Apport / ABRT chroot Privilege Escalation
Description
This module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
Author(s)
- Stéphane Graber
- Tavis Ormandy
- Ricardo F. Teixeira
- bcoles <bcoles@gmail.com>
Platform
Linux
Architectures
x86, x64
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/local/apport_abrt_chroot_priv_esc
msf exploit(apport_abrt_chroot_priv_esc) > show targets
...targets...
msf exploit(apport_abrt_chroot_priv_esc) > set TARGET < target-id >
msf exploit(apport_abrt_chroot_priv_esc) > show options
...show and set options...
msf exploit(apport_abrt_chroot_priv_esc) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security