not need to generate a valid abrt directory stored in /var/spool/abrt. Hence there is no need to install any additional package to be able to exploit this issue.

By passing BUILD_ID to the suid wrapper, the attacker can force the suid wrapper to download & unpack any rpm package that is available in one of the configured repositories and that provides the file /usr/lib/debug/.build-id/${BUILD_ID:0:2}/${BUILD_ID:2}.

Created attachment 1087873 [details]
Amended patch replacing functions accepting path with functions accepting file descriptor
Created attachment 1087874 [details]
Test case: abrt-hook-ccpp not saving core files in /var/spool/abrt
Created attachment 1087876 [details]
Test case: abrt-action-install-debuginfo-to-abrt-cache using secure temporary directory
Created attachment 1087877 [details]
Test case: correctness of file system attributes of the /var/spool/abrt directory
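
The attachments above describe the fix as replacing path-based functions with descriptor-based ones and test that the debuginfo installer uses a secure temporary directory. The C code below is an added illustration of that pattern, not code from the ABRT patch; the function names, the `/tmp/example-cache-` prefix and the file names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private work directory and return a descriptor pinned to it. */
int open_private_tmpdir(char *tmpl)
{
    if (mkdtemp(tmpl) == NULL) return -1;     /* random name, mode 0700 */
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    struct stat st;   /* check the object we hold, not what the path names now */
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & 077) != 0) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Create a NEW file below dfd; an existing symlink or file is an error. */
int create_in_dir(int dfd, const char *name, const void *buf, size_t len)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL) return -1; /* one component */
    int fd = openat(dfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Constructed scenario: 0 if the normal create works and both bad ones fail. */
int demo(void)
{
    char tmpl[] = "/tmp/example-cache-XXXXXX";        /* hypothetical prefix */
    int dfd = open_private_tmpdir(tmpl);
    if (dfd < 0) return 1;
    int ok = create_in_dir(dfd, "unpacked.debug", "data", 4) == 0;
    ok = ok && symlinkat("/nonexistent-target", dfd, "planted") == 0;
    ok = ok && create_in_dir(dfd, "planted", "x", 1) == -1;   /* symlink */
    ok = ok && create_in_dir(dfd, "../escape", "x", 1) == -1; /* has '/' */
    unlinkat(dfd, "unpacked.debug", 0); unlinkat(dfd, "planted", 0);
    close(dfd); rmdir(tmpl);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```

Because every later operation goes through the directory descriptor, replacing or renaming the path after creation does not redirect writes.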
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2015:2505 https://rhn.redhat.com/errata/RHSA-2015-2505.html

Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1284557]

abrt-2.7.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

abrt-2.6.1-8.fc22, libreport-2.6.4-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-de4d7b3b1f

abrt-2.6.1-8.fc22, libreport-2.6.4-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.