First published: Fri Sep 11 2015(Updated: )
Multiple vulnerabilities were found in abrt allowing privilege escalation. ============================== 1. Insecure temporary directory and symlink usage in sosreport A vulnerability allowing to elevate privileges from an unprivileged user to root on a default installation of RHEL 7/7.1 was reported. When a process receives SIGSEGV, abrt will save diagnostic information in /var/tmp/abrt/ccpp-*$pid on RHEL 7. Unless /etc/abrt/abrt.conf contains the line "PrivateReports = yes", directories created here by abrt will be chown()'d to the user who owned the crashing process. After saving some initial information it will call post-create scripts, one of the default ones on RHEL is /usr/sbin/sosreport. /usr/sbin/sosreport will be invoked as root and work with a temporary directory named /var/tmp/abrt/ccpp-*$pid/sosreport-$hostname-$date. It will save a number of files collected from the system in this directory and then archive it. Since the directory is owned by root we cannot modify files inside it while sosreport is running, but we do own the parent directory and can simply rename the temporary directory and make a new one. /usr/sbin/sosreport will then write files into our crafted temp directory and will follow any symlinks we make inside. By also renaming some of the temporary files that sosreport works with we can exploit sosreport to write a file with crafted data at an arbitrary location as root. ============================== 2. Insecure temporary directory usage in abrt-action-install-debuginfo-to-abrt-cache A vulnerability was reported allowing to create symlinks and files at arbitrary locations as the abrt user. abrt-action-install-debuginfo-to-abrt-cache is a wrapper for abrt-action-install-debuginfo with the setuid bit for userid abrt. By default it creates a temporary directory in /var/tmp/abrt-tmp-debuginfo-RANDOM_SUFFIX and downloads debug rpm files to this location before extracting them to /var/cache/abrt-di. The random suffix is not quite random but in fact highly predictable, and we can create this directory before executing the suid wrapper. By controlling the "unpacked.cpio" file we can trick abrt-action-install-debuginfo into extracting a cpio file that we control. By extracting two carefully created cpio archives we can leverage this to create files or symlinks anywhere on the file system as the abrt user. This only works on non-redhat systems such as CentOS 7 or RHEL installations that do not use the official RHN yum repositories. ============================== 3. Insecure symlink handling in abrt-hook-ccpp A vulnerability allowing to elevate privileges from the abrt user to root was reported. If a program starting with the name "abrt" crashes, abrt-hook-ccpp will write the coredump to /var/tmp/abrt/$filename-coredump or /var/spool/abrt/$filename-coredump. From abrt-hook-ccpp.c: if (last_slash && strncmp(++last_slash, "abrt", 4) == 0) { /* If abrtd/abrt-foo crashes, we don't want to create a _directory_, * since that can make new copy of abrtd to process it, * and maybe crash again... * Unlike dirs, mere files are ignored by abrtd. */ if (snprintf(path, sizeof(path), "%s/%s-coredump", g_settings_dump_location, last_slash) >= sizeof(path)) error_msg_and_die("Error saving '%s': truncated long file path", path); int abrt_core_fd = xopen3(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); The call to xopen3() does not include the flag O_NOFOLLOW and is therefore vulnerable to a symlink attack. This vulnerability is not exploitable on RHEL installations with default configuration. It can be exploitable if the system is configured to use non-RHN yum repositories. This is because yum is normally not usable by non-root users if the only configured repositories are RHN.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Automatic Bug Reporting Tool | <=2.7.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Hpc Node | =7.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Workstation | =7.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.