This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
9c651a9002f5646905fcb8abdec1552897cd260c341ec403e60727c2cf691713Various security issues relating to symlink attacks and race conditions with Abrt and Apport are documented here.
5d34863098436ca2b737a516dbf202b5b13e18f665c091f7e9911d2b18bd94f7Linux Apport/Abrt local root exploit.
86450ad50a81df27c58911bc2fe3cf1d8a226ce7476c4db37f56410a0c5dd0eeUbuntu Security Notice 2569-1 - Apport incorrectly handled the crash reporting feature. A local attacker could use this issue to gain elevated privileges.
a92ad51b41492b7b06ec3def2af7b30dc49d053a5a7bcaedf82144c25bf84ab1
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed