CVE-2015-3315

Related Files

ABRT raceabrt Privilege Escalation

Posted Feb 15, 2018

Authored by Tavis Ormandy | Site metasploit.com

This Metasploit module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This Metasploit module uses a symlink attack on '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This Metasploit module has been tested successfully on ABRT packaged version 2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop 19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64. Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.

tags | exploit, arbitrary, local, root

systems | linux, redhat, fedora

advisories | CVE-2015-3315

SHA-256 | 01b8bf4ffa026e722d143beb159ab4a57e3e4542e56046a209e14abce7657161

Download | Favorite | View

Red Hat Security Advisory 2015-1210-01

Posted Jul 7, 2015

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1210-01 - ABRT is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. It was found that ABRT was vulnerable to multiple race condition and symbolic link flaws. A local attacker could use these flaws to potentially escalate their privileges on the system. It was discovered that the kernel-invoked coredump processor provided by ABRT wrote core dumps to files owned by other system users. This could result in information disclosure if an application crashed while its current directory was a directory writable to by other users.

tags | advisory, kernel, local, info disclosure

systems | linux, redhat

advisories | CVE-2015-1869, CVE-2015-1870, CVE-2015-3142, CVE-2015-3147, CVE-2015-3159, CVE-2015-3315

SHA-256 | 47a1f50bad2069d1272bed01fda4923643f3bc2e6bea1f01b891e04347c5db10

Download | Favorite | View

Red Hat Security Advisory 2015-1083-01

Posted Jun 10, 2015

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1083-01 - ABRT is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. It was found that ABRT was vulnerable to multiple race condition and symbolic link flaws. A local attacker could use these flaws to potentially escalate their privileges on the system. It was discovered that the kernel-invoked coredump processor provided by ABRT wrote core dumps to files owned by other system users. This could result in information disclosure if an application crashed while its current directory was a directory writable to by other users.

tags | advisory, kernel, local, info disclosure

systems | linux, redhat

advisories | CVE-2015-1869, CVE-2015-1870, CVE-2015-3142, CVE-2015-3147, CVE-2015-3150, CVE-2015-3151, CVE-2015-3159, CVE-2015-3315

SHA-256 | 92cf38071afd6b4d35ace0c698821aeaa4a129055d2758b46d61251ed3d96e6f

Download | Favorite | View