dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update documentation

This commit is contained in:
Brendan Coles 2018-02-02 02:27:13 +00:00
parent 0d80ca6f79
commit 3c21eb8111
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
modules/exploits/linux/local/apport_abrt_chroot_priv_esc.md → documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.md
View File

@ -7,12 +7,16 @@
Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed.
Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed.
Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed. Fedora's crash handler was reportedly configured to chroot ABRT by default between April and August 2014.
In both instances, the crash handler does not drop privileges, resulting in code execution as root.
This module has been tested successfully on:
* Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64
* ABRT on Fedora 19 and 20 x86_64.
* ABRT on Fedora 19 and 20 x86_64
To test Fedora 20, disable SELinux, reboot, and modify `/proc/sys/kernel/core_pattern` to make use of the vulnerable `core_pattern` : `|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e`
## Verification Steps