Bug 1211835 (CVE-2015-3315) - CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt
Summary: CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3315
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1211966 1211967 1211969 1211971 1218239 1218241
Blocks: 1211224 1214172
 
Reported: 2015-04-15 05:18 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-09-13 09:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that ABRT was vulnerable to multiple race condition and symbolic link flaws. A local attacker could use either of these flaws to potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2015-07-09 05:33:34 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1083 0 normal SHIPPED_LIVE Important: abrt security update 2015-06-09 23:48:24 UTC
Red Hat Product Errata RHSA-2015:1210 0 normal SHIPPED_LIVE Moderate: abrt security update 2015-07-07 12:39:40 UTC

Description Huzaifa S. Sidhpurwala 2015-04-15 05:18:33 UTC
The following flaws were reported by Tavis Ormandy:

Furthermore, Abrt suffers from numerous race conditions and symlink
problems from trusting unprivileged programs. For example, the code
below (and lots of similar code) is vulnerable to a filesystem race
where a user unlinks the file after the copy but before the chown.
https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L634

        strcpy(source_filename + source_base_ofs, "maps");
        strcpy(dest_base, FILENAME_MAPS);
        copy_file(source_filename, dest_filename, DEFAULT_DUMP_DIR_MODE);
        IGNORE_RESULT(chown(dest_filename, dd->dd_uid, dd->dd_gid));

This code trusts various symlinks in /tmp without validation:

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L806

        char *java_log = xasprintf("/tmp/jvm-%lu/hs_error.log", (long)pid);
        int src_fd = open(java_log, O_RDONLY);
        free(java_log);

This code trusts the /proc/pid/exe symlink, even though it is possible
to link it anywhere you want.

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368

        sprintf(buf, "/proc/%lu/exe", (long)pid);
        int src_fd_binary = open(buf, O_RDONLY); /* might fail and return -1, it's ok */

This code trusts the attacker controlled root symlink and copies files from it.

https://github.com/abrt/libreport/blob/master/src/lib/dump_dir.c#L671

        if (chroot_dir)
            copy_file_from_chroot(dd, FILENAME_OS_INFO_IN_ROOTDIR, chroot_dir, "/etc/os-release");

This instructs librpm to trust an unprivileged root symlink:

https://github.com/abrt/abrt/blob/master/src/daemon/rpm.c#L184

        if (rpmtsSetRootDir(*ts, rootdir_or_NULL) != 0)
        {
            rpmtsFree(*ts);
            return -1;
        }

And so on.

There are other automatic crash analysis scripts, I believe systemd
also has one - I haven't looked at it all.

Mitigation:

It is recommended to disable abrt via the following command line, till the flaws have been resolved:
sysctl -w kernel.core_pattern=core

Note: This will be reset if abrt is restarted.
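The race described above comes from acting on a path twice (copy, then chown by name) and from opening attacker-placed symlinks. The following is an added example, not ABRT's or libreport's code, showing the defensive pattern: create the destination with O_CREAT|O_EXCL|O_NOFOLLOW and change ownership through the open descriptor with fchown(). The function and file names are hypothetical; the demo runs unprivileged in a private temp directory and only chowns to the caller's own uid/gid.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy src to a new file dst owned by uid:gid. O_EXCL|O_NOFOLLOW refuses a
 * path that already exists or is a symlink (only the final component; a
 * symlinked parent directory is still followed), and fchown() acts on the
 * open descriptor, so replacing dst after the copy cannot redirect the chown. */
int copy_file_owned(const char *src, const char *dst, mode_t mode, uid_t uid, gid_t gid)
{
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
    if (out < 0) { int e = errno; close(in); errno = e; return -1; }
    char buf[8192]; ssize_t n; int rc = 0;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { rc = -1; break; }
    if (n < 0 || (rc == 0 && fchown(out, uid, gid) != 0)) rc = -1;
    close(in);
    if (close(out) != 0) rc = -1;
    return rc;
}

/* Constructed scenario in a private temp directory. Returns 0 when a symlink
 * planted at the dump path is rejected with EEXIST and a clean copy succeeds. */
int demo(void)
{
    char dir[] = "/tmp/cve-2015-3315-demo-XXXXXX", src[96], dst[96], got[64] = {0};
    if (!mkdtemp(dir)) return 1;
    snprintf(src, sizeof src, "%s/maps", dir);
    snprintf(dst, sizeof dst, "%s/dump-maps", dir);
    int fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "7f00-7f10 r-xp\n", 15) != 15 || close(fd) != 0) return 2;
    /* A symlink planted at the dump path ahead of time must be refused. */
    if (symlink("/nonexistent/victim", dst) != 0) return 3;
    if (copy_file_owned(src, dst, 0640, getuid(), getgid()) == 0 || errno != EEXIST) return 4;
    /* With the symlink removed, the copy succeeds and the contents arrive intact. */
    if (unlink(dst) != 0 || copy_file_owned(src, dst, 0640, getuid(), getgid()) != 0) return 5;
    fd = open(dst, O_RDONLY | O_NOFOLLOW);
    if (fd < 0 || read(fd, got, sizeof got - 1) != 15) return 6;
    close(fd);
    return strcmp(got, "7f00-7f10 r-xp\n") == 0 ? 0 : 7;
}

int main(void) { return demo(); }
```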

Comment 1 Huzaifa S. Sidhpurwala 2015-04-15 05:20:13 UTC
Statement:

This issue affects the versions of the abrt package as shipped with Red Hat Enterprise Linux 6 and 7.

Comment 4 Huzaifa S. Sidhpurwala 2015-04-15 06:28:05 UTC
External Reference:

http://www.openwall.com/lists/oss-security/2015/04/14/4

Comment 12 Mark J. Cox 2015-04-15 11:36:27 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1211223#c7 "These additional flaws ... have been rated as having Important impact for Red Hat Enterprise Linux 7 as they can lead to privilege escalation to root (from a non-root local user), and Moderate impact for Red Hat Enterprise Linux 6, since they can lead to privilege escalation to root only from the abrt user."

Comment 16 Huzaifa S. Sidhpurwala 2015-05-04 11:41:12 UTC
Created abrt tracking bugs for this issue:

Affects: fedora-all [bug 1218239]

Comment 17 Jakub Filak 2015-05-05 11:03:29 UTC
I'm adding URLs to upstream commits for the issues:

> For example, the code
> below (and lots of similar code) is vulnerable to a filesystem race
> where a user unlinks the file after the copy but before the chown.
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L634
>
>        strcpy(source_filename + source_base_ofs, "maps");
>        strcpy(dest_base, FILENAME_MAPS);
>        copy_file(source_filename, dest_filename, DEFAULT_DUMP_DIR_MODE);
>        IGNORE_RESULT(chown(dest_filename, dd->dd_uid, dd->dd_gid));

https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92
https://github.com/abrt/abrt/commit/d6e2f6f128cef4c21cb80941ae674c9842681aa7

> This code trusts various symlinks in /tmp without validation:
>
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L806
>
>        char *java_log = xasprintf("/tmp/jvm-%lu/hs_error.log", (long)pid);
>        int src_fd = open(java_log, O_RDONLY);
>        free(java_log);

https://github.com/abrt/abrt/commit/17cb66b13997b0159b4253b3f5722db79f476d68

> This code trusts the /proc/pid/exe symlink, even though it is possible
> to link it anywhere you want.
>
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368
>
>        sprintf(buf, "/proc/%lu/exe", (long)pid);
>        int src_fd_binary = open(buf, O_RDONLY); /* might fail and
> return -1, it's ok */

There is no commit for this issue because ABRT doesn't read the /proc/[pid]/exe symlink by default. An administrator has to turn it on in /etc/abrt/plugins/CCpp.conf (SaveBinaryImage).

> This code trusts the attacker controlled root symlink and copies files from  it.
>
> https://github.com/abrt/libreport/blob/master/src/lib/dump_dir.c#L671
>
>        if (chroot_dir)
>            copy_file_from_chroot(dd, FILENAME_OS_INFO_IN_ROOTDIR,
> chroot_dir, "/etc/os-release");

The function at the URL above is dd_create_basic_files() and the variable chroot_dir is its 3rd argument.

https://github.com/abrt/abrt/commit/4f2c1ddd3e3b81d2d5146b883115371f1cada9f9

> This instructs librpm to trust an unprivileged root symlink:
>
> https://github.com/abrt/abrt/blob/master/src/daemon/rpm.c#L184
>
>        if (rpmtsSetRootDir(*ts, rootdir_or_NULL) != 0)
>        {
>            rpmtsFree(*ts);
>            return -1;
>        }

https://github.com/abrt/abrt/commit/fdf93685d4f3fc36fe50d34a11e24662c4cb2d8c

And these commits make the code more robust:

https://github.com/abrt/abrt/commit/a4794b39efc62c9ba92b38b419de3babbbcd8cfb
https://github.com/abrt/abrt/commit/2f948bdc09aa346616852a421ce1af2e03b39997
https://github.com/abrt/abrt/commit/28ce40d8db91c1926a95f21ef19a980a8af88471

Comment 18 errata-xmlrpc 2015-06-09 19:48:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html

Comment 19 errata-xmlrpc 2015-07-07 08:39:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html

