The following flaws were reported by Tavis Ormandy:

Furthermore, Abrt suffers from numerous race conditions and symlink problems from trusting unprivileged programs. For example, the code below (and lots of similar code) is vulnerable to a filesystem race where a user unlinks the file after the copy but before the chown.

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L634

    strcpy(source_filename + source_base_ofs, "maps");
    strcpy(dest_base, FILENAME_MAPS);
    copy_file(source_filename, dest_filename, DEFAULT_DUMP_DIR_MODE);
    IGNORE_RESULT(chown(dest_filename, dd->dd_uid, dd->dd_gid));

This code trusts various symlinks in /tmp without validation:

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L806

    char *java_log = xasprintf("/tmp/jvm-%lu/hs_error.log", (long)pid);
    int src_fd = open(java_log, O_RDONLY);
    free(java_log);

This code trusts the /proc/pid/exe symlink, even though it is possible to link it anywhere you want.

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368

    sprintf(buf, "/proc/%lu/exe", (long)pid);
    int src_fd_binary = open(buf, O_RDONLY); /* might fail and return -1, it's ok */

This code trusts the attacker-controlled root symlink and copies files from it.

https://github.com/abrt/libreport/blob/master/src/lib/dump_dir.c#L671

    if (chroot_dir)
        copy_file_from_chroot(dd, FILENAME_OS_INFO_IN_ROOTDIR, chroot_dir, "/etc/os-release");

This instructs librpm to trust an unprivileged root symlink:

https://github.com/abrt/abrt/blob/master/src/daemon/rpm.c#L184

    if (rpmtsSetRootDir(*ts, rootdir_or_NULL) != 0)
    {
        rpmtsFree(*ts);
        return -1;
    }

And so on. There are other automatic crash analysis scripts; I believe systemd also has one - I haven't looked at it all.

Mitigation: It is recommended to disable abrt via the following command line, till the flaws have been resolved:

    sysctl -w kern.core_pattern=core

Note: This will reset if abrt is re-started.
Statement: This issue affects the versions of the abrt package as shipped with Red Hat Enterprise Linux 6 and 7.
External Reference: http://www.openwall.com/lists/oss-security/2015/04/14/4
From https://bugzilla.redhat.com/show_bug.cgi?id=1211223#c7 "These additional flaws ... have been rated as having Important impact for Red Hat Enterprise Linux 7 as they can lead to privilege escalation to root (from a non-root local user), and Moderate impact for Red Hat Enterprise Linux 6, since they can lead to privilege escalation to root only from the abrt user."
Created abrt tracking bugs for this issue: Affects: fedora-all [bug 1218239]
I'm adding URLs to upstream commits for the issues:

> For example, the code
> below (and lots of similar code) is vulnerable to a filesystem race
> where a user unlinks the file after the copy but before the chown.
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L634
>
> strcpy(source_filename + source_base_ofs, "maps");
> strcpy(dest_base, FILENAME_MAPS);
> copy_file(source_filename, dest_filename, DEFAULT_DUMP_DIR_MODE);
> IGNORE_RESULT(chown(dest_filename, dd->dd_uid, dd->dd_gid));

https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92
https://github.com/abrt/abrt/commit/d6e2f6f128cef4c21cb80941ae674c9842681aa7

> This code trusts various symlinks in /tmp without validation:
>
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L806
>
> char *java_log = xasprintf("/tmp/jvm-%lu/hs_error.log", (long)pid);
> int src_fd = open(java_log, O_RDONLY);
> free(java_log);

https://github.com/abrt/abrt/commit/17cb66b13997b0159b4253b3f5722db79f476d68

> This code trusts the /proc/pid/exe symlink, even though it is possible
> to link it anywhere you want.
>
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368
>
> sprintf(buf, "/proc/%lu/exe", (long)pid);
> int src_fd_binary = open(buf, O_RDONLY); /* might fail and
> return -1, it's ok */

There is no commit for this issue because ABRT doesn't read the /proc/[pid]/exe symlink by default. An administrator has to turn it on in /etc/abrt/plugins/CCpp.conf (SaveBinaryImage).

> This code trusts the attacker controlled root symlink and copies files from it.
>
> https://github.com/abrt/libreport/blob/master/src/lib/dump_dir.c#L671
>
> if (chroot_dir)
> copy_file_from_chroot(dd, FILENAME_OS_INFO_IN_ROOTDIR, chroot_dir, "/etc/os-release");

The function at the URL above is dd_create_basic_files() and the variable chroot_dir is its 3rd argument.

https://github.com/abrt/abrt/commit/4f2c1ddd3e3b81d2d5146b883115371f1cada9f9

> This instructs librpm to trust an unprivileged root symlink:
>
> https://github.com/abrt/abrt/blob/master/src/daemon/rpm.c#L184
>
> if (rpmtsSetRootDir(*ts, rootdir_or_NULL) != 0)
> {
> rpmtsFree(*ts);
> return -1;
> }

https://github.com/abrt/abrt/commit/fdf93685d4f3fc36fe50d34a11e24662c4cb2d8c

And these commits make the code more robust:

https://github.com/abrt/abrt/commit/a4794b39efc62c9ba92b38b419de3babbbcd8cfb
https://github.com/abrt/abrt/commit/2f948bdc09aa346616852a421ce1af2e03b39997
https://github.com/abrt/abrt/commit/28ce40d8db91c1926a95f21ef19a980a8af88471
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html