This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable due to a feature that allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, which causes 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change the root directory before executing ABRT, which causes 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
9c651a9002f5646905fcb8abdec1552897cd260c341ec403e60727c2cf691713
Various security issues relating to symlink attacks and race conditions with Abrt and Apport are documented here.
5d34863098436ca2b737a516dbf202b5b13e18f665c091f7e9911d2b18bd94f7
Linux Apport/Abrt local root exploit.
86450ad50a81df27c58911bc2fe3cf1d8a226ce7476c4db37f56410a0c5dd0ee
Ubuntu Security Notice 2569-1 - Apport incorrectly handled the crash reporting feature. A local attacker could use this issue to gain elevated privileges.
a92ad51b41492b7b06ec3def2af7b30dc49d053a5a7bcaedf82144c25bf84ab1