CVE-2015-5287
First published: Mon Sep 28 2015(Updated: )
A vulnerability allowing to elevate privileges from the abrt user to root was reported. If a program starting with the name "abrt" crashes, abrt-hook-ccpp will write the coredump to /var/tmp/abrt/$filename-coredump or /var/spool/abrt/$filename-coredump. From abrt-hook-ccpp.c: if (last_slash && strncmp(++last_slash, "abrt", 4) == 0) { /* If abrtd/abrt-foo crashes, we don't want to create a _directory_, * since that can make new copy of abrtd to process it, * and maybe crash again... * Unlike dirs, mere files are ignored by abrtd. */ if (snprintf(path, sizeof(path), "%s/%s-coredump", g_settings_dump_location, last_slash) >= sizeof(path)) error_msg_and_die("Error saving '%s': truncated long file path", path); int abrt_core_fd = xopen3(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); The call to xopen3() does not include the flag O_NOFOLLOW and is therefore vulnerable to a symlink attack. This vulnerability is not exploitable on RHEL installations with default configuration. It can be exploitable if the system is configured to use non-RHN yum repositories. This is because yum is normally not usable by non-root users if the only configured repositories are RHN. Note: This security flaw has been split from <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2015-5273 abrt: Insecure temporary directory usage in abrt-action-install-debuginfo-to-abrt-cache" href="show_bug.cgi?id=1262252">bug #1262252</a>.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Automatic Bug Reporting Tool | <=2.7.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Hpc Node | =7.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/154592/ABRT-sosreport-Privilege-Escalation.html
- http://rhn.redhat.com/errata/RHSA-2015-2505.html
- http://www.openwall.com/lists/oss-security/2015/12/01/1
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/78137
- https://bugzilla.redhat.com/show_bug.cgi?id=1266837
- https://github.com/abrt/abrt/commit/3c1b60cfa62d39e5fff5a53a5bc53dae189e740e
- https://www.exploit-db.com/exploits/38832/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1262252
- https://rhn.redhat.com/errata/RHSA-2015-2505.html
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-5287
- vendor/redhat
- canonical/redhat automatic bug reporting tool
- version/redhat automatic bug reporting tool/2.7.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux hpc node
- version/redhat enterprise linux hpc node/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0