Update documentation
parent 0d80ca6f79
commit 3c21eb8111
|
@ -7,12 +7,16 @@
|
|||
|
||||
Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed.
|
||||
|
||||
Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed.
|
||||
Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed. Fedora's crash handler was reportedly configured to chroot ABRT by default between April and August 2014.
|
||||
|
||||
In both instances, the crash handler does not drop privileges, resulting in code execution as root.
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64
|
||||
* ABRT on Fedora 19 and 20 x86_64.
|
||||
* ABRT on Fedora 19 and 20 x86_64
|
||||
|
||||
To test Fedora 20, disable SELinux, reboot, and modify `/proc/sys/kernel/core_pattern` to make use of the vulnerable `core_pattern` : `|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e`
|
||||
|
||||
|
||||
## Verification Steps
|
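Review bot: The added paragraph beginning "To test Fedora 20" tells the reader to disable SELinux and overwrite `/proc/sys/kernel/core_pattern`, but says nothing about restoring either setting afterwards. Suggest adding a sentence stating that these steps are meant for a disposable test VM, that the original `core_pattern` value should be recorded before it is changed, and that SELinux should be re-enabled once testing is done. The same line has a stray space before the colon in "`core_pattern` :". Separately, the added sentence "Fedora's crash handler was reportedly configured to chroot ABRT by default between April and August 2014" gives the reader nothing to check; a link to the source for those dates would back up "reportedly".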